Outbound traffic network and port requirements

The Privilege Cloud components and CyberArk Identity Connector communicate through the internet with the CyberArk cloud environment through specific FQDNs and ports which ensure that all their communication is secure and according to the CyberArk protocol.

This topic presents the FQDNs, ports and protocols that should be configured to enable these communications.


For security reasons, all communication to the Privilege Cloud service must be TLS 1.2 or higher.

Recommended communication configuration

If your organization requires outbound allowlist firewall rules, we recommend:

  • Dynamic configuration using wildcard-based dynamic firewall rules. These will cover all communication interfaces for outbound interface.

If you are unable to use dynamic configuration, setup one of the following static configurations:

  • Static configuration using Hostname of each component & port


  • Static configuration using IP of each component & port

Dynamic configuration (recommended)


Privilege Cloud uses AWS as a Certificate Authority for SSL certificates. For more details, see Amazon trust services.

Static configuration (if dynamic configuration does not apply)

Public-facing IP addresses

To secure the service, CyberArk permits inbound traffic only from specific IP addresses. Provide CyberArk support with the public-facing IP addresses for all communication between the Privilege Cloud service to the Connectors, including Secrets Manager, in order to add them to the CyberArk allowlist.

CyberArk Identity Connector configuration