{"templateId":"markdown","sharedDataIds":{"sidebar":"sidebar-sidebars.yaml"},"props":{"metadata":{"markdoc":{"tagList":["admonition"]},"type":"markdown"},"seo":{"title":"Network Requirements","siteUrl":"https://docs.hiddenlayer.ai","llmstxt":{"hide":false,"sections":[{"title":"Table of contents","includeFiles":["**/*"],"excludeFiles":[]}],"excludeFiles":[]}},"dynamicMarkdocComponents":[],"compilationErrors":[],"ast":{"$$mdtype":"Tag","name":"article","attributes":{},"children":[{"$$mdtype":"Tag","name":"Heading","attributes":{"level":1,"id":"network-requirements","__idx":0},"children":["Network Requirements"]},{"$$mdtype":"Tag","name":"p","attributes":{},"children":["In this document you will find all of the necessary domains and IP addresses to be whitelisted for both Ingress and Egress. To ensure secure access to our services, please whitelist the domains and IP addresses as outlined below. These are necessary for accessing various functionalities within our system."]},{"$$mdtype":"Tag","name":"Admonition","attributes":{"type":"warning","name":"Stateful Firewall Required"},"children":[{"$$mdtype":"Tag","name":"p","attributes":{},"children":["Your firewall must support ",{"$$mdtype":"Tag","name":"strong","attributes":{},"children":["stateful connection tracking"]},". A stateless firewall will drop the return packets from HiddenLayer's endpoints, causing TLS handshake failures and connection resets even if an outbound allow rule is in place."]}]},{"$$mdtype":"Tag","name":"Admonition","attributes":{"type":"warning","name":"All HTTP Methods Must Be Permitted"},"children":[{"$$mdtype":"Tag","name":"p","attributes":{},"children":["Firewall rules must allow ",{"$$mdtype":"Tag","name":"strong","attributes":{},"children":["both GET and POST"]}," methods to all domains listed below. 
Method-based filtering that permits GET but blocks POST will prevent interaction data from being submitted to the console."]}]},{"$$mdtype":"Tag","name":"hr","attributes":{},"children":[]},{"$$mdtype":"Tag","name":"Heading","attributes":{"level":2,"id":"ingress","__idx":1},"children":["Ingress"]},{"$$mdtype":"Tag","name":"Heading","attributes":{"level":3,"id":"general-whitelisting-domains","__idx":2},"children":["General Whitelisting Domains"]},{"$$mdtype":"Tag","name":"p","attributes":{},"children":["For broad access to all environments, you can whitelist the following wildcard domain. This covers all necessary subdomains for general access, but it also matches every other subdomain of hiddenlayer.ai; for a least-privilege rule set, use the service-specific domains in the next section instead."]},{"$$mdtype":"Tag","name":"div","attributes":{"className":"md-table-wrapper"},"children":[{"$$mdtype":"Tag","name":"table","attributes":{"className":"md"},"children":[{"$$mdtype":"Tag","name":"thead","attributes":{},"children":[{"$$mdtype":"Tag","name":"tr","attributes":{},"children":[{"$$mdtype":"Tag","name":"th","attributes":{"data-label":"Domain"},"children":["Domain"]}]}]},{"$$mdtype":"Tag","name":"tbody","attributes":{},"children":[{"$$mdtype":"Tag","name":"tr","attributes":{},"children":[{"$$mdtype":"Tag","name":"td","attributes":{},"children":[{"$$mdtype":"Tag","name":"code","attributes":{},"children":["*.hiddenlayer.ai"]}]}]}]}]}]},{"$$mdtype":"Tag","name":"Heading","attributes":{"level":3,"id":"specific-access-domains","__idx":3},"children":["Specific Access Domains"]},{"$$mdtype":"Tag","name":"p","attributes":{},"children":["For more fine-grained control, the following service-specific subdomains should be whitelisted:"]},{"$$mdtype":"Tag","name":"p","attributes":{},"children":[{"$$mdtype":"Tag","name":"strong","attributes":{},"children":["Console Access"]}," — used for accessing the management 
console."]},{"$$mdtype":"Tag","name":"div","attributes":{"className":"md-table-wrapper"},"children":[{"$$mdtype":"Tag","name":"table","attributes":{"className":"md"},"children":[{"$$mdtype":"Tag","name":"thead","attributes":{},"children":[{"$$mdtype":"Tag","name":"tr","attributes":{},"children":[{"$$mdtype":"Tag","name":"th","attributes":{"data-label":"Region"},"children":["Region"]},{"$$mdtype":"Tag","name":"th","attributes":{"data-label":"Domain"},"children":["Domain"]}]}]},{"$$mdtype":"Tag","name":"tbody","attributes":{},"children":[{"$$mdtype":"Tag","name":"tr","attributes":{},"children":[{"$$mdtype":"Tag","name":"td","attributes":{},"children":["US"]},{"$$mdtype":"Tag","name":"td","attributes":{},"children":[{"$$mdtype":"Tag","name":"code","attributes":{},"children":["console.us.hiddenlayer.ai"]}]}]},{"$$mdtype":"Tag","name":"tr","attributes":{},"children":[{"$$mdtype":"Tag","name":"td","attributes":{},"children":["EU"]},{"$$mdtype":"Tag","name":"td","attributes":{},"children":[{"$$mdtype":"Tag","name":"code","attributes":{},"children":["console.eu.hiddenlayer.ai"]}]}]}]}]}]},{"$$mdtype":"Tag","name":"p","attributes":{},"children":[{"$$mdtype":"Tag","name":"strong","attributes":{},"children":["API Access"]}," — used for interacting with our APIs and submitting interaction 
data."]},{"$$mdtype":"Tag","name":"div","attributes":{"className":"md-table-wrapper"},"children":[{"$$mdtype":"Tag","name":"table","attributes":{"className":"md"},"children":[{"$$mdtype":"Tag","name":"thead","attributes":{},"children":[{"$$mdtype":"Tag","name":"tr","attributes":{},"children":[{"$$mdtype":"Tag","name":"th","attributes":{"data-label":"Region"},"children":["Region"]},{"$$mdtype":"Tag","name":"th","attributes":{"data-label":"Domain"},"children":["Domain"]}]}]},{"$$mdtype":"Tag","name":"tbody","attributes":{},"children":[{"$$mdtype":"Tag","name":"tr","attributes":{},"children":[{"$$mdtype":"Tag","name":"td","attributes":{},"children":["US"]},{"$$mdtype":"Tag","name":"td","attributes":{},"children":[{"$$mdtype":"Tag","name":"code","attributes":{},"children":["api.us.hiddenlayer.ai"]}]}]},{"$$mdtype":"Tag","name":"tr","attributes":{},"children":[{"$$mdtype":"Tag","name":"td","attributes":{},"children":["EU"]},{"$$mdtype":"Tag","name":"td","attributes":{},"children":[{"$$mdtype":"Tag","name":"code","attributes":{},"children":["api.eu.hiddenlayer.ai"]}]}]}]}]}]},{"$$mdtype":"Tag","name":"p","attributes":{},"children":[{"$$mdtype":"Tag","name":"strong","attributes":{},"children":["Authentication Access"]}," — used for authentication and authorization 
services."]},{"$$mdtype":"Tag","name":"div","attributes":{"className":"md-table-wrapper"},"children":[{"$$mdtype":"Tag","name":"table","attributes":{"className":"md"},"children":[{"$$mdtype":"Tag","name":"thead","attributes":{},"children":[{"$$mdtype":"Tag","name":"tr","attributes":{},"children":[{"$$mdtype":"Tag","name":"th","attributes":{"data-label":"Region"},"children":["Region"]},{"$$mdtype":"Tag","name":"th","attributes":{"data-label":"Domain"},"children":["Domain"]}]}]},{"$$mdtype":"Tag","name":"tbody","attributes":{},"children":[{"$$mdtype":"Tag","name":"tr","attributes":{},"children":[{"$$mdtype":"Tag","name":"td","attributes":{},"children":["US"]},{"$$mdtype":"Tag","name":"td","attributes":{},"children":[{"$$mdtype":"Tag","name":"code","attributes":{},"children":["auth.us.hiddenlayer.ai"]}]}]},{"$$mdtype":"Tag","name":"tr","attributes":{},"children":[{"$$mdtype":"Tag","name":"td","attributes":{},"children":["EU"]},{"$$mdtype":"Tag","name":"td","attributes":{},"children":[{"$$mdtype":"Tag","name":"code","attributes":{},"children":["auth.eu.hiddenlayer.ai"]}]}]}]}]}]},{"$$mdtype":"Tag","name":"Admonition","attributes":{"type":"info","name":"Region-Specific Endpoints"},"children":[{"$$mdtype":"Tag","name":"p","attributes":{},"children":["The non-suffixed domains ",{"$$mdtype":"Tag","name":"code","attributes":{},"children":["api.hiddenlayer.ai"]}," and ",{"$$mdtype":"Tag","name":"code","attributes":{},"children":["auth.hiddenlayer.ai"]}," are aliases that default to the US region and are equivalent to ",{"$$mdtype":"Tag","name":"code","attributes":{},"children":["api.us.hiddenlayer.ai"]}," and ",{"$$mdtype":"Tag","name":"code","attributes":{},"children":["auth.us.hiddenlayer.ai"]},". 
Use the region-specific subdomains for consistency across US and EU deployments."]}]},{"$$mdtype":"Tag","name":"hr","attributes":{},"children":[]},{"$$mdtype":"Tag","name":"Heading","attributes":{"level":2,"id":"egress","__idx":4},"children":["Egress"]},{"$$mdtype":"Tag","name":"Heading","attributes":{"level":3,"id":"ip-addresses","__idx":5},"children":["IP Addresses"]},{"$$mdtype":"Tag","name":"p","attributes":{},"children":["Please ensure that outbound connections to the following IP addresses are permitted. These IPs correspond to our critical infrastructure and must be allowed for proper service operation."]},{"$$mdtype":"Tag","name":"Admonition","attributes":{"type":"warning","name":"IPs May Change"},"children":[{"$$mdtype":"Tag","name":"p","attributes":{},"children":["Some IPs below are managed by third-party infrastructure providers (AWS Global Accelerator and Cloudflare) and ",{"$$mdtype":"Tag","name":"strong","attributes":{},"children":["may change without notice"]},". Domain-based whitelisting is always preferred for long-term stability. 
Use IP-based rules only if domain whitelisting is not available in your environment. Addresses on a shared provider edge such as Cloudflare are typically not exclusive to one service, so an IP-based rule may also permit traffic to hosts other than HiddenLayer; review these rules whenever the published list changes."]}]},{"$$mdtype":"Tag","name":"p","attributes":{},"children":[{"$$mdtype":"Tag","name":"strong","attributes":{},"children":["Authentication — ",{"$$mdtype":"Tag","name":"code","attributes":{},"children":["auth.hiddenlayer.ai"]}]}]},{"$$mdtype":"Tag","name":"div","attributes":{"className":"md-table-wrapper"},"children":[{"$$mdtype":"Tag","name":"table","attributes":{"className":"md"},"children":[{"$$mdtype":"Tag","name":"thead","attributes":{},"children":[{"$$mdtype":"Tag","name":"tr","attributes":{},"children":[{"$$mdtype":"Tag","name":"th","attributes":{"data-label":"IP Address"},"children":["IP Address"]},{"$$mdtype":"Tag","name":"th","attributes":{"data-label":"Provider"},"children":["Provider"]}]}]},{"$$mdtype":"Tag","name":"tbody","attributes":{},"children":[{"$$mdtype":"Tag","name":"tr","attributes":{},"children":[{"$$mdtype":"Tag","name":"td","attributes":{},"children":[{"$$mdtype":"Tag","name":"code","attributes":{},"children":["75.2.71.215"]}]},{"$$mdtype":"Tag","name":"td","attributes":{},"children":["AWS Global Accelerator (FusionAuth)"]}]},{"$$mdtype":"Tag","name":"tr","attributes":{},"children":[{"$$mdtype":"Tag","name":"td","attributes":{},"children":[{"$$mdtype":"Tag","name":"code","attributes":{},"children":["99.83.245.24"]}]},{"$$mdtype":"Tag","name":"td","attributes":{},"children":["AWS Global Accelerator (FusionAuth)"]}]}]}]}]},{"$$mdtype":"Tag","name":"p","attributes":{},"children":[{"$$mdtype":"Tag","name":"strong","attributes":{},"children":["API — 
",{"$$mdtype":"Tag","name":"code","attributes":{},"children":["api.hiddenlayer.ai"]}]}]},{"$$mdtype":"Tag","name":"div","attributes":{"className":"md-table-wrapper"},"children":[{"$$mdtype":"Tag","name":"table","attributes":{"className":"md"},"children":[{"$$mdtype":"Tag","name":"thead","attributes":{},"children":[{"$$mdtype":"Tag","name":"tr","attributes":{},"children":[{"$$mdtype":"Tag","name":"th","attributes":{"data-label":"IP Address"},"children":["IP Address"]},{"$$mdtype":"Tag","name":"th","attributes":{"data-label":"Provider"},"children":["Provider"]}]}]},{"$$mdtype":"Tag","name":"tbody","attributes":{},"children":[{"$$mdtype":"Tag","name":"tr","attributes":{},"children":[{"$$mdtype":"Tag","name":"td","attributes":{},"children":[{"$$mdtype":"Tag","name":"code","attributes":{},"children":["104.18.26.19"]}]},{"$$mdtype":"Tag","name":"td","attributes":{},"children":["Cloudflare"]}]},{"$$mdtype":"Tag","name":"tr","attributes":{},"children":[{"$$mdtype":"Tag","name":"td","attributes":{},"children":[{"$$mdtype":"Tag","name":"code","attributes":{},"children":["104.18.27.19"]}]},{"$$mdtype":"Tag","name":"td","attributes":{},"children":["Cloudflare"]}]}]}]}]},{"$$mdtype":"Tag","name":"hr","attributes":{},"children":[]},{"$$mdtype":"Tag","name":"Heading","attributes":{"level":2,"id":"troubleshooting","__idx":6},"children":["Troubleshooting"]},{"$$mdtype":"Tag","name":"div","attributes":{"className":"md-table-wrapper"},"children":[{"$$mdtype":"Tag","name":"table","attributes":{"className":"md"},"children":[{"$$mdtype":"Tag","name":"thead","attributes":{},"children":[{"$$mdtype":"Tag","name":"tr","attributes":{},"children":[{"$$mdtype":"Tag","name":"th","attributes":{"data-label":"Symptom"},"children":["Symptom"]},{"$$mdtype":"Tag","name":"th","attributes":{"data-label":"Likely Cause"},"children":["Likely 
Cause"]},{"$$mdtype":"Tag","name":"th","attributes":{"data-label":"Action"},"children":["Action"]}]}]},{"$$mdtype":"Tag","name":"tbody","attributes":{},"children":[{"$$mdtype":"Tag","name":"tr","attributes":{},"children":[{"$$mdtype":"Tag","name":"td","attributes":{},"children":[{"$$mdtype":"Tag","name":"code","attributes":{},"children":["Connection reset by peer"]}," after TLS Client Hello on ",{"$$mdtype":"Tag","name":"code","attributes":{},"children":["auth.hiddenlayer.ai"]}]},{"$$mdtype":"Tag","name":"td","attributes":{},"children":["Auth endpoint IP not whitelisted"]},{"$$mdtype":"Tag","name":"td","attributes":{},"children":["Whitelist ",{"$$mdtype":"Tag","name":"code","attributes":{},"children":["auth.hiddenlayer.ai"]}," or its IPs"]}]},{"$$mdtype":"Tag","name":"tr","attributes":{},"children":[{"$$mdtype":"Tag","name":"td","attributes":{},"children":[{"$$mdtype":"Tag","name":"code","attributes":{},"children":["ConnectError"]}," on token refresh in pod logs"]},{"$$mdtype":"Tag","name":"td","attributes":{},"children":[{"$$mdtype":"Tag","name":"code","attributes":{},"children":["auth.hiddenlayer.ai"]}," blocked"]},{"$$mdtype":"Tag","name":"td","attributes":{},"children":["Verify auth endpoint is reachable from inside the cluster"]}]},{"$$mdtype":"Tag","name":"tr","attributes":{},"children":[{"$$mdtype":"Tag","name":"td","attributes":{},"children":["GET requests to ",{"$$mdtype":"Tag","name":"code","attributes":{},"children":["api.hiddenlayer.ai"]}," succeed but POST fails"]},{"$$mdtype":"Tag","name":"td","attributes":{},"children":["Method-based firewall rule blocking POST"]},{"$$mdtype":"Tag","name":"td","attributes":{},"children":["Ensure all HTTP methods are permitted, not just GET"]}]},{"$$mdtype":"Tag","name":"tr","attributes":{},"children":[{"$$mdtype":"Tag","name":"td","attributes":{},"children":[{"$$mdtype":"Tag","name":"code","attributes":{},"children":["Error submitting to MLDR"]}," in pod 
logs"]},{"$$mdtype":"Tag","name":"td","attributes":{},"children":[{"$$mdtype":"Tag","name":"code","attributes":{},"children":["api.hiddenlayer.ai"]}," POST blocked"]},{"$$mdtype":"Tag","name":"td","attributes":{},"children":["Verify POST is permitted on ",{"$$mdtype":"Tag","name":"code","attributes":{},"children":["api.hiddenlayer.ai"]}]}]},{"$$mdtype":"Tag","name":"tr","attributes":{},"children":[{"$$mdtype":"Tag","name":"td","attributes":{},"children":["Interactions not appearing in the console"]},{"$$mdtype":"Tag","name":"td","attributes":{},"children":["MLDR submission failing silently"]},{"$$mdtype":"Tag","name":"td","attributes":{},"children":["Confirm POST is permitted on ",{"$$mdtype":"Tag","name":"code","attributes":{},"children":["api.hiddenlayer.ai"]}]}]},{"$$mdtype":"Tag","name":"tr","attributes":{},"children":[{"$$mdtype":"Tag","name":"td","attributes":{},"children":["Connection resets despite domain being whitelisted"]},{"$$mdtype":"Tag","name":"td","attributes":{},"children":["Non-stateful firewall dropping return packets"]},{"$$mdtype":"Tag","name":"td","attributes":{},"children":["Confirm firewall has stateful connection tracking enabled"]}]}]}]}]}]},"headings":[{"value":"Network Requirements","id":"network-requirements","depth":1},{"value":"Ingress","id":"ingress","depth":2},{"value":"General Whitelisting Domains","id":"general-whitelisting-domains","depth":3},{"value":"Specific Access Domains","id":"specific-access-domains","depth":3},{"value":"Egress","id":"egress","depth":2},{"value":"IP Addresses","id":"ip-addresses","depth":3},{"value":"Troubleshooting","id":"troubleshooting","depth":2}],"frontmatter":{"seo":{"title":"Network Requirements"}},"lastModified":"2026-03-12T16:52:44.000Z","pagePropGetterError":{"message":"","name":""}},"slug":"/docs/products/runtime/network_requirements","userData":{"isAuthenticated":false,"teams":["anonymous"]},"isPublic":true}