Safelist IPs
Learn about PagerDuty's best practices for IP safelisting
Best Practice
PagerDuty supports safelisting IP addresses. However, we’d like to highlight that this method of ensuring webhook delivery security is no longer best practice. We’ve added TLS 1.2 and custom headers to our webhooks, which will ensure that webhooks deliver from PagerDuty. If you’re migrating away from using IP safelisting and have questions about PagerDuty’s webhook deliverability, please contact our Support Team.
The EU Service Region
Please make sure to safelist IPs resolving to the URLs corresponding to your service region (currently available regions are US and EU).
Events API
PagerDuty’s Events API is is used for triggering, acknowledging and resolving incidents. To access our Events API, your system must be able to make outbound connections to events.pagerduty.com
on TCP port 443 (for HTTPS).
events.pagerduty.com
and events.eu.pagerduty.com
resolve to multiple IPs, which you can find by querying the A records using dig
or nslookup
.
Example Query 1 (US)
$ dig a +short events.pagerduty.com
35.167.69.145
44.231.93.240
44.233.86.211
In this example, you see that the Events API is accessible in the US region at the IPs 35.167.69.145
, 44.231.93.240
and 44.233.86.211
.
Example Query 1 (EU)
$ dig a +short events.eu.pagerduty.com
18.159.153.65
18.198.156.244
35.159.34.57
In this example, you see that the Events API is accessible in the EU region at the IPs 18.159.153.65
, 18.198.156.244
and 35.159.34.57
.
REST API
To access our REST API, your system must be able to make outbound connections to api.pagerduty.com
and/or api.eu.pagerduty.com
on TCP port 443. Our REST API only allows HTTPS connections; for security’s sake, HTTP connections are not allowed.
api.pagerduty.com
and api.eu.pagerduty.com
resolve to multiple IPs as well, however these IPs will be different than the ones used for our Events API or webhooks.
While we don't expect the IPs used by the REST API to change often, it's possible that they will from time to time. To help with this, we provide a list of the REST API IPs. Any changes to these IPs will be reflected in that list at least 30 days before they take effect, giving you ample time to update any filtering you may have in place.
Note that while multiple IPs are listed, not all of them may be in use at a given time. To avoid interruptions, please do not use DNS lookups to determine the IPs to filter.
Webhooks
Webhooks are HTTP or HTTPS calls sent from PagerDuty to your web server on the IP and port of your choosing. Please see the current list of IPs that PagerDuty uses to send webhooks in our developer documentation, Webhook IPs.
Firewalls and Access Control Lists (ACLs)
You should not expect the IP addresses in the developer documentation Webhook IPs to change, as they are a fixed list of IPs. This means you can safely hardcode them into your firewall or ACL.
Webhook IPs
Prior to May 5th, 2022, the list of Webhooks IPs was subject to change without notice. With that in mind, we provided scripts to notify you and automatically update EC2 security groups when that happened. Since you should not expect Webhook IPs to change, we’ve removed reference to these scripts and they have been retired.
Incident Workflow Actions
Incident Workflow actions that make external HTTP requests, including Web API actions (e.g., Send GET Request, Send POST Request, etc.), will originate from the list of IP addresses in our developer documentation Webhook IPs.
Jira Server Integration
If you are using the Jira Server integration, depending on the service region for your account, you will also need to add the address records of app.pagerduty.com
or app.eu.pagerduty.com
to any sort of safelist that controls network egress traffic. This integration will make API calls to PagerDuty that go directly to the hostname of your account's service region.
Updated about 1 month ago