IP allowlists

Adding IPs to the allowlist prevents the hijacking of traffic to and from Workato by a malicious website.

Traffic from Workato

Traffic from Workato uses the following IP address. Each data center uses a unique set of IP addresses.

US Data Center

52.5.142.59, 34.226.132.221, 52.54.43.157

EU Data Center

3.65.225.246, 3.66.45.94, 18.198.249.58

JP Data Center

52.193.168.95, 13.113.30.44, 18.176.45.101

SG Data Center

13.215.42.244, 18.141.131.114, 52.74.226.121

AU Data Center

54.253.214.156, 13.236.115.248, 13.238.90.15

You can add these IP addresses to your application or firewall allowlist. Add all three IP addresses to ensure continuous access.

Example allowlist configuration

If you have a recipe that accesses a MySQL server that runs on an Amazon EC2 machine, with a special integrationuser user, you can run the following SQL command on your database to allowlist the Workato IP addresses:

GRANT ALL ON db1.*
TO 'integrationuser'@'52.5.142.59',
'integrationuser'@'34.226.132.221',
'integrationuser'@'52.54.43.157';

Traffic to Workato

On-premise agent

Workato's on-premise agent (OPA) provides a secure selective access from Workato to customer-authorized on-prem apps, databases, and folders without having to open inbound ‘ports’ in the corporate firewall.

The OPA makes an outbound connection to the Workato cloud's on-premise gateways with the following domain names and IP addresses.

Each data center uses a unique set of IP addresses.

All Workato IP addresses use TCP port 443.

On-premise Gateway addresses for OPA version 2.11.0 or newer

If you are using OPA version 2.11.0 or newer, add the following addresses to the allowlist. Note that you must use both the sg3 and sg4 versions for load balancing.

United States: US Data Center

FQDN

sg3.workato.com

sg4.workato.com

IPs

54.224.75.148, 52.206.161.203, 52.204.114.159

54.91.65.247, 54.221.112.165, 3.216.209.184

European Union: EU Data Center

FQDN

sg3.eu.workato.com

sg4.eu.workato.com

IPs

3.123.148.167, 18.192.102.156, 52.29.133.142

3.72.205.158, 18.156.149.92, 52.58.222.49

Japan: JP Data Center

FQDN

sg3.jp.workato.com

sg4.jp.workato.com

IPs

35.79.205.155, 52.199.27.57, 35.78.12.221

3.113.210.186, 3.113.92.57, 54.92.47.124

Singapore: SG Data Center

FQDN

sg3.sg.workato.com

sg4.sg.workato.com

IPs

52.76.214.244, 13.215.168.151, 54.255.216.78

52.221.44.179, 52.221.46.218, 18.138.33.21

Australia: AU Data Center

FQDN

sg3.au.workato.com

sg4.au.workato.com

IPs

13.239.42.137, 3.105.83.213, 13.210.248.78

54.206.76.14, 13.211.112.228, 3.24.233.233

On-premise gateway addresses for OPA versions older than 2.11.0

If you are using an OPA version older than 2.11.0, please add the following addresses to the allowlist. The Japan, Singapore, and Australia data centers do not offer support for the older OPA versions. Note that you must use the sg, sg1, and sg2 versions (when available) for load balancing.

United States: US Data Center

FQDN

sg.workato.com

sg1.workato.com

sg2.workato.com

IPs

34.192.94.13, 34.195.128.7, 34.226.84.130

50.16.101.13, 54.84.241.116, 34.237.50.149

34.204.129.29, 34.228.172.35, 54.83.143.113

European Union: EU Data Center

FQDN

sg1.eu.workato.com

sg2.eu.workato.com

IPs

18.193.100.169, 3.65.178.110, 18.198.138.101

52.57.169.138, 3.65.171.53, 54.93.132.62

On-premise gateway IP address allowlist

If your organization has strict outbound traffic rules, you have to enable OPA's access to the Workato cloud by adding it to the allowlist.

Firewall allowlists must allow outbound TCP connections from the OPA to port 443, as indicated earlier in this article, based on the OPA version.

DNS resolution of FQDNs

Some organizations also restrict DNS resolutions in the machines and networks where the OPA runs. Ensure that the machine where OPA runs can resolve the IP addresses of the On-premise gateway's FQDNs.

Custom APIM domains

When using custom domains for API recipes, Workato routes client traffic to the following set of IP addresses. Each data center uses a unique set of IP addresses.

US Data Center

18.211.121.35, 34.232.254.255, 52.203.235.136

EU Data Center

3.127.182.4, 3.64.168.57, 3.66.114.67

JP Data Center

18.177.63.189, 52.194.114.232, 52.196.96.189

SG Data Center

18.136.28.27, 13.215.62.220, 13.214.235.186

AU Data Center

13.236.168.184, 13.238.90.32, 3.24.69.138

TLS AND HTTP STANDARDS

Refer to Security for information about supported TLS and HTTP standards for custom domain endpoints.

Static assets

Certain assets like recipe packages, profile photos, and customer adapter logos are served from a dedicated S3 bucket in your regional data center. Each data center has its own S3 bucket. Add the domain to your firewall allow list based on the data center your account is hosted in.

US Data Center

FQDN

workato-assets.s3.amazonaws.com

EU Data Center

FQDN

workato-assets-eu-2.s3.amazonaws.com

JP Data Center

FQDN

workato-assets-jp.s3.amazonaws.com

SG Data Center

FQDN

workato-assets-sg.s3.amazonaws.com

AU Data Center

FQDN

workato-assets-au.s3.amazonaws.com

Browsers, webhooks, API endpoints

All other traffic to Workato may be served by a different set of IP addresses, distinct from IP addresses discussed previously:

Browser-based user interaction and webhooks depend on the data center in which your account is located:

US Data Center

https://www.workato.com

EU Data Center

https://app.eu.workato.com/

JP Data Center

https://app.jp.workato.com

SG Data Center

https://app.sg.workato.com/

AU Data Center

https://app.au.workato.com/

API endpoint requests also depend on the data center in which your account is located:

US Data Center

https://apim.workato.com/

EU Data Center

https://apim.eu.workato.com/

JP Data Center

https://apim.jp.workato.com/

SG Data Center

https://apim.sg.workato.com/

AU Data Center

https://apim.au.workato.com/

TLS AND HTTP STANDARDS

Refer to Security for information about supported TLS and HTTP standards for API endpoints.