This article describes recommendations for configuring a firewall for use with Zendesk. As part of these recommendations, a list of Zendesk’s public IP addresses are available from the Zendesk API.
This article includes the following sections:
- About IP address configurations
- Getting the IP addresses
- Getting IP addresses for outbound email servers
- Getting IP addresses for additional Zendesk products
About IP address configurations
- If your server policy restricts inbound traffic only, creating an allowlist with the list of IP addresses should suffice.
- If you filter both inbound and outbound traffic:
- Zendesk highly recommends creating an allowlist with both the fully qualified domain name (FQDN) of your Zendesk subdomain as well as the IP addresses you get using the Zendesk API.
- If the firewall doesn’t support creating an FQDN-based allowlist, Zendesk recommends you disable outbound filtering or upgrade to a firewall that supports this feature rather than try to restrict outbound traffic using IP addresses only, which can cause issues.
- If you can’t disable outbound filtering or upgrade your firewall, you can temporarily work around this by resolving your FQDN to an IP address using a DNS lookup tool. However, because the IP address can change at any time, Zendesk doesn't recommend using this method.
Getting the IP addresses
You can use the Zendesk API to get the most-recent list of IP addresses.
To get the IP addresses
- Use the following Get Zendesk Public IPs endpoint in the Zendesk API to list the main Zendesk ingress and egress IP addresses:
https://{your-subdomain}.zendesk.com/ips
The endpoint doesn’t require authentication so you can use it in a web browser.
IP addresses are listed using Classless Inter-Domain Routing (CIDR) notation. You can convert IP addresses using a CIDR utility tool.
Getting IP addresses for outbound email servers
The IP addresses of outbound email servers are listed in our SPF record, which we update as needed.
- Our SPF record can be read using a lookup tool or by using these commands:
host -t TXT mail.zendesk.com
ordig txt mail.zendesk.com
Note: Due to server and IP rotation on our mail server's end, we do not support the use of IPs to validate your record. While using IPs may work within the SPF record, it's likely to cause issues down the road, when an IP or mail server rotation occurs.
Getting IP addresses for additional Zendesk products
Some Zendesk products require additional IP addresses.
- Zendesk Talk
If you’re using Zendesk Talk, specific IP addresses need to be accessible. For a list of IP addresses, see Talk network requirements. - Zendesk Chat
If you’re using Zendesk Chat, specific IP addresses might need to be accessible. For details on how to configure your firewall for Chat, see Zendesk Chat system requirements. - JIRA integration (Pod 19)
18.233.240.4/32
35.171.179.180/32
54.88.153.44/32
216.198.0.0/18 - Zendesk Explore
If you're using Zendesk Explore, specific IP addresses need to be accessible. For more information, see Allowing network IP addresses for Explore.
75 Comments
Are there a new set of IPs? We've whitelisted every IP in this list but there seems to be requests from different IPs.
Hi Liina,
No new IP's here, so I've created a ticket to work with you more directly. See you there.
We use a Palo Alto Networks firewall which allows use of external dynamic lists.
Is there a way to utilize this feature for this list so we dont have to manually update the list every time theres an IP change? Or at least a simple txt file with these IP's listed?
For Reference:
An external dynamic list is an address object based on an imported list of IP addresses, URLs, or domain names that you can use in policy rules to block or allow traffic. This list must be a text file saved to a web server that is accessible by the firewall.
We have been using Zendesk for a few weeks now and still haven't managed to get it working properly due to issues with our web-filtering/firewall settings. The web filters and firewalls are managed by various 3rd parties who have said it's not their job to interpret the information in the article. So I guess it's our job, as their customer, to do the interpreting!
The points that they have raised are as follows:
For question 1, what are the FQDNs we should be providing? I know there is [subdomain].zendesk.com which is simple enough to provide but are there more and if so, how do we know what they are?
Sorry if these are simple questions for which the answers should be obvious. Since they are being asked by external IT security experts, and we are already into week 4 of trying to get this resolved, I think it's worth me asking here in the hope that someone can provide the necessary answers.
My question is regarding the disclaimer at the top of this article:
Note: This is not a complete list of IP addresses needed to use Zendesk products. If you're on a Pod numbered 12 or above, you may see some IP addresses slightly outside these ranges due to AWS networking.
We are using JWT auth with the Zendesk SDK for ticketing in our app. According to our dashboard, we are hosted in a Pod numbered above 12. So, if a request comes to our JWT endpoint outside of the published list above, we will deny the request and the user will not be able to open a ticket. This is a deal breaker for us. Is it possible to move to another Pod? What are our options?
Hi all.
The company I work for has been using Zendesk for about a month now. The process of adapting from an MS Outlook point-of-view is beginning to show results, tickets from e-mails are being resolved.
The main problem we're facing is the how to implement ZD Talk. Currently we can't speak to our customers in ZD Talk, due to firewall issues. We have an onpen ticket with ZD Support regarding this, which recently has been elevated to Tier2.
Meanwhile, I'd like to check with everyone that are using ZD Talk:
How exactly have you solved the issue of accepting traffic from the list of IP numbers that needs to be allowed for ZD Talk to function properly?
Our IT dep. is reluctant to approve all of the IPs listed and I'm thinking that there should be other companies struggling with the same problem. We're operating from Sweden, if that could be of use, when replying to this.
Hoping for some good advice on how to proceed!
Best regards!
Given this recent change & complete removal of IPs
The Zendesk cloud is hosted by Amazon Web Services (AWS). As part of these recommendations, we’ve included a link to download AWS IP address ranges for your reference.
is there any guidance offered as to which parts of AWS one would whitelist?
I'm aware that to do so may broadcast a bit of infrastructure that Zendesk may not care to give out.
Hi there
Have there been any recent changes to the Zendesk public IP whitelist? Just troubleshooting a JIRA integration issue.
Thanks
Hi Raymond,
We're creating a ticket for you to get some account specific info, please keep an eye out for email.
Thanks!
Thanks for that 😎
Hi
The IP address 52.197.24.108 needs to be added.
Thanks
Thank you, Raymond! We have created a ticket for this update to the article.
Please add
34.220.255.82
54.202.122.123
52.42.73.12
and ask your ops department to maintain this list a little more proactively 🧐
Thank you Adam. I have submitted a ticket on your behalf to request this update.
Guys really?
i need to maintain several security groups just to have this list, as a single SG only accepts 50 entries, and from what i am reading here, there are more addresses unlisted?
Please sign in to leave a comment.