# IP allowlists

Adding IPs to the allowlist prevents the hijacking of traffic to and from Workato by a malicious website.

# Traffic from Workato

Traffic from Workato uses the following IP address. Each data center uses a unique set of IP addresses.

US Data Center
52.5.142.59, 34.226.132.221, 52.54.43.157
EU Data Center
3.65.225.246, 3.66.45.94, 18.198.249.58
JP Data Center
52.193.168.95, 13.113.30.44, 18.176.45.101
SG Data Center
13.215.42.244, 18.141.131.114, 52.74.226.121
AU Data Center
54.253.214.156, 13.236.115.248, 13.238.90.15

You can add these IP addresses to your application or firewall allowlist. Add all three IP addresses to ensure continuous access.

# Example allowlist configuration

If you have a recipe that accesses a MySQL server that runs on an Amazon EC2 machine, with a special integrationuser user, you can run the following SQL command on your database to allowlist the Workato IP addresses:

GRANT ALL ON db1.*
TO 'integrationuser'@'52.5.142.59',
'integrationuser'@'34.226.132.221',
'integrationuser'@'52.54.43.157';

# Traffic to Workato

# On-premise agent

Workato's on-premise agent (OPA) provides a secure selective access from Workato to customer-authorized on-prem apps, databases, and folders without having to open inbound ‘ports’ in the corporate firewall.

The OPA makes an outbound connection to the Workato cloud's on-premise gateways with the following domain names and IP addresses.

Each data center uses a unique set of IP addresses.

All Workato IP addresses use TCP port 443.

# On-premise Gateway addresses for OPA version 2.11.0 or newer

If you are using OPA version 2.11.0 or newer, add the following addresses to the allowlist. Note that you must use both the sg3 and sg4 versions for load balancing.

United States: US Data Center
FQDN
sg3.workato.com
sg4.workato.com
IPs
54.224.75.148, 52.206.161.203, 52.204.114.159
54.91.65.247, 54.221.112.165, 3.216.209.184
European Union: EU Data Center
FQDN
sg3.eu.workato.com
sg4.eu.workato.com
IPs
3.123.148.167, 18.192.102.156, 52.29.133.142
3.72.205.158, 18.156.149.92, 52.58.222.49
Japan: JP Data Center
FQDN
sg3.jp.workato.com
sg4.jp.workato.com
IPs
35.79.205.155, 52.199.27.57, 35.78.12.221
3.113.210.186, 3.113.92.57, 54.92.47.124
Singapore: SG Data Center
FQDN
sg3.sg.workato.com
sg4.sg.workato.com
IPs
52.76.214.244, 13.215.168.151, 54.255.216.78
52.221.44.179, 52.221.46.218, 18.138.33.21
Australia: AU Data Center
FQDN
sg3.au.workato.com
sg4.au.workato.com
IPs
13.239.42.137, 3.105.83.213, 13.210.248.78
54.206.76.14, 13.211.112.228, 3.24.233.233

# On-premise gateway addresses for OPA versions older than 2.11.0

If you are using an OPA version older than 2.11.0, please add the following addresses to the allowlist. The Japan, Singapore, and Australia data centers do not offer support for the older OPA versions. Note that you must use the sg, sg1, and sg2 versions (when available) for load balancing.

United States: US Data Center
FQDN
sg.workato.com
sg1.workato.com
sg2.workato.com
IPs
34.192.94.13, 34.195.128.7, 34.226.84.130
50.16.101.13, 54.84.241.116, 34.237.50.149
34.204.129.29, 34.228.172.35, 54.83.143.113
European Union: EU Data Center
FQDN
sg1.eu.workato.com
sg2.eu.workato.com
IPs
18.193.100.169, 3.65.178.110, 18.198.138.101
52.57.169.138, 3.65.171.53, 54.93.132.62

# On-premise gateway IP address allowlist

If your organization has strict outbound traffic rules, you have to enable OPA's access to the Workato cloud by adding it to the allowlist.

Firewall allowlists must allow outbound TCP connections from the OPA to port 443, as indicated earlier in this article, based on the OPA version.

# DNS resolution of FQDNs

Some organizations also restrict DNS resolutions in the machines and networks where the OPA runs. Ensure that the machine where OPA runs can resolve the IP addresses of the On-premise gateway's FQDNs.

# Custom APIM domains

When using custom domains for API recipes, Workato routes client traffic to the following set of IP addresses. Each data center uses a unique set of IP addresses.

US Data Center
18.211.121.35, 34.232.254.255, 52.203.235.136
EU Data Center
3.127.182.4, 3.64.168.57, 3.66.114.67
JP Data Center
18.177.63.189, 52.194.114.232, 52.196.96.189
SG Data Center
18.136.28.27, 13.215.62.220, 13.214.235.186
AU Data Center
13.236.168.184, 13.238.90.32, 3.24.69.138

TLS AND HTTP STANDARDS

Refer to Security for information about supported TLS and HTTP standards for custom domain endpoints.

# Static assets

Certain assets like recipe packages, profile photos, and customer adapter logos are served from a dedicated S3 bucket in your regional data center. Each data center has its own S3 bucket. Add the domain to your firewall allow list based on the data center your account is hosted in.

US Data Center
FQDN
workato-assets.s3.amazonaws.com
EU Data Center
FQDN
workato-assets-eu-2.s3.amazonaws.com
JP Data Center
FQDN
workato-assets-jp.s3.amazonaws.com
SG Data Center
FQDN
workato-assets-sg.s3.amazonaws.com
AU Data Center
FQDN
workato-assets-au.s3.amazonaws.com

# Browsers, webhooks, API endpoints

All other traffic to Workato may be served by a different set of IP addresses, distinct from IP addresses discussed previously:

Browser-based user interaction and webhooks depend on the data center in which your account is located:

US Data Center
https://www.workato.com
EU Data Center
https://app.eu.workato.com/
JP Data Center
https://app.jp.workato.com
SG Data Center
https://app.sg.workato.com/
AU Data Center
https://app.au.workato.com/

API endpoint requests also depend on the data center in which your account is located:

US Data Center
https://www.apim.workato.com
EU Data Center
https://app.eu.apim.workato.com/
JP Data Center
https://app.jp.apim.workato.com
SG Data Center
https://app.sg.apim.workato.com/
AU Data Center
https://app.au.apim.workato.com/

TLS AND HTTP STANDARDS

Refer to Security for information about supported TLS and HTTP standards for API endpoints.


Last updated: 1/31/2024, 3:53:54 PM