IP addresses and domains to allowlist in your corporate firewall

These IP addresses and domains could change at any time, so make sure to follow our blog for updates. Our DNS entry is the trusted source of information for our current IP.

Using SSH to commit from behind a corporate firewall may require your network administrator to make specific network configuration changes to permit SSH connectivity from your computer to Bitbucket. Every network configuration is different, so we cannot give you detailed instructions. Bitbucket uses the standard ports for HTTP/HTTPS/SSH which are 80/443/22.

Bitbucket Cloud uses Amazon's CloudFront CDN to deliver static content. The IP address ranges used by CloudFront edge servers can be found in the Amazon CloudFront developer guide.

Valid IP addresses for bitbucket.org, api.bitbucket.org, and altssh.bitbucket.org

Deprecation and removal of IP addresses

We have been gradually moving traffic to use new IP addresses for bitbucket.org starting in July of 2024. Any of the IP addresses marked as (deprecated) below will be removed and unusable as of August 30, 2024.

Most users will not have to do anything special for this change. Your DNS servers should pick up the new IPs within a few minutes, and your systems should start using the new IPs right away.

Atlassian Cloud public IP ranges, including Bitbucket Cloud, are documented in Atlassian cloud IP ranges and domains. You can also can find a machine consumable list at https://ip-ranges.atlassian.com/. However, if you require a smaller list that is specific to Bitbucket, use the following:

IPv4 inbound for bitbucket.org, api.bitbucket.org, and altssh.bitbucket.org

  • 104.192.136.0/21

  • 185.166.140.0/22

  • 13.200.41.128/25

  • 104.192.141.1 (deprecated)

  • 18.205.93.0/25 (deprecated)

  • 18.234.32.128/25 (deprecated)

  • 13.52.5.0/25 (deprecated)

IPv6 inbound for bitbucket.org, api.bitbucket.org, and altssh.bitbucket.org

  • 2401:1d80:320c:3::/64

  • 2401:1d80:320c:4::/64

  • 2401:1d80:320c:5::/64

  • 2401:1d80:3208::/64

  • 2401:1d80:3208:1::/64

  • 2401:1d80:3208:2::/64

  • 2401:1d80:3210::/64

  • 2401:1d80:3210:1::/64

  • 2401:1d80:3210:2::/64

  • 2401:1d80:321c::/64

  • 2401:1d80:321c:1::/64

  • 2401:1d80:321c:2::/64

  • 2401:1d80:322c:2::/64

  • 2401:1d80:322c:3::/64

  • 2401:1d80:322c:5::/64

  • 2401:1d80:3218:1::/64

  • 2401:1d80:3218:3::/64

  • 2401:1d80:3218:4::/64

  • 2401:1d80:3220::/64

  • 2401:1d80:3220:1::/64

  • 2401:1d80:3224::/64

  • 2401:1d80:3224:1::/64

  • 2401:1d80:3224:2::/64

  • 2406:da00:ff00::22cd:e0db (deprecated)

  • 2406:da00:ff00::6b17:d1f5 (deprecated)

  • 2406:da00:ff00::3403:4be7 (deprecated)

  • 2406:da00:ff00::22c3:9b0a (deprecated)

  • 2406:da00:ff00::22c5:2ef4 (deprecated)

  • 2406:da00:ff00::22c2:0513 (deprecated)

  • 2406:da00:ff00::34cc:ea4a (deprecated)

  • 2406:da00:ff00::22e9:9f55 (deprecated)

  • 2406:da00:ff00::22c0:3470 (deprecated)

  • 2406:da00:ff00::34c8:9c5c (deprecated)

  • 2406:da00:ff00::12d0:47c8 (deprecated)

  • 2406:da00:ff00::22ed:a9a3 (deprecated)

  • 2406:da00:ff00::23a8:5071 (deprecated)

  • 2406:da00:ff00::36ec:9434 (deprecated)

  • 2406:da00:ff00::3416:7161 (deprecated)

  • 2406:da00:ff00::36ec:bea6 (deprecated)

  • 2406:da00:ff00::12cd:ae3d (deprecated)

  • 2406:da00:ff00::12cc:b432 (deprecated)

  • 2406:da00:ff00::1714:aa06 (deprecated)

  • 2406:da00:ff00::342d:4312 (deprecated)

  • 2406:da00:ff00::22ee:e721 (deprecated)

  • 2406:da00:ff00::34cf:03c4 (deprecated)

  • 2406:da00:ff00::3657:a859 (deprecated)

  • 2406:da00:ff00::1716:0c22 (deprecated)

  • 2406:da00:ff00::36ec:507a (deprecated)

  • 2406:da00:ff00::3448:67ee (deprecated)

  • 2406:da00:ff00::36ad:fb4d (deprecated)

  • 2406:da00:ff00::22ce:9394 (deprecated)

  • 2406:da00:ff00::12d0:5d6e (deprecated)

  • 2406:da00:ff00::3402:732e (deprecated)

  • 2406:da00:ff00::36d1:8b98 (deprecated)

  • 2406:da00:ff00::3414:6492 (deprecated)

  • 2406:da00:ff00::3437:b4cb (deprecated)

  • 2406:da00:ff00::22e2:3a76 (deprecated)

  • 2406:da00:ff00::34c9:c443 (deprecated)

  • 2406:da00:ff00::3405:6cad (deprecated)

  • 2406:da00:ff00::12ea:0a19 (deprecated)

  • 2406:da00:ff00::23a8:6621 (deprecated)

  • 2406:da00:ff00::3401:9341 (deprecated)

  • 2406:da00:ff00::3654:c786 (deprecated)

  • 2406:da00:ff00::3448:4e57 (deprecated)

  • 2406:da00:ff00::36a4:e08c (deprecated)

  • 2406:da00:ff00::36a4:f8a6 (deprecated)

  • 2406:da00:ff00::22c8:ada3 (deprecated)

  • 2406:da00:ff00::34cd:a4b9 (deprecated)

  • 2406:da00:ff00::23a8:b9b1 (deprecated)

  • 2406:da00:ff00::3402:affc (deprecated)

  • 2406:da00:ff00::12cd:d438 (deprecated)

  • 2406:da00:ff00::34ce:b43b (deprecated)

  • 2406:da00:ff00::342d:1804 (deprecated)

  • 2406:da00:ff00::36ae:07e7 (deprecated)

  • 2406:da00:ff00::3456:314c (deprecated)

  • 2406:da00:ff00::36af:42a0 (deprecated)

  • 2406:da00:ff00::3414:0248 (deprecated)

Valid IP addresses for Bitbucket Pipelines build environments

The servers that execute all steps on Atlassian Cloud Infrastructure, are hosted on Amazon Web Services (AWS).

An exhaustive list of IP addresses that the traffic may come from on AWS can be found by using the following endpoint, filtering to records where the service equals EC2 or S3, and using the us-east-1 and us-west-2 regions. We do not recommend using these IP ranges as a security control.

If you prefer to use a more limited or narrowed IP range, you should utilize the atlassian-ip-ranges that are available in the new larger instances (4x and above).

As a reminder, Atlassian does not recommend configuring IP-based firewalls as the only mechanism to protect access to your infrastructure. As an example In addition to IP-based firewall rules, you should also use a secure means of authentication for any services exposed to Bitbucket Pipelines (e.g., by using OIDC).

Atlassian IP ranges

atlassian-ip-ranges

If you are using steps that are of size 4x or larger, you can opt-in to using atlassian-ip-range at the step or global level(s). These atlassian-ip-rangesare not available in 1x and 2x steps.

By opting in to this range, your step/build will execute on a smaller sub-set of the overall IP Ranges, allowing you to reduce the number of IP addresses in your firewall allowlists.

IPv4 outbound

  • 34.199.54.113/32

  • 34.232.25.90/32

  • 34.232.119.183/32

  • 34.236.25.177/32

  • 35.171.175.212/32

  • 52.54.90.98/32

  • 52.202.195.162/32

  • 52.203.14.55/32

  • 52.204.96.37/32

  • 34.218.156.209/32

  • 34.218.168.212/32

  • 52.41.219.63/32

  • 35.155.178.254/32

  • 35.160.177.10/32

  • 34.216.18.129/32

  • 3.216.235.48/32

  • 34.231.96.243/32

  • 44.199.3.254/32

  • 174.129.205.191/32

  • 44.199.127.226/32

  • 44.199.45.64/32

  • 3.221.151.112/32

  • 52.205.184.192/32

  • 52.72.137.240/32

Valid IP addresses for webhook delivery

To ensure Bitbucket webhooks are delivered successfully to the destination URLs you configured, add the IP address ranges we use for outgoing connections to the internet made on your behalf to your allow list. The exact list of IPs is in the Outgoing Connections section of the Atlassian cloud IP ranges and domains page.

Domains for Atlassian public Docker images

To ensure Atlassian public Docker images are retrieved successfully, allow the following domains:

  • docker-blobs.artifacts.atlassian.com

  • docker-public.packages.atlassian.com

  • d1gyl6kne4u44z.cloudfront.net

  • artifacts-public-docker-pub-s3-production.s3.us-east-1.amazonaws.com

If you want to use your own Docker image registry to run customised images, allow those domains instead.

Valid IP addresses for AWS ECR authentication (with Docker images)

To ensure your authentication of AWS ECR works properly when running a Pipelines build with Docker images, add the IP address ranges we use from the following list: Atlassian cloud IP ranges for AWS ECR.

 

 

Still need help?

The Atlassian Community is here for you.