This document lists the domains and IP addresses that must be whitelisted for both ingress and egress. To ensure secure access to our services, whitelist the domains and IP addresses outlined below; they are required for accessing functionality within our system.
Your firewall must support stateful connection tracking. A stateless firewall will drop the return packets from HiddenLayer's endpoints, causing TLS handshake failures and connection resets even if an outbound allow rule is in place.
Firewall rules must allow both GET and POST methods to all domains listed below. Method-based filtering that permits GET but blocks POST will prevent interaction data from being submitted to the console.
For broad access to all environments, you can whitelist the following wildcard domain. This covers all necessary subdomains for general access.
| Domain |
|---|
| *.hiddenlayer.ai |
For more fine-grained control, the following service-specific subdomains should be whitelisted:
Console Access — used for accessing the management console.
| Region | Domain |
|---|---|
| US | console.us.hiddenlayer.ai |
| EU | console.eu.hiddenlayer.ai |
API Access — used for interacting with our APIs and submitting interaction data.
| Region | Domain |
|---|---|
| US | api.us.hiddenlayer.ai |
| EU | api.eu.hiddenlayer.ai |
Authentication Access — used for authentication and authorization services.
| Region | Domain |
|---|---|
| US | auth.us.hiddenlayer.ai |
| EU | auth.eu.hiddenlayer.ai |
The non-suffixed domains api.hiddenlayer.ai and auth.hiddenlayer.ai are aliases that default to the US region and are equivalent to api.us.hiddenlayer.ai and auth.us.hiddenlayer.ai. Use the region-specific subdomains for consistency across US and EU deployments.
Please ensure that outbound connections to the following IP addresses are permitted. These IPs correspond to our critical infrastructure and must be allowed for proper service operation.
Some IPs below are managed by third-party infrastructure providers (AWS Global Accelerator and Cloudflare) and may change without notice. Domain-based whitelisting is always preferred for long-term stability. Use IP-based rules only if domain whitelisting is not available in your environment.
Authentication — auth.hiddenlayer.ai
| IP Address | Provider |
|---|---|
| 75.2.71.215 | AWS Global Accelerator (FusionAuth) |
| 99.83.245.24 | AWS Global Accelerator (FusionAuth) |
API — api.hiddenlayer.ai
| IP Address | Provider |
|---|---|
| 104.18.26.19 | Cloudflare |
| 104.18.27.19 | Cloudflare |
| Symptom | Likely Cause | Action |
|---|---|---|
| Connection reset by peer after TLS Client Hello on auth.hiddenlayer.ai | Auth endpoint IP not whitelisted | Whitelist auth.hiddenlayer.ai or its IPs |
| ConnectError on token refresh in pod logs | auth.hiddenlayer.ai blocked | Verify auth endpoint is reachable from inside the cluster |
| GET requests to api.hiddenlayer.ai succeed but POST fails | Method-based firewall rule blocking POST | Ensure all HTTP methods are permitted, not just GET |
| Error submitting to MLDR in pod logs | api.hiddenlayer.ai POST blocked | Verify POST is permitted on api.hiddenlayer.ai |
| Interactions not appearing in the console | MLDR submission failing silently | Confirm POST is permitted on api.hiddenlayer.ai |
| Connection resets despite domain being whitelisted | Non-stateful firewall dropping return packets | Confirm firewall has stateful connection tracking enabled |
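
An added example, not HiddenLayer's own tooling: a Python probe, run from a host behind the firewall, that sends GET and POST to each region-specific hostname listed above and flags the patterns from the troubleshooting table. It assumes that any HTTP status code means the request crossed the firewall (no intercepting proxy answering on the endpoint's behalf); the request path `/` and all function names are illustrative.

```python
import http.client
import socket
import sys

# Region-specific hostnames copied from the tables on this page.
ENDPOINTS = {
    "US": ["console.us.hiddenlayer.ai", "api.us.hiddenlayer.ai", "auth.us.hiddenlayer.ai"],
    "EU": ["console.eu.hiddenlayer.ai", "api.eu.hiddenlayer.ai", "auth.eu.hiddenlayer.ai"],
}

def https_request(host, method, timeout=10):
    """Send one HTTPS request to "/" (arbitrary path) and return the status code."""
    conn = http.client.HTTPSConnection(host, 443, timeout=timeout)
    try:
        conn.request(method, "/", body=b"" if method == "POST" else None)
        return conn.getresponse().status
    finally:
        conn.close()

def probe(host, method, request=https_request):
    """Classify one request; the status value itself does not matter here."""
    try:
        return f"passed (HTTP {request(host, method)})"
    except socket.gaierror:
        return "blocked: DNS lookup failed"
    except (socket.timeout, TimeoutError):
        return "blocked: timed out"
    except ConnectionResetError:  # also covers a peer closing without a reply
        return "blocked: connection reset"
    except (OSError, http.client.HTTPException) as exc:  # TLS and other errors
        return f"blocked: {type(exc).__name__}"

def check_region(region, request=https_request):
    """Probe GET and POST on every hostname for a region and list findings."""
    hosts = ENDPOINTS[region]
    results = {(h, m): probe(h, m, request) for h in hosts for m in ("GET", "POST")}
    findings = []
    for host in hosts:
        get_ok = results[(host, "GET")].startswith("passed")
        post_ok = results[(host, "POST")].startswith("passed")
        if get_ok and not post_ok:
            findings.append(f"{host}: GET passes but POST fails; check for method-based filtering")
        elif not get_ok:
            findings.append(f"{host}: {results[(host, 'GET')]}; check allow rule and stateful tracking")
    return results, findings

if __name__ == "__main__":
    region = sys.argv[1] if len(sys.argv) > 1 else "US"
    print("\n".join(check_region(region)[1] or ["all probes passed"]))
```

Run it from the same network segment (or pod) as the workload, since firewall policy often differs per source.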