​

Firewall and Proxy Server Allowlist Reference

Published April 5, 2023 | Last modified May 28, 2025

Objective

For F5 Distributed Cloud Services to function accurately in your environment, it is necessary to configure your firewall and/or proxy to allow connections to the IP addresses and/or domains provided in this reference guide.

This reference document lists the public IP addresses and domains associated with F5 Distributed Cloud that must be permitted in your firewall and/or proxy settings. For automation purposes, you can download the subnet ranges and domains to include in your network configuration by clicking here.

Important: Ideally, you want to only allow the F5 Distributed Cloud subnets, exclusively. This will ensure that only F5 Distributed Cloud Routed Traffic can reach your network, and thus prevent attackers from being able to circumnavigate the F5 Distributed Cloud Infrastructure.

Important: If your application remains stuck in the connecting mode or encounters network errors, review your firewall or proxy settings and update the allowlist configuration to allow these IP addresses/domain connections and associated locations, such as Docker Registry.

F5 Distributed Cloud SaaS Services

Public IPv4 Subnet Ranges for F5 Regional Edges

For public apps advertised to Distributed Cloud Regional Edges (REs), configure your network firewall to allow connections to the IP address ranges specified in the table below. Note that these IP address ranges also apply to apps connecting via Distributed Cloud Customer Edges (CEs).

GeographyProtocolPortsIP AddressNotes
AmericasTCP80, 4435.182.215.0/25
84.54.61.0/25
23.158.32.0/25
84.54.62.0/25
185.94.142.0/25
185.94.143.0/25
159.60.190.0/24
159.60.168.0/24
159.60.180.0/24
159.60.174.0/24
159.60.176.0/24
UDP4500, 1235.182.215.0/25
84.54.61.0/25
23.158.32.0/25
84.54.62.0/25
185.94.142.0/25
185.94.143.0/25
159.60.190.0/24
159.60.168.0/24
159.60.180.0/24
159.60.174.0/24
159.60.176.0/24		IPSec/UDP 4500 is optional as SSL for tunneling to global network is supported. Port 123 is for NTP service of RE.
EuropeTCP80, 4435.182.213.0/25
5.182.212.0/25
5.182.213.128/25
5.182.214.0/25
84.54.60.0/25
185.56.154.0/25
159.60.160.0/24
159.60.162.0/24
159.60.188.0/24
159.60.182.0/24
159.60.178.0/24
UDP4500, 1235.182.213.0/25
5.182.212.0/25
5.182.213.128/25
5.182.214.0/25
84.54.60.0/25
185.56.154.0/25
159.60.160.0/24
159.60.162.0/24
159.60.188.0/24
159.60.182.0/24
159.60.178.0/24		IPSec/UDP 4500 is optional as SSL for tunneling to global network is supported. Port 123 is for NTP service of RE.
AsiaTCP80, 443103.135.56.0/25
103.135.57.0/25
103.135.56.128/25
103.135.59.0/25
103.135.58.128/25
103.135.58.0/25
159.60.189.0/24
159.60.166.0/24
159.60.164.0/24
159.60.170.0/24
159.60.172.0/24
159.60.191.0/24
159.60.184.0/24
159.60.186.0/24
UDP4500, 123103.135.56.0/25
103.135.57.0/25
103.135.56.128/25
103.135.59.0/25
103.135.58.128/25
103.135.58.0/25
159.60.189.0/24
159.60.166.0/24
159.60.164.0/24
159.60.170.0/24
159.60.172.0/24
159.60.184.0/24
159.60.186.0/24		IPSec/UDP 4500 is optional as SSL for tunneling to global network is supported. Port 123 is for NTP service of RE.

Note: If the prefix list has CIDR with /28 subnet mask and response cache parameters has subnet mask as /24, then the response cache would be used even if the source prefix does not match the rule. You might need to adjust the response cache parameters according to the prefix set mask.

Public IPv4 Subnet Ranges for F5 Content Distribution Network Services

To use the F5 Content Distribution Network (CDN) services, configure your network firewall to allow connections to the IP address ranges specified in the following table:

GeographyIP Address
Europe159.60.188.0/24
Asia159.60.189.0/24
North America159.60.190.0/24
Oceania159.60.191.0/24
South America159.60.187.0/24

Public IPv4 Addresses for F5 Secondary DNS Zone Transfer

To use the DNS zone management service, configure your network firewall to allow connections to the IP addresses specified in the table below:

GeographyIP Address
All Geographies52.14.213.208
All Geographies3.140.118.214

Public IPv4 Address Ranges for F5 Global Log Receiver

To use the Global Log Receiver service, configure your network firewall to allow connections to the IP address ranges specified in the table below:

GeographyIP Address Ranges
All Geographies193.16.236.64/29
All Geographies185.160.8.152/29

Public IPv4 Addresses for F5 DNSLB Health Checks

To use the Distributed Cloud Services DNSLB health check, configure your network firewall to allow connections to the IP addresses specified in the table below:

GeographyIP Addresses
All Geographies18.142.173.13
All Geographies13.214.108.35
All Geographies13.215.164.186
All Geographies3.72.163.92
All Geographies3.123.183.172
All Geographies3.67.212.129
All Geographies35.176.105.69
All Geographies18.168.190.181
All Geographies35.176.214.241
All Geographies54.146.175.34
All Geographies52.0.217.222
All Geographies34.239.223.87
All Geographies52.34.2.190
All Geographies44.227.27.164
All Geographies35.84.99.9

F5 Distributed Cloud Customer Edge Sites

New Secure Mesh v2 Sites

Public IPv4 Address for Site Registration and Updates

For provisioning of F5 Distributed Cloud CE sites using the new Secure Mesh workflow, configure your network firewall to allow connections to the IP address specified in the table below:

GeographyProtocolPortIP Address
All GeographiesTCP443159.60.141.140

Public Domains for Site Registration and Updates

For provisioning of F5 Distributed Cloud CE sites using the new Secure Mesh workflow, configure your network firewall/proxy to allow connections to the public domains specified in the table below:

ServiceProtocolPortDomain AddressNotes
F5 Distributed CloudTCP443*.volterra.ioThis specifies the F5 Distributed Cloud domains.
Docker RegistryTCP443docker.io
docker.com		These specify the domains for the Docker Registry.
Google RegistryTCP443gcr.io
storage.googleapis.com		These specify the domains for the Google Registry.
Red Hat RegistryTCP443update.release.core.os.net
quay.io		These specify the domains for the Red Hat Registry.
Webroot URL Classification DatabaseTCP443api.bcti.brightcloud.com
cc-whitelist.s3.amazonaws.com
api.bcss.brightcloud.com
api-dualstack.bcti.brightcloud.com
localdb-url-daily.brightcloud.com
localdb-url-rtu.brightcloud.com
localdb-ip-daily.brightcloud.com
localdb-ipv6-daily.brightcloud.com
localdb-ip-rtu.brightcloud.com
waferdatasetsprod.blob.core.windows.net		These specify the domains for the Webroot URL classification database.

Important: We have removed all third-party wildcard domains. The only wildcard domain is to a domain owned by F5.

Public IPv4 Addresses for Connecting to F5 Distributed Cloud Regional Edges

Configure your network firewall to allow connections to the IP address ranges specified for Regional Edges. See section Public IPv4 Subnet Ranges for F5 Regional Edges.

Default DNS for Site Registration and Updates

For provisioning of F5 Distributed Cloud CE sites using the new Secure Mesh (v2) workflow, configure your network firewall to allow connections to the Google DNS IP addresses specified in the table below.

Important: You can use custom DNS servers while creating a CE site. Refer to the Create Secure Mesh Site v2 document for instructions. If you use custom DNS servers, then these firewall requirements are not required.

IP AddressPort
8.8.8.853
8.8.4.453

Default NTP for Site Registration and Updates

For provisioning of F5 Distributed Cloud CE sites using the new Secure Mesh (v2) workflow, configure your network firewall to allow connections to the Google NTP IP addresses specified in the table below.

Important: You can use custom NTP servers while creating a CE site. Refer to the Create Secure Mesh Site v2 document for instructions. If you use custom NTP servers, then these firewall requirements are not required.

IP AddressPort
216.239.35.4123
216.239.35.8123
216.239.35.12123
216.239.35.0123

Older Customer Edge Sites

Public IPv4 Address Ranges for Container Registries

To allow the Distributed Cloud Services CEs to use various container registries, configure your network firewall to allow connections to the IP address ranges specified in the table below:

GeographyIP Address Ranges
All Geographies23.158.32.48/29
All Geographies84.54.60.0/29
All Geographies84.54.61.48/29
All Geographies84.54.62.48/29
All Geographies103.135.56.48/29
All Geographies103.135.56.176/29
All Geographies103.135.57.48/29
All Geographies103.135.58.0/29
All Geographies103.135.58.128/29
All Geographies103.135.59.0/29
All Geographies159.60.164.0/29
All Geographies159.60.166.0/29
All Geographies185.56.154.0/29
All Geographies185.94.142.0/29
All Geographies185.94.143.0/29
All Geographies185.160.8.152/29
All Geographies185.160.8.160/29
All Geographies185.160.8.168/29
All Geographies185.160.8.176/29
All Geographies193.16.236.64/29
All Geographies193.16.236.88/29
All Geographies193.16.236.104/29

Public IPv4 Address Ranges for Site Registration and Updates

To provision legacy CE sites, you must allow the following public IPv4 address ranges, especially if your firewall does not support domain-based permissions.

Additionally, note that port 65500 is reserved for local UI and API access, so you may want to consider blocking or allowing this port as needed.

Important: IP addresses have the potential to change without F5 being aware of it. For this reason, using domain-based permissions is the preferred method rather than using this list.

Configure your network firewall to allow connections to the public IPv4 address ranges specified in the table below:

GeographyIP Address Ranges
All Geographies20.33.0.0/16
All Geographies74.125.0.0/16
All Geographies18.64.0.0/10
All Geographies52.223.128.0/18
All Geographies20.152.0.0/15
All Geographies13.107.238.0/24
All Geographies142.250.0.0/15
All Geographies20.34.0.0/15
All Geographies52.192.0.0/12
All Geographies52.208.0.0/13
All Geographies52.223.0.0/17
All Geographies18.32.0.0/11
All Geographies3.208.0.0/12
All Geographies13.107.237.0/24
All Geographies20.36.0.0/14
All Geographies52.222.0.0/16
All Geographies52.220.0.0/15
All Geographies3.0.0.0/9
All Geographies100.64.0.0/10
All Geographies54.88.0.0/16
All Geographies52.216.0.0/14
All Geographies108.177.0.0/17
All Geographies20.40.0.0/13
All Geographies54.64.0.0/11
All Geographies172.253.0.0/16
All Geographies20.64.0.0/10
All Geographies20.128.0.0/16
All Geographies172.217.0.0/16
All Geographies173.194.0.0/16
All Geographies20.150.0.0/15
All Geographies20.48.0.0/12
All Geographies72.19.3.0/24
All Geographies18.128.0.0/9
All Geographies23.20.0.0/14
All Geographies13.104.0.0/14
All Geographies13.96.0.0/13
All Geographies13.64.0.0/11
All Geographies13.249.0.0/16
All Geographies34.192.0.0/10
All Geographies3.224.0.0/12
All Geographies54.208.0.0/13
All Geographies54.216.0.0/14
All Geographies108.156.0.0/14
All Geographies54.144.0.0/12
All Geographies54.220.0.0/15
All Geographies54.192.0.0/12
All Geographies54.160.0.0/11
All Geographies3.143.6.187/32

Public Domains

To use F5 Distributed Cloud Services, configure your network firewall to allow connections to the public domains specified in the table below:

LocationProtocolPortAddressNotes
F5 Distributed CloudTCP80, 443*.ves.volterra.io
downloads.volterra.io		This specifies the F5 Distributed Cloud domain.
F5 Distributed Cloud AI Model UpdatesTCP80, 443*.blob.core.windows.netThis specifies the domain for obtaining the AI model updates.
Azure RegistryTCP80, 443volterra.azurecr.io
vesio.azureedge.net
*.azure.com		This specifies the domain for the Azure Registry.
MicrosoftTCP80, 443*.microsoftonline.comThis specifies the Microsoft domains.
AWSTCP80, 443*.amazonaws.comThis specifies AWS domains.
Docker RegistryTCP80, 443docker.io
docker.com		This specifies the domain for the Docker Registry.
Google RegistryTCP80, 443*.gcr.io
gcr.io
storage.googleapis.com		This specifies the domain for the Google Registry.
Red Hat RegistryTCP80, 443update.release.core.os.net
quay.io
This specifies the domain for the Red Hat Registry.
Webroot URL Classification DatabaseTCP80, 443api.bcti.brightcloud.com
cc-whitelist.s3.amazonaws.com
api.bcss.brightcloud.com
api-dualstack.bcti.brightcloud.com
localdb-url-daily.brightcloud.com
localdb-url-rtu.brightcloud.com
localdb-ip-daily.brightcloud.com
localdb-ipv6-daily.brightcloud.com
localdb-ip-rtu.brightcloud.com		This specifies the domain for the Webroot URL classification database.
CDN DomainsUDP53traffic-router-0.cdn-gc.ves.volterra.io
traffic-router-1.cdn-gc.ves.volterra.io
cdn.ves.volterra.io		Domains for F5 Distributed Cloud Content Delivery Network.

Default DNS for Site Registration and Updates

For provisioning of F5 Distributed Cloud CE sites, configure your network firewall to allow connections to the Google DNS IP addresses specified in the table below, if you are not using your own enterprise DNS server:

IP AddressPort
8.8.8.853
8.8.4.453

Default NTP for Site Registration and Updates

For provisioning of F5 Distributed Cloud CE sites, configure your network firewall to allow connections to the Google NTP server IP addresses specified in the table below, if you are not using your own enterprise NTP server:

IP AddressPort
216.239.35.4123
216.239.35.8123
216.239.35.12123
216.239.35.0123

F5 Bot Defense

To use the Distributed Cloud Services Bot Defense Standard, configure your network firewall to allow connections to the IP addresses specified in the table below:

IP AddressPort
ibd-webus.fastcache.netTCP Port 443
ibd-webemea.fastcache.netTCP Port 443
ibd-webapac.fastcache.netTCP Port 443
On this page: