# IP allowlists

Adding IPs to the allowlist prevents the hijacking of traffic to and from Workato by a malicious website.

## Traffic from Workato

Traffic from Workato uses the following IP addresses. Each data center uses a unique set of IP addresses.

| Data center | IP addresses |
| --- | --- |
| US | 52.5.142.59, 34.226.132.221, 52.54.43.157 |
| EU | 3.65.225.246, 3.66.45.94, 18.198.249.58 |
| JP | 52.193.168.95, 13.113.30.44, 18.176.45.101 |
| SG | 13.215.42.244, 18.141.131.114, 52.74.226.121 |

You can add these IP addresses to your application or firewall allowlist. Add all three IP addresses to ensure continuous access.

### Example allowlist configuration

If you have a recipe that accesses a MySQL server running on an Amazon EC2 machine with a dedicated `integrationuser` user, you can run the following SQL command on your database to allowlist the Workato IP addresses:

```sql
-- Grant access on db1 to integrationuser when it connects from the
-- Workato US data center IP addresses.
GRANT ALL ON db1.*
TO 'integrationuser'@'52.5.142.59',
   'integrationuser'@'34.226.132.221',
   'integrationuser'@'52.54.43.157';
```

## Traffic to Workato

### On-premise agent

Workato's on-premise agent (OPA) provides secure, selective access from Workato to customer-authorized on-prem apps, databases, and folders without having to open inbound ports in the corporate firewall.

The OPA makes an outbound connection to the Workato cloud's on-premise gateways with the following domain names and IP addresses.

Each data center uses a unique set of IP addresses.

All Workato IP addresses use TCP port 443.

#### On-premise gateway addresses for OPA version 2.11.0 or newer

If you are using OPA version 2.11.0 or newer, add the following addresses to the allowlist. Note that you must use both the sg3 and sg4 versions for load balancing.

| Data center | FQDN | IPs |
| --- | --- | --- |
| United States: US data center | sg3.workato.com<br>sg4.workato.com | 54.224.75.148, 52.206.161.203, 52.204.114.159<br>54.91.65.247, 54.221.112.165, 3.216.209.184 |
| European Union: EU data center | sg3.eu.workato.com<br>sg4.eu.workato.com | 3.123.148.167, 18.192.102.156, 52.29.133.142<br>3.72.205.158, 18.156.149.92, 52.58.222.49 |
| Japan: JP data center | sg3.jp.workato.com<br>sg4.jp.workato.com | 35.79.205.155, 52.199.27.57, 35.78.12.221<br>3.113.210.186, 3.113.92.57, 54.92.47.124 |
| Singapore: SG data center | sg3.sg.workato.com<br>sg4.sg.workato.com | 52.76.214.244, 13.215.168.151, 54.255.216.78<br>52.221.44.179, 52.221.46.218, 18.138.33.21 |

#### On-premise gateway addresses for OPA versions older than 2.11.0

If you are using an OPA version older than 2.11.0, add the following addresses to the allowlist. Neither the Japan nor the Singapore data center supports the older OPA versions. Note that you must use the sg, sg1, and sg2 versions (when available) for load balancing.

| Data center | FQDN | IPs |
| --- | --- | --- |
| United States: US data center | sg.workato.com<br>sg1.workato.com<br>sg2.workato.com | 34.192.94.13, 34.195.128.7, 34.226.84.130<br>50.16.101.13, 4.84.241.116, 34.237.50.149<br>34.204.129.29, 34.228.172.35, 54.83.143.113 |
| European Union: EU data center | sg1.eu.workato.com<br>sg2.eu.workato.com | 18.193.100.169, 3.65.178.110, 18.198.138.101<br>52.57.169.138, 3.65.171.53, 54.93.132.62 |

#### On-premise gateway IP address allowlist

If your organization has strict outbound traffic rules, you must enable the OPA's access to the Workato cloud by adding the on-premise gateway addresses to the allowlist.

Firewall allowlists must allow outbound TCP connections from the OPA to port 443, as indicated earlier in this article, based on the OPA version.

#### DNS resolution of FQDNs

Some organizations also restrict DNS resolution on the machines and networks where the OPA runs. Ensure that the machine where the OPA runs can resolve the on-premise gateway FQDNs to their IP addresses, as indicated earlier in this article.
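
A preflight check for the two requirements above (outbound allowlist and DNS resolution), as an added example that is not Workato's own tooling: run on the OPA host, it reports any gateway FQDN that fails to resolve or that resolves to an address missing from the allowlist. It assumes the US data center with OPA 2.11.0 or newer; the function names and the `drift` / `dns_blocked` labels are hypothetical.

```python
import socket
import sys

# US data center, OPA 2.11.0 or newer; values copied from this page.
GATEWAY_FQDNS = ["sg3.workato.com", "sg4.workato.com"]
ALLOWLISTED_IPS = {
    "54.224.75.148", "52.206.161.203", "52.204.114.159",
    "54.91.65.247", "54.221.112.165", "3.216.209.184",
}
GATEWAY_PORT = 443


def system_resolver(fqdn):
    """Resolve fqdn to IPv4 addresses with the host's own DNS settings."""
    infos = socket.getaddrinfo(fqdn, GATEWAY_PORT, family=socket.AF_INET,
                               type=socket.SOCK_STREAM)
    return sorted({info[4][0] for info in infos})


def check_gateways(fqdns, allowlist, resolver=system_resolver):
    """Map each FQDN to a status plus the addresses behind that status.

    "dns_blocked": the name did not resolve (restricted DNS on the host).
    "drift": it resolved to an address the firewall allowlist lacks.
    "ok": every resolved address is on the allowlist.
    """
    report = {}
    for fqdn in fqdns:
        try:
            resolved = resolver(fqdn)
        except OSError:  # socket.gaierror is a subclass of OSError
            resolved = []
        unlisted = [ip for ip in resolved if ip not in allowlist]
        if not resolved:
            status = "dns_blocked"
        elif unlisted:
            status = "drift"
        else:
            status = "ok"
        report[fqdn] = {"status": status, "resolved": resolved, "unlisted": unlisted}
    return report


if __name__ == "__main__":
    result = check_gateways(GATEWAY_FQDNS, ALLOWLISTED_IPS)
    for name, entry in result.items():
        print(f"{name}: {entry['status']} resolved={entry['resolved']} "
              f"unlisted={entry['unlisted']}")
    # Non-zero exit lets a deployment script or monitor act on a failure.
    sys.exit(0 if all(e["status"] == "ok" for e in result.values()) else 1)
```

A `drift` result means the firewall allowlist and the DNS answers disagree, so compare both against the current tables before changing either.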

### Custom APIM domains

When using custom domains for API recipes, Workato routes client traffic to the following set of IP addresses. Each data center uses a unique set of IP addresses.

| Data center | IP addresses |
| --- | --- |
| US | 18.211.121.35, 34.232.254.255, 52.203.235.136 |
| EU | 3.127.182.4, 3.64.168.57, 3.66.114.67 |
| JP | 18.177.63.189, 52.194.114.232, 52.196.96.189 |
| SG | 18.136.28.27, 13.215.62.220, 13.214.235.186 |

### Browsers, webhooks, API endpoints

All other traffic to Workato may be served by a different set of IP addresses, distinct from the IP addresses discussed previously:

  • Browser-based user interaction and webhooks are at www.workato.com.
  • API endpoint requests are at apim.workato.com.