Hello Atlassian Community,
I am reviewing the firewall allowlist requirements described in the Atlassian documentation:
IP addresses and domains for Atlassian cloud apps
Our organization only uses Jira Cloud (we are not using Confluence, Bitbucket, Trello, Opsgenie, etc.).
To minimize the number of domains that must be whitelisted on our firewall, I would like to confirm whether allowing the following domains is sufficient for Jira to function properly, including user authentication, issue management, attachments, notifications, and general UI functionality.
*.atl-paas.net
*.atlassian.com
*.ss-inf.net
{our-instance}.atlassian.net
*.jira.com*.cloudfront.net
*.awswaf.com
*.cookielaw.org
*.googleapis.comThank you for your help.
Adding to the remarks from @Germán Morales _ Hiera
If you want to use AI, in relation to all connections between the apps and external MCSP or connections, you will need to add the following to:
*.intercomcdn.com
*.intercom.io
And for new app functionality, this includes Jira/Confluence
api.statsig.com
statsigapi.net
events.statsigapi.net
prodregistryv2.org
featureassets.org
And for error or bug checking on your instance:
*.sentry-cdn.com
*.ingest.sentry.io
Simply said, you will miss-out on functionality and options, by not adding these as well.
Germán and Marc are right that your list is missing entries (recaptcha, gravatar, LaunchDarkly, Sentry, Statsig, teamwork-graph). Rather than hand-maintaining it, which will always drift, pull from Atlassian's own maintained reference. It's split into an Atlassian domains section and a Partner domains section, and every partner entry the two of them named comes straight from there, so it stays current as Atlassian adds services. There's also a machine-readable IP feed at ip-ranges.atlassian.com plus an SNS topic you can subscribe to for change alerts.
On SSO: the bot-check/login domains are already in that list, but your actual IdP endpoints (Okta, Entra ID, etc.) aren't Atlassian's to publish; allowlist those per your identity provider's docs.
You must be a registered user to add a comment. If you've already registered, sign in. Otherwise, register and sign in.
@DIDA KHARISMA AKBAR that page isn't split into per product lists, but each row in the Atlassian domains table says which product uses it. *.atl-paas.net, *.atlassian.com and *.ss-inf.net are tagged for all apps, *.jira.com is tagged Jira and Confluence, so structurally you have the right subset. One difference from the source though: the official row is the wildcard *.atlassian.net, not a single {our-instance}.atlassian.net, worth switching to the wildcard in case Jira loads anything from another *.atlassian.net subdomain beyond your own site.
Two gaps in your Partner domains section are worth adding even for a Jira only setup, since the doc doesn't tie them to any specific product:
The rest of that table, LaunchDarkly, Segment, Sentry, Statsig, Pendo, Intercom, PubNub, Slack edge, isn't marked optional per product either. It backs feature flagging, analytics and error tracking across the UI, blocking it won't necessarily break login but I wouldn't assume it's safe to drop just because you're not running Confluence or Bitbucket.
One config detail the article calls out directly: a rule for *.atlassian.com also has to permit the bare atlassian.com, not just its subdomains, or things fail silently. And since the IP ranges behind these domains do change, last updated April 3 2025 per the doc, if your firewall can't filter by domain you'll also need the IP ranges section of that same page, plus their AWS SNS topic for update notifications rather than a static list.
You must be a registered user to add a comment. If you've already registered, sign in. Otherwise, register and sign in.
You must be a registered user to add a comment. If you've already registered, sign in. Otherwise, register and sign in.