Firewall and Proxy Server Allowlist Reference
Objective
For F5 Distributed Cloud Services to function accurately in your environment, it is necessary to configure your firewall and/or proxy to allow connections to the IP addresses and/or domains provided in this reference guide.
This reference document lists the public IP addresses and domains associated with F5 Distributed Cloud that must be permitted in your firewall and/or proxy settings. For automation purposes, you can download the subnet ranges and domains to include in your network configuration by clicking here.
Important: Ideally, you want to only allow the F5 Distributed Cloud subnets, exclusively. This will ensure that only F5 Distributed Cloud Routed Traffic can reach your network, and thus prevent attackers from being able to circumnavigate the F5 Distributed Cloud Infrastructure.
Important: If your application remains stuck in the
connectingmode or encounters network errors, review your firewall or proxy settings and update the allowlist configuration to allow these IP addresses/domain connections and associated locations, such as Docker Registry.
F5 Distributed Cloud SaaS Services
Public IPv4 Subnet Ranges for F5 Regional Edges
For public apps advertised to Distributed Cloud Regional Edges (REs), configure your network firewall to allow connections to the IP address ranges specified in the table below. Note that these IP address ranges also apply to apps connecting via Distributed Cloud Customer Edges (CEs).
| Geography | Protocol | Ports | IP Address | Notes |
|---|---|---|---|---|
| Americas | TCP | 80, 443 | 5.182.215.0/25 84.54.61.0/25 23.158.32.0/25 84.54.62.0/25 185.94.142.0/25 185.94.143.0/25 159.60.190.0/24 159.60.168.0/24 159.60.180.0/24 159.60.174.0/24 159.60.176.0/24 | |
| UDP | 4500, 123 | 5.182.215.0/25 84.54.61.0/25 23.158.32.0/25 84.54.62.0/25 185.94.142.0/25 185.94.143.0/25 159.60.190.0/24 159.60.168.0/24 159.60.180.0/24 159.60.174.0/24 159.60.176.0/24 | IPSec/UDP 4500 is optional as SSL for tunneling to global network is supported. Port 123 is for NTP service of RE. | |
| Europe | TCP | 80, 443 | 5.182.213.0/25 5.182.212.0/25 5.182.213.128/25 5.182.214.0/25 84.54.60.0/25 185.56.154.0/25 159.60.160.0/24 159.60.162.0/24 159.60.188.0/24 159.60.182.0/24 159.60.178.0/24 | |
| UDP | 4500, 123 | 5.182.213.0/25 5.182.212.0/25 5.182.213.128/25 5.182.214.0/25 84.54.60.0/25 185.56.154.0/25 159.60.160.0/24 159.60.162.0/24 159.60.188.0/24 159.60.182.0/24 159.60.178.0/24 | IPSec/UDP 4500 is optional as SSL for tunneling to global network is supported. Port 123 is for NTP service of RE. | |
| Asia | TCP | 80, 443 | 103.135.56.0/25 103.135.57.0/25 103.135.56.128/25 103.135.59.0/25 103.135.58.128/25 103.135.58.0/25 159.60.189.0/24 159.60.166.0/24 159.60.164.0/24 159.60.170.0/24 159.60.172.0/24 159.60.191.0/24 | |
| UDP | 4500, 123 | 103.135.56.0/25 103.135.57.0/25 103.135.56.128/25 103.135.59.0/25 103.135.58.128/25 103.135.58.0/25 159.60.189.0/24 159.60.166.0/24 159.60.164.0/24 159.60.170.0/24 159.60.172.0/24 | IPSec/UDP 4500 is optional as SSL for tunneling to global network is supported. Port 123 is for NTP service of RE. |
Note: If the prefix list has CIDR with /28 subnet mask and response cache parameters has subnet mask as /24, then the response cache would be used even if the source prefix does not match the rule. You might need to adjust the response cache parameters according to the prefix set mask.
Public IPv4 Subnet Ranges for F5 Content Distribution Network Services
To use the F5 Content Distribution Network (CDN) services, configure your network firewall to allow connections to the IP address ranges specified in the following table:
| Geography | IP Address |
|---|---|
| Europe | 159.60.188.0/24 |
| Asia | 159.60.189.0/24 |
| North America | 159.60.190.0/24 |
| Oceania | 159.60.191.0/24 |
| South America | 159.60.187.0/24 |
Public IPv4 Addresses for F5 Secondary DNS Zone Transfer
To use the DNS zone management service, configure your network firewall to allow connections to the IP addresses specified in the table below:
| Geography | IP Address |
|---|---|
| All Geographies | 52.14.213.208 |
| All Geographies | 3.140.118.214 |
Public IPv4 Address Ranges for F5 Global Log Receiver
To use the Global Log Receiver service, configure your network firewall to allow connections to the IP address ranges specified in the table below:
| Geography | IP Address Ranges |
|---|---|
| All Geographies | 193.16.236.64/29 |
| All Geographies | 185.160.8.152/29 |
Public IPv4 Addresses for F5 DNSLB Health Checks
To use the Distributed Cloud Services DNSLB health check, configure your network firewall to allow connections to the IP addresses specified in the table below:
| Geography | IP Addresses |
|---|---|
| All Geographies | 18.142.173.13 |
| All Geographies | 13.214.108.35 |
| All Geographies | 13.215.164.186 |
| All Geographies | 3.72.163.92 |
| All Geographies | 3.123.183.172 |
| All Geographies | 3.67.212.129 |
| All Geographies | 35.176.105.69 |
| All Geographies | 18.168.190.181 |
| All Geographies | 35.176.214.241 |
| All Geographies | 54.146.175.34 |
| All Geographies | 52.0.217.222 |
| All Geographies | 34.239.223.87 |
| All Geographies | 52.34.2.190 |
| All Geographies | 44.227.27.164 |
| All Geographies | 35.84.99.9 |
F5 Distributed Cloud Customer Edge Sites
New Secure Mesh v2 Sites
Public IPv4 Address for Site Registration and Updates
For provisioning of F5 Distributed Cloud CE sites using the new Secure Mesh workflow, configure your network firewall to allow connections to the IP address specified in the table below:
| Geography | Protocol | Port | IP Address |
|---|---|---|---|
| All Geographies | TCP | 443 | 159.60.141.140 |
Public Domains for Site Registration and Updates
For provisioning of F5 Distributed Cloud CE sites using the new Secure Mesh workflow, configure your network firewall/proxy to allow connections to the public domains specified in the table below:
| Service | Protocol | Port | Domain Address | Notes |
|---|---|---|---|---|
| F5 Distributed Cloud | TCP | 443 | *.volterra.io | This specifies the F5 Distributed Cloud domains. |
| Docker Registry | TCP | 443 | docker.io docker.com | These specify the domains for the Docker Registry. |
| Google Registry | TCP | 443 | gcr.io storage.googleapis.com | These specify the domains for the Google Registry. |
| Red Hat Registry | TCP | 443 | update.release.core.os.net quay.io | These specify the domains for the Red Hat Registry. |
| Webroot URL Classification Database | TCP | 443 | api.bcti.brightcloud.com cc-whitelist.s3.amazonaws.com api.bcss.brightcloud.com api-dualstack.bcti.brightcloud.com localdb-url-daily.brightcloud.com localdb-url-rtu.brightcloud.com localdb-ip-daily.brightcloud.com localdb-ipv6-daily.brightcloud.com localdb-ip-rtu.brightcloud.com waferdatasetsprod.blob.core.windows.net | These specify the domains for the Webroot URL classification database. |
Important: We have removed all third-party wildcard domains. The only wildcard domain is to a domain owned by F5.
Public IPv4 Addresses for Connecting to F5 Distributed Cloud Regional Edges
Configure your network firewall to allow connections to the IP address ranges specified for Regional Edges. See section Public IPv4 Subnet Ranges for F5 Regional Edges.
Default DNS for Site Registration and Updates
For provisioning of F5 Distributed Cloud CE sites using the new Secure Mesh (v2) workflow, configure your network firewall to allow connections to the Google DNS IP addresses specified in the table below.
Important: You can use custom DNS servers while creating a CE site. Refer to the Create Secure Mesh Site v2 document for instructions. If you use custom DNS servers, then these firewall requirements are not required.
| IP Address | Port |
|---|---|
| 8.8.8.8 | 53 |
| 8.8.4.4 | 53 |
Default NTP for Site Registration and Updates
For provisioning of F5 Distributed Cloud CE sites using the new Secure Mesh (v2) workflow, configure your network firewall to allow connections to the Google NTP IP addresses specified in the table below.
Important: You can use custom NTP servers while creating a CE site. Refer to the Create Secure Mesh Site v2 document for instructions. If you use custom NTP servers, then these firewall requirements are not required.
| IP Address | Port |
|---|---|
| 216.239.35.4 | 123 |
| 216.239.35.8 | 123 |
| 216.239.35.12 | 123 |
| 216.239.35.0 | 123 |
Older Customer Edge Sites
Public IPv4 Address Ranges for Container Registries
To allow the Distributed Cloud Services CEs to use various container registries, configure your network firewall to allow connections to the IP address ranges specified in the table below:
| Geography | IP Address Ranges |
|---|---|
| All Geographies | 23.158.32.48/29 |
| All Geographies | 84.54.60.0/29 |
| All Geographies | 84.54.61.48/29 |
| All Geographies | 84.54.62.48/29 |
| All Geographies | 103.135.56.48/29 |
| All Geographies | 103.135.56.176/29 |
| All Geographies | 103.135.57.48/29 |
| All Geographies | 103.135.58.0/29 |
| All Geographies | 103.135.58.128/29 |
| All Geographies | 103.135.59.0/29 |
| All Geographies | 159.60.164.0/29 |
| All Geographies | 159.60.166.0/29 |
| All Geographies | 185.56.154.0/29 |
| All Geographies | 185.94.142.0/29 |
| All Geographies | 185.94.143.0/29 |
| All Geographies | 185.160.8.152/29 |
| All Geographies | 185.160.8.160/29 |
| All Geographies | 185.160.8.168/29 |
| All Geographies | 185.160.8.176/29 |
| All Geographies | 193.16.236.64/29 |
| All Geographies | 193.16.236.88/29 |
| All Geographies | 193.16.236.104/29 |
Public IPv4 Address Ranges for Site Registration and Updates
To provision legacy CE sites, you must allow the following public IPv4 address ranges, especially if your firewall does not support domain-based permissions.
Additionally, note that port 65500 is reserved for local UI and API access, so you may want to consider blocking or allowing this port as needed.
Important: IP addresses have the potential to change without F5 being aware of it. For this reason, using domain-based permissions is the preferred method rather than using this list.
Configure your network firewall to allow connections to the public IPv4 address ranges specified in the table below:
| Geography | IP Address Ranges |
|---|---|
| All Geographies | 20.33.0.0/16 |
| All Geographies | 74.125.0.0/16 |
| All Geographies | 18.64.0.0/10 |
| All Geographies | 52.223.128.0/18 |
| All Geographies | 20.152.0.0/15 |
| All Geographies | 13.107.238.0/24 |
| All Geographies | 142.250.0.0/15 |
| All Geographies | 20.34.0.0/15 |
| All Geographies | 52.192.0.0/12 |
| All Geographies | 52.208.0.0/13 |
| All Geographies | 52.223.0.0/17 |
| All Geographies | 18.32.0.0/11 |
| All Geographies | 3.208.0.0/12 |
| All Geographies | 13.107.237.0/24 |
| All Geographies | 20.36.0.0/14 |
| All Geographies | 52.222.0.0/16 |
| All Geographies | 52.220.0.0/15 |
| All Geographies | 3.0.0.0/9 |
| All Geographies | 100.64.0.0/10 |
| All Geographies | 54.88.0.0/16 |
| All Geographies | 52.216.0.0/14 |
| All Geographies | 108.177.0.0/17 |
| All Geographies | 20.40.0.0/13 |
| All Geographies | 54.64.0.0/11 |
| All Geographies | 172.253.0.0/16 |
| All Geographies | 20.64.0.0/10 |
| All Geographies | 20.128.0.0/16 |
| All Geographies | 172.217.0.0/16 |
| All Geographies | 173.194.0.0/16 |
| All Geographies | 20.150.0.0/15 |
| All Geographies | 20.48.0.0/12 |
| All Geographies | 72.19.3.0/24 |
| All Geographies | 18.128.0.0/9 |
| All Geographies | 23.20.0.0/14 |
| All Geographies | 13.104.0.0/14 |
| All Geographies | 13.96.0.0/13 |
| All Geographies | 13.64.0.0/11 |
| All Geographies | 13.249.0.0/16 |
| All Geographies | 34.192.0.0/10 |
| All Geographies | 3.224.0.0/12 |
| All Geographies | 54.208.0.0/13 |
| All Geographies | 54.216.0.0/14 |
| All Geographies | 108.156.0.0/14 |
| All Geographies | 54.144.0.0/12 |
| All Geographies | 54.220.0.0/15 |
| All Geographies | 54.192.0.0/12 |
| All Geographies | 54.160.0.0/11 |
| All Geographies | 3.143.6.187/32 |
Public Domains
To use F5 Distributed Cloud Services, configure your network firewall to allow connections to the public domains specified in the table below:
| Location | Protocol | Port | Address | Notes |
|---|---|---|---|---|
| F5 Distributed Cloud | TCP | 80, 443 | *.ves.volterra.io downloads.volterra.io | This specifies the F5 Distributed Cloud domain. |
| F5 Distributed Cloud AI Model Updates | TCP | 80, 443 | *.blob.core.windows.net | This specifies the domain for obtaining the AI model updates. |
| Azure Registry | TCP | 80, 443 | volterra.azurecr.io vesio.azureedge.net *.azure.com | This specifies the domain for the Azure Registry. |
| Microsoft | TCP | 80, 443 | *.microsoftonline.com | This specifies the Microsoft domains. |
| AWS | TCP | 80, 443 | *.amazonaws.com | This specifies AWS domains. |
| Docker Registry | TCP | 80, 443 | docker.io docker.com | This specifies the domain for the Docker Registry. |
| Google Registry | TCP | 80, 443 | *.gcr.io gcr.io storage.googleapis.com | This specifies the domain for the Google Registry. |
| Red Hat Registry | TCP | 80, 443 | update.release.core.os.net quay.io | This specifies the domain for the Red Hat Registry. |
| Webroot URL Classification Database | TCP | 80, 443 | api.bcti.brightcloud.com cc-whitelist.s3.amazonaws.com api.bcss.brightcloud.com api-dualstack.bcti.brightcloud.com localdb-url-daily.brightcloud.com localdb-url-rtu.brightcloud.com localdb-ip-daily.brightcloud.com localdb-ipv6-daily.brightcloud.com localdb-ip-rtu.brightcloud.com | This specifies the domain for the Webroot URL classification database. |
| CDN Domains | UDP | 53 | traffic-router-0.cdn-gc.ves.volterra.io traffic-router-1.cdn-gc.ves.volterra.io cdn.ves.volterra.io | Domains for F5 Distributed Cloud Content Delivery Network. |
Default DNS for Site Registration and Updates
For provisioning of F5 Distributed Cloud CE sites, configure your network firewall to allow connections to the Google DNS IP addresses specified in the table below, if you are not using your own enterprise DNS server:
| IP Address | Port |
|---|---|
| 8.8.8.8 | 53 |
| 8.8.4.4 | 53 |
Default NTP for Site Registration and Updates
For provisioning of F5 Distributed Cloud CE sites, configure your network firewall to allow connections to the Google NTP server IP addresses specified in the table below, if you are not using your own enterprise NTP server:
| IP Address | Port |
|---|---|
| 216.239.35.4 | 123 |
| 216.239.35.8 | 123 |
| 216.239.35.12 | 123 |
| 216.239.35.0 | 123 |
On this page:
- Objective
- F5 Distributed Cloud SaaS Services
- Public IPv4 Subnet Ranges for F5 Regional Edges
- Public IPv4 Subnet Ranges for F5 Content Distribution Network Services
- Public IPv4 Addresses for F5 Secondary DNS Zone Transfer
- Public IPv4 Address Ranges for F5 Global Log Receiver
- Public IPv4 Addresses for F5 DNSLB Health Checks
- F5 Distributed Cloud Customer Edge Sites
- New Secure Mesh v2 Sites
- Public IPv4 Address for Site Registration and Updates
- Public Domains for Site Registration and Updates
- Public IPv4 Addresses for Connecting to F5 Distributed Cloud Regional Edges
- Default DNS for Site Registration and Updates
- Default NTP for Site Registration and Updates
- Older Customer Edge Sites
- Public IPv4 Address Ranges for Container Registries
- Public IPv4 Address Ranges for Site Registration and Updates
- Public Domains
- Default DNS for Site Registration and Updates
- Default NTP for Site Registration and Updates