PagerDuty supports safelisting IP addresses, however, we’d like to highlight that this method of ensuring webhook delivery security is no longer best practice. We have added TLS 1.2 and custom headers to our webhooks which will ensure webhooks are delivered from PagerDuty. If you are migrating away from using IP safelisting and have questions about PagerDuty’s webhook deliverability, please contact our Support team.
The EU Service Region
Please make sure to safelist IPs resolving to the URLs corresponding to [your service region] (doc:service-regions) (currently available regions are US and EU).
PagerDuty’s Events API, which is used for triggering, acknowledging and resolving incidents, requires that your system be able to make outbound connections to
events.pagerduty.com on TCP port 443 (for HTTPS).
events.eu.pagerduty.com resolve to multiple IPs, which you can find by querying the A records using
$ dig a +short events.pagerduty.com 220.127.116.11 18.104.22.168 22.214.171.124
In this example, you see that the Events API is accessible in the US region at the IPs
$ dig a +short events.eu.pagerduty.com 126.96.36.199 188.8.131.52 184.108.40.206
In this example, you see that the Events API is accessible in the EU region at the IPs
To access our REST API, your system must be able to make outbound connections to
api.eu.pagerduty.com on TCP port 443. Our REST API only allows HTTPS connections; for security’s sake, HTTP connections are not allowed.
$ dig a +short api.pagerduty.com 220.127.116.11 18.104.22.168 22.214.171.124
Taking the example of the US service region, you see that the REST API is accessible at the IPs
$ dig a +short api.eu.pagerduty.com 126.96.36.199 188.8.131.52 184.108.40.206
Taking the example of the EU service region, you see that the REST API is accessible at the IPs
The EU Service Region
Customers using REST API-based integrations may need to safelist IPs resolving to both
Webhooks are HTTP or HTTPS calls sent from PagerDuty to your web server on the IP and port of your choosing. Please see the current list of IPs that PagerDuty uses to send webhooks in our developer documentation, Webhook IPs.
You should not expect the IP addresses in the developer documentation Webhook IPs to change, as they are a fixed list of IPs. This means you can safely hardcode them into your firewall or ACL.
Prior to May 5th, 2022 the list of Webhooks IPs was subject to change without notice. With that in mind, we provided a couple scripts to notify you and automatically update EC2 security groups when that happened. Since you should not expect Webhook IPs to change, we’ve removed reference to these scripts and they’ve been retired.
If you are using the Jira Server integration, depending on the service region for your account, you will also need to add the address records of
app.eu.pagerduty.com to any sort of safelist that controls network egress traffic; this integration will make API calls to PagerDuty that go directly to the hostname of your account's service region.
Updated about 1 year ago