IP allowlists

You can add IPs to the allowlist to prevent a malicious website from hijacking traffic to and from Workato.

VIRTUAL PRIVATE WORKATO (VPW) CUSTOMERS

This page provides general guidance for all Workato users. If you're a Virtual Private Workato (VPW) customer, refer to your private documentation for detailed configuration guidance specific to your instances.

Traffic from Workato

Traffic from Workato uses a unique set of IP addresses for each data center:

US data center

52.5.142.59, 34.226.132.221, 52.54.43.157

EU data center

3.65.225.246, 3.66.45.94, 18.198.249.58

JP data center

52.193.168.95, 13.113.30.44, 18.176.45.101

SG data center

13.215.42.244, 18.141.131.114, 52.74.226.121

AU data center

54.253.214.156, 13.236.115.248, 13.238.90.15

You can add these IP addresses to your application or firewall allowlist. Add all three IP addresses to ensure continuous access.

Example allowlist configuration

If you have a recipe that accesses a MySQL server that runs on an Amazon EC2 machine, with a special integrationuser user, you can run the following SQL command on your database to add Workato IP addresses to the allowlist:

GRANT ALL ON db1.*
TO 'integrationuser'@'52.5.142.59',
'integrationuser'@'34.226.132.221',
'integrationuser'@'52.54.43.157';

Traffic to Workato

On-premise agent

Workato's on-premise agent (OPA) provides secure selective access from Workato to customer-authorized on-prem apps, databases, and folders without having to open inbound ‘ports’ in the corporate firewall.

The OPA creates an outbound connection to the Workato cloud's on-premise gateways with the following domain names and IP addresses.

Each data center uses a unique set of IP addresses.

All Workato IP addresses use TCP port 443.

On-premise gateway addresses

If you are using OPA version 2.11.0 or later, add the following addresses to the allowlist. Note that you must use both the sg3 and sg4 versions for load balancing.

United States: US data center

FQDN

sg3.workato.com

sg4.workato.com

IPs

54.224.75.148, 52.206.161.203, 52.204.114.159

54.91.65.247, 54.221.112.165, 3.216.209.184

European Union: EU data center

FQDN

sg3.eu.workato.com

sg4.eu.workato.com

IPs

3.123.148.167, 18.192.102.156, 52.29.133.142

3.72.205.158, 18.156.149.92, 52.58.222.49

Japan: JP data center

FQDN

sg3.jp.workato.com

sg4.jp.workato.com

IPs

35.79.205.155, 52.199.27.57, 35.78.12.221

3.113.210.186, 3.113.92.57, 54.92.47.124

Singapore: SG data center

FQDN

sg3.sg.workato.com

sg4.sg.workato.com

IPs

52.76.214.244, 13.215.168.151, 54.255.216.78

52.221.44.179, 52.221.46.218, 18.138.33.21

Australia: AU data center

FQDN

sg3.au.workato.com

sg4.au.workato.com

IPs

13.239.42.137, 3.105.83.213, 13.210.248.78

54.206.76.14, 13.211.112.228, 3.24.233.233

On-premise gateway IP address allowlist

If your organization has strict outbound traffic rules, you must enable OPA's access to the Workato cloud by adding it to the allowlist.

Firewall allowlists must allow outbound TCP connections from the OPA to port 443 based on the OPA version.

DNS resolution of FQDNs

Some organizations also restrict DNS resolutions on the machines and networks where the OPA runs. Ensure that the machine running OPA can resolve the IP addresses of the on-premise gateway's FQDNs.

Custom APIM domains

When using custom domains for API recipes, Workato routes client traffic to the following set of IP addresses. Each data center uses a unique set of IP addresses.

US data center

18.211.121.35, 34.232.254.255, 52.203.235.136

EU data center

3.127.182.4, 3.64.168.57, 3.66.114.67

JP data center

18.177.63.189, 52.194.114.232, 52.196.96.189

SG data center

18.136.28.27, 13.215.62.220, 13.214.235.186

AU data center

13.236.168.184, 13.238.90.32, 3.24.69.138

TLS AND HTTP STANDARDS

Refer to Security for information about supported TLS and HTTP standards for custom domain endpoints.

Static assets

Certain assets like recipe packages, profile photos, and customer adapter logos are served from a dedicated S3 bucket in your regional data center. Each data center has its own S3 bucket. Add the domain to your firewall allowlist based on the data center your account is hosted in.

US data center

FQDN

workato-assets.s3.amazonaws.com

EU data center

FQDN

workato-assets-eu-2.s3.amazonaws.com

JP data center

FQDN

workato-assets-jp.s3.amazonaws.com

SG data center

FQDN

workato-assets-sg.s3.amazonaws.com

AU data center

FQDN

workato-assets-au.s3.amazonaws.com

Browsers, webhooks, API endpoints

All other traffic to Workato may be served by a different set of IP addresses, distinct from IP addresses discussed previously:

Browser-based user interaction and webhooks depend on the data center where your account is located:

US data center

https://www.workato.com

EU data center

https://app.eu.workato.com/

JP data center

https://app.jp.workato.com

SG data center

https://app.sg.workato.com/

AU data center

https://app.au.workato.com/

API endpoint requests depend on the data center where your account is located:

US data center

https://apim.workato.com/

EU data center

https://apim.eu.workato.com/

JP data center

https://apim.jp.workato.com/

SG data center

https://apim.sg.workato.com/

AU data center

https://apim.au.workato.com/

TLS AND HTTP STANDARDS

See Security for more information about supported TLS and HTTP standards for API endpoints.