Does Canonical host third-party services on their public IP ranges ?

[Julian CLEAUD]

Hello,

I am willing to secure some servers outgoing traffic. With this in mind, I reviewed 2 solutions :
- Level 7 proxy (squid or equivalent) - for HTTP/HTTPs traffic
- Level 4 firewall (netfilter or equivalent) - for port 443

With my current setup, I found out that setting up level 4 firewall would be a first step faster
to setup than setting up a proxy.
I am seriously willing to investigate about setting up a proxy on all my servers, but configuring
the firewall would be an intermediate step in the goal of securing outbound traffic.

With that in mind, I was looking for Ubuntu/Canonical ip ranges and found out thanks to the RIPE
database that every service I need to access (except Ubuntu mirrors) are hosted on the CANONICAL-AS:
https://apps.db.ripe.net/db-web-ui/query?bflag=true&dflag=false&inverse=mnt-by&rflag=false&searchtext=CANONICAL-MNT&source=RIPE&types=route

Some example of such services are:
- Ubuntu keyserver
- Ubuntu repositories (except mirrors)
- Launchpad PPAs
- Snapcraft/Snapstore

Hence, my question is rather simple:
- Is that safe to allow outbound traffic to Canonical IP ranges ?
or in other words:
- Does Canonical only host Canonical (or Ubuntu community) services on those ranges, or
  do they also host third party non-Canonical services ? (just like would Amazon host third-party services/files/... on their AWS infrastructure).

Thanks for your help.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.ubuntu.com/archives/ubuntu-users/attachments/20210722/952f9500/attachment.html>