English (US)
  1. Zendesk help
  2. Cross Product
  3. Cross-product features
  4. Managing global security and user access

Configuring your firewall for use with Zendesk

Lisa Kelly
  • Edited

This article describes our recommendations for configuring a firewall for use with Zendesk. As part of these recommendations, we’ve included a list of Zendesk’s public IP addresses for your reference below. 

  • If your server policy restricts inbound traffic only, whitelisting the list of IPs below should suffice.
  • If you filter both inbound and outbound traffic:
    • We highly recommend whitelisting with both the Fully Qualified Domain Name (FQDN) of your Zendesk subdomain as well as the IP addresses below.
    • If the firewall doesn’t support FQDN-based whitelisting, we recommend you disable outbound filtering or upgrade to a firewall that supports this feature. rather than try to restrict outbound traffic using IPs only, which can cause issues. If you can’t disable outbound filtering or upgrade your firewall you can temporarily work around this by resolving your FQDN to an IP address using this DNS Lookup Tool. However, because the IP address can change at any time, we don’t recommend using this method.

IP Addresses

The following list includes the Zendesk public IP addresses.

Note: This is not a complete list of IP addresses needed to use Zendesk products. If you're on a Pod numbered 12 or above, you may see some IP addresses slightly outside these ranges due to AWS networking.

IP addresses are listed using Classless Inter-Domain Routing (CIDR) notation. You can convert IP addresses using this CIDR Utility Tool. If you are using Zendesk Talk, specific IP addresses will need to be accessible. For a list of IP addresses, see Talk network requirements.

  • 13.210.202.182/32
  • 13.211.9.239/32
  • 13.211.27.207/32
  • 13.55.4.222/32
  • 13.55.84.43/32
  • 13.55.104.134/32
  • 18.194.213.105
  • 18.195.109.170/32
  • 18.196.192.91/32
  • 18.196.61.131/32
  • 18.196.66.109/32
  • 18.205.33.7/32
  • 18.206.72.19/32
  • 18.233.240.4/32
  • 18.236.24.80/32
  • 23.22.136.103/32
  • 34.197.119.172/32
  • 34.197.211.159/32
  • 34.198.132.11/32
  • 34.199.96.193/32
  • 34.206.241.1/32
  • 34.214.170.210/32
  • 34.216.174.56/32
  • 34.225.199.37/32
  • 34.225.61.68/32
  • 34.251.237.213/32
  • 34.253.42.1/32
  • 35.153.123.152/32
  • 35.158.67.8/32
  • 35.167.245.158/32
  • 35.171.179.180/32
  • 35.172.245.139/32
  • 35.173.105.139/32
  • 35.174.158.178/32
  • 35.174.160.246/32
  • 52.0.60.126/32
  • 52.2.33.185/32
  • 52.21.112.236/32
  • 52.27.183.82/32
  • 52.34.190.153/32
  • 52.36.216.7/32
  • 52.63.26.17/32
  • 52.63.132.21/32
  • 52.209.40.193/32
  • 52.209.118.114/32
  • 52.203.0.71/32
  • 52.203.58.200/32
  • 52.210.87.214/32
  • 52.210.245.193/32
  • 52.214.140.202/32
  • 52.33.130.83/32
  • 52.34.200.91/32
  • 52.37.212.231/32
  • 52.37.220.11/32
  • 52.43.228.19/32
  • 52.57.0.38
  • 52.57.21.10/32
  • 52.58.121.97
  • 52.192.205.30/32
  • 52.193.22.204/32
  • 54.71.249.105/32
  • 54.72.137.238/32
  • 54.79.46.48/32
  • 52.87.17.117/32
  • 54.88.153.44/32
  • 54.92.60.91/32
  • 54.95.12.3/32
  • 54.168.60.210/32
  • 54.172.126.223/32
  • 54.172.209.60/32
  • 54.178.87.147/32
  • 54.190.230.46/32
  • 54.194.140.222/32
  • 54.200.201.186/32
  • 54.203.161.166/32
  • 54.208.38.43/32
  • 54.213.203.82/32
  • 54.240.0.0/18
  • 54.245.210.112/32
  • 104.16.51.111
  • 104.16.52.111
  • 104.16.53.111
  • 104.16.54.111
  • 104.16.55.111
  • 104.18.70.113
  • 104.18.71.113
  • 104.18.72.113
  • 104.18.73.113
  • 104.18.74.113
  • 104.18.172.234
  • 104.18.173.234
  • 104.18.249.37
  • 104.18.248.37
  • 104.218.200.0/21
  • 185.12.80.0/22
  • 188.172.128.0/20
  • 192.161.144.0/20
  • 199.127.232.0/22
  • 199.255.192.0/22
  • 216.198.0.0/18

Outbound Email Servers IP addresses are listed in our SPF record, which we update as needed. Our SPF record can be read using this Lookup Tool or by using these commands:

host -t TXT mail.zendesk.com

or

dig txt mail.zendesk.com

Note: Due to server and IP rotation on our mail server's end, we do not support the use of IPs to validate your record. While using IPs may work within the SPF record, it's likely to cause issues down the road, when an IP or mail server rotation occurs.

IP Addresses used by Insights

For information about obtaining and whitelisting GoodData IP addresses for Insights, see IP Whitelisting on the GoodData web site.

Whitelisting Explore

For whitelisting Explore configure your firewall to allow these records as the trusted origins: 

Have more questions? Submit a request

67 Comments

Sort by Date Votes
  • Liina
    Comment actions Permalink

    Are there a new set of IPs? We've whitelisted every IP in this list but there seems to be requests from different IPs.

    0
  • Brian Green
    Comment actions Permalink

    Hi Liina,

    No new IP's here, so I've created a ticket to work with you more directly. See you there.

    0
  • Jamison Donato
    • Edited
    Comment actions Permalink

    We use a Palo Alto Networks firewall which allows use of external dynamic lists.  

    Is there a way to utilize this feature for this list so we dont have to manually update the list every time theres an IP change?  Or at least a simple txt file with these IP's listed? 

    For Reference:  

    An external dynamic list is an address object based on an imported list of IP addresses, URLs, or domain names that you can use in policy rules to block or allow traffic. This list must be a text file saved to a web server that is accessible by the firewall.

    2
  • Richard Hartley
    Comment actions Permalink

    We have been using Zendesk for a few weeks now and still haven't managed to get it working properly due to issues with our web-filtering/firewall settings.  The web filters and firewalls are managed by various 3rd parties who have said it's not their job to interpret the information in the article.  So I guess it's our job, as their customer, to do the interpreting!

    The points that they have raised are as follows:

    1. The article only lists IP’s not FQDNs – ZenDesk themselves advise not to use IPs due to their use of dynamic services in AWS.
    2. No TCP/UDP port information is provided – Can the application be assumed to use HTTP/HTTPS over TCP 80/443?
    3. Beyond the main “Zendesk” FQDN, do any other FQDN’s also need to be excluded from the proxy? This is not covered in the article – Prior to the requirement for locking down the accessible IPs we were dealing with ‘CORS’ issues, this identified the site uses multiple resources across different FQDNs. Perhaps these also need to be bypassed to avoid getting blocked by the IP restrictions filter?

    For question 1, what are the FQDNs we should be providing? I know there is [subdomain].zendesk.com which is simple enough to provide but are there more and if so, how do we know what they are?

    Sorry if these are simple questions for which the answers should be obvious.  Since they are being asked by external IT security experts, and we are already into week 4 of trying to get this resolved, I think it's worth me asking here in the hope that someone can provide the necessary answers.

     

    0
  • N & P
    • Edited
    Comment actions Permalink

    My question is regarding the disclaimer at the top of this article: 

    Note: This is not a complete list of IP addresses needed to use Zendesk products. If you're on a Pod numbered 12 or above, you may see some IP addresses slightly outside these ranges due to AWS networking.

    We are using JWT auth with the Zendesk SDK for ticketing in our app. According to our dashboard, we are hosted in a Pod numbered above 12. So, if a request comes to our JWT endpoint outside of the published list above, we will deny the request and the user will not be able to open a ticket. This is a deal breaker for us. Is it possible to move to another Pod? What are our options?

    1
  • Anders Feijen
    Comment actions Permalink

    Hi all.

    The company I work for has been using Zendesk for about a month now. The process of adapting from an MS Outlook point-of-view is beginning to show results, tickets from e-mails are being resolved.

    The main problem we're facing is the how to implement ZD Talk. Currently we can't speak to our customers in ZD Talk, due to firewall issues. We have an onpen ticket with ZD Support regarding this, which recently has been elevated to Tier2.

    Meanwhile, I'd like to check with everyone that are using ZD Talk:

    How exactly have you solved the issue of accepting traffic from the list of IP numbers that needs to be allowed for ZD Talk to function properly?

    Our IT dep. is reluctant to approve all of the IPs listed and I'm thinking that there should be other companies struggling with the same problem. We're operating from Sweden, if that could be of use, when replying to this.

    Hoping for some good advice on how to proceed!

    Best regards!

    0
  • Allen Hancock
    • Edited
    Comment actions Permalink

    Given this recent change & complete removal of IPs

     

     The Zendesk cloud is hosted by Amazon Web Services (AWS). As part of these recommendations, we’ve included a link to download AWS IP address ranges for your reference.

     

    is there any guidance offered as to which parts of AWS one would whitelist? 

    • Which region(s)?
    • Which product types.. ec2 nlb, etc

    I'm aware that to do so may broadcast a bit of infrastructure that Zendesk may not care to give out.

     

     

    0

Please sign in to leave a comment.

Related articles

Related articles

Powered by Zendesk