# IP allowlists

Adding IPs to the allowlist prevents the hijacking of traffic to and from Workato by a malicious website.

# Traffic from Workato

Traffic from Workato uses the following IP address. Each data center uses a unqiue set of IP addresses.

US data center
52.5.142.59
34.226.132.221
52.54.43.157
EU data center
3.65.225.246
3.66.45.94
18.198.249.58
SG data center
13.215.42.244
18.141.131.114
52.74.226.121

You can add these IP addresses to your application or firewall allowlist. Add all three IP addresses to ensure continuous access.

# Example allowlist configuration

If you have a recipe that accesses a MySQL server that runs on an Amazon EC2 machine, with a special integrationuser user, you can run the following SQL command on your database to allowlist the Workato IP addresses:

GRANT ALL ON db1.*
TO 'integrationuser'@'52.5.142.59',
'integrationuser'@'34.226.132.221',
'integrationuser'@'52.54.43.157';

# Traffic to Workato

# On-premise agent

Workato's on-premise agent (OPA) provides a secure selective access from Workato to customer-authorized on-prem apps, databases, and folders without having to open inbound ‘ports’ in the corporate firewall.

The OPA makes an outbound connection to the Workato cloud's on-premise gateways with the following domain names and IP addresses.

Each data center uses a unique set of IP addresses.

All Workato IP addresses use TCP port 443.

# On-premise Gateway addresses for OPA version 2.11.0 or newer

If you are using OPA version 2.11.0 or newer, add the following addresses to the allowlist.

sg3
US data center
FQDN
sg3.workato.com
IPs
54.224.75.148
52.206.161.203
52.204.114.159
EU data center
FQDN
sg3.eu.workato.com
IPs
3.123.148.167
18.192.102.156
52.29.133.142
SG data center
FQDN
sg3.sg.workato.com
IPs
52.76.214.244
13.215.168.151
54.255.216.78
sg4
US data center
FQDN
sg4.workato.com
IPs
54.91.65.247
54.221.112.165
3.216.209.184
EU data center
FQDN
sg4.eu.workato.com
IPs
3.72.205.158
18.156.149.92
52.58.222.49
SG data center
FQDN
sg4.sg.workato.com
IPs
52.221.44.179
52.221.46.218
18.138.33.21

# On-premise gateway addresses for OPA versions older than 2.11.0

If you are using an OPA version older than 2.11.0, please allowlist the following addresses:

sg
US data center
FQDN
sg.workato.com
IPs
34.192.94.13
34.195.128.7
34.226.84.130
EU data center
Not applicable
SG data center
Not applicable
sg1
US data center
FQDN
sg1.workato.com
IPs
50.16.101.13
4.84.241.116
34.237.50.149
EU data center
FQDN
sg1.eu.workato.com
IPs
18.193.100.169
3.65.178.110
18.198.138.101
SG data center
Not applicable
sg2
US data center
FQDN
sg2.workato.com
IPs
34.204.129.29
34.228.172.35
54.83.143.113
EU data center
FQDN
sg2.eu.workato.com
IPs
52.57.169.138
3.65.171.53
54.93.132.62
SG data center
Not applicable

# On-premise gateway IP address allowlist

If your organization has strict outbound traffic rules, you have to enable OPA's access to the Workato cloud by adding it to the allowlist.

Firewall allowlists must allow outbound TCP connections from the OPA to port 443, as indicated earlier in this article, based on the OPA version.

# DNS resolution of FQDNs

Some organizations also restrict DNS resolutions in the machines and networks where the OPA runs. Ensure that the machine where OPA runs can resolve the IP addresses of the On-premise gateway's FQDNs, as indicated earlier in this article.

# Custom APIM domains

When using custom domains for API recipes, Workato routes client traffic to the following set of IP addresses. Each data center uses a unqiue set of IP addresses.

US data center
18.211.121.35
34.232.254.255
52.203.235.136
EU data center
3.127.182.4
3.64.168.57
3.66.114.67
SG data center
18.136.28.27
13.215.62.220
13.214.235.186

# Browsers, webhooks, API endpoints

All other traffic to Workato may be served by a different set of IP addresses, distinct from IP addresses discussed previously:

  • Browser-based user interaction and webhooks are at www.workato.com.
  • API endpoint requests are at apim.workato.com.