This article describes recommendations for configuring a firewall for use with Zendesk. As part of these recommendations, a list of Zendesk’s public IP addresses are available from the Zendesk API.
This article includes the following sections:
- About IP address configurations
- Getting the IP addresses
- Getting IP addresses for outbound email servers
- Getting IP addresses for additional Zendesk products
About IP address configurations
- If your server policy restricts inbound traffic only, creating an allowlist with the list of IP addresses should suffice.
If you filter both inbound and outbound traffic:
- Zendesk highly recommends creating an allowlist with both the fully qualified domain name (FQDN) of your Zendesk subdomain as well as the IP addresses you get using the Zendesk API.
- If the firewall doesn’t support creating an FQDN-based allowlist, Zendesk recommends you disable outbound filtering or upgrade to a firewall that supports this feature rather than try to restrict outbound traffic using IP addresses only, which can cause issues.
- If you can’t disable outbound filtering or upgrade your firewall, you can temporarily work around this by resolving your FQDN to an IP address using a DNS lookup tool. However, because the IP address can change at any time, Zendesk doesn't recommend using this method.
Getting the IP addresses
You can use the Zendesk API to get the most-recent list of IP addresses.
To get the IP addresses
Use the following Get Zendesk Public IPs endpoint in the Zendesk API to list the main Zendesk ingress and egress IP addresses:
The endpoint doesn’t require authentication so you can use it in a web browser.
Getting IP addresses for outbound email servers
The IP addresses of outbound email servers are listed in our SPF record, which we update as needed.
Our SPF record can be read using a lookup tool or by using these commands:
host -t TXT mail.zendesk.comor
dig txt mail.zendesk.com
Getting IP addresses for additional Zendesk products
Some Zendesk products require additional IP addresses.
If you’re using Zendesk Talk, specific IP addresses need to be accessible. For a list of IP addresses, see Talk network requirements.
If you’re using Zendesk Chat, specific IP addresses might need to be accessible. For details on how to configure your firewall for Chat, see Zendesk Chat system requirements.
To create an allowlist for Zendesk Explore, configure your firewall to allow these records as the trusted origins:
- JIRA integration (Pod 19)
- Zendesk Insights
For information about obtaining and creating an allowlist of GoodData IP addresses for Insights, see IP Whitelisting on the GoodData web site.