Sentry Ingestion Domains Updates
The TL;DR: We are going to apply these changes on September 1st, 2023:
- Ingestion via non-encrypted HTTP will be disabled.
- DNS A records for
sentry.ioand*.sentry.iowill point to35.186.247.156 - DNS A record for
app.getsentry.comwill point to34.96.102.34
Read on if you have:
- outbound firewall rules mentioning
35.188.42.15; - http:// (non-HTTPS) specified in your Sentry SDK settings.
Why are we making these changes?
Software development can be hard. So is operating large software setups like Sentry SaaS. Some technical solutions that worked perfectly before, show their drawbacks as the system grows, while new, better solutions appear. The time has come to reconsider the performance and enforce security around our ingestion.
The good news is that we already prepared the internal changes, it will just take some time to roll them out.
Here are some improvements that we plan to roll out:
- increase overall security and performance by using modern protocols, such as TLS 1.3, HTTP/2, and HTTP/3;
- TTFB for Sentry UI and API calls will be lower globally due to Anycast technology;
- fully deprecating non-encrypted HTTP.
1. Disabling HTTP ingestion
Last year, we disabled TLS 1.0 and 1.1 because these protocols were considered insecure. But, It was also clear that it’s no longer reasonable to support non-encrypted HTTP. The API calls via plain HTTP were disabled a long time ago, but ingestion via HTTP was still possible for older clients. Now we are disabling it, keeping only HTTP → HTTPS redirects.
2. IP address changes
You should care about this change if you have strict firewall rules for outbound internet requests. In most setups, this should continue to work as before.
In general, please refer to this page for more details about the IP addresses that we use: https://docs.sentry.io/product/security/ip-ranges/
We are going to change the IP address of the sentry.io and *.sentry.io host names.
New IP address: 35.186.247.156
Old IP address: 35.188.42.15
Also, we are going to change the IP address of the legacy app.getsentry.com host name:
New IP address: 34.96.102.34
Old IP address: 35.188.42.15
3. Recommended ingestion domains
If you’re still using sentry.io or app.getsentry.com domains for event ingestion, please consider migrating away from them. They were superseded by organization subdomains (April 2020) which look like:
https://oXXXXX.ingest.sentry.io
You can acquire the new settings on the Platforms page or in the “SDK Setup” section of your project settings.
Timeline
June 22: Publication of this blog post.
July 3 through August 31: Series of brownouts. Throughout July and August, we are going to switch the DNS A records to the new IP addresses. Also, non-encrypted HTTP ingestion will be disabled during these brownouts. The purpose is to provide Sentry customers a warning and allow some time to make corresponding changes to network configurations. Keep an eye on our StatusPage for exact dates.
September 1: Complete switch of DNS A records to new IP addresses and disabling non-encrypted HTTP.
We’ll be updating this blog post with relevant information as we move ahead in the timeline, so please check back if this affects you.