This article describes our recommendations for configuring a firewall for use with Zendesk. The Zendesk cloud is hosted by Amazon Web Services (AWS). As part of these recommendations, we’ve included a link to download AWS IP address ranges for your reference.
- If your server policy restricts inbound traffic only, whitelisting the AWS IP addresses should suffice.
- If you filter both inbound and outbound traffic:
  - We highly recommend whitelisting with both the Fully Qualified Domain Name (FQDN) of your Zendesk subdomain as well as the AWS IP addresses.
  - If the firewall doesn’t support FQDN-based whitelisting, we recommend you disable outbound filtering or upgrade to a firewall that supports this feature, rather than try to restrict outbound traffic using IPs only, which can cause issues. If you can’t disable outbound filtering or upgrade your firewall, you can temporarily work around this by resolving your FQDN to an IP address using this DNS Lookup Tool. However, because the IP address can change at any time, we don’t recommend using this method.
IP addresses
Refer to AWS IP address ranges to download a list of the Zendesk public IP addresses.
- To be notified about IP address changes, subscribe to AWS IP Address Ranges Notifications.
- Alternatively, to maintain history, Amazon recommends saving successive versions of the .json file on your system. You can write a script to do this. To determine whether there have been changes since the last time that you saved the file, check the publication time in the current file and compare it to the publication time in the last file that you saved.
- AWS publishes IP address ranges in Classless Inter-Domain Routing (CIDR) notation. If your firewall's whitelisting rules do not accept this format, use this tool to convert the CIDR into IP ranges.
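One way to script the version history, publication-time check and CIDR conversion described in the list above (an added example, not Zendesk or AWS code). It assumes the ip-ranges.json layout with `createDate` and `prefixes[].ip_prefix`; the two embedded documents are constructed samples using documentation address ranges, and the function names are hypothetical.

```python
import ipaddress
import json
from datetime import datetime, timezone
from pathlib import Path

# Constructed samples in the ip-ranges.json layout (documentation prefixes, not AWS data).
SAVED = {"syncToken": "1700000000", "createDate": "2023-11-14-22-13-20", "prefixes": [
    {"ip_prefix": "192.0.2.0/24", "region": "us-east-1", "service": "EC2"},
    {"ip_prefix": "198.51.100.0/25", "region": "eu-west-1", "service": "EC2"}]}
CURRENT = {"syncToken": "1700086400", "createDate": "2023-11-15-22-13-20", "prefixes": [
    {"ip_prefix": "192.0.2.0/24", "region": "us-east-1", "service": "EC2"},
    {"ip_prefix": "203.0.113.64/26", "region": "eu-west-1", "service": "EC2"}]}


def published(doc):
    """Publication time of a file: createDate is UTC, YYYY-MM-DD-hh-mm-ss."""
    stamp = datetime.strptime(doc["createDate"], "%Y-%m-%d-%H-%M-%S")
    return stamp.replace(tzinfo=timezone.utc)


def archive(doc, directory):
    """Keep history: save as ip-ranges-<createDate>.json; None if already saved."""
    path = Path(directory) / f"ip-ranges-{doc['createDate']}.json"
    if path.exists():
        return None
    path.write_text(json.dumps(doc, indent=2))
    return path


def diff_prefixes(saved, current):
    """Return (added, removed) IPv4 CIDRs; both empty unless current is newer."""
    if published(current) <= published(saved):
        return [], []
    old = {p["ip_prefix"] for p in saved["prefixes"]}
    new = {p["ip_prefix"] for p in current["prefixes"]}
    return (sorted(new - old, key=ipaddress.ip_network),
            sorted(old - new, key=ipaddress.ip_network))


def cidr_to_range(cidr):
    """First and last address of a CIDR block, for firewalls that need ranges."""
    net = ipaddress.ip_network(cidr)  # raises ValueError on host bits or bad input
    return str(net.network_address), str(net.broadcast_address)


if __name__ == "__main__":
    added, removed = diff_prefixes(SAVED, CURRENT)
    for action, cidrs in (("allow", added), ("remove", removed)):
        for cidr in cidrs:
            print(action, cidr, "-".join(cidr_to_range(cidr)))
```

Reviewing the removed list matters as much as the added one: a prefix that is no longer published should come out of the allow rules rather than linger there.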
Outbound Email Servers IP addresses are listed in our SPF record, which we update as needed. Our SPF record can be read using this Lookup Tool or by using these commands:
host -t TXT mail.zendesk.com
or
dig txt mail.zendesk.com
IP addresses used by Insights
For information about obtaining and whitelisting GoodData IP addresses for Insights, see IP Whitelisting on the GoodData web site.
Whitelisting Explore
For whitelisting Explore, configure your firewall to allow these records as the trusted origins:
67 Comments
Is there a new set of IPs? We've whitelisted every IP in this list but there seem to be requests from different IPs.
Hi Liina,
No new IPs here, so I've created a ticket to work with you more directly. See you there.
We use a Palo Alto Networks firewall which allows use of external dynamic lists.
Is there a way to utilize this feature for this list so we don't have to manually update the list every time there's an IP change? Or at least a simple txt file with these IPs listed?
For Reference:
An external dynamic list is an address object based on an imported list of IP addresses, URLs, or domain names that you can use in policy rules to block or allow traffic. This list must be a text file saved to a web server that is accessible by the firewall.
We have been using Zendesk for a few weeks now and still haven't managed to get it working properly due to issues with our web-filtering/firewall settings. The web filters and firewalls are managed by various 3rd parties who have said it's not their job to interpret the information in the article. So I guess it's our job, as their customer, to do the interpreting!
The points that they have raised are as follows:
For question 1, what are the FQDNs we should be providing? I know there is [subdomain].zendesk.com which is simple enough to provide but are there more and if so, how do we know what they are?
Sorry if these are simple questions for which the answers should be obvious. Since they are being asked by external IT security experts, and we are already into week 4 of trying to get this resolved, I think it's worth me asking here in the hope that someone can provide the necessary answers.
My question is regarding the disclaimer at the top of this article:
Note: This is not a complete list of IP addresses needed to use Zendesk products. If you're on a Pod numbered 12 or above, you may see some IP addresses slightly outside these ranges due to AWS networking.
We are using JWT auth with the Zendesk SDK for ticketing in our app. According to our dashboard, we are hosted in a Pod numbered above 12. So, if a request comes to our JWT endpoint outside of the published list above, we will deny the request and the user will not be able to open a ticket. This is a deal breaker for us. Is it possible to move to another Pod? What are our options?
Hi all.
The company I work for has been using Zendesk for about a month now. The process of adapting from an MS Outlook point-of-view is beginning to show results, tickets from e-mails are being resolved.
The main problem we're facing is how to implement ZD Talk. Currently we can't speak to our customers in ZD Talk, due to firewall issues. We have an open ticket with ZD Support regarding this, which recently has been elevated to Tier2.
Meanwhile, I'd like to check with everyone who is using ZD Talk:
How exactly have you solved the issue of accepting traffic from the list of IP numbers that needs to be allowed for ZD Talk to function properly?
Our IT dep. is reluctant to approve all of the IPs listed and I'm thinking that there should be other companies struggling with the same problem. We're operating from Sweden, if that could be of use, when replying to this.
Hoping for some good advice on how to proceed!
Best regards!
Given this recent change & complete removal of IPs
The Zendesk cloud is hosted by Amazon Web Services (AWS). As part of these recommendations, we’ve included a link to download AWS IP address ranges for your reference.
is there any guidance offered as to which parts of AWS one would whitelist?
I'm aware that to do so may broadcast a bit of infrastructure that Zendesk may not care to give out.