This article describes recommendations for configuring a firewall for use with Zendesk. As part of these recommendations, a list of Zendesk’s public IP addresses are available from the Zendesk API. 

This article includes the following sections:

• About IP address configurations
• Getting the IP addresses
• Getting IP addresses for outbound email servers
• Getting IP addresses for additional Zendesk products
• Network allowlist configuration for Zendesk products

About IP address configurations

• Port 443 is a crucial component when integrating your firewall with Zendesk, primarily because it is the designed port for HTTPS traffic. Be sure to allow Zendesk traffic through this port.
• If your server policy restricts inbound traffic only, creating an allowlist with the list of IP addresses should suffice.
• If you filter both inbound and outbound traffic:
  • Zendesk highly recommends creating an allowlist with both the fully qualified domain name (FQDN) of your Zendesk subdomain as well as the IP addresses you get using the Zendesk API. 
  • If the firewall doesn’t support creating an FQDN-based allowlist, Zendesk recommends you disable outbound filtering or upgrade to a firewall that supports this feature rather than try to restrict outbound traffic using IP addresses only, which can cause issues.
  • If you can’t disable outbound filtering or upgrade your firewall, you can temporarily work around this by resolving your FQDN to an IP address using a DNS lookup tool. However, because the IP address can change at any time, Zendesk doesn't recommend using this method.

Getting the IP addresses

You can use the Zendesk API to get the most-recent list of IP addresses.

To get the IP addresses

• Use the following Get Zendesk Public IPs endpoint in the Zendesk API to list the main Zendesk ingress and egress IP addresses:
  

  https://{your-subdomain}.zendesk.com/ips

The endpoint doesn’t require authentication so you can use it in a web browser.

IP addresses are listed using Classless Inter-Domain Routing (CIDR) notation. You can convert IP addresses using a CIDR utility tool. 

Getting IP addresses for outbound email servers

The IP addresses of outbound email servers are listed in our SPF record, which we update as needed.

• Our SPF record can be read using a lookup tool or by using these commands:
  

  host -t TXT mail.zendesk.com
  

  or

  dig txt mail.zendesk.com

Getting IP addresses for additional Zendesk products

Some Zendesk products and features require additional IP addresses. 

• Zendesk Talk
  If you’re using Zendesk Talk, specific IP addresses need to be accessible. For a list of IP addresses, see Talk network requirements.
• Zendesk Chat
  If you’re using Zendesk Chat, specific IP addresses might need to be accessible. For details on how to configure your firewall for Chat, see Zendesk Chat system requirements.
• JIRA integration (Pod 19)
  18.233.240.4/32
  35.171.179.180/32
  54.88.153.44/32
  216.198.0.0/18
• Zendesk Explore
  If you're using Zendesk Explore, specific IP addresses need to be accessible. See Allowing network IP addresses for Explore.
• Zendesk Sell 
  If you're using Zendesk Sell, specific IP addresses need to be accessible to support Sell email integration. See Configuring allowlist IP addresses
• Zendesk Marketplace
  If you're using Zendesk Marketplace or other pages located on www.zendesk.com, specific IP addresses need to be accessible. Contact Zendesk Customer Support for more information. 

Network allowlist configuration for Zendesk products

Some Zendesk products and features require entries to your network allowlist.

• Data importer
  If you're using the data importer to bulk import data into Zendesk, add
  *-data-importer*.s3.*.amazonaws.com to your network allowlist. 
• Zendesk Guide
  Zendesk Guide uses Amazon Web Services (AWS) S3 to store uploaded images. If you're using Zendesk Guide, add uploaded-assets-*.s3.*.amazonaws.com to your network allowlist to ensure your images will upload properly.