This article describes recommendations for configuring a firewall for use with Zendesk. As part of these recommendations, a list of Zendesk’s public IP addresses is available from the Zendesk API.
This article includes the following sections:
- About IP address configurations
- Getting the IP addresses
- Getting IP addresses for outbound email servers
- Getting IP addresses for additional Zendesk products
About IP address configurations
- If your server policy restricts inbound traffic only, creating an allowlist with the list of IP addresses should suffice.
- If you filter both inbound and outbound traffic:
  - Zendesk highly recommends creating an allowlist with both the fully qualified domain name (FQDN) of your Zendesk subdomain as well as the IP addresses you get using the Zendesk API.
  - If the firewall doesn’t support creating an FQDN-based allowlist, Zendesk recommends you disable outbound filtering or upgrade to a firewall that supports this feature rather than try to restrict outbound traffic using IP addresses only, which can cause issues.
  - If you can’t disable outbound filtering or upgrade your firewall, you can temporarily work around this by resolving your FQDN to an IP address using a DNS lookup tool. However, because the IP address can change at any time, Zendesk doesn't recommend using this method.
Getting the IP addresses
You can use the Zendesk API to get the most recent list of IP addresses.
To get the IP addresses
- Use the following Get Zendesk Public IPs endpoint in the Zendesk API to list the main Zendesk ingress and egress IP addresses:
https://{your-subdomain}.zendesk.com/ips
The endpoint doesn’t require authentication so you can use it in a web browser.
IP addresses are listed using Classless Inter-Domain Routing (CIDR) notation. You can convert IP addresses using a CIDR utility tool.
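The following is an added example, not Zendesk's code: given two saved copies of the CIDR list (however you obtained them), it normalizes entries that lack a mask, removes duplicates, reports only what changed, and holds back any added range that is non-public or broader than a chosen limit before it reaches the firewall. The function names, the /16 limit, and the sample lists are assumptions made for illustration.

```python
import ipaddress

MIN_PREFIX_V4 = 16  # assumption: never auto-apply an IPv4 range broader than /16


def _key(net):
    return (net.version, net.network_address, net.prefixlen)


def normalize(entries):
    """Parse entries into a sorted, de-duplicated list of networks.

    A bare address ("54.88.153.44") becomes a /32. strict=True makes an
    entry with host bits set raise ValueError instead of being widened.
    """
    nets = {ipaddress.ip_network(e.strip(), strict=True) for e in entries if e.strip()}
    return sorted(nets, key=_key)


def diff(old, new):
    """Return (added, removed) between two snapshots of the published list."""
    old_set, new_set = set(normalize(old)), set(normalize(new))
    return sorted(new_set - old_set, key=_key), sorted(old_set - new_set, key=_key)


def needs_review(added):
    """Added ranges that should stop an unattended firewall update."""
    return [n for n in added
            if not n.is_global or (n.version == 4 and n.prefixlen < MIN_PREFIX_V4)]


def covering_entry(address, allowlist):
    """Return the allowlist network that contains address, or None."""
    ip = ipaddress.ip_address(address)
    return next((n for n in normalize(allowlist) if ip in n), None)


# Constructed sample snapshots (not a current copy of Zendesk's list).
OLD = ["18.233.240.4/32", "35.171.179.180/32", "54.88.153.44",
       "54.88.153.44/32", "199.127.232.0/22"]
NEW = ["18.233.240.4/32", "35.171.179.180/32", "199.127.232.0/22",
       "34.253.42.1", "10.0.0.0/8"]  # 10.0.0.0/8 simulates a tampered entry

if __name__ == "__main__":
    added, removed = diff(OLD, NEW)
    print("added:  ", [str(n) for n in added])
    print("removed:", [str(n) for n in removed])
    print("hold for review:", [str(n) for n in needs_review(added)])
    print("199.127.233.10 matched by:", covering_entry("199.127.233.10", OLD))
```

`covering_entry` is also useful when a service log shows a rejected source address and you need to know whether any allowlisted range should have matched it.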
Getting IP addresses for outbound email servers
The IP addresses of outbound email servers are listed in our SPF record, which we update as needed.
- Our SPF record can be read using a lookup tool or by using these commands:
host -t TXT mail.zendesk.com
or
dig txt mail.zendesk.com
Note: Due to server and IP rotation on our mail server's end, we do not support the use of IPs to validate your record. While using IPs may work within the SPF record, it's likely to cause issues down the road, when an IP or mail server rotation occurs.
Getting IP addresses for additional Zendesk products
Some Zendesk products require additional IP addresses.
- Zendesk Talk
  If you’re using Zendesk Talk, specific IP addresses need to be accessible. For a list of IP addresses, see Talk network requirements.
- Zendesk Chat
  If you’re using Zendesk Chat, specific IP addresses might need to be accessible. For details on how to configure your firewall for Chat, see Zendesk Chat system requirements.
- Zendesk Explore
  To create an allowlist for Zendesk Explore, configure your firewall to allow these records as the trusted origins:
- JIRA integration (Pod 19)
  18.233.240.4/32
  35.171.179.180/32
  54.88.153.44/32
- Zendesk Insights
  For information about obtaining and creating an allowlist of GoodData IP addresses for Insights, see IP Whitelisting on the GoodData web site.
75 Comments
Hi there,
We had some issues with our Jira integration yesterday. We couldn't link Zendesk tickets to Jira anymore.
We noticed a lot of traffic coming from IP 34.253.42.1 (Amazon).
When we whitelisted this IP, the integration worked again.
Is it possible you are using additional IPs that are not documented above?
Thanks!
Regards,
Bart
Hi everyone! Please note that the list of IPs in this article has been updated.
Hey Bart,
That looks like one of the ones we recently added to the list, so you should be good going forward.
Please can we have this list accessible through the api or via a published xml document that we can use to automate this process?
Hey Benjamin!
That's a good suggestion...I'll be sure to pass it along!
The following IPs have been deprecated and removed from the list:
Hi there,
We had some issues with our API calls integration. Basically we are developing Zendesk widgets using ZAF and calling our internal services from it. We have two clusters with a similar setup and the same widgets.
In cluster one, we do an IP whitelist with the help of the IP range mentioned in this article, and the calls work fine.
In cluster two, we do the same process, but the calls get rejected with a 4xx error; basically our service is rejecting the requester/caller IP. When we tail the logs from our service we get this IP:
36.69.145.22
I don't think it's anywhere on your list. API calls from a Zendesk widget should be server-side, right?
Also, is there any way or any API that maintains all of the Zendesk public IPs so we don't have to do the process manually? (As you said, the list gets updated from time to time, right?)
Hey Tidar!
Looks like you already have a separate ticket open with us and someone from support has reached out. :)
Unfortunately we do not have any API endpoint that contains all of the Zendesk Public IPs yet.
I'll make sure to get this feature request passed along to the correct team.
Hi there,
Do you know how often IPs change? This will inform decisions about how we manage this whitelisting.
Thanks
Hi, all. We've just added a few new IP addresses to the list:
104.18.70.113
104.18.71.113
104.18.72.113
104.18.73.113
104.18.74.113
Hey Roberto!
Thanks for leaving us with your question :)
From what I understand, there isn't a set pattern on the changing behaviors of an IP address, but they can change at any point in time. However, it isn't a change that doesn't happen very often.
Hope that helps!
Hi all, I've just added the following new IP addresses to this article.
Thanks for all the updates, it's great to see!
With the introduction of Cloudflare, I wonder if there's a delineation between IPs that Zendesk might reach out on, vs ones we might need to allow to reach Zendesk?
Thanks!
Thanks for removing from the article list the 3 that Jessie said were removed on 6/12/18. Also found there are 3 IPs listed twice on the article list, just fyi on the duplicates.
52.203.0.71/32
52.203.58.200/32
52.63.26.17/32
Thanks,
John, thanks for the heads-up about the duplicates. Appreciate it! I've now removed them.
Not all entries end in their mask (eg some are missing /32)
for those who love to copy & paste, could we get the main list preened to show exact IP range?
Thanks!
Hi all, the following IPs have been removed from the list:
Hi All,
Can Zendesk add an API endpoint that returns an array of IPs used based on your current Pod so that we can programmatically update our internal access controls?
This will require some level of security, authentication and for sure some kind of encryption.
I see it as risky action. Imagine the packets in the network get successfully intercepted (by some good man in the middle attacker focussed in your network) when after you perform the get action to get the list of IP addresses of Zendesk by some job. Then, he can actually inject his IP addresses into the list and open up your firewall for further attacks.
What do you think?
It would need to be secured just like the rest of the Core API endpoints. It would also need to gather details about your current pod so that it could provide an accurate list for each customer based on that pod.
https://developer.zendesk.com/rest_api/docs/core/introduction#security-and-authentication
This is a fairly annoying way to do things. I'd like to add my voice to requesting an API endpoint to retrieve these, even better being able to narrow this down to our pod only... doesn't work when I lookup the A record and whitelist that only. Adding this many addresses to my whitelist makes me anxious...
It would really be appreciated if you guys could either use gateways for outbound traffic, or tell us what they are. Anyone that leaves unnecessary ports open to the world these days is crazy, but to try to constantly update a whitelist after hearing from users that integrations aren't working is frustrating. If the machines are set to route out a number of common gateways and those were listed, it would make it MUCH easier to whitelist those gateway addresses that we need to allow in for JIRA integration. Just my $0.02.
So far we have around 100 IPs to whitelist - can we please reduce this to less than 5?
upvote for Joe Koenig - thanks!
Added two new ingress IPs:
I've been following this article for some time now and maintaining the list of IPs we whitelist with all the post updates for removals and new additions, with the latest 2 new ones as of 10/19/18. I was comparing my full list I had to the main master list of the article. I had 86 total IPs on my list, but the main article list has 98 IPs. So I found there were these 12 new IPs that are on the master list that I did not have on my list. I searched all the postings to see if maybe I missed a post about them, but didn't see anything.
So here are the 12 IPs I see were added without a post update, any idea the date these were added?
Hi John,
Most of the ones on your list were added on August 14th this year.
These three were not added at that time (and I haven't been able to determine when they were added):
Thanks Jennifer & team for continuing to keep this list up to date — we all greatly appreciate it!
I saw that the list was updated.. here's a fresh post of IPs. I've added subnet masks to all, and sorted them, because that makes it easier for us to see what's changed.
Thanks, Allen!
@Allen Hancock or Zendesk - Any chance we can just have a list of only what's changed in this last update?