NANOG, We have a hybrid cloud model that includes an external cloud service that needs to reach back into our internal network. The application documentation states that this connection cannot go through a proxy server. I am not in a position to redesign this solution or change the parameters. My question to NANOG is how to manage (filter/secure) the ingress traffic from the external cloud service. Past network guy managed inbound firewall rules based on the cloud-providers source IP address, but this wasn't sustainable and led to multiple outages as the external (source) IP has changed from time to time. I can define the destination ports well enough, but not the source IP addresses. Any ideas on how I can filter this type of inbound traffic from an internet-based service? Thanks Matt