Laravel Forge & Vultr API

Wanted to setup a server at Vultr using my Laravel Forge account for a new WordPress customer of mine. Recommended Vultr as they are well represented in Australia. For this API key to work Vultr asks you to add the subnet of the location where the request comes from. 

Laravel Forge’s Subnet

Had a real hard time finding the proper subnet or CIDR as I wrote at the Laracasts forum:

Vultr asks for a subnet, not an ip address. Seems Laravel Forge is on a Cloudflare ip range, but when I added it I somehow still got blocked so I must be doing something wrong. Then I checked some again and via I saw the CIDR and tried. No joy yet either. Then I found and added a CIDR for these two mentioned ip addresses: and it still failed..

So I decided to look for help at the source..

Laravel Forge

I decided to ask Laravel Forge itself via their HelpScout Chat function and was told by Taylor himself that they normally request to accept requests from any endpoint to make this work.

Vultr and API Security

Vultr really discourages this from their security standpoint of view. They mention this when you are about to allow all ipv4 addresses to access the API

Are you sure you want to allow access from any IPv4 address? We recommend using a strict list of allowed hosts, in order to ensure the security of your account.

My Point of View

Of course when you have a solid API key and take well care of this it should not be a real issue. On the other hand, filtering on ip subnet and disallowing all the other blocks does save you a load of probes.

There is however an alternative way. You can temporarily allow full access, set up the server and then remove it all again.

All Access Test

We did an all access test and still had an error 400 or error meaning API location was not allowed. Decided to check current regions allowed

curl -H 'API-Key: xxxxxxxxxxxxxxxxx'
{"6":{"DCID":"6","name":"Atlanta","country":"US","continent":"North America","state":"GA","ddos_protection":false,"block_storage":false,"regioncode":"ATL"},"2":{"DCID":"2","name":"Chicago","country":"US","continent":"North America","state":"IL","ddos_protection":true,"block_storage":false,"regioncode":"ORD"},"3":{"DCID":"3","name":"Dallas","country":"US","continent":"North America","state":"TX","ddos_protection":true,"block_storage":false,"regioncode":"DFW"},"5":{"DCID":"5","name":"Los Angeles","country":"US","continent":"North America","state":"CA","ddos_protection":true,"block_storage":false,"regioncode":"LAX"},"39":{"DCID":"39","name":"Miami","country":"US","continent":"North America","state":"FL","ddos_protection":true,"block_storage":false,"regioncode":"MIA"},"1":{"DCID":"1","name":"New Jersey","country":"US","continent":"North America","state":"NJ","ddos_protection":true,"block_storage":true,"regioncode":"EWR"},"4":{"DCID":"4","name":"Seattle","country":"US","continent":"North America","state":"WA","ddos_protection":true,"block_storage":false,"regioncode":"SEA"},"12":{"DCID":"12","name":"Silicon Valley","country":"US","continent":"North America","state":"CA","ddos_protection":true,"block_storage":false,"regioncode":"SJC"},"40":{"DCID":"40","name":"Singapore","country":"SG","continent":"Asia","state":"","ddos_protection":false,"block_storage":false,"regioncode":"SGP"},"7":{"DCID":"7","name":"Amsterdam","country":"NL","continent":"Europe","state":"","ddos_protection":true,"block_storage":false,"regioncode":"AMS"},"25":{"DCID":"25","name":"Tokyo","country":"JP","continent":"Asia","state":"","ddos_protection":false,"block_storage":false,"regioncode":"NRT"},"8":{"DCID":"8","name":"London","country":"GB","continent":"Europe","state":"","ddos_protection":true,"block_storage":false,"regioncode":"LHR"},"24":{"DCID":"24","name":"Paris","country":"FR","continent":"Europe","state":"","ddos_protection":true,"block_storage":false,"regioncode":"CDG"},"9":{"DCID":"9","name":"Frankfurt","country":"DE","continent":"Europe","state":"","ddos_protection":true,"block_storage":false,"regioncode":"FRA"},"22":{"DCID":"22","name":"Toronto","country":"CA","continent":"North America","state":"","ddos_protection":false,"block_storage":false,"regioncode":"YTO"},"19":{"DCID":"19","name":"Sydney","country":"AU","continent":"Australia","state":"","ddos_protection":false,"block_storage":false,"regioncode":"SYD"}}%

And I did see Sydney there listed still as it should with DCID 19.

When I compared that to the request by Laravel Forge that seemed fine

{provider: "vultr", credential: 63183, name: "sm-prod", size: "01", region: "19", nodeBalancer: false,…}
aws_subnet_id: ""
aws_vpc_id: ""
aws_vpc_name: ""
backups: false
credential: 63183
database: "forge"
database_type: "mysql"
ip_address: ""
name: "xx-prod"
nodeBalancer: false
php_version: "php73"
private_ip_address: ""
provider: "vultr"
recipe: ""
region: "19"
size: "01"
ssh_port: 22
timezone: "Asia/Jakarta"

Vultr Ticket

So we opened a ticket with them. Perhaps the old API settings still lingered? They initially simply mentioned this was an issue outside their network, but the fact that despite opening up to all I still kept getting an error 400 which means

Invalid API location. Check the URL that you are using.

And that could no longer be the case.

No Payment Method, No Deployments

Then checking the account status I saw that a payment method had not been added… And without it you cannot deploy servers!

You are almost ready to deploy servers – please link a payment method to get started!

So that was the issue. Once we had that taken care of all was fine and we could deploy from Laravel Forge

Jasper Frumau

Jasper has been working with web frameworks and applications such as Laravel, Magento and his favorite CMS WordPress including Roots Trellis and Sage for more than a decade. He helps customers with web design and online marketing. Services provided are web design, ecommerce, SEO, content marketing. When Jasper is not coding, marketing a website, reading about the web or dreaming the internet of things he plays with his son, travels or run a few blocks.