We strongly recommend verifying that your network allows connections to the IP addresses or domains listed in this document. If your application remains stuck in the ‘connecting’ mode or encounters network errors, review your firewall or proxy settings and update the allowlist configuration to permit connections to F5 Distributed Cloud network and associated locations such as docker registry. For automation purposes, you can download the subnet ranges and domains to be included in your network configuration by clicking here.
Public IPv4 Subnet Ranges
Configure your network firewall to allow connections from or to the IP address ranges specified in the following table:
| Geography | Protocol | Ports | IP Address | Notes |
|---|---|---|---|---|
| Americas | TCP | 80, 443 | 5.182.215.0/25 84.54.61.0/25 23.158.32.0/25 84.54.62.0/25 185.94.142.0/25 185.94.143.0/25 159.60.190.0/24 159.60.168.0/24 |
|
| UDP | 4500 | 5.182.215.0/25 84.54.61.0/25 23.158.32.0/25 84.54.62.0/25 185.94.142.0/25 185.94.143.0/25 159.60.190.0/24 |
IPSec/UDP 4500 is optional as SSL for tunneling to global network is supported. | |
| Europe | TCP | 80, 443 | 5.182.213.0/25 5.182.212.0/25 5.182.213.128/25 5.182.214.0/25 84.54.60.0/25 185.56.154.0/25 159.60.160.0/24 159.60.162.0/24 159.60.188.0/24 |
|
| UDP | 4500 | 5.182.213.0/25 5.182.212.0/25 5.182.213.128/25 5.182.214.0/25 84.54.60.0/25 185.56.154.0/25 159.60.160.0/24 159.60.162.0/24 159.60.188.0/24 |
IPSec/UDP 4500 is optional as SSL for tunneling to global network is supported. | |
| Asia | TCP | 80, 443 | 103.135.56.0/25 103.135.57.0/25 103.135.56.128/25 103.135.59.0/25 103.135.58.128/25 103.135.58.0/25 159.60.189.0/24 159.60.166.0/24 159.60.164.0/24 |
|
| UDP | 4500 | 103.135.56.0/25 103.135.57.0/25 103.135.56.128/25 103.135.59.0/25 103.135.58.128/25 103.135.58.0/25 159.60.189.0/24 159.60.166.0/24 159.60.164.0/24 |
IPSec/UDP 4500 is optional as SSL for tunneling to global network is supported. |
Public IPs for Secondary DNS zone transfer
Allow the following IP addresses for successful zone transfers if you use the F5 Distributed Cloud DNS zone management service:
- 52.14.213.208
- 3.140.118.214
Public IPs for Global Log Receiver
Allow the following IP ranges for successful functioning of the global log receiver:
- 193.16.236.68/32
- 185.160.8.156/32
Public IPs for DNSLB Health Checks
- 18.142.173.13
- 13.214.108.35
- 13.215.164.186
- 3.72.163.92
- 3.123.183.172
- 3.67.212.129
- 35.176.105.69
- 18.168.190.181
- 35.176.214.241
- 54.146.175.34
- 52.0.217.222
- 34.239.223.87
- 52.34.2.190
- 44.227.27.164
- 35.84.99.9
Public IPs for Container Registries
Also, ensure that you allow the following ranges to enable access to the various container registries:
- 23.158.32.48/29
- 84.54.60.0/29
- 84.54.61.48/29
- 84.54.62.48/29
- 103.135.56.48/29
- 103.135.56.176/29
- 103.135.57.48/29
- 103.135.58.0/29
- 103.135.58.128/29
- 103.135.59.0/29
- 159.60.164.0/29
- 159.60.166.0/29
- 185.56.154.0/29
- 185.94.142.0/29
- 185.94.143.0/29
- 185.160.8.152/29
- 185.160.8.160/29
- 185.160.8.168/29
- 185.160.8.176/29
- 193.16.236.64/29
- 193.16.236.88/29
- 193.16.236.104/29
Allowed Domains
Add the following domains to your allowlist to enable firewall or proxy to allow connections from or to the domains:
| Location | Protocol | Port | Address | Notes |
|---|---|---|---|---|
| F5 Distributed Cloud | TCP | 80, 443 | *.ves.volterra.io downloads.volterra.io |
This specifies the F5 Distributed Cloud domain. |
| F5 Distributed Cloud AI Model Updates | TCP | 80, 443 | *.blob.core.windows.net | This specifies the domain for obtaining the AI model updates. |
| Azure Registry | TCP | 80, 443 | volterra.azurecr.io vesio.azureedge.net *.azure.com |
This specifies the domain for the Azure Registry. |
| Microsoft | TCP | 80, 443 | *.microsoftonline.com | This specifies the Microsoft domains. |
| AWS | TCP | 80, 443 | *.amazonaws.com | This specifies AWS domains. |
| Docker Registry | TCP | 80, 443 | docker.io docker.com |
This specifies the domain for the Docker Registry. |
| Google Registry | TCP | 80, 443 | *.gcr.io gcr.io storage.googleapi.com |
This specifies the domain for the Google Registry. |
| Redhat Registry | TCP | 80, 443 | update.release.core-os.net quay.io |
This specifies the domain for the Redhat Registry. |
| Webroot URL Classification Database | TCP | 80, 443 | api.bcti.brightcloud.com | This specifies the domain for webroot URL classification database. |
| CDN Domains | UDP | 53 | traffic-router-0.cdn-gc.ves.volterra.io traffic-router-1.cdn-gc.ves.volterra.io cdn.ves.volterra.io |
Domains for F5 Distributed Cloud Content Delivery Network. |
IP Addresses for Site Provisioning
If your firewall does not support domain-based permissions, you can use the following list of outbound IPs that the Customer Edge (CE) Site needs to communicate with for initial provisioning. A DNS server is required for a Site to function correctly in resolving queries. Additionally, note that port 65500 is reserved for local UI and API access, so you may want to consider blocking or allowing this port as needed.
Note: IPs have the potential to change without F5 being aware of it. For this reason, using domain-based permissions is the preferred method rather than using this list.
- 20.33.0.0/16
- 74.125.0.0/16
- 18.64.0.0/10
- 52.223.128.0/18
- 20.152.0.0/15
- 13.107.238.0/24
- 142.250.0.0/15
- 20.34.0.0/15
- 52.192.0.0/12
- 52.208.0.0/13
- 52.223.0.0/17
- 18.32.0.0/11
- 3.208.0.0/12
- 13.107.237.0/24
- 20.36.0.0/14
- 52.222.0.0/16
- 52.220.0.0/15
- 3.0.0.0/9
- 100.64.0.0/10
- 54.88.0.0/16
- 52.216.0.0/14
- 108.177.0.0/17
- 20.40.0.0/13
- 54.64.0.0/11
- 172.253.0.0/16
- 20.64.0.0/10
- 20.128.0.0/16
- 172.217.0.0/16
- 173.194.0.0/16
- 20.150.0.0/15
- 20.48.0.0/12
- 72.19.3.0/24
- 18.128.0.0/9
- 23.20.0.0/14
- 13.104.0.0/14
- 13.96.0.0/13
- 13.64.0.0/11
- 13.249.0.0/16
- 34.192.0.0/10
- 3.224.0.0/12
- 54.208.0.0/13
- 54.216.0.0/14
- 108.156.0.0/14
- 54.144.0.0/12
- 54.220.0.0/15
- 54.192.0.0/12
- 54.160.0.0/11
Source:
https://docs.cloud.f5.com/docs/reference/network-cloud-ref