# IP whitelists
IP whitelisting allows you to ensure traffic to/from Workato is not hijacked by a malicious website.
# Traffic from Workato
Traffic from Workato that is hosted in the US datacenter comes through the following IP addresses:
- 52.5.142.59
- 34.226.132.221
- 52.54.43.157
Traffic from Workato that is hosted in the EU datacenter comes through the following IP addresses:
- 3.65.225.246
- 3.66.45.94
- 18.198.249.58
You can add these IP addresses to your application/firewall whitelist. Add all three IP addresses to the whitelist to ensure continuous access.
# Example whitelist configuration
If you have a recipe that accesses a MySQL server running on an Amazon EC2 machine, with a special user called integrationuser, you can run the following SQL command on your database to whitelist the Workato IP addresses.
GRANT ALL ON db1.*
TO 'integrationuser'@'52.5.142.59',
'integrationuser'@'34.226.132.221',
'integrationuser'@'52.54.43.157';
# Traffic to Workato
# On-premise agent
Workato's on-premise agent (OPA) provides a secure way for Workato to selectively access customer-authorized on-prem apps, databases, and folders without having to open inbound ‘ports’ in the corporate firewall.
The OPA makes an outbound connection to the Workato cloud's on-premise gateways using a small number of hostnames/IP addresses.
| Host name | IP Addresses | TCP port | Notes |
|---|---|---|---|
sg1.workato.com | 50.16.101.13 54.84.241.116 34.237.50.149 | 443 | |
sg1.eu.workato.com | 18.193.100.169 3.65.178.110 18.198.138.101 | 443 | For customers accessing Workato in the EU datacenter |
sg2.workato.com | 34.204.129.29 34.228.172.35 54.83.143.113 | 443 | |
sg2.eu.workato.com | 52.57.169.138 3.65.171.53 54.93.132.62 | 443 | For customers accessing Workato in the EU datacenter |
sg.workato.com | 34.192.94.13 34.195.128.7 34.226.84.130 | 443 | |
| N/A | 52.206.58.244 | 443 | Deprecated 28 March 2018, not used in recent OPA versions. |
If your organization has strict outbound traffic rules, you will need to whitelist the OPA's access to the Workato cloud.
# IP Addresses
Firewall whitelists should allow outbound TCP connections from the OPA to port 443 on each address listed above.
# DNS resolution of host names
Some organizations also restrict DNS hostname resolution from the machines/networks where the OPA may run. In that case, you should ensure that the machine where OPA will be running can resolve the relevant hostnames above to their corresponding IP addresses.
# Custom APIM domains
When using custom domains for API recipes in a Workato account hosted in the US datacenter, client traffic will be routed to the following set of IP addresses:
- 18.211.121.35
- 34.232.254.255
- 52.203.235.136
For a Workato account hosted in the EU datacenter, client traffic will be routed to the following set of IP addresses:
- 3.127.182.4
- 3.64.168.57
- 3.66.114.67
# General (browsers, webhooks, API endpoints)
All other traffic to Workato:
- Browser based user interaction and webhooks at
www.workato.com - API endpoint requests at
apim.workato.com
may be served by a different set of IP addresses, distinct from IP addresses mentioned in the previous sections. This set may expand and contract based on overall platform utilization, so it is not completely static.