IP allow lists

How to manage your IP and domain allow lists related to SonarQube Cloud.

Restricting the IP allow list for SonarQube Cloud

This feature requires the Enterprise license and is currently in beta, subject to the terms here.

For SonarQube Cloud enterprises using Single Sign-On (SSO) authentication, access can be restricted to an allowed list of IP addresses. This restriction applies to the SSO user authentication and to the tokens generated by SSO users.

While the IP allow list feature is in beta, the defined IP range will not block the following:

API access using Scoped Organization Tokens.
Smart notifications in SonarQube for IDE when connected to SonarQube Cloud.
Update of the Latest activity view on the project overview page for logged-in users.

To authenticate with SonarQube Cloud, the analysis step of your CI pipeline will be subject to this restriction. This means you need to allow the IP address(es) of your CI-based runner.

Proceed as follows:

Retrieve your enterprise. For more details, see Retrieving and viewing your enterprise.
Go to Administration > IP allow list.
Enter the allowed IP addresses separated by a comma. Both IPv4 and IPv6 addresses with or without CIDR notation are supported. Examples:
- 192.0.2.0
- 198.51.100.0/24
- 2001:0db8:130f:0000:0000:09c0:876a:130b
- 2001:db8:130f::9c0:876a:130b
- 2001:db8:abcd::/48
Select Save.

Enter the list of allowed IP addresses in the box to restrict access to your SonarQube Cloud enterprise to this list.

IP addresses used by SonarQube Cloud

SonarQube Cloud currently allows the following static IP addresses for outgoing calls to supported DevOps platforms (GitHub, GitLab, Azure DevOps, and BitBucket Cloud). You must ensure these IP addresses are allowed for your DevOps platform service.

3.68.134.44
3.74.220.70
3.74.69.101
18.196.105.168
3.122.211.192
35.158.229.250
3.253.125.212/30

For GitHub users, we have added those addresses to our GitHub App for SonarQube Cloud, so they will be automatically applied if you have selected the Enable IP allow list configuration for installed GitHub Apps option for your GitHub organization.

In addition, SonarQube Cloud’s authentication service may connect from one of the IP addresses listed here. You must ensure the appropriate IP addresses are allowed for your identity provider (DevOps platform service or SSO) based on your use case.

If your network is secured with a firewall or proxy server

If you can’t access SonarQube Cloud on your network and your pipeline is hosted within an organization that is secured with a firewall or proxy server, you must add certain IP addresses and domain URLs to the allowed external destinations. To do this, add to your firewall an outbound rule that allows the following domain URLs:

sonarcloud.io and *.sonarcloud.io, which would cover notifications.sonarcloud.io used for web sockets.
analysis-sensorcache-eu-central-1-prod.s3.amazonaws.com
app.getbeamer.com for the latest news on SonarQube Cloud.
sonarsource.com (if logged out, users are redirected here).
docs.sonarsource.com to view the product documentation. In addition, *.sonarsource.com would provide access to additional content sometimes referenced in the docs.

PreviousAdvanced administration NextDesign and Architecture

Last updated 4 hours ago

Was this helpful?