Allowlisting Celonis domain names, IP addresses, and third-party domains
This page provides information on adding IP addresses and domains to your firewall allowlist for the Celonis Platform, which are required to connect to and from your data sources. Review all items in Before you start before making changes to your firewall allowlist.
Before you start
This section includes important information related to configuring allowlisting for Celonis IP addresses and domains. Review all items before making changes to your firewall allowlist.
Celonis does not recommend using IP allowlisting for Celonis IPs as destination. Instead, if your firewall allows filtering rules, Celonis recommends allowlisting fully qualified domain names (FQDNs), such as <teamname>.<realm>.celonis.cloud.
Note
FQDNs are preferred over IP addresses in allowlists because they support dynamic resolution, enabling load balancing, failover, and cloud infrastructure changes without manual updates.
IP addresses used for Celonis IPs as origin are subject to change with a two-week notice. These notices are posted in the Celonis Platform release notes.
Important
If you rely on IP allowlisting, this may require ongoing maintenance and can lead to service interruptions if the allowlist is not updated when IPs change. Additionally, system administrators may need to add both global and realm-specific Celonis IPs to your organization's allowlist.
If you restrict the domains that users' web browsers can access, you may also need to allowlist specific third-party domains used by Celonis, in addition to your Celonis Team FQDN. For more information, see Third-party domains.
Important
If you do not add these domains, parts of the Celonis Platform will not be available.
If you are using a BICC connector, any IP address changes require you to update the fingerprint for the service account.
Important
If the fingerprint is not updated when IP address changes occur, data extractions will fail until the fingerprint is updated.
To check the status of Celonis services, go to https://status.celonis.com/.
Celonis IPs as destination
If you need to allowlist Celonis Platform IP addresses, instead of using FQDNs, for sending data to Celonis Platform (such as when using Celonis Uplink Extractors or sending extracted data via Data Push API), add the IP addresses below to your firewall allowlist, based on your IP protocol stack:
Important
If you are using a dual-stack configuration, add both the IPv4 and IPv6 address lists to your firewall allowlist to avoid connectivity issues when DNS resolves to either protocol.
Celonis IPv4 destination addresses
Comma-separated:
162.159.140.65,172.66.0.65,172.65.64.56,172.65.64.57
Newline-separated:
162.159.140.65
172.66.0.65
172.65.64.56
172.65.64.57
Celonis IPv6 destination addresses
Comma-separated:
2606:4700:7::41,2a06:98c1:58::41,2606:4700:78::4,2606:4700:78::5
Newline-separated:
2606:4700:7::41
2a06:98c1:58::41
2606:4700:78::4
2606:4700:78::5
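The dual-stack requirement above can be checked mechanically. The following is an added example, not Celonis code: it compares the destination addresses published on this page against an exported firewall allowlist and reports, per address family, which ones no entry covers. The allowlist export format (one address or CIDR per line, `#` comments) and the sample rules are assumptions constructed for illustration.

```python
import ipaddress

# Destination addresses as published on this page (comma-separated form).
CELONIS_V4 = "162.159.140.65,172.66.0.65,172.65.64.56,172.65.64.57"
CELONIS_V6 = "2606:4700:7::41,2a06:98c1:58::41,2606:4700:78::4,2606:4700:78::5"

# Constructed sample of an egress allowlist export (hypothetical format:
# one address or CIDR per line, '#' starts a comment).
SAMPLE_ALLOWLIST = """
# egress to Celonis
162.159.140.65
172.66.0.65
172.65.64.56/31
2606:4700:7::41
2606:4700:78::4/127   # covers ::4 and ::5
"""

def parse_allowlist(text):
    """Return the list of ip_network objects found in an allowlist export."""
    nets = []
    for line in text.splitlines():
        entry = line.split("#", 1)[0].strip()
        if entry:
            nets.append(ipaddress.ip_network(entry, strict=False))
    return nets

def missing_destinations(allowlist_text, dual_stack=True):
    """Map 'ipv4'/'ipv6' to published addresses no allowlist entry covers."""
    nets = parse_allowlist(allowlist_text)
    published = {"ipv4": CELONIS_V4}
    if dual_stack:
        # Dual-stack hosts may resolve to either family, so both must pass.
        published["ipv6"] = CELONIS_V6
    gaps = {}
    for family, csv in published.items():
        addrs = [ipaddress.ip_address(a) for a in csv.split(",")]
        gaps[family] = [
            str(a) for a in addrs
            if not any(a.version == n.version and a in n for n in nets)
        ]
    return gaps

if __name__ == "__main__":
    for family, missing in missing_destinations(SAMPLE_ALLOWLIST).items():
        print(family, "missing:", ", ".join(missing) or "none")
```

In the sample, the IPv4 list is fully covered but one IPv6 address is not, which on a dual-stack host would surface as intermittent connection failures depending on which address DNS returns.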
Celonis IPs as origin
If you need to access your own services—such as web services or mail servers—hosted either on-premises or in a SaaS environment (like Salesforce or Snowflake), you can allowlist IP addresses based on the realm where your Celonis team resides. Your realm can be found in the URL of your Celonis Team instance, <teamname>.<realm>.celonis.cloud.
Note
The Celonis IPs as origin for the eu-2, eu-3, jp-1, uk-1, and us-2 realms have been updated. Review and update your allowlist accordingly, ensuring the new IP addresses are added. For more details, see the April 2025 Release Notes and May 2025 Release Notes.
Realm | Celonis Platform IPs as origin |
---|---|
eu-1 | |
eu-2 | |
eu-3 | |
eu-4 | |
eu-5 | |
uk-1 | |
us-1 | |
us-2 | |
us-3 | |
jp-1 | |
br-1 | |
au-1 | No static IP |
in-1 | No static IP |
ch-1 | No static IP |
Third-party domains
Celonis Platform uses several third-party services. The domains for these third-party services may need to be added to your allowlist by your IT admin.
Third-party domain | Description | Can be deactivated if needed? |
---|---|---|
static.celonis.cloud | This domain is required to serve static assets such as JavaScript files, images, logos, etc. | No |
id.celonis.cloud | This domain is required when users access the Celonis Platform using Single Sign On via Celonis ID. | No |
rum.browser-intake-datadoghq.com | This domain is required for monitoring application performance from a customer perspective. | No |
res.cloudinary.com | This domain is required for delivering image and video content as part of the AppCues integration. | Yes |
fast.appcues.com | This domain is required for targeted notification banners to inform users about new features, maintenance windows, and other time sensitive information. | Yes |
api.appcues.net | This domain is required for targeted notification banners to inform users about new features, maintenance windows, and other time sensitive information. | Yes |
fonts.googleapis.com | This domain is required for delivering fonts as part of the AppCues integration. | Yes |
fonts.gstatic.com | This domain is required for delivering fonts as part of the AppCues integration. | Yes |
api.userlane.com | This is a content delivery network used for Training and Academy Celonis Platform environments only. | Yes |
cdn.userlane.com | This is a content delivery network used for Training and Academy Celonis Platform environments only. | Yes |
imgcdn.userlane.com | This is a content delivery network used for Training and Academy Celonis Platform environments only. | Yes |
auth.userlane.com | This is a content delivery network used for Training and Academy Celonis Platform environments only. | Yes |