The PagerDuty Events APIs, which are used for triggering, acknowledging, and resolving incidents, requires that your system be able to make outbound connections to events.pagerduty.com on TCP port 443 (for HTTPS).
events.pagerduty.com resolves to multiple IPs, which you can find by querying the A records using
$ dig a +short events.pagerduty.com events.gslb.pagerduty.com. 188.8.131.52 184.108.40.206 220.127.116.11
In this example, you see that the Events API is accessible at the IPs 18.104.22.168, 22.214.171.124, and 126.96.36.199.
To access our REST API, your system must be able to make outbound connections to
api.pagerduty.com on TCP port 443. Our REST API only allows HTTPS connections; HTTP connections are not allowed for security.
api.pagerduty.com usually resolve to multiple IPs as well, however these IPs will be different than the ones used for our Events API or webhooks.
$ dig a +short api.pagerduty.com 188.8.131.52 184.108.40.206 220.127.116.11
In this example, you see that the REST API is accessible at the IPs 18.104.22.168, 22.214.171.124, and 126.96.36.199.
Webhooks are HTTP or HTTPS calls sent from PagerDuty to your web server on the IP and port of your choosing. The current list of IPs that our webhooks are sent from can be obtained via a HTTPS GET request to the following URL:
The response will be a JSON-encoded list of IP addresses.
curl -s https://app.pagerduty.com/webhook_ips ["188.8.131.52","184.108.40.206","220.127.116.11","18.104.22.168","22.214.171.124","126.96.36.199","188.8.131.52","184.108.40.206","220.127.116.11","18.104.22.168","22.214.171.124","126.96.36.199","188.8.131.52","184.108.40.206","220.127.116.11","18.104.22.168","22.214.171.124"]
A records in the domain name
webhooks.pagerduty.com will also include a list of IP addresses from which one can expect to receive webhooks, but note that it does not cover IPs that are specific to special vendor-specific extensions, i.e. Slack, ServiceNow, MatterMost and Jira Server.
So, effectively, using the address records of
webhooks.pagerduty.com can be used to validate source IPs for generic webhooks (v1 and v2) but not other types of extensions.
These IPs can change at any time without warning.
Please be aware that the IPs above are only examples, and do not necessarily reflect the current IPs in use. If we were to change IPs and your firewall policies were not updated, you will not be able to reach our API endpoints and/or you will stop receiving webhooks from PagerDuty.
As of this writing, there is no fixed pool or dedicated prefix in which these IP addresses reside, and whenever a host in our fleet owning a given IP address is de-provisioned, the IP address is not expected to be used again by PagerDuty.
If you are hardcoding IPs into your firewall, you can use a script to receive updates when the A records for these hostnames change, or perform lookups on the aforementioned hostnames regularly to update your configurations.
If the firewall in question is an EC2 security group, this Python script (requires boto and Python 2.7 or later to run), given an IAM secret key with adequate permissions, can automatically update the security group with the necessary IP addresses to grant access.
If you are using the new Jira extension, you will also need to add the address records of
app.pagerduty.com to any sort of whitelist that controls network egress traffic; this integration makes special API calls that go through that particular hostname.