
Platform Outbound IP Addresses

Overview

All outbound traffic from our Lambda functions (HTTP, CLI, queue workers) exits through a NAT Gateway with a static Elastic IP. This applies to every service deployed via Laravel Vapor that runs inside a VPC.

IP Addresses

Both environments live in AWS account 314863550469 (us-east-1).

Environment | IP Address | Vapor Network | AWS Console (EIP allocation ID)
Production | 54.156.183.195 | vapor-network-1595960370 | eipalloc-03bbdd143a8646be5
Staging | 54.235.200.172 | vapor-network-1593719736 | eipalloc-057fc143415e4cce6

How It Works

Each Vapor project's config (vapor.production.yml / vapor.staging.yml) declares a network for each environment. All projects share the same VPC networks (Farfalla, Coniglio, Medusa, and Castoro). Declaring a network places the project's Lambda functions inside a VPC. When those functions make outbound internet requests, traffic routes through:

Lambda → VPC Subnet → NAT Gateway (Elastic IP) → Internet

The Elastic IP is managed by Vapor as part of the VPC network provisioning. It remains stable across deployments and scaling events, but could change if the network is re-provisioned.

Services NOT on the VPC

Not all services use these static IPs:

  • farfalla-integrations: Has no network: declaration in its Vapor config. It runs outside the VPC, so its outbound IP is a dynamic AWS Lambda public IP that can change on every invocation. This is relevant because farfalla-integrations makes outbound calls to customer APIs.
  • Micelio: Deployed to Cloudflare Workers, not AWS. Outbound traffic uses Cloudflare's IP ranges, not our Elastic IPs.

Verification

To check the outbound IP from a running Lambda, use Vapor's Tinker in the dashboard or run:

php artisan tinker --execute="echo file_get_contents('https://api.ipify.org');"

Finding the IP If It Changes

If the VPC network is re-provisioned:

  1. Check the AWS Console: VPC > NAT Gateways in account 314863550469
  2. Or via AWS CLI: aws ec2 describe-nat-gateways --region us-east-1
  3. Or run the verification tinker command above from the Vapor dashboard
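The check in step 2 can be automated so that a re-provisioned network is noticed before customer allowlists start rejecting traffic. The following is an added example, not part of the original page or of Vapor: it compares the JSON printed by aws ec2 describe-nat-gateways with the two IPs documented above. The function name, the sample gateway IDs and the 203.0.113.10 address are constructed for illustration.

```python
import json

# Egress IPs documented in the table on this page.
DOCUMENTED = {"54.156.183.195": "Production", "54.235.200.172": "Staging"}

def check_nat_drift(describe_output, documented=DOCUMENTED):
    """Compare `aws ec2 describe-nat-gateways` JSON with the documented IPs.
    Returns a list of findings; an empty list means the page is still accurate."""
    live = {}  # public IP -> NAT gateway id, for gateways that carry traffic
    for gw in json.loads(describe_output).get("NatGateways", []):
        if gw.get("State") != "available":
            continue  # pending/failed/deleting/deleted gateways do not egress
        for addr in gw.get("NatGatewayAddresses", []):
            if addr.get("PublicIp"):
                live[addr["PublicIp"]] = gw.get("NatGatewayId", "?")
    findings = []
    for ip, env in documented.items():
        if ip not in live:
            findings.append(f"MISSING {ip} ({env}): no available NAT gateway uses it")
    for ip, gw_id in live.items():
        if ip not in documented:
            findings.append(f"UNDOCUMENTED {ip} on {gw_id}: allowlists may not include it")
    return findings

# Constructed sample: the staging network was re-provisioned, so its old
# gateway is "deleted" and a new gateway egresses from a made-up address.
SAMPLE = json.dumps({"NatGateways": [
    {"NatGatewayId": "nat-EXAMPLE1", "State": "available",
     "NatGatewayAddresses": [{"PublicIp": "54.156.183.195"}]},
    {"NatGatewayId": "nat-EXAMPLE2", "State": "deleted",
     "NatGatewayAddresses": [{"PublicIp": "54.235.200.172"}]},
    {"NatGatewayId": "nat-EXAMPLE3", "State": "available",
     "NatGatewayAddresses": [{"PublicIp": "203.0.113.10"}]},
]})

if __name__ == "__main__":
    for finding in check_nat_drift(SAMPLE):
        print(finding)
```

Any other NAT gateway in the same account and region is reported as UNDOCUMENTED, so filter the input to the Vapor networks if the account hosts unrelated VPCs.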

Known Customer Allowlists

These are customers we know have allowlisted our IPs. This list may not be complete; there is no centralized registry yet.

  • Copesa: Permission API (publicalapi.copesa.cl/get_permissions.php)
  • Arc XP: Authentication provider (blocked us in May 2024, see Slack history)

Before the Laravel Cloud migration, we need to audit tenant configs to build a complete list.

Public Documentation

These IPs are also documented for customers at docs.publica.la/platform-ip-addresses. That page intentionally omits which IP belongs to which environment.

Migration to Laravel Cloud

When migrating to Laravel Cloud Private Cloud, new static IPs will be assigned by the new VPC's NAT Gateway.

Checklist

  • Get new static IPs from Laravel Cloud Private Cloud setup
  • Update this doc and the public docs page
  • Build a list of all customers with IP allowlists (check tenant configs for external permission URLs, webhook endpoints, etc.)
  • Notify affected customers with enough lead time to update their firewalls
  • Run both old and new IPs simultaneously during the transition period
  • Verify outbound connectivity from the new infrastructure
  • Coordinate with customers to confirm their allowlists are updated before decommissioning old IPs