doc(AIP-4114): Add Firewall and IP Address Guidance. (#1482)

andyrzhao · web-flow · commit aa10763f01cd · 2025-02-24T10:29:53.000-08:00
diff --git a/aip/auth/4114.md b/aip/auth/4114.md
@@ -130,12 +130,26 @@ the user. The default value **should** be "true" as of May 3, 2024. Users who
 wish to disable DCA feature **must** explicitly set this environment variable
 to "false".
 
+### Firewall and IP Address Guidance
+
+For any given GCP service, its mTLS endpoint has a different IP address compared
+to the non-mTLS endpoint but is expected to fall within the same IP range. The
+GCP guidance for IP range management is on a service by service basis. See
+[Compute Engine IP Range Documentation][3] for example. In the unlikely event
+that an end-user has configured firewall rules based on exact IP addresses
+instead of an IP range, they may be impacted by the "auto" mTLS endpoint
+upgrade behavior. The best-practice recommendation in this case would be to
+avoid adding rules that expect exact IP address matches, and instead use
+range-based IP rules following public GCP documentation.
+
 ## Changelog
 
 - **2024-11-25*: GOOGLE_API_USE_CLIENT_CERTIFICATE should default to "true" as of May 3, 2024.
+- **2025-02-20*: Add Firewall and IP Address Guidance
 
 <!-- prettier-ignore-start -->
 [0]: https://google.aip.dev/auth/4110
 [1]: https://cloud.google.com/endpoint-verification/docs/overview
 [2]: https://cloud.google.com/beyondcorp-enterprise/docs/enable-cba-enterprise-certificates
+[3]: https://cloud.google.com/compute/docs/faq#find_ip_range
 <!-- prettier-ignore-end -->
