
Some of our service providers require us to provide the IP addresses of our services to them for them to safelist. It’s stupid, but it’s not something we can control.

Rather than constantly update them as our servers change, we route through a NAT. I wouldn’t know how to do it with IPv6. Maybe the service provider could safelist a subnet?




They probably wouldn’t support that. Most non-software-heavy companies outsource these sorts of projects, and making changes to their systems requires a bunch of upfront capital costs, which can be expensive, so they will push back against changes unless you are big enough to force them to or you convince them of the merits of such changes.


Depending on the type of connection, it's fairly easy to set up squid as a proxy for outbound connections, so everything appears to come from the squid box, which can have a static address and can be added to an allow list.


>Maybe the service provider could safelist a subnet?

Yes, that's what prefixes are for. Although it's impractical in the IPv4 world, in IPv6 it is the way to whitelist a range of IPs.



