April 7, 2022 By Ethan Long

Beginning 23 June 2022, when connections are made to IBM Cloud Container Registry, the real source IP of the request will be used.

Previously, when connections came in over private networks, the source IP addresses that you saw in IBM Cloud Activity Tracker, and that you configured in IAM restricted IP address lists, were the documented Container Registry IP addresses. This change also affects you if you have allowlists or a firewall rule.

As of 23 June 2022, only the br-sao and ca-tor regions changed. Changes to the other regions are delayed.

How you benefit from this change

This change increases security for IBM Cloud Container Registry users who use private connections and IAM restricted IP address lists. You must now configure the restricted IP address list to allow the private subnets or IP addresses of your own hosts, which means that you can ensure Container Registry OAuth requests only originate from hosts that you own.

Users of Activity Tracker will also be able to see the true source IP address in any audit logs (currently, they see a private Container Registry-owned IP).

Understanding if you are impacted

You are accessing Container Registry over the private network if one of the following statements is true:

  • You’re using one of the private.* domains (e.g., private.us.icr.io).
  • You’re using an IBM Cloud Kubernetes Service cluster in a configuration that automatically talks to the registry over a private connection.
  • You’re accessing Container Registry through a virtual private cloud (VPC) Virtual Private Endpoint Gateway (VPE Gateway).
  • You’re using the Container Registry private IP addresses for configuring network access; for example, in firewalls or Access Control Lists (ACLs).

If any of the previous statements is true when this change takes effect, the IP addresses in the IBM Cloud Activity Tracker logs change, but you don’t need to do anything unless you are also using IAM IP address access restrictions.

If you use Calico, the samples are updated to take account of the change.

What actions do you need to take?

By 23 June 2022, if you access Container Registry over the private network and maintain a list of restricted IP addresses in IAM, you must update your IAM restricted IP address list to include any IP addresses or subnets of hosts in your account that make requests to Container Registry, in addition to the current Container Registry private IP addresses.

See the docs for more info: “Update IAM restricted IP address lists by 23 June 2022.”

For more information about connecting to Container Registry over the private network, see Securing your connection to Container Registry.
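
As an added example (not IBM's code and not part of the original post), this Python sketch checks which of your hosts' private source IPs a restricted IP address list would reject, before and after you add your own subnets. The allowlist syntax (comma-separated single addresses, `start-end` ranges and CIDR subnets) is an assumption, and every address below is a constructed placeholder, not a real Container Registry IP.

```python
import ipaddress

# Constructed placeholder values: these are NOT real Container Registry addresses.
REGISTRY_PRIVATE_IPS = "192.0.2.10, 192.0.2.20-192.0.2.22"
# Constructed private source IPs of hosts that pull from the registry,
# e.g. as collected from Activity Tracker events after the change.
HOST_SOURCE_IPS = ["10.240.0.5", "10.240.1.17", "10.10.8.4"]

ALLOWLIST_BEFORE = REGISTRY_PRIVATE_IPS
ALLOWLIST_AFTER = REGISTRY_PRIVATE_IPS + ", 10.240.0.0/23"


def parse_allowlist(text):
    """Turn a comma-separated allowlist into a list of ip_network objects.

    Assumed entry forms: single address, 'start-end' range, CIDR subnet.
    """
    networks = []
    for entry in (part.strip() for part in text.split(",")):
        if not entry:
            continue
        if "-" in entry:
            start, end = (ipaddress.ip_address(p.strip()) for p in entry.split("-", 1))
            # Raises ValueError if the range is reversed.
            networks.extend(ipaddress.summarize_address_range(start, end))
        else:
            # strict=False accepts a CIDR whose host bits are set.
            networks.append(ipaddress.ip_network(entry, strict=False))
    return networks


def uncovered_sources(allowlist_text, source_ips):
    """Return the source IPs that no allowlist entry covers, in input order."""
    networks = parse_allowlist(allowlist_text)
    return [raw for raw in source_ips
            if not any(ipaddress.ip_address(raw) in net for net in networks)]


if __name__ == "__main__":
    for label, allowlist in (("before", ALLOWLIST_BEFORE), ("after", ALLOWLIST_AFTER)):
        print(label, "update, would be rejected:", uncovered_sources(allowlist, HOST_SOURCE_IPS))
```

Any address it reports after the update belongs to a host whose subnet is still missing from the list.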
