ContextQMD
Back to Zitadel

ZITADEL Cloud Egress IP Addresses

apps/docs/content/guides/manage/cloud/egress.mdx

5.0.0-base2.1 KB
Original Source

When configuring your firewall or network security groups, you may need to allow traffic from ZITADEL Cloud to your internal infrastructure.

This page lists the static Egress (outgoing) IP addresses used by ZITADEL Cloud regions.

When do I need this?

You need to allowlist these IP addresses if you use features where ZITADEL initiates a connection to your systems. This is commonly required for the following scenarios:

Identity Providers & Federation

If you are federating an external Identity Provider (IdP) that sits behind a firewall:

  • LDAP / Active Directory: When ZITADEL connects to your LDAP server (typically port 636 for LDAPS).
  • OIDC / OAuth: When ZITADEL connects to your IdP for:
    • Discovery: Fetching configuration from /.well-known/openid-configuration.
    • Token Exchange: Exchanging the authorization code at the token_endpoint.
    • User Info: Retrieving user details from the userinfo_endpoint.
    • Keys: Fetching signing keys from the jwks_uri.
  • SAML: If ZITADEL needs to fetch the metadata.xml or artifact resolution services from an internal SAML IdP.

Notification Providers

  • SMTP: If you configured a custom SMTP sender pointing to your own mail server.
  • Webhook / HTTP provider: If you use a custom gateway for SMS or Emails.

Custom Logic

IP Addresses by Region

We recommend allowing the IP address corresponding to the region where your ZITADEL instance is hosted.

RegionEgress IP Address
Switzerland34.65.158.196
Europe34.107.19.72
United States34.69.146.246
Australia34.87.243.23
<Callout type="info">

To find out which region your ZITADEL Cloud instance is running in, check the ZITADEL Customer Portal.

</Callout>