Loopback IP Ranges

Last modified on July 3, 2024

By default, your StrongDM organization assigns each resource a port on the 127.0.0.1 IP address, which is the address and port that clients reach out to with traffic for that resource. These ports can be overridden and set to specific ports, as necessary. To learn more about how ports are assigned and overridden, see the Port Overrides section.

Should an organization require a large amount of resources, beyond the available ports on the default local address (around 60,000 unique ports), you may specify a larger loopback range to use for your organization.

Effects of Expanding the Loopback Range

Once the loopback range is expanded, when an organization creates a resource without providing a bind address or port, that resource has these values auto-assigned as always, but can automatically iterate through as many IP addresses as configured by this multi loopback setting. Additionally, when resources are created, they can be directly assigned to IPs within the configured range, if desired.

Service Installation for macOS Users

When your organization is configured with a non-default loopback range, if a user on macOS attempts to access a resource that is accessible at a non-default loopback address, they receive a notification. In the Desktop App, they are then instructed to install the StrongDM System Service via a banner alert. This service requires administrator privileges to install. The installed service sets up aliases on the user device’s operating system for whatever loopback addresses are configured as needed by a user.

Users on Windows or Linux operating systems do not have this interaction, as those operating systems already bind all 127.* addresses to the loopback interface.

Configure Loopback Range

To set a larger available range of addresses for your organization, you can use the Admin UI or the CLI to configure your loopback range.

Loopback Settings in the Admin UI

In the Admin UI on the Settings > Networking page, in the Loopback Settings section.

Settings for Loopback Range
Settings for Loopback Range

You can use the Loopback IP Range or Subnet Mask field to set ranges in terms of explicit start and end IPs (127.0.0.5-127.0.0.10) or in terms of a mask, between 32 and 24.

Loopback Settings in the CLI

You can use the sdm admin organization update command in the CLI to update the range of available addresses as well:

sdm admin organization update --loopback-range

See the CLI reference for details.