Networking requirements

Network topology

The diagram below shows the SonarQube Cloud’s network topology:

• The DevOps platform, the SonarScanner, the user (Web browser), the IDE in connected mode, and any other external system, will connect to SonarQube Cloud through the REST API. You must use a reverse proxy if you want to use HTTPS (see HTTPS below).

• An external Identity Provider (other than GitHub, Bitbucket Cloud, or GitLab) can be used with the SAML authentication method.

• SonarQube Cloud authenticates to the DevOps platform via OAuth and sends the quality gate status report via HTTP(S).

• SonarQube Cloud sends quality gate webhooks to the CI/CD platform via HTTP(S).

IP addresses used by SonarQube Cloud

You must ensure that the IP addresses used by SonarQube Cloud are allowed on your third-party applications or services.

Outgoing traffic

Depending on whether you use the SonarQube Cloud's EU or US instance, you must allow the corresponding static IP addresses for outgoing traffic to supported DevOps platforms (GitHub, GitLab, Azure DevOps, and BitBucket Cloud). Ensure these IP addresses are configured as allowed on your DevOps platform service.

EU instance

• 3.77.79.176/28

• 3.253.125.212/30

• 18.97.201.0/29

US instance

• 18.97.29.56/29

• 44.215.145.4/30

Authentication service

In addition, SonarQube Cloud’s authentication service Auth0 may connect from one of the IP addresses listed here. You must ensure the appropriate IP addresses are allowed for your identity provider (DevOps platform service or SSO) based on your use case.

If using GitHub Enterprise Cloud's IP allow list

For GitHub Enterprise Cloud users, if your GitHub organization enforces a strict IP allow list, you must perform the configurations described below.

Allow access by GitHub App

Select the Enable IP allow list configuration for installed GitHub Apps option for your GitHub organization. We have added the outgoing traffic addresses to our GitHub App for SonarQube Cloud, so they will be automatically applied if you enable this option.

Allow access by OAuth App

You must grant the SonarQube Cloud OAuth App a bypass of your organization's IP allow list in GitHub. To do so:

1. Go to Your GitHub Organization > Settings > Third-party access > IP allow list.

2. Locate the section for installed OAuth apps and enable bypass access for the SonarQube Cloud application.

Domain URLs required by SonarQube Cloud

If your pipeline is hosted within an organization that is secured with a firewall or proxy server, you must add certain domain URLs to the allowed external destinations. To do this, add to your firewall an outbound rule that allows the following domain URLs depending on whether you use the SonarQube Cloud's EU or US instance.

EU instance

• sonarcloud.io and *.sonarcloud.io, which would cover notifications.sonarcloud.io used for web sockets.

• analysis-sensorcache-eu-central-1-prod.s3.amazonaws.com

• dna-visualization-scannerdata-eu-central-1-prod.s3.amazonaws.com

• app.getbeamer.com for the latest news on SonarQube Cloud.

• sonarsource.com (if logged out, users are redirected here).

• docs.sonarsource.com to view the product documentation. In addition, *.sonarsource.com would provide access to additional content sometimes referenced in the docs.

US instance

• sonarqube.us and *.sonarqube.us , which would cover notifications.sonarqube.us used for web sockets

• analysis-sensorcache-us-east-1-produs1.s3.us-east-1.amazonaws.com

• dna-visualization-scannerdata-us-east-1-produs1.s3.amazonaws.com

• app.getbeamer.com for the latest news on SonarQube Cloud

• sonarsource.com (if logged out, users are redirected here)

• docs.sonarsource.com to view the product documentation. In addition, *.sonarsource.com would provide access to additional content sometimes referenced in the docs.

Related pages

• Getting started in the US region

• IP allow lists