Outbound traffic network and port requirements
The Privilege Cloud components communicate with the backend through specific FQDNs and ports, which ensures that all their communication is secure and follows the CyberArk protocol.
For security reasons, all communication to the Privilege Cloud service must use TLS 1.2 or higher.
Recommended communication configuration
If your organization requires outbound allowlist firewall rules, we recommend:
- Dynamic configuration using wildcard-based dynamic firewall rules. These cover all outbound communication interfaces.
If you are unable to use dynamic configuration, set up one of the following static configurations:
- Static configuration using the hostname of each component & port
-or-
- Static configuration using the IP of each component & port
Dynamic configuration (recommended)
Component | Network & port details
---|---
Privilege Cloud | FQDN: https://*.privilegecloud.cyberark.com Port/Protocol:
Cloudflare DNS and WAF | FQDN: cloudflare.com Port/Protocol: For certificate validation – 443/HTTPS
Digicert (CA for Cloudflare) | FQDN: http://ocsp.digicert.com Port/Protocol: 80/HTTP
Connector Management agent | FQDNs: where <Region> is the AWS region where Privilege Cloud is available.

Privilege Cloud uses Cloudflare as a Certificate Authority for SSL certificates. For network requirements regarding access to Cloudflare and the certificate validation process, see the Cloudflare documentation.
Static configuration (if dynamic configuration does not apply)
If you are unable to use wildcards, add the following hostnames & port, or IP & port, to your allowlist.
Static configuration is not recommended, and you may need to update this list in the future when additional services are added. If using static configuration, we recommend using hostnames and not IPs.
Component | Network & port details
---|---
Privilege Cloud Vault service backend (Required for Connector and related components: CPM, PSM, PSM for SSH, Credential Providers, Central Credential Provider) | Hostname: vault-<subdomain>.privilegecloud.cyberark.com (subdomain to be provided by CyberArk support.) IP: Provided by CyberArk support. Port: 1858/TCP. Communication over 1858/TCP is required to utilize sticky sessions and maintain the same source IP for the duration of the session.
Backend service management (Required for Secure Tunnel) | Hostname: https://console.privilegecloud.cyberark.com IP: Cloudflare IPs Port:
Connector (Required for Secure Tunnel) | Hostname: https://connector-<subdomain>.privilegecloud.cyberark.com (subdomain to be provided by CyberArk support) IP: Provided by CyberArk support Port:
Privilege Cloud portal (Required for browser access and related components) | Hostname: https://<subdomain>.privilegecloud.cyberark.com The <subdomain> is provided by CyberArk support and appears in the first section of the Privilege Cloud Portal URL. IP: Cloudflare IPs Port: 443/HTTPS
(Optional) HTML5 Gateway | Hostname: https://<subdomain>-webaccess.privilegecloud.cyberark.com (subdomain to be provided by CyberArk support) IP: Cloudflare IPs Port: 443/HTTPS
Digicert (CA for Cloudflare) | Hostname: http://ocsp.digicert.com IP: See Digicert knowledge base Port: 80/HTTP
Cloudflare | Hostname: cloudflare.com IP: cloudflare.com/ips/ See Allowing Cloudflare IP addresses Port: 443/HTTPS
Connector Management agent | Hostnames: where <Region> is the AWS region where Privilege Cloud is available.
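The dynamic and static tables above, worked through as an added example (this is not CyberArk's code or tooling): a small Python script that builds the static allowlist from a placeholder <subdomain>, shows which static hosts the dynamic wildcard rule covers and which it does not (the Cloudflare and Digicert rows are outside it, which is why the dynamic table still lists them), and probes each endpoint from a Connector host with a TLS handshake that refuses anything below TLS 1.2. The subdomain value ("example-subdomain"), the probe timeouts, and the omission of the region-dependent Connector Management agent FQDNs (the page gives only the <Region> placeholder) are assumptions; ports the page leaves blank are reported as unlisted, not guessed.

```python
"""Outbound allowlist builder and connectivity/TLS probe for the Privilege Cloud
endpoints in the two tables above. Added example, not CyberArk's code.

Assumptions: <subdomain> comes from CyberArk support ("example-subdomain" is a
constructed stand-in); ports the page leaves blank are carried as None."""
import fnmatch
import socket
import ssl

# Wildcard from the dynamic configuration table.
DYNAMIC_WILDCARD = "*.privilegecloud.cyberark.com"


def static_endpoints(subdomain):
    """(component, hostname, port, needs_tls) tuples from the static table.
    Connector Management agent hosts are omitted: the page gives only the
    <Region> placeholder, not the FQDNs themselves."""
    return [
        ("Vault backend", f"vault-{subdomain}.privilegecloud.cyberark.com", 1858, False),
        ("Backend service management", "console.privilegecloud.cyberark.com", None, True),
        ("Connector", f"connector-{subdomain}.privilegecloud.cyberark.com", None, True),
        ("Privilege Cloud portal", f"{subdomain}.privilegecloud.cyberark.com", 443, True),
        ("HTML5 Gateway (optional)", f"{subdomain}-webaccess.privilegecloud.cyberark.com", 443, True),
        ("Digicert OCSP", "ocsp.digicert.com", 80, False),
        ("Cloudflare", "cloudflare.com", 443, True),
    ]


def covered_by_wildcard(hostname, pattern=DYNAMIC_WILDCARD):
    """True if the hostname falls under the wildcard rule. fnmatch's '*' also
    matches dots, so multi-label names under the suffix are covered, while the
    bare apex and third-party hosts (cloudflare.com) are not."""
    return fnmatch.fnmatchcase(hostname.lower(), pattern.lower())


def hosts_outside_wildcard(subdomain):
    """Static hosts a wildcard-only rule would NOT allow; these still need an
    explicit allowlist entry even with dynamic configuration."""
    return [h for _, h, _, _ in static_endpoints(subdomain) if not covered_by_wildcard(h)]


def check_tcp(hostname, port, timeout=5.0):
    """Plain TCP connect; used for 1858/TCP (Vault) and 80/HTTP (OCSP)."""
    try:
        with socket.create_connection((hostname, port), timeout=timeout):
            return True
    except OSError:  # DNS failure, refused, timeout
        return False


def check_tls(hostname, port=443, timeout=5.0):
    """TLS handshake that refuses anything below TLS 1.2 and validates the
    certificate chain against the local trust store. Returns the negotiated
    version string (e.g. 'TLSv1.3'), or None on any failure."""
    ctx = ssl.create_default_context()
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    try:
        with socket.create_connection((hostname, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=hostname) as tls:
                return tls.version()
    except OSError:  # ssl.SSLError is a subclass of OSError
        return None


def run_checks(subdomain):
    """Probe every static endpoint; return (component, target, ok, detail).
    ok is None for rows whose port the page does not list."""
    results = []
    for component, host, port, needs_tls in static_endpoints(subdomain):
        if port is None:
            results.append((component, host, None,
                            "port not listed on the page; confirm with CyberArk support"))
        elif needs_tls:
            version = check_tls(host, port)
            results.append((component, f"{host}:{port}", version is not None,
                            version or "TLS 1.2+ handshake failed"))
        else:
            ok = check_tcp(host, port)
            results.append((component, f"{host}:{port}", ok, "tcp open" if ok else "tcp blocked"))
    return results


if __name__ == "__main__":
    # "example-subdomain" is a constructed placeholder; use the value from CyberArk support.
    for component, target, ok, detail in run_checks("example-subdomain"):
        status = {True: "OK  ", False: "FAIL", None: "SKIP"}[ok]
        print(f"{status} {component:<28} {target:<58} {detail}")
```

Run it on the Connector server after the firewall rules are in place. A FAIL on the vault-…:1858 row while the 443 rows pass usually means only HTTPS was opened. Python's default context validates the certificate chain but does not query OCSP itself, so an OK on a 443 row does not prove the 80/HTTP OCSP row is open; that row is probed separately with check_tcp.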
Public-facing IP addresses
To secure the service, CyberArk permits inbound traffic only from specific IP addresses. Provide CyberArk support with the public-facing IP addresses used for all communication between the Privilege Cloud service and the Connectors, including Secrets Manager, so that they can be added to the CyberArk allowlist.