Outbound traffic network and port requirements

The Privilege Cloud components communicate with the backend over specific FQDNs and ports, which ensures that all communication is secure and follows the CyberArk protocol.

For security reasons, all communication to the Privilege Cloud service must be TLS 1.2 or higher.

Recommended communication configuration

If your organization requires outbound allowlist firewall rules, we recommend:

  • Dynamic configuration using wildcard-based firewall rules. These cover all outbound communication interfaces.

If you are unable to use dynamic configuration, set up one of the following static configurations:

  • Static configuration using Hostname of each component & port

-or-

  • Static configuration using IP of each component & port

Dynamic configuration (recommended)

Component: Privilege Cloud service backend
  FQDN: https://*.privilegecloud.cyberark.com
  Port/Protocol: 443/HTTPS/TCP (for REST/API calls)
  Port/Protocol: 1858/TCP
  Communication to the backend on port 1858/TCP is supported for both sticky and non-sticky sessions.

Component: Cloudflare (DNS and WAF)
  FQDN: cloudflare.com
  Port/Protocol: 443/HTTPS (for certificate validation)

Component: Digicert (CA for Cloudflare)
  FQDN: http://ocsp.digicert.com
  Port/Protocol: 80/HTTP

Privilege Cloud uses Cloudflare as a Certificate Authority for SSL certificates. For network requirements regarding access to Cloudflare and the certificate validation process, see the Cloudflare documentation.

Static configuration (if dynamic configuration does not apply)

If you are unable to use wildcards, add the following FQDNs and ports, or IPs and ports, to your allowlist.

Static configuration is not recommended; you may need to update this list in the future when additional services are added. If you use static configuration, we recommend using FQDNs rather than IPs.

Component: Privilege Cloud Vault service backend
  (Required for Connector and related components: CPM, PSM, PSM for SSH, Credential Providers, Central Credential Provider)
  FQDN: vault-<subdomain>.privilegecloud.cyberark.com (subdomain to be provided by CyberArk support)
  IP: Provided by CyberArk support
  Port: 1858/TCP
  Communication to the backend on port 1858/TCP is supported for both sticky and non-sticky sessions.

Component: Backend service management
  (Required for Secure Tunnel)
  FQDN: https://console.privilegecloud.cyberark.com
  Port: 443/HTTPS (for REST/API calls)

Component: Connector
  (Required for Secure Tunnel)
  FQDN: https://connector-<subdomain>.privilegecloud.cyberark.com (subdomain to be provided by CyberArk support)
  IP: Provided by CyberArk support
  Port: 443/HTTPS (for REST/API calls)

Component: Privilege Cloud portal
  (Required for browser access and related components)
  FQDN: https://<subdomain>.privilegecloud.cyberark.com
  The <subdomain> is provided by CyberArk support and appears in the first section of the Privilege Cloud Portal URL.
  Port: 443/HTTPS

Component: (Optional) HTML5 Gateway
  FQDN: https://<subdomain>-webaccess.privilegecloud.cyberark.com (subdomain to be provided by CyberArk support)
  Port: 443/HTTPS

Component: Digicert (CA for Cloudflare)
  FQDN: http://ocsp.digicert.com
  IP: See Digicert knowledge base
  Port: 80/HTTP

Component: Cloudflare
  FQDN: cloudflare.com
  Port: 443/HTTPS
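
As an added example, not CyberArk's own tooling, the following Python script builds the static hostname-and-port allowlist above from a tenant subdomain and probes each endpoint from a Connector host: DNS resolution, TCP connect, and, for the HTTPS endpoints, a handshake with a client context that refuses anything below TLS 1.2. The subdomain value is a placeholder, and the 1858/TCP Vault endpoint is only tested for TCP reachability because its protocol is CyberArk's own.

```python
import socket
import ssl
from dataclasses import dataclass

SUBDOMAIN = "example-tenant"  # placeholder; the real value comes from CyberArk support

@dataclass(frozen=True)
class Endpoint:
    component: str
    host: str
    port: int
    probe_tls: bool  # True for HTTPS endpoints we can complete a handshake with

def static_allowlist(subdomain: str) -> list[Endpoint]:
    """Hostname + port allowlist, built from the static configuration table."""
    pc = "privilegecloud.cyberark.com"
    return [
        Endpoint("Vault service backend", f"vault-{subdomain}.{pc}", 1858, False),
        Endpoint("Backend service management", f"console.{pc}", 443, True),
        Endpoint("Connector", f"connector-{subdomain}.{pc}", 443, True),
        Endpoint("Privilege Cloud portal", f"{subdomain}.{pc}", 443, True),
        Endpoint("HTML5 Gateway (optional)", f"{subdomain}-webaccess.{pc}", 443, True),
        Endpoint("Digicert OCSP", "ocsp.digicert.com", 80, False),
        Endpoint("Cloudflare", "cloudflare.com", 443, True),
    ]

def tls12_context() -> ssl.SSLContext:
    """Client context enforcing the TLS 1.2-or-higher requirement for the service."""
    ctx = ssl.create_default_context()
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx

def check_endpoint(ep: Endpoint, timeout: float = 5.0) -> tuple[bool, str]:
    """Resolve, connect and (for HTTPS endpoints) handshake; return (ok, detail)."""
    try:
        with socket.create_connection((ep.host, ep.port), timeout=timeout) as sock:
            if not ep.probe_tls:  # 1858/TCP and plain-HTTP OCSP: reachability only
                return True, "TCP connect ok"
            with tls12_context().wrap_socket(sock, server_hostname=ep.host) as tls:
                return True, f"TLS ok ({tls.version()})"
    except socket.gaierror as exc:  # DNS failure (checked first: subclass of OSError)
        return False, f"DNS failure: {exc}"
    except OSError as exc:  # blocked port, reset, timeout, or TLS below 1.2 offered
        return False, f"connect/TLS failure: {exc}"

if __name__ == "__main__":
    for ep in static_allowlist(SUBDOMAIN):
        ok, detail = check_endpoint(ep)
        print(f"{'PASS' if ok else 'FAIL'} {ep.component} {ep.host}:{ep.port} {detail}")
```

A FAIL line for a 443 endpoint with a TLS error while the TCP connect succeeds usually means an intercepting proxy downgraded the session, not a firewall rule.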

Public-facing IP addresses

To secure the service, CyberArk permits inbound traffic only from specific IP addresses. Provide CyberArk support with the public-facing IP addresses used for all communication between the Privilege Cloud service and the Connectors, including Secrets Manager, so that they can be added to the CyberArk allowlist.