This article describes our recommendations for configuring a firewall for use with Zendesk. The Zendesk cloud is hosted by Amazon Web Services (AWS). As part of these recommendations, we’ve included a link to download AWS IP address ranges for your reference.
- If your server policy restricts inbound traffic only, whitelisting the AWS IP addresses should suffice.
- If you filter both inbound and outbound traffic:
- We highly recommend whitelisting with both the Fully Qualified Domain Name (FQDN) of your Zendesk subdomain as well as the AWS IP addresses.
- If the firewall doesn’t support FQDN-based whitelisting, we recommend you disable outbound filtering or upgrade to a firewall that supports this feature. rather than try to restrict outbound traffic using IPs only, which can cause issues. If you can’t disable outbound filtering or upgrade your firewall you can temporarily work around this by resolving your FQDN to an IP address using this DNS Lookup Tool. However, because the IP address can change at any time, we don’t recommend using this method.
IP addresses
Refer to AWS IP address ranges to download a list of the Zendesk public IP addresses.
- To be notified about IP address changes, subscribe to AWS IP Address Ranges Notifications.
- Alternatively, to maintain history, Amazon recommends saving successive versions of the .json file on your system. You can write a script to do this. To determine whether there have been changes since the last time that you saved the file, check the publication time in the current file and compare it to the publication time in the last file that you saved.
Outbound Email Servers IP addresses are listed in our SPF record, which we update as needed. Our SPF record can be read using this Lookup Tool or by using these commands:
host -t TXT mail.zendesk.com
or
dig txt mail.zendesk.com
IP addresses used by Insights
For information about obtaining and whitelisting GoodData IP addresses for Insights, see IP Whitelisting on the GoodData web site.
Whitelisting Explore
For whitelisting Explore, configure your firewall to allow these records as the trusted origins:
66 Comments
Hi there,
We had some issues with our Jira integration yesterday. we couldn't link zendesk tickets to Jira anymore.
We noticed a lot of traffic coming from IP 34.253.42.1 (amazon)
When we whitelisted this IP, the integration worked again.
Is it possible you are using additional IP's that are not documented above?
Thanks!
Regards,
Bart
Hi everyone! Please note that the list of IPs in this article has been updated.
Hey Bart,
That looks like one of the ones we recently added to the list, so you should be good going forward.
Please can we have this list accessible through the api or via a published xml document that we can use to automate this process?
Hey Benjamin!
That's a good suggestion...I'll be sure to pass it along!
The following IPs have been deprecated and removed from the list:
Hi there,
We had some issues with our API calls integration. Basically we are developing zendesk widgets using ZAF and calls our internal services from it. We have two clusters with similar setup and same widgets.
Cluster one, we do IP whitelist with the help of IP range mentioned in this article, and the call working fine.
Cluster two, we do the same process, but the calls getting rejected with 4xx error, basically our service rejecting the requester/caller IP. When we tail the logs from our service we get this IP:
36.69.145.22
I dont this its anywhere there on your list. API call from zendesk widget should be server sided right?
Also is there any way or any API that maintain all iof the zendesk public IPs so we dont have to do the process manually? (as you said the list gets updated from time to time, right?)
Hey Tidar!
Looks like you already have a separate ticket open with us and someone from support has reached out. :)
Unfortunately we do not have any API endpoint that contains all of the Zendesk Public IPs yet.
I'll make sure to get this feature request passed along to the correct team.
Hi there,
Do you know how often IPs change? This will inform decisions about how we manage this whitelisting.
Thanks
Hi, all. We've just added a few new IP addresses to the list:
104.18.70.113
104.18.71.113
104.18.72.113
104.18.73.113
104.18.74.113
Hey0 Roberto!
Thanks for leaving us with your question :)
From what I understand, there isn't a set pattern on the changing behaviors of an IP address, but they can change at any point in time. However, it isn't a change that doesn't happen very often.
Hope that helps!
Hi all, I've just added the following new IP addresses to this article.
18.233.240.4/32
35.171.179.180/32
54.88.153.44/32
34.199.96.193/32
35.153.123.152/32
52.2.33.185/32
54.190.230.46/32
54.71.249.105/32
54.245.210.112/32
52.33.130.83/32
54.203.161.166/32
54.200.201.186/32
52.214.141.52/32
52.31.82.113/32
52.49.113.232/32
34.254.62.10/32
34.247.211.51/32
34.253.246.236/32
18.184.231.213/32
18.194.206.174/32
18.197.30.168/32
18.185.65.168/32
18.185.52.110/32
18.194.247.215/32
18.206.72.19/32
34.197.211.159/32
54.172.209.60/32
34.206.241.1/32
34.225.199.37/32
54.172.126.223/32
50.112.215.172/32
52.36.128.200/32
54.71.103.5/32
54.203.135.202/32
54.203.198.138/32
52.43.45.99/32
Thanks for all the updates, it's great to see!
With the introduction of cloudflare, I wonder if there's a delineation between IPs that Zendesk might reach out on, vs ones we might need to allow to reach Zendesk?
Thanks!
Thanks for removing from the article list the 3 that Jessie said were removed on 6/12/18. Also found there are 3 IPs listed twice on the article list, just fyi on the duplicates.
52.203.0.71/32
52.203.58.200/32
52.63.26.17/32
Thanks,
John, thanks for the heads-up about the duplicates. Appreciate it! I've now removed them.
Not all entries end in their mask (eg some are missing /32)
for those who love to copy & paste, could we get the main list preened to show exact IP range?
Thanks!
Hi all, the following IPs have been removed from the list:
52.214.141.52
52.31.82.113
52.49.113.232
34.254.62.10
34.247.211.51
34.253.246.236
18.184.231.213
18.194.206.174
18.197.30.168
18.185.65.168
18.185.52.110
18.194.247.215
50.112.215.172
52.36.128.200
54.71.103.5
54.203.135.202
54.203.198.138
52.43.45.99
Hi All,
Can Zendesk add an API endpoint that returns an array of IPs used based on your current Pod so that we can programmatically update our internal access controls?
This will require some level of security, authentication and for sure some kind of encryption.
I see it as risky action. Imagine the packets in the network get successfully intercepted (by some good man in the middle attacker focussed in your network) when after you perform the get action to get the list of IP addresses of Zendesk by some job. Then, he can actually inject his IP addresses into the list and open up your firewall for further attacks.
What do you think?
It would need to be secured just like the rest of the Core API endpoints. It would also need to gather details about your current pod so that it could provide an accurate list for each customer based on that pod.
https://developer.zendesk.com/rest_api/docs/core/introduction#security-and-authentication
This is a fairly annoying way to do things. I'd like to add my voice to requesting an API endpoint to retrieve these, even better being able to narrow this down to our pod only... doesn't work when I lookup the A record and whitelist that only. Adding this many addresses to my whitelist makes me anxious...
It would really be appreciated if you guys could either use gateway's for outbound traffic, or tell us what they are. Anyone that leaves unnecessary ports open to the world these days is crazy, but to try to constantly update a whitelist after hearing from users that integrations aren't working is frustrating. If the machines are set to route out a number of common gateways and those were listed, it would make it MUCH easier to whitelist those gateway addresses that we need to allow in for JIRA integration. Just my $0.02.
so far we have around 100 ip's to whitelist - can we please reduce this to less than 5?
upvote for Joe Koenig - thanks!
Added two new ingress IPs:
I've been following this article for some time now and maintaining the list of IPs we whitelist with all the post updates for removals and new additions, with the latest 2 new ones as of 10/19/18. I was comparing my full list I had to the main master list of the article. I had 86 total IPs on my list, but the main article list has 98 IPs. So I found there were these 12 new IPs that are on the master list that I did not have on my list. I searched all the postings to see if maybe I missed a post about them, but didn't see anything.
So here are the 12 IPs I see were added without a post update, any idea the date these were added?
18.205.33.7/32
18.236.24.80/32
199.127.232.0/22
199.255.192.0/22
23.22.136.103/32
34.198.132.11/32
34.225.61.68/32
52.0.60.126/32
52.36.216.7/32
52.87.17.117/32
54.213.203.82/32
54.240.0.0/18
Hi John,
Most of the ones on your list were added on August 14th this year.
These three were not added at that time (and I haven't been able to determine when they were added):
Thanks Jennifer & team for continuing to keep this list up to date — we all greatly appreciate it!
I saw that the list was updated.. here's a fresh post of IPs. I've added subnet masks to all, and sorted them, because that makes it easier for us to see what's changed.
Thanks, Allen!
@Allen Hancock or Zendesk - Any chance we can just have a list of only what's changed in this last update?
Please sign in to leave a comment.