
ZITADEL Cloud Egress IP Addresses

When configuring your firewall or network security groups, you may need to allow traffic from ZITADEL Cloud to your internal infrastructure.

This page lists the static Egress (outgoing) IP addresses used by ZITADEL Cloud regions.

When do I need this?

You need to allowlist these IP addresses if you use features where ZITADEL initiates a connection to your systems. This is commonly required for the following scenarios:

Identity Providers & Federation

If you are federating an external Identity Provider (IdP) that sits behind a firewall:

  • LDAP / Active Directory: When ZITADEL connects to your LDAP server (typically port 636 for LDAPS).
  • OIDC / OAuth: When ZITADEL connects to your IdP for:
    • Discovery: Fetching configuration from /.well-known/openid-configuration.
    • Token Exchange: Exchanging the authorization code at the token_endpoint.
    • User Info: Retrieving user details from the userinfo_endpoint.
    • Keys: Fetching signing keys from the jwks_uri.
  • SAML: When ZITADEL needs to fetch the metadata.xml from, or reach the artifact resolution service of, an internal SAML IdP.

Notification Providers

  • SMTP: If you configured a custom SMTP sender pointing to your own mail server.
  • Webhook / HTTP provider: If you use a custom gateway for SMS or email.

Custom Logic

IP Addresses by Region

We recommend allowing the IP address corresponding to the region where your ZITADEL instance is hosted.

Region          Egress IP Address
Switzerland     34.65.158.196
Europe          34.107.19.72
United States   34.69.146.246
Australia       34.87.243.23
Tip: To find out which region your ZITADEL Cloud instance is running in, check the ZITADEL Customer Portal.
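
An added example (not part of the ZITADEL documentation): a Python check that audits inbound allow rules for one service port against the recommendation above, confirming that your region's egress IP is admitted and flagging rules that are wider than a single host or that admit another region's IP. The `(source_cidr, dest_port)` rule format, the function name and the sample rules are assumptions made for illustration.

```python
import ipaddress

# Egress IPs copied from the table on this page.
ZITADEL_EGRESS = {
    "Switzerland": "34.65.158.196",
    "Europe": "34.107.19.72",
    "United States": "34.69.146.246",
    "Australia": "34.87.243.23",
}

def audit_rules(rules, region, port):
    """Audit inbound allow rules for `port` against the region's egress IP.

    rules: iterable of (source_cidr, dest_port) tuples (hypothetical format).
    Returns (reachable, findings). reachable is True when some rule admits the
    region's egress IP. findings lists (cidr, reason) for rules that are wider
    than one host or that admit only a different region's egress IP.
    """
    egress = ipaddress.ip_address(ZITADEL_EGRESS[region])
    others = {r: ipaddress.ip_address(ip)
              for r, ip in ZITADEL_EGRESS.items() if r != region}
    reachable, findings = False, []
    for cidr, dport in rules:
        if dport != port:
            continue  # rule is for a different service
        net = ipaddress.ip_network(cidr, strict=False)
        if egress in net:
            reachable = True
            if net.num_addresses > 1:
                findings.append(
                    (cidr, f"admits {net.num_addresses} addresses, only {egress} is needed"))
        for other_region, ip in others.items():
            if net.num_addresses == 1 and ip in net:
                findings.append(
                    (cidr, f"allows {other_region} egress IP, instance is in {region}"))
    return reachable, findings

# Constructed sample rules for an LDAPS listener on port 636.
SAMPLE_RULES = [
    ("34.107.19.72/32", 636),  # exact match for the Europe region
    ("34.0.0.0/8", 636),       # far wider than one egress IP
    ("34.87.243.23/32", 636),  # Australia egress IP, not this instance's region
    ("0.0.0.0/0", 443),        # other port, outside this audit
]

if __name__ == "__main__":
    ok, issues = audit_rules(SAMPLE_RULES, "Europe", 636)
    print("egress IP admitted:", ok)
    for cidr, reason in issues:
        print(f"  {cidr}: {reason}")
```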
