The official answer is, unfortunately, that there is no official answer :) -- unless you consider Apple's rather sloppy approach of simply allowing all traffic to 17.0.0.0/8. Apple developer support provided the same link to the documentation as vcsjones in the first answer.
For my particular situation, I have narrowed the IP addresses down to these ranges after checking DNS regularly for the last couple of weeks. Keep in mind that these are only valid for the Midwest portion of the United States, since Apple's CDN will return a set of addresses closest to the server making the query.
For gateway.push.apple.com, I'm opening ports 2195 and 2196 on my firewall for:
17.149.35.0/24
17.172.238.0/24
For gateway.sandbox.push.apple.com, I'm opening ports 2195 and 2196 on my firewall for:
17.149.34.66
17.149.34.65
17.172.233.65
17.172.233.66
Since these addresses are obviously subject to change, I've built in some monitoring for my application to detect when the APNS servers are no longer reachable (and fall back to these address ranges instead of using DNS). It's not the ideal solution, but it will have to work for now until I can work out a solution with my corporate network / firewall teams...
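A drift check for the allowlist in the answer above, as an added example that is not part of the original answer: it classifies the addresses DNS currently returns against the firewall ranges, so a rotation in Apple's address pool shows up before pushes start failing. The function names and the sample addresses are assumptions made for illustration; the ranges and 17.0.0.0/8 come from the answer.

```python
import ipaddress
import socket

# Ranges copied from the answer above (valid for the poster's region only).
ALLOWED = {
    "gateway.push.apple.com": ["17.149.35.0/24", "17.172.238.0/24"],
    "gateway.sandbox.push.apple.com": [
        "17.149.34.65/32", "17.149.34.66/32",
        "17.172.233.65/32", "17.172.233.66/32",
    ],
}
APPLE_BLOCK = ipaddress.ip_network("17.0.0.0/8")


def resolve(host, port=2195):
    """Return the set of IPv4 addresses DNS currently hands out for host."""
    infos = socket.getaddrinfo(host, port, socket.AF_INET, socket.SOCK_STREAM)
    return {info[4][0] for info in infos}


def audit(host, addresses):
    """Classify resolved addresses against the firewall allowlist for host."""
    nets = [ipaddress.ip_network(n) for n in ALLOWED[host]]
    report = {"allowed": [], "blocked": [], "not_apple": []}
    for addr in sorted(addresses, key=ipaddress.ip_address):
        ip = ipaddress.ip_address(addr)
        if ip not in APPLE_BLOCK:
            # Answer outside Apple's block: treat as a DNS problem, never allowlist it.
            report["not_apple"].append(addr)
        elif any(ip in n for n in nets):
            report["allowed"].append(addr)
        else:
            # Apple address the firewall would drop: the allowlist has drifted.
            report["blocked"].append(addr)
    return report


if __name__ == "__main__":
    # Constructed sample DNS answers so the example runs offline;
    # in production pass resolve(host) instead.
    sample = {"17.149.35.170", "17.172.238.216", "17.110.226.12", "203.0.113.9"}
    print(audit("gateway.push.apple.com", sample))
```

Run it on a schedule and alert on any non-empty `blocked` or `not_apple` list; a `blocked` entry is the cue to raise a firewall change request rather than to widen the rule automatically.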