From 7e8ad7ed5036f95a34af731ae6ba25789c9372dc Mon Sep 17 00:00:00 2001 From: stayseesong Date: Mon, 21 Oct 2024 14:03:00 -0700 Subject: [PATCH] fixed allowlisting ips --- src/connections/storage/catalog/azuresqldw/index.md | 12 +++++++++--- src/connections/storage/catalog/bigquery/index.md | 8 +++++++- src/connections/storage/catalog/databricks/index.md | 12 +++++++++--- src/connections/storage/catalog/db2/index.md | 7 +++++-- src/connections/storage/catalog/postgres/index.md | 10 ++++++++-- src/connections/storage/catalog/redshift/index.md | 9 ++++++++- src/connections/storage/catalog/snowflake/index.md | 2 -- src/connections/storage/warehouses/faq.md | 9 ++++----- 8 files changed, 50 insertions(+), 19 deletions(-) diff --git a/src/connections/storage/catalog/azuresqldw/index.md b/src/connections/storage/catalog/azuresqldw/index.md index 3872c901ac..1abec59e72 100644 --- a/src/connections/storage/catalog/azuresqldw/index.md +++ b/src/connections/storage/catalog/azuresqldw/index.md @@ -4,14 +4,12 @@ rewrite: true redirect_from: - '/connections/warehouses/catalog/azuresqldw/' --- -{% include content/warehouse-ip.html %} - Azure's [Azure Synapse Analytics](https://azure.microsoft.com/en-us/services/synapse-analytics/){:target="_blank"}, previously known as Azure SQL Data Warehouse, is a limitless analytics service that brings together enterprise data warehousing and Big Data analytics. {% include content/storage-do-include.md %} -## Getting Started +## Getting started Complete the following prerequisites in Microsoft Azure before connecting your Azure Synapse Analytics databases to Segment: @@ -87,6 +85,14 @@ The default [resource allocation class](https://docs.microsoft.com/en-us/azure/s Users with a Business Tier plan can enable Selective Sync for their Azure Synapse Analytics destination. With Selective Sync, you can customize which collections and properties from a source are sent to each warehouse, which leads to faster, more relevant syncs. To learn more about Selective Sync, review the [Warehouse Syncs](/docs/connections/storage/warehouses/warehouse-syncs/#warehouse-selective-sync) documentation. +### Allowlisting IPs + +Segment recommends enabling IP allowlists for added security. All Segment users with workspaces hosted in the US who use allowlists in their warehouses must update those allowlists to include the following ranges: +* `52.25.130.38/32` +* `34.223.203.0/28` + +Users with workspaces in the EU must allowlist `3.251.148.96/29`. + ## Troubleshooting ### Segment is not able to connect to Azure Synapse Analytics diff --git a/src/connections/storage/catalog/bigquery/index.md b/src/connections/storage/catalog/bigquery/index.md index a17a1c1d40..899bb27aef 100644 --- a/src/connections/storage/catalog/bigquery/index.md +++ b/src/connections/storage/catalog/bigquery/index.md @@ -4,7 +4,6 @@ rewrite: true redirect_from: - '/connections/warehouses/catalog/bigquery/' --- -{% include content/warehouse-ip.html %} Segment's [BigQuery](https://cloud.google.com/bigquery/){:target="_blank"} connector makes it easy to load web, mobile, and third-party source data like Salesforce, Zendesk, and @@ -138,6 +137,13 @@ To remove access to the shared Service Account: For more information about managing IAM access, refer to Google's documentation, [Manage access to projects, folders, and organization](https://cloud.google.com/iam/docs/granting-changing-revoking-access){:target="_blank"}. +### Allowlisting IPs + +Segment recommends enabling IP allowlists for added security. All Segment users with workspaces hosted in the US who use allowlists in their warehouses must update those allowlists to include the following ranges: +* `52.25.130.38/32` +* `34.223.203.0/28` + +Users with workspaces in the EU must allowlist `3.251.148.96/29`. ## Best Practices diff --git a/src/connections/storage/catalog/databricks/index.md b/src/connections/storage/catalog/databricks/index.md index 95e845e87e..df3a0c64b4 100644 --- a/src/connections/storage/catalog/databricks/index.md +++ b/src/connections/storage/catalog/databricks/index.md @@ -3,7 +3,6 @@ title: Databricks Destination public: true --- -{% include content/warehouse-ip.html %} With the Databricks Destination, you can ingest event data directly from Segment into your Databricks Lakehouse. @@ -87,7 +86,14 @@ Segment uses the service principal to access your Databricks workspace and assoc 1. Follow the [Databricks guide for adding a service principal to your account](https://docs.databricks.com/en/administration-guide/users-groups/service-principals.html#manage-service-principals-in-your-account){:target="_blank"}. This name can be anything, but Segment recommends something that identifies the purpose (for example, "Segment Storage Destinations"). Note the principal application ID that Databricks generates to use in this step. Segment doesn't require Account admin or Marketplace admin roles. 2. Follow the [Databricks instructions to generate an OAuth secret](https://docs.databricks.com/en/dev-tools/authentication-oauth.html#step-2-create-an-oauth-secret-for-a-service-principal){:target="_blank"}. Note the secret generated by Databricks to use in this step. Once you navigate away from this page, the secret is no longer visible. If you lose or forget the secret, delete the existing secret and create a new one. - Once connected, you'll see a confirmation screen with next steps and more info on using your warehouse. -{% include content/storage-do-include.md %} \ No newline at end of file +{% include content/storage-do-include.md %} + +## Security + +Segment recommends enabling IP allowlists for added security. All Segment users with workspaces hosted in the US who use allowlists in their warehouses must update those allowlists to include the following ranges: +* `52.25.130.38/32` +* `34.223.203.0/28` + +Users with workspaces in the EU must allowlist `3.251.148.96/29`. diff --git a/src/connections/storage/catalog/db2/index.md b/src/connections/storage/catalog/db2/index.md index e22c3a5198..b4486ef7f6 100644 --- a/src/connections/storage/catalog/db2/index.md +++ b/src/connections/storage/catalog/db2/index.md @@ -4,7 +4,6 @@ rewrite: true redirect_from: - '/connections/warehouses/catalog/db2/' --- -{% include content/warehouse-ip.html %} Use [IBM Db2](https://www.ibm.com/analytics/us/en/db2/){:target="_blank"} with Segment to get all of your event and Cloud Source data in a warehouse built by IBM. This @@ -64,7 +63,11 @@ To set up an IBM Db2 destination in the Segment app: ### Allowlisting IPs -If your Db2 Warehouse is in a private network, be sure to [allowlist Segment's IP address](/docs/connections/storage/warehouses/faq/#which-ips-should-i-allowlist) when creating the Db2 user Segment assumes. Otherwise, Segment won't be able to load your data. +Segment recommends enabling IP allowlists for added security. All Segment users with workspaces hosted in the US who use allowlists in their warehouses must update those allowlists to include the following ranges: +* `52.25.130.38/32` +* `34.223.203.0/28` + +Users with workspaces in the EU must allowlist `3.251.148.96/29`. ### Unique User diff --git a/src/connections/storage/catalog/postgres/index.md b/src/connections/storage/catalog/postgres/index.md index d1844ae0d4..a63457d8cf 100644 --- a/src/connections/storage/catalog/postgres/index.md +++ b/src/connections/storage/catalog/postgres/index.md @@ -4,8 +4,6 @@ rewite: true redirect_from: - '/connections/warehouses/catalog/postgres/' --- -{% include content/warehouse-ip.html %} - PostgreSQL, or Postgres, is an object-relational database management system (ORDBMS) with an emphasis on extensibility and standards compliance. As a database server, its primary functions are to store data securely and return that data in response to requests from other software applications. @@ -104,6 +102,14 @@ To make sure your Postgres database is secure: - Create a service user that has `read/write` permissions. - Always require SSL/TLS and make sure your data warehouse can only accept secure connections. Segment only connects to your data warehouse using SSL/TLS. +### Allowlisting IPs + +Segment recommends enabling IP allowlists for added security. All Segment users with workspaces hosted in the US who use allowlists in their warehouses must update those allowlists to include the following ranges: +* `52.25.130.38/32` +* `34.223.203.0/28` + +Users with workspaces in the EU must allowlist `3.251.148.96/29`. + ## Best Practices Once you've got your data in Postgres, you can do even more with it. You might develop an app that performs various functions based on different events being loaded to the database, potentially using [RabbitMQ](https://www.compose.io/articles/going-from-postgresql-rows-to-rabbitmq-messages/){:target="_blank"} as your asynchronous message broker. For example, you might want a banner to appear once your 1000th customer has signed up. The data is at your fingertips; you just need to decide how to use it. diff --git a/src/connections/storage/catalog/redshift/index.md b/src/connections/storage/catalog/redshift/index.md index f0c81b1268..335ed090bc 100644 --- a/src/connections/storage/catalog/redshift/index.md +++ b/src/connections/storage/catalog/redshift/index.md @@ -4,7 +4,6 @@ rewrite: true redirect_from: - '/connections/warehouses/catalog/redshift/' --- -{% include content/warehouse-ip.html %} This guide explains the process to provision a Redshift cluster and allow the Segment warehouse connector to write to it. @@ -75,6 +74,14 @@ VPCs keep servers inaccessible to traffic from the internet. With VPC, you're ab ### SSL/TLS Always require SSL/TLS and make sure your data warehouse accepts only secure connections. Segment only connects to your data warehouse using SSL/TLS. +### Allowlisting IPs + +Segment recommends enabling IP allowlists for added security. All Segment users with workspaces hosted in the US who use allowlists in their warehouses must update those allowlists to include the following ranges: +* `52.25.130.38/32` +* `34.223.203.0/28` + +Users with workspaces in the EU must allowlist `3.251.148.96/29`. + ## Best practices ### Networking diff --git a/src/connections/storage/catalog/snowflake/index.md b/src/connections/storage/catalog/snowflake/index.md index f9b341fcc8..aa76e90e8b 100644 --- a/src/connections/storage/catalog/snowflake/index.md +++ b/src/connections/storage/catalog/snowflake/index.md @@ -5,8 +5,6 @@ redirect_from: - '/connections/warehouses/catalog/snowflake/' --- -{% include content/warehouse-ip.html %} - [Snowflake](https://docs.snowflake.net/manuals/index.html){:target="_blank"} is a data warehouse, built for the cloud, that delivers performance, simplicity, concurrency and affordability. > info "" diff --git a/src/connections/storage/warehouses/faq.md b/src/connections/storage/warehouses/faq.md index e7c7249d60..79861a35f0 100644 --- a/src/connections/storage/warehouses/faq.md +++ b/src/connections/storage/warehouses/faq.md @@ -114,12 +114,11 @@ Segment recommends scripting any sort of additions of data you might have to war ## Which IPs should I allowlist? -{% include content/warehouse-ip.html %} +Segment recommends enabling IP allowlists for added security. All Segment users with workspaces hosted in the US who use allowlists in their warehouses must update those allowlists to include the following ranges: +* `52.25.130.38/32` +* `34.223.203.0/28` -You must allowlist Segment's custom IPs `52.25.130.38/32` and `34.223.203.0/28` while authorizing Segment to write in to your warehouse port. Currently, Redshift and Postgres are the only connectors that require you to configure an IP upon setup. Segment recommends enabling IP allowlists for added security. - - -If you're in the EU region, use CIDR `3.251.148.96/29`. To learn more about EU workspace locations, contact your account manager. +Users with workspaces in the EU must allowlist `3.251.148.96/29`. ## Will Segment sync my historical data?