Allowlisting FQDNs rather than IP addresses
Table of Contents
Expand all | Collapse all
-
- Activate Next-Generation Trust Security
-
-
- Configure AWS connection
- Configure Azure Key Vault connection
-
- Workload Identity Federation authentication
- Workload Identity Federation - Azure Identity Provider authentication
- Next-Gen Trust Security Generated Key authentication
- User permissions
- Workload Identity Federation authentication
- Next-Gen Trust Security Generated Key authentication
- User permissions
- Supported OIDC claims
-
-
-
-
- Create an F5 BIG-IP LTM machine
- Create a Microsoft Azure Private Key Vault machine
- Create a Microsoft IIS machine
- Create a Microsoft Windows (PowerShell) machine
- Create a Microsoft SQL Server machine
- Create a Common KeyStore machine
- Create a Citrix ADC machine
- Create an Imperva WAF machine
- Create a VMware NSX Advanced Load Balancer (AVI) machine
- Create an A10 Thunder ADC machine
- Create a Cloudflare machine
- Create Kemp Virtual LoadMaster machine
- Create a Palo Alto Panorama machine
-
- Provision to an F5 BIG-IP LTM
- Provision to a Microsoft Azure Private Key Vault
- Provision to Microsoft IIS
- Provision to Microsoft Windows (PowerShell)
- Provision to Microsoft SQL Server
- Provision to a Common KeyStore
- Provision to a Citrix ADC
- Provision to an Imperva WAF
- Provision to VMware NSX Advanced Load Balancer (AVI)
- Provision to an A10 Thunder ADC
- Provision to Cloudflare
- Provision to a Kemp Virtual LoadMaster
- Provision to Palo Alto Panorama
-
-
- 47-Day Validity Readiness TLS Certificates dashboard
- About the Certificate Inventory
- Managing certificate lifecycle settings
- Reissuing certificates in Next-Gen Trust Security
- Downloading certificates, certificate chains, and keystores
- Retiring, recovering, and deleting certificates
- Finding certificates in the certificate inventory
- Importing certificates from a CA using EJBCA
- Notification Center overview
- Domain-based validation for external emails
- Managing user accounts
- Troubleshooting
Allowlisting FQDNs rather than IP addresses
To ensure continuous connectivity to Venafi Cloud services, it is crucial to allowlist domain names instead of specific IP addresses. Venafi Cloud services leverage AWS cloud-first best practices, resulting in endpoints that maintain a static fully qualified domain name (FQDN) while having dynamically assigned IP addresses. These IP addresses are rotated by AWS and can change frequently.
Why allowlisting domains is important
Allowlisting specific IP addresses for Venafi Cloud services is not reliable due to the dynamic nature of IP assignment in the cloud. If you allowlist an IP address obtained via an nslookup command for a Venafi Cloud domain, the connection will eventually fail when AWS rotates the IP addresses.
Instead, allowlist FQDNs to ensure continuous and reliable access to Venafi Cloud services.
By allowlisting FQDNs rather than static IP addresses, you'll ensure that your firewall rules remain effective even as the underlying IP addresses change.
VSatellite domains to allowlist
For a complete list of domains to allowlist, review Network connections:
Warning: Allowlisting IP addresses instead of domains for cloud services hosted in this manner will eventually result in a connection failure. It is not a question of if but when the failure occurs. For any questions or further assistance, please contact CyberArk support.