# Networking requirements

## Network topology

The diagram below shows the SonarQube Cloud’s network topology:

* The DevOps platform, the SonarScanner, the user (Web browser), the IDE in connected mode, and any other external system, will connect to SonarQube Cloud through the REST API. You must use a reverse proxy if you want to use HTTPS (see HTTPS below).
* An external Identity Provider (other than GitHub, Bitbucket Cloud, or GitLab) can be used with the SAML authentication method.
* SonarQube Cloud authenticates to the DevOps platform via OAuth and sends the quality gate status report via HTTP(S).
* SonarQube Cloud sends quality gate webhooks to the CI/CD platform via HTTP(S).

<figure><img src="/spaces/KXW79zfYFiA8incTvwZK/files/LFFaSoU6cA03zwGqCchB" alt="SonarQube Data Center Edition network topology"><figcaption></figcaption></figure>

{% hint style="info" %}
The CI platform may be integrated into the DevOps platform.
{% endhint %}

## IP addresses used by SonarQube Cloud <a href="#ip-addresses-used-by-sonarqube" id="ip-addresses-used-by-sonarqube"></a>

You must ensure that the IP addresses used by SonarQube Cloud are allowed on your third-party applications or services.

{% hint style="warning" %}
If you use the GitHub Enterprise Cloud's IP allow list feature, a specific configuration is required in your GitHub organization. See below.
{% endhint %}

### Outgoing traffic

Depending on whether you use the SonarQube Cloud's EU or [US instance](/sonarqube-cloud/getting-started/getting-started-in-us-region.md), you must allow the corresponding static IP addresses for outgoing traffic to supported DevOps platforms (GitHub, GitLab, Azure DevOps, and BitBucket Cloud). Ensure these IP addresses are configured as allowed on your DevOps platform service.

#### EU instance

* 3.77.79.176/28
* 3.253.125.212/30
* 18.97.201.0/29

#### US instance

* 18.97.29.56/29
* 44.215.145.4/30

### Authentication service

In addition, SonarQube Cloud’s authentication service Auth0 may connect from one of the IP addresses listed [here](https://auth0.com/docs/secure/security-guidance/data-security/allowlist). You must ensure the appropriate IP addresses are allowed for your identity provider (DevOps platform service or SSO) based on your use case.

### If using GitHub Enterprise Cloud's IP allow list

For GitHub Enterprise Cloud users, if your GitHub organization enforces a strict IP allow list, you must perform the configurations described below.

#### Allow access by GitHub App

Select the [Enable IP allow list configuration for installed GitHub Apps](https://docs.github.com/en/enterprise-cloud@latest/admin/configuration/hardening-security-for-your-enterprise/restricting-network-traffic-to-your-enterprise-with-an-ip-allow-list#allowing-access-by-github-apps) option for your GitHub organization. We have added the outgoing traffic addresses to our GitHub App for SonarQube Cloud, so they will be automatically applied if you enable this option.

#### Allow access by OAuth App

You must grant the SonarQube Cloud OAuth App a bypass of your organization's IP allow list in GitHub. To do so:

1. Go to *Your GitHub Organization* > **Settings** > **Third-party access** > **IP allow list**.
2. Locate the section for installed OAuth apps and enable bypass access for the SonarQube Cloud application.

## Domain URLs required by SonarQube Cloud

If your pipeline is hosted within an organization that is secured with a firewall or proxy server, you must add certain domain URLs to the allowed external destinations. To do this, add to your firewall an outbound rule that allows the following domain URLs depending on whether you use the SonarQube Cloud's EU or US instance.

### EU instance

* `sonarcloud.io` and `*.sonarcloud.io`, which would cover `notifications.sonarcloud.io` used for web sockets.
* `analysis-sensorcache-eu-central-1-prod.s3.amazonaws.com`
* `dna-visualization-scannerdata-eu-central-1-prod.s3.amazonaws.com`
* `app.getbeamer.com` for the latest news on SonarQube Cloud.
* `sonarsource.com` (if logged out, users are redirected here).
* `docs.sonarsource.com` to view the product documentation. In addition, `*.sonarsource.com` would provide access to additional content sometimes referenced in the docs.

### US instance

* `sonarqube.us` and `*.sonarqube.us` , which would cover `notifications.sonarqube.us` used for web sockets
* `analysis-sensorcache-us-east-1-produs1.s3.us-east-1.amazonaws.com`
* `dna-visualization-scannerdata-us-east-1-produs1.s3.amazonaws.com`
* `app.getbeamer.com` for the latest news on SonarQube Cloud
* `sonarsource.com` (if logged out, users are redirected here)
* `docs.sonarsource.com` to view the product documentation. In addition, `*.sonarsource.com` would provide access to additional content sometimes referenced in the docs.

## Related pages

* [Getting started in the US region](/sonarqube-cloud/getting-started/getting-started-in-us-region.md)
* [IP allow lists](/sonarqube-cloud/administering-sonarcloud/enterprise-security/ip-allow-lists.md)


---

# Agent Instructions: Querying This Documentation

If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question.

Perform an HTTP GET request on the current page URL with the `ask` query parameter:

```
GET https://docs.sonarsource.com/sonarqube-cloud/appendices/networking-requirements.md?ask=<question>
```

The question should be specific, self-contained, and written in natural language.
The response will contain a direct answer to the question and relevant excerpts and sources from the documentation.

Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.