
Delphinus

611 posts

Ultimate Geek


#281555 25-Feb-2021 10:41

I've been wanting to block all international traffic (excl. NZ and AU) to something we've developed, but need to allow some overseas source IPs for things like webhooks from Postmark and Xero.

 

Postmark provide a handy list of their webhook IPs: https://postmarkapp.com/support/article/800-ips-for-firewalls

 

However when I asked Xero for the same they responded:

 

Xero uses Akamai, a content distribution network with several thousand IP addresses, serving over a quarter of the world's internet traffic. We are dynamically allocated IPs from that pool, which may change at any time. Therefore we do not have a fixed list of IP addresses we can supply.

Furthermore since Akamai serves such a large portion of the world's internet traffic, whitelisting all of their IP address ranges wouldn't achieve the desired result for you. The only option is using domain name based whitelisting if that is something your firewall supports.

Please add the xero.com domain to your whitelist. For more information on server setup for Webhooks, please see the link below. 

Xero Developer: Configuring your server

 

 

 

I always assumed that Akamai is an inbound CDN. Can it really be used for OUTBOUND webhook requests as well? i.e. will Xero webhooks really come from any Akamai IP address, rather than just Xero's origin IPs (which would be a more finite address range)?

 

 


deadlyllama
1262 posts

Uber Geek

Trusted

  #2662617 25-Feb-2021 12:00

Sounds like you've got a canned answer to the "what IPs is Xero on" question.

 

Do you really need to block international traffic - what's the problem you're trying to solve here?

 

Xero may not be able to give you a stable set of IPs to let through your firewall, especially if they're hosted in the cloud (i.e. AWS/similar).

 

Is there a way you could allow traffic to the webhook but not the rest of your app?




Delphinus

611 posts

Ultimate Geek


  #2662630 25-Feb-2021 12:45

Yeah that's what I thought, but wanted to double check my own logic!

 

I would prefer to block international traffic from a security point of view, as we store confidential information. No-one uses us from outside NZ/AU, so I figured the fewer means of malicious access the better. Our servers only allow HTTPS traffic from Cloudflare IPs, and nothing else. I was going to use the Cloudflare firewall to block anything other than NZ, AU, Postmark, Xero.

 

The Cloudflare firewall does have a range of options, including hostname, so that might be the only option if I can't get past the Xero canned answer. Similar non-response here: https://community.xero.com/developer/discussion/111376002 Most entities provide at least a range of addresses or ranges to allow.

 

We're also looking into some pen testing (waiting on a quote from https://zxsecurity.co.nz/ ) but wanted to do everything possible. Suggestions welcome (or maybe I should start an additional thread?).


deadlyllama
1262 posts

Uber Geek

Trusted

  #2662636 25-Feb-2021 13:13

Will Cloudflare let you "allow all incoming" to just the Xero webhook endpoint? Or if that's a hostname-wide setting, could you put the webhook endpoint on its own hostname?

 

A determined attacker can just rent a VPN with servers in New Zealand.

 

I'd be worried about blocking customers with a blanket country ban, but that's a business (and tech support cost) decision. Do all satellite connections have "NZ" IPs?

 

 




Delphinus

611 posts

Ultimate Geek


  #2662641 25-Feb-2021 13:27

Yeah, I've just done some testing on staging, and can allow just the webhook endpoint (and OAuth2 callback!) which works fine. I can see from logs they are using AWS in the US as their origins!

 

Agree that a determined attacker can rent a NZ VPN/VPS, but if I can easily make it that much harder for them, then why not.

 

Not too fussed about blocking customers. Reasonably small customer base, so if anyone does have issues, they will tell us. Unlikely for them to be using satellite connections, but it's a good thing to think about.

 

The public website will stay world accessible.

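The policy the thread ends up with (NZ/AU only on the app, Postmark's published ranges excepted, the Xero webhook and OAuth2 callback endpoints reachable from anywhere, public site unrestricted), modelled as an added example so the rule ordering can be checked before it is written as a Cloudflare firewall rule. This is not code from the thread or from Cloudflare; the hostnames, paths and IP ranges are constructed placeholders.

```python
# Added example: a small model of the allow/block decision described in the
# thread. Evaluating it locally catches ordering mistakes (for example a
# country block that fires before the webhook-path exemption) before the
# same logic is expressed as a Cloudflare firewall rule.
from ipaddress import ip_address, ip_network

# Placeholder for the ranges Postmark publishes on its firewall page
# (constructed documentation addresses, not Postmark's real ranges).
POSTMARK_RANGES = [ip_network("203.0.113.0/24"), ip_network("198.51.100.0/24")]

ALLOWED_COUNTRIES = {"NZ", "AU"}

# Endpoints that must stay reachable from any source address, because Xero
# sends webhooks and OAuth2 callbacks from addresses that cannot be listed.
# The application itself has to authenticate whatever arrives here.
OPEN_PATHS = ("/webhooks/xero", "/oauth2/callback")

PUBLIC_HOST = "www.example.com"  # marketing site, stays world-accessible
APP_HOST = "app.example.com"     # the application being restricted


def _path_is_open(path: str) -> bool:
    """Exact match or sub-path of an open endpoint; '/webhooks/xerox' is not."""
    return any(path == p or path.startswith(p + "/") for p in OPEN_PATHS)


def decide(host: str, path: str, src_ip: str, country: str) -> str:
    """Return 'allow' or 'block' for one request, in the intended rule order."""
    if host == PUBLIC_HOST:
        return "allow"
    if host != APP_HOST:
        return "block"          # unknown hostname: fail closed
    if _path_is_open(path):
        return "allow"          # world-open endpoints come before the geo rule
    ip = ip_address(src_ip)
    if any(ip in net for net in POSTMARK_RANGES):
        return "allow"          # Postmark webhooks, matched by source range
    if country in ALLOWED_COUNTRIES:
        return "allow"
    return "block"


def audit(requests):
    """Run a batch of (host, path, ip, country) tuples and return the verdicts."""
    return [decide(*r) for r in requests]


if __name__ == "__main__":
    # Constructed sample requests, one per rule branch.
    sample = [("app.example.com", "/webhooks/xero", "52.0.0.1", "US"),
              ("app.example.com", "/login", "52.0.0.1", "US"),
              ("app.example.com", "/login", "203.0.113.7", "US"),
              ("app.example.com", "/login", "101.98.0.1", "NZ")]
    for req, verdict in zip(sample, audit(sample)):
        print(verdict, req)
```

The one branch this model cannot help with is the open webhook path itself: once it is reachable from anywhere, the application must validate each request (for example by checking the signature Xero attaches) rather than trusting the source address.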
