Firewall and Proxy Server Allowlist Reference
Objective
For F5 Distributed Cloud Services to function accurately in your environment, it is pertinent to configure your firewall and/or proxy to allow connections to/from the IP addresses and/or domains provided in this reference guide.
This reference document lists the public IP addresses and domains associated with F5 Distributed Cloud that must be permitted in your firewall and/or proxy settings. For automation purposes, you can download the subnet ranges and domains to include in your network configuration by clicking here.
Important: If your application remains stuck in the connecting mode or encounters network errors, review your firewall or proxy settings and update the allowlist configuration to allow these IP addresses/domain connections and associated locations, such as Docker Registry.
F5 Distributed Cloud SaaS Services
Public IPv4 Subnet Ranges for F5 Regional Edges
For public apps advertised to Distributed Cloud Regional Edges (REs), configure your network firewall to allow connections from or to the IP address ranges specified in the table below. Note that these IP address ranges also apply to apps connecting via Distributed Cloud Customer Edges (CEs).
| Geography | Protocol | Ports | IP Address | Notes |
|---|---|---|---|---|
| Americas | TCP | 80, 443 | 5.182.215.0/25 84.54.61.0/25 23.158.32.0/25 84.54.62.0/25 185.94.142.0/25 185.94.143.0/25 159.60.190.0/24 159.60.168.0/24 159.60.180.0/24 159.60.174.0/24 159.60.176.0/24 | |
| UDP | 4500 | 5.182.215.0/25 84.54.61.0/25 23.158.32.0/25 84.54.62.0/25 185.94.142.0/25 185.94.143.0/25 159.60.190.0/24 159.60.168.0/24 159.60.180.0/24 159.60.174.0/24 159.60.176.0/24 | IPSec/UDP 4500 is optional as SSL for tunneling to global network is supported. | |
| Europe | TCP | 80, 443 | 5.182.213.0/25 5.182.212.0/25 5.182.213.128/25 5.182.214.0/25 84.54.60.0/25 185.56.154.0/25 159.60.160.0/24 159.60.162.0/24 159.60.188.0/24 159.60.182.0/24 159.60.178.0/24 | |
| UDP | 4500 | 5.182.213.0/25 5.182.212.0/25 5.182.213.128/25 5.182.214.0/25 84.54.60.0/25 185.56.154.0/25 159.60.160.0/24 159.60.162.0/24 159.60.188.0/24 159.60.182.0/24 159.60.178.0/24 | IPSec/UDP 4500 is optional as SSL for tunneling to global network is supported. | |
| Asia | TCP | 80, 443 | 103.135.56.0/25 103.135.57.0/25 103.135.56.128/25 103.135.59.0/25 103.135.58.128/25 103.135.58.0/25 159.60.189.0/24 159.60.166.0/24 159.60.164.0/24 159.60.170.0/24 159.60.172.0/24 159.60.191.0/24 | |
| UDP | 4500 | 103.135.56.0/25 103.135.57.0/25 103.135.56.128/25 103.135.59.0/25 103.135.58.128/25 103.135.58.0/25 159.60.189.0/24 159.60.166.0/24 159.60.164.0/24 159.60.170.0/24 159.60.172.0/24 | IPSec/UDP 4500 is optional as SSL for tunneling to global network is supported. |
Note: If the prefix list has CIDR with /28 subnet mask and response cache parameters has subnet mask as /24, then the response cache would be used even if the source prefix does not match the rule. You might need to adjust the response cache parameters according to the prefix set mask.
Public IPv4 Subnet Ranges for F5 Content Distribution Network Services
To use the F5 Content Distribution Network (CDN) services, configure your network firewall to allow connections from or to the IP address ranges specified in the following table:
| Geography | IP Address |
|---|---|
| Europe | 159.60.188.0/24 |
| Asia | 159.60.189.0/24 |
| North America | 159.60.190.0/24 |
| Oceania | 159.60.191.0/24 |
| South America | 159.60.187.0/24 |
Public IPv4 Addresses for F5 Secondary DNS Zone Transfer
To use the DNS zone management service, configure your network firewall to allow connections from or to the IP addresses specified in the table below:
| Geography | IP Address |
|---|---|
| All Geographies | 52.14.213.208 |
| All Geographies | 3.140.118.214 |
Public IPv4 Address Ranges for F5 Global Log Receiver
To use the Global Log Receiver service, configure your network firewall to allow connections from or to the IP address ranges specified in the table below:
| Geography | IP Address Ranges |
|---|---|
| All Geographies | 193.16.236.64/29 |
| All Geographies | 185.160.8.152/29 |
Public IPv4 Addresses for F5 DNSLB Health Checks
To use the Distributed Cloud Services DNSLB health check, configure your network firewall to allow connections from or to the IP addresses specified in the table below:
| Geography | IP Addresses |
|---|---|
| All Geographies | 18.142.173.13 |
| All Geographies | 13.214.108.35 |
| All Geographies | 13.215.164.186 |
| All Geographies | 3.72.163.92 |
| All Geographies | 3.123.183.172 |
| All Geographies | 3.67.212.129 |
| All Geographies | 35.176.105.69 |
| All Geographies | 18.168.190.181 |
| All Geographies | 35.176.214.241 |
| All Geographies | 54.146.175.34 |
| All Geographies | 52.0.217.222 |
| All Geographies | 34.239.223.87 |
| All Geographies | 52.34.2.190 |
| All Geographies | 44.227.27.164 |
| All Geographies | 35.84.99.9 |
F5 Distributed Cloud Customer Edge Sites
New Secure Mesh v2 Sites
Public IPv4 Address for Site Registration and Updates
For provisioning of F5 Distributed Cloud CE sites using the new Secure Mesh workflow introduced in the August 2024 release, configure your network firewall to allow connections from or to the IP address specified in the table below:
For public apps connecting via CEs, configure your network firewall to allow connections from or to the IP address ranges specified for Regional Edges.
| Geography | Protocol | Port | IP Address |
|---|---|---|---|
| All Geographies | TCP | 443 | 159.60.141.140 |
Public Domains
To use F5 Distributed Cloud Services, configure your network firewall to allow connections from or to the public domains specified in the table below:
| Service | Protocol | Port | Domain Address | Notes |
|---|---|---|---|---|
| F5 Distributed Cloud | TCP | 443 | *.volterra.io | This specifies the F5 Distributed Cloud domains. |
| Docker Registry | TCP | 443 | docker.io docker.com | These specify the domains for the Docker Registry. |
| Google Registry | TCP | 443 | gcr.io storage.googleapis.com | These specify the domains for the Google Registry. |
| Red Hat Registry | TCP | 443 | update.release.core.os.net quay.io | These specify the domains for the Red Hat Registry. |
| Webroot URL Classification Database | TCP | 443 | api.bcti.brightcloud.com cc-whitelist.s3.amazonaws.com api.bcss.brightcloud.com api-dualstack.bcti.brightcloud.com localdb-url-daily.brightcloud.com localdb-url-rtu.brightcloud.com localdb-ip-daily.brightcloud.com localdb-ipv6-daily.brightcloud.com localdb-ip-rtu.brightcloud.com | These specify the domains for the Webroot URL classification database. |
| Public IP Detection | TCP | 443 | ifconfig.me | Auto select F5 Distributed Cloud Regional Edges by detecting CE node public IP |
Important: We have removed all third-party wildcard domains. The only wildcard domain is to a domain owned by F5.
Older Customer Edge Sites
Public IPv4 Address Ranges for Container Registries
To allow the Distributed Cloud Services CEs to use various container registries, configure your network firewall to allow connections from or to the IP address ranges specified in the table below:
| Geography | IP Address Ranges |
|---|---|
| All Geographies | 23.158.32.48/29 |
| All Geographies | 84.54.60.0/29 |
| All Geographies | 84.54.61.48/29 |
| All Geographies | 84.54.62.48/29 |
| All Geographies | 103.135.56.48/29 |
| All Geographies | 103.135.56.176/29 |
| All Geographies | 103.135.57.48/29 |
| All Geographies | 103.135.58.0/29 |
| All Geographies | 103.135.58.128/29 |
| All Geographies | 103.135.59.0/29 |
| All Geographies | 159.60.164.0/29 |
| All Geographies | 159.60.166.0/29 |
| All Geographies | 185.56.154.0/29 |
| All Geographies | 185.94.142.0/29 |
| All Geographies | 185.94.143.0/29 |
| All Geographies | 185.160.8.152/29 |
| All Geographies | 185.160.8.160/29 |
| All Geographies | 185.160.8.168/29 |
| All Geographies | 185.160.8.176/29 |
| All Geographies | 193.16.236.64/29 |
| All Geographies | 193.16.236.88/29 |
| All Geographies | 193.16.236.104/29 |
Public IPv4 Address Ranges for Site Registration and Updates
To provision legacy CE sites, you must allow the following public IPv4 address ranges, especially if your firewall does not support domain-based permissions.
Additionally, note that port 65500 is reserved for local UI and API access, so you may want to consider blocking or allowing this port as needed.
Important: IP addresses have the potential to change without F5 being aware of it. For this reason, using domain-based permissions is the preferred method rather than using this list.
Configure your network firewall to allow connections from or to the public IPv4 address ranges specified in the table below:
| Geography | IP Address Ranges |
|---|---|
| All Geographies | 20.33.0.0/16 |
| All Geographies | 74.125.0.0/16 |
| All Geographies | 18.64.0.0/10 |
| All Geographies | 52.223.128.0/18 |
| All Geographies | 20.152.0.0/15 |
| All Geographies | 13.107.238.0/24 |
| All Geographies | 142.250.0.0/15 |
| All Geographies | 20.34.0.0/15 |
| All Geographies | 52.192.0.0/12 |
| All Geographies | 52.208.0.0/13 |
| All Geographies | 52.223.0.0/17 |
| All Geographies | 18.32.0.0/11 |
| All Geographies | 3.208.0.0/12 |
| All Geographies | 13.107.237.0/24 |
| All Geographies | 20.36.0.0/14 |
| All Geographies | 52.222.0.0/16 |
| All Geographies | 52.220.0.0/15 |
| All Geographies | 3.0.0.0/9 |
| All Geographies | 100.64.0.0/10 |
| All Geographies | 54.88.0.0/16 |
| All Geographies | 52.216.0.0/14 |
| All Geographies | 108.177.0.0/17 |
| All Geographies | 20.40.0.0/13 |
| All Geographies | 54.64.0.0/11 |
| All Geographies | 172.253.0.0/16 |
| All Geographies | 20.64.0.0/10 |
| All Geographies | 20.128.0.0/16 |
| All Geographies | 172.217.0.0/16 |
| All Geographies | 173.194.0.0/16 |
| All Geographies | 20.150.0.0/15 |
| All Geographies | 20.48.0.0/12 |
| All Geographies | 72.19.3.0/24 |
| All Geographies | 18.128.0.0/9 |
| All Geographies | 23.20.0.0/14 |
| All Geographies | 13.104.0.0/14 |
| All Geographies | 13.96.0.0/13 |
| All Geographies | 13.64.0.0/11 |
| All Geographies | 13.249.0.0/16 |
| All Geographies | 34.192.0.0/10 |
| All Geographies | 3.224.0.0/12 |
| All Geographies | 54.208.0.0/13 |
| All Geographies | 54.216.0.0/14 |
| All Geographies | 108.156.0.0/14 |
| All Geographies | 54.144.0.0/12 |
| All Geographies | 54.220.0.0/15 |
| All Geographies | 54.192.0.0/12 |
| All Geographies | 54.160.0.0/11 |
| All Geographies | 3.143.6.187/32 |
Public Domains
To use F5 Distributed Cloud Services, configure your network firewall to allow connections from or to the public domains specified in the table below:
| Location | Protocol | Port | Address | Notes |
|---|---|---|---|---|
| F5 Distributed Cloud | TCP | 80, 443 | *.ves.volterra.io downloads.volterra.io | This specifies the F5 Distributed Cloud domain. |
| F5 Distributed Cloud AI Model Updates | TCP | 80, 443 | *.blob.core.windows.net | This specifies the domain for obtaining the AI model updates. |
| Azure Registry | TCP | 80, 443 | volterra.azurecr.io vesio.azureedge.net *.azure.com | This specifies the domain for the Azure Registry. |
| Microsoft | TCP | 80, 443 | *.microsoftonline.com | This specifies the Microsoft domains. |
| AWS | TCP | 80, 443 | *.amazonaws.com | This specifies AWS domains. |
| Docker Registry | TCP | 80, 443 | docker.io docker.com | This specifies the domain for the Docker Registry. |
| Google Registry | TCP | 80, 443 | *.gcr.io gcr.io storage.googleapis.com | This specifies the domain for the Google Registry. |
| Red Hat Registry | TCP | 80, 443 | update.release.core.os.net quay.io | This specifies the domain for the Red Hat Registry. |
| Webroot URL Classification Database | TCP | 80, 443 | api.bcti.brightcloud.com cc-whitelist.s3.amazonaws.com api.bcss.brightcloud.com api-dualstack.bcti.brightcloud.com localdb-url-daily.brightcloud.com localdb-url-rtu.brightcloud.com localdb-ip-daily.brightcloud.com localdb-ipv6-daily.brightcloud.com localdb-ip-rtu.brightcloud.com | This specifies the domain for the Webroot URL classification database. |
| CDN Domains | UDP | 53 | traffic-router-0.cdn-gc.ves.volterra.io traffic-router-1.cdn-gc.ves.volterra.io cdn.ves.volterra.io | Domains for F5 Distributed Cloud Content Delivery Network. |
On this page:
- Objective
- F5 Distributed Cloud SaaS Services
- Public IPv4 Subnet Ranges for F5 Regional Edges
- Public IPv4 Subnet Ranges for F5 Content Distribution Network Services
- Public IPv4 Addresses for F5 Secondary DNS Zone Transfer
- Public IPv4 Address Ranges for F5 Global Log Receiver
- Public IPv4 Addresses for F5 DNSLB Health Checks
- F5 Distributed Cloud Customer Edge Sites
- New Secure Mesh v2 Sites
- Public IPv4 Address for Site Registration and Updates
- Public Domains
- Older Customer Edge Sites
- Public IPv4 Address Ranges for Container Registries
- Public IPv4 Address Ranges for Site Registration and Updates
- Public Domains