Forums

Articles
Create
cancel
Showing results for 
Search instead for 
Did you mean: 

Jira Cloud Firewall Allowlist – Are These Domains Sufficient If We Only Use Jira?

DIDA KHARISMA AKBAR
July 5, 2026

Hello Atlassian Community,

I am reviewing the firewall allowlist requirements described in the Atlassian documentation:

IP addresses and domains for Atlassian cloud apps

Our organization only uses Jira Cloud (we are not using Confluence, Bitbucket, Trello, Opsgenie, etc.).

To minimize the number of domains that must be whitelisted on our firewall, I would like to confirm whether allowing the following domains is sufficient for Jira to function properly, including user authentication, issue management, attachments, notifications, and general UI functionality.

1. Atlassian domains

*.atl-paas.net
*.atlassian.com
*.ss-inf.net
{our-instance}.atlassian.net
*.jira.com

2. Partner domains

*.cloudfront.net
*.awswaf.com
*.cookielaw.org
*.googleapis.com

Questions

  1. If we only use Jira Cloud, are the domains listed above sufficient for normal Jira operation?
  2. Are there any additional domains that should be allowlisted for:
    • User authentication (Atlassian accounts / SSO)
  3. Has anyone successfully implemented a minimal Jira-only firewall allowlist and can share the required domains?

Thank you for your help.

3 answers

1 vote
Marc -Devoteam-
Community Champion
July 5, 2026

Hi @DIDA KHARISMA AKBAR 

Adding to the remarks from @Germán Morales _ Hiera 

If you want to use AI, in relation to all connections between the apps and external MCSP or connections, you will need to add the following to:

And for new app functionality, this includes Jira/Confluence

  • *.launchdarkly.com
  • *.optimizely.com
  • api.statsig.com

  • statsigapi.net

  • events.statsigapi.net

  • prodregistryv2.org

  • featureassets.org

And for error or bug checking on your instance:

  • *.sentry-cdn.com

  • *.ingest.sentry.io

Simply said, you will miss-out on functionality and options, by not adding these as well.

0 votes
Gabriela
I'm New Here
I'm New Here
Those new to the Atlassian Community have posted less than three times. Give them a warm welcome!
July 5, 2026

Hi @DIDA KHARISMA AKBAR

Germán and Marc are right that your list is missing entries (recaptcha, gravatar, LaunchDarkly, Sentry, Statsig, teamwork-graph). Rather than hand-maintaining it, which will always drift, pull from Atlassian's own maintained reference. It's split into an Atlassian domains section and a Partner domains section, and every partner entry the two of them named comes straight from there, so it stays current as Atlassian adds services. There's also a machine-readable IP feed at ip-ranges.atlassian.com plus an SNS topic you can subscribe to for change alerts.

On SSO: the bot-check/login domains are already in that list, but your actual IdP endpoints (Okta, Entra ID, etc.) aren't Atlassian's to publish; allowlist those per your identity provider's docs.

IP addresses and domains for Atlassian cloud products

0 votes
Germán Morales _ Hiera
Atlassian Partner
July 5, 2026

@DIDA KHARISMA AKBAR  that page isn't split into per product lists, but each row in the Atlassian domains table says which product uses it. *.atl-paas.net, *.atlassian.com and *.ss-inf.net are tagged for all apps, *.jira.com is tagged Jira and Confluence, so structurally you have the right subset. One difference from the source though: the official row is the wildcard *.atlassian.net, not a single {our-instance}.atlassian.net, worth switching to the wildcard in case Jira loads anything from another *.atlassian.net subdomain beyond your own site.

Two gaps in your Partner domains section are worth adding even for a Jira only setup, since the doc doesn't tie them to any specific product:

  • recaptcha.net, *.recaptcha.net, recaptcha.google.com and *.gstatic.com, used for bot checks during login
  • *.gravatar.com and *.wp.com, used for generic user avatars

The rest of that table, LaunchDarkly, Segment, Sentry, Statsig, Pendo, Intercom, PubNub, Slack edge, isn't marked optional per product either. It backs feature flagging, analytics and error tracking across the UI, blocking it won't necessarily break login but I wouldn't assume it's safe to drop just because you're not running Confluence or Bitbucket.

One config detail the article calls out directly: a rule for *.atlassian.com also has to permit the bare atlassian.com, not just its subdomains, or things fail silently. And since the IP ranges behind these domains do change, last updated April 3 2025 per the doc, if your firewall can't filter by domain you'll also need the IP ranges section of that same page, plus their AWS SNS topic for update notifications rather than a static list.

Suggest an answer

Log in or Sign up to answer
DEPLOYMENT TYPE
CLOUD
PRODUCT PLAN
PREMIUM
PERMISSIONS LEVEL
Product Admin
TAGS
AUG Leaders

Atlassian Community Events