Firewall or Proxy Reference for Network Cloud

Objective

This reference document lists the public IP addresses associated with the F5 Distributed Cloud Network Cloud. It is essential that you configure your firewall or proxy to allow connections from and to these IP addresses. The document also lists the domains to add to your allowlist so that your firewall or proxy permits connections from and to them.

We strongly recommend verifying that your network allows connections to the IP addresses or domains listed in this document. If your application remains stuck in the 'connecting' mode or encounters network errors, review your firewall or proxy settings and update the allowlist configuration to permit connections to the F5 Distributed Cloud network and associated locations such as the Docker registry. For automation purposes, the subnet ranges and domains to be included in your network configuration are also available for download.

Public IPv4 Subnet Ranges

Configure your network firewall to allow connections from or to the IP address ranges specified in the following table:

| Geography | Protocol | Ports | IP Address | Notes |
|---|---|---|---|---|
| Americas | TCP | 80, 443 | 5.182.215.0/25, 84.54.61.0/25, 23.158.32.0/25, 84.54.62.0/25, 185.94.142.0/25, 185.94.143.0/25, 159.60.190.0/24, 159.60.168.0/24, 159.60.180.0/24, 159.60.174.0/24, 159.60.176.0/24 | |
| Americas | UDP | 4500 | 5.182.215.0/25, 84.54.61.0/25, 23.158.32.0/25, 84.54.62.0/25, 185.94.142.0/25, 185.94.143.0/25, 159.60.190.0/24, 159.60.168.0/24, 159.60.180.0/24, 159.60.174.0/24, 159.60.176.0/24 | IPSec/UDP 4500 is optional as SSL for tunneling to global network is supported. |
| Europe | TCP | 80, 443 | 5.182.213.0/25, 5.182.212.0/25, 5.182.213.128/25, 5.182.214.0/25, 84.54.60.0/25, 185.56.154.0/25, 159.60.160.0/24, 159.60.162.0/24, 159.60.188.0/24, 159.60.182.0/24, 159.60.178.0/24 | |
| Europe | UDP | 4500 | 5.182.213.0/25, 5.182.212.0/25, 5.182.213.128/25, 5.182.214.0/25, 84.54.60.0/25, 185.56.154.0/25, 159.60.160.0/24, 159.60.162.0/24, 159.60.188.0/24, 159.60.182.0/24, 159.60.178.0/24 | IPSec/UDP 4500 is optional as SSL for tunneling to global network is supported. |
| Asia | TCP | 80, 443 | 103.135.56.0/25, 103.135.57.0/25, 103.135.56.128/25, 103.135.59.0/25, 103.135.58.128/25, 103.135.58.0/25, 159.60.189.0/24, 159.60.166.0/24, 159.60.164.0/24, 159.60.170.0/24, 159.60.172.0/24, 159.60.191.2, 159.60.191.4, 159.60.191.6, 159.60.191.0/24 | |
| Asia | UDP | 4500 | 103.135.56.0/25, 103.135.57.0/25, 103.135.56.128/25, 103.135.59.0/25, 103.135.58.128/25, 103.135.58.0/25, 159.60.189.0/24, 159.60.166.0/24, 159.60.164.0/24, 159.60.170.0/24, 159.60.172.0/24, 159.60.191.2, 159.60.191.4, 159.60.191.6, 159.60.191.0/24 | IPSec/UDP 4500 is optional as SSL for tunneling to global network is supported. |

Public IPs for Secondary DNS zone transfer

Allow the following IP addresses for successful zone transfers if you use the F5 Distributed Cloud DNS zone management service:

  • 52.14.213.208
  • 3.140.118.214

Public IPs for Global Log Receiver

Allow the following IP ranges for successful functioning of the global log receiver:

  • 193.16.236.64/29
  • 185.160.8.152/29

Public IPs for DNSLB Health Checks

  • 18.142.173.13
  • 13.214.108.35
  • 13.215.164.186
  • 3.72.163.92
  • 3.123.183.172
  • 3.67.212.129
  • 35.176.105.69
  • 18.168.190.181
  • 35.176.214.241
  • 54.146.175.34
  • 52.0.217.222
  • 34.239.223.87
  • 52.34.2.190
  • 44.227.27.164
  • 35.84.99.9

Public IPs for Container Registries

Also, ensure that you allow the following ranges to enable access to the various container registries:

  • 23.158.32.48/29
  • 84.54.60.0/29
  • 84.54.61.48/29
  • 84.54.62.48/29
  • 103.135.56.48/29
  • 103.135.56.176/29
  • 103.135.57.48/29
  • 103.135.58.0/29
  • 103.135.58.128/29
  • 103.135.59.0/29
  • 159.60.164.0/29
  • 159.60.166.0/29
  • 185.56.154.0/29
  • 185.94.142.0/29
  • 185.94.143.0/29
  • 185.160.8.152/29
  • 185.160.8.160/29
  • 185.160.8.168/29
  • 185.160.8.176/29
  • 193.16.236.64/29
  • 193.16.236.88/29
  • 193.16.236.104/29

Allowed Domains

Add the following domains to your allowlist so that your firewall or proxy permits connections from or to them:

| Location | Protocol | Port | Address | Notes |
|---|---|---|---|---|
| F5 Distributed Cloud | TCP | 80, 443 | *.ves.volterra.io, downloads.volterra.io | This specifies the F5 Distributed Cloud domain. |
| F5 Distributed Cloud AI Model Updates | TCP | 80, 443 | *.blob.core.windows.net | This specifies the domain for obtaining the AI model updates. |
| Azure Registry | TCP | 80, 443 | volterra.azurecr.io, vesio.azureedge.net, *.azure.com | This specifies the domain for the Azure Registry. |
| Microsoft | TCP | 80, 443 | *.microsoftonline.com | This specifies the Microsoft domains. |
| AWS | TCP | 80, 443 | *.amazonaws.com | This specifies AWS domains. |
| Docker Registry | TCP | 80, 443 | docker.io, docker.com | This specifies the domain for the Docker Registry. |
| Google Registry | TCP | 80, 443 | *.gcr.io, gcr.io, storage.googleapis.com | This specifies the domain for the Google Registry. |
| Redhat Registry | TCP | 80, 443 | update.release.core-os.net, quay.io | This specifies the domain for the Redhat Registry. |
| Webroot URL Classification Database | TCP | 80, 443 | api.bcti.brightcloud.com | This specifies the domain for webroot URL classification database. |
| CDN Domains | UDP | 53 | traffic-router-0.cdn-gc.ves.volterra.io, traffic-router-1.cdn-gc.ves.volterra.io, cdn.ves.volterra.io | Domains for F5 Distributed Cloud Content Delivery Network. |

IP Addresses for Site Provisioning

If your firewall does not support domain-based permissions, you can use the following list of outbound IPs that the Customer Edge (CE) Site needs to communicate with for initial provisioning. A DNS server is required for a Site to function correctly in resolving queries. Additionally, note that port 65500 is reserved for local UI and API access, so you may want to consider blocking or allowing this port as needed.

Note: IPs have the potential to change without F5 being aware of it. For this reason, using domain-based permissions is the preferred method rather than using this list.

  • 20.33.0.0/16
  • 74.125.0.0/16
  • 18.64.0.0/10
  • 52.223.128.0/18
  • 20.152.0.0/15
  • 13.107.238.0/24
  • 142.250.0.0/15
  • 20.34.0.0/15
  • 52.192.0.0/12
  • 52.208.0.0/13
  • 52.223.0.0/17
  • 18.32.0.0/11
  • 3.208.0.0/12
  • 13.107.237.0/24
  • 20.36.0.0/14
  • 52.222.0.0/16
  • 52.220.0.0/15
  • 3.0.0.0/9
  • 100.64.0.0/10
  • 54.88.0.0/16
  • 52.216.0.0/14
  • 108.177.0.0/17
  • 20.40.0.0/13
  • 54.64.0.0/11
  • 172.253.0.0/16
  • 20.64.0.0/10
  • 20.128.0.0/16
  • 172.217.0.0/16
  • 173.194.0.0/16
  • 20.150.0.0/15
  • 20.48.0.0/12
  • 72.19.3.0/24
  • 18.128.0.0/9
  • 23.20.0.0/14
  • 13.104.0.0/14
  • 13.96.0.0/13
  • 13.64.0.0/11
  • 13.249.0.0/16
  • 34.192.0.0/10
  • 3.224.0.0/12
  • 54.208.0.0/13
  • 54.216.0.0/14
  • 108.156.0.0/14
  • 54.144.0.0/12
  • 54.220.0.0/15
  • 54.192.0.0/12
  • 54.160.0.0/11
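
When these ranges are loaded into a firewall by IP rather than by domain, it helps to audit the list first. The following is an added example, not part of the F5 documentation: it checks a sample of the ranges above for entries already covered by a wider entry, for ranges that are not globally routable, and for very broad prefixes, and it returns the minimal equivalent rule set. The function name `audit_allowlist` and the `broad_prefix` threshold are assumptions made for illustration.

```python
import ipaddress

# Ranges copied from this page: rows from the Europe and Asia tables and part of
# the site-provisioning list. The selection itself is illustrative.
PAGE_ENTRIES = [
    "5.182.213.0/25", "5.182.213.128/25",                # Europe
    "159.60.191.2", "159.60.191.4", "159.60.191.0/24",   # Asia
    "13.104.0.0/14", "13.107.237.0/24", "13.107.238.0/24",
    "54.64.0.0/11", "54.88.0.0/16",
    "3.0.0.0/9", "100.64.0.0/10",
]

def audit_allowlist(entries, broad_prefix=12):
    """Report redundant, non-global and very broad entries, plus a minimal rule set.

    broad_prefix is an assumed review threshold, not a value from the page.
    """
    # strict=True rejects entries with host bits set, which catches typos early.
    nets = [ipaddress.ip_network(e, strict=True) for e in entries]
    covered = {}
    for n in nets:
        for other in nets:
            if n != other and n.subnet_of(other):
                covered[str(n)] = str(other)  # n adds nothing beyond `other`
                break
    return {
        "covered": covered,
        "non_global": [str(n) for n in nets if not n.is_global],
        "broad": {str(n): n.num_addresses for n in nets
                  if n.prefixlen <= broad_prefix},
        # collapse_addresses drops covered entries and merges adjacent halves.
        "minimal": [str(n) for n in ipaddress.collapse_addresses(nets)],
    }

if __name__ == "__main__":
    for key, value in audit_allowlist(PAGE_ENTRIES).items():
        print(key, value)
```

On this sample the report lists 100.64.0.0/10 as non-global (it is the RFC 6598 shared address space) and shows that 3.0.0.0/9 alone spans 8,388,608 addresses, which is the kind of entry to review before it goes into an outbound rule.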