
Network Whitelisting

This document lists the domains and IP addresses that must be whitelisted for communication between your environment and HiddenLayer. To ensure secure access to our services, whitelist them as outlined below. They are required for accessing functionality within our system and for enabling supported outbound integrations.

Stateful Firewall Required

Your firewall must support stateful connection tracking. A stateless firewall will drop the return packets from HiddenLayer's endpoints, causing TLS handshake failures and connection resets even if an outbound allow rule is in place.

All HTTP Methods Must Be Permitted

Firewall rules must allow both GET and POST methods to all domains listed below. Method-based filtering that permits GET but blocks POST will prevent interaction data from being submitted to the console.


Ingress

The following domains and IP addresses are required for connections from your environment to HiddenLayer services.

General Whitelisting Domains

For broad access to all our environments, you can whitelist the following wildcard domains. These domains cover all necessary subdomains for general access.

Non-Region Specific

Domain
*.hiddenlayer.ai

US Region

Domain
*.us.hiddenlayer.ai

EU Region

Domain
*.eu.hiddenlayer.ai

Specific Access Domains

For more fine-grained control or specific service access, the following subdomains should be whitelisted.

Console Access — This domain is used for accessing the management console.

Region | Domain
US     | console.us.hiddenlayer.ai
EU     | console.eu.hiddenlayer.ai

API Access — This domain is used for interacting with our APIs and submitting interaction data.

Region | Domain
US     | api.us.hiddenlayer.ai
EU     | api.eu.hiddenlayer.ai

Authentication Access — This domain is used for authentication and authorization services.

Region | Domain
US     | auth.us.hiddenlayer.ai
EU     | auth.eu.hiddenlayer.ai

Region-Specific Endpoints

The non-suffixed domains api.hiddenlayer.ai and auth.hiddenlayer.ai are aliases that default to the US region and are equivalent to api.us.hiddenlayer.ai and auth.us.hiddenlayer.ai. Use the region-specific subdomains for consistency across US and EU deployments.

IP Addresses

If domain-based whitelisting is not available in your environment, the following IP addresses can be used for API and authentication access.

IPs May Change

Some IPs below are managed by third-party infrastructure providers (AWS Global Accelerator and Cloudflare) and may change without notice. Domain-based whitelisting is always preferred for long-term stability. Use IP-based rules only if domain whitelisting is not available in your environment.

Authentication — auth.hiddenlayer.ai

IP Address   | Provider
75.2.71.215  | AWS Global Accelerator (FusionAuth)
99.83.245.24 | AWS Global Accelerator (FusionAuth)

API — api.hiddenlayer.ai

IP Address   | Provider
104.18.26.19 | Cloudflare
104.18.27.19 | Cloudflare

Egress

The following IP addresses are used by HiddenLayer when initiating outbound connections to your environment for integrations such as webhooks and Splunk data export. Please ensure that inbound connections from these IP addresses are permitted.

IP Addresses

These IPs correspond to the public IP addresses of the NAT Gateways serving our SaaS environments.

US Region

  • 3.221.59.6
  • 34.228.90.136
  • 35.170.103.88

EU Region

  • 3.66.107.41
  • 3.77.95.231
  • 18.185.151.6

Troubleshooting

Symptom | Likely Cause | Action
Connection reset by peer after TLS Client Hello on auth.hiddenlayer.ai | Auth endpoint IP not whitelisted | Whitelist auth.hiddenlayer.ai or its IPs
ConnectError on token refresh in pod logs | auth.hiddenlayer.ai blocked | Verify auth.hiddenlayer.ai is reachable from inside the cluster
GET requests to api.hiddenlayer.ai succeed but POST fails | Method-based firewall rule blocking POST | Ensure all HTTP methods are permitted, not just GET
Error submitting to MLDR in pod logs | api.hiddenlayer.ai POST blocked | Verify POST is permitted on api.hiddenlayer.ai
Interactions not appearing in the console | MLDR submission failing silently | Confirm POST is permitted on api.hiddenlayer.ai
Connection resets despite domain being whitelisted | Non-stateful firewall dropping return packets | Confirm your firewall has stateful connection tracking enabled
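
The checks in the table above can be run from inside the affected network as a preflight. The script below is an added example, not HiddenLayer's own tooling. It assumes that any HTTP status returned by the endpoint means the request passed the firewall, and it uses "/" as a placeholder request path; the function names are hypothetical.

```python
import http.client
import socket
import ssl

# Hostnames from the tables on this page (US region; use the "eu" names for EU).
HOSTS = ["auth.us.hiddenlayer.ai", "api.us.hiddenlayer.ai"]


def probe(host, timeout=5.0):
    """Return {'tls': bool, 'GET': status or None, 'POST': status or None}."""
    result = {"tls": False, "GET": None, "POST": None}
    try:
        ctx = ssl.create_default_context()
        with socket.create_connection((host, 443), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host):
                result["tls"] = True
    except OSError:  # DNS failure, reset, timeout or certificate error
        return result
    for method in ("GET", "POST"):
        conn = http.client.HTTPSConnection(host, timeout=timeout)
        try:
            # "/" is a placeholder path (assumption); only transport success matters.
            conn.request(method, "/", body=b"{}" if method == "POST" else None)
            result[method] = conn.getresponse().status
        except (OSError, http.client.HTTPException):
            pass  # leave the status as None: the request never got an answer
        finally:
            conn.close()
    return result


def diagnose(host, result):
    """Map a probe result onto the rows of the Troubleshooting table."""
    if not result["tls"]:
        return (f"{host}: TLS handshake failed; whitelist the domain or its IPs "
                "and confirm stateful connection tracking")
    get_ok = result["GET"] is not None
    post_ok = result["POST"] is not None
    if get_ok and not post_ok:
        return f"{host}: GET succeeds but POST fails; method-based rule blocking POST"
    if not (get_ok and post_ok):
        return f"{host}: HTTP request failed after TLS; not a case in the table"
    return f"{host}: reachable (GET {result['GET']}, POST {result['POST']})"


if __name__ == "__main__":
    for h in HOSTS:
        print(diagnose(h, probe(h)))
```

Run it from the same network segment, or the same pod, as the workload that talks to HiddenLayer, since firewall rules often differ between segments.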