Products
Get started
Documentation
Resources
Atlassian Support
/
Bitbucket
/
Resources
/
Manage your plans and settings in Bitbucket Cloud
Cloud

IP addresses to allowlist in your corporate firewall

These IP addresses could change at any time, so make sure to follow our blog for updates. Our DNS entry is the trusted source of information for our current IP.

Using SSH to commit from behind a corporate firewall may require your network administrator to make specific network configuration changes to permit SSH connectivity from your computer to Bitbucket. Every network configuration is different, so we cannot give you detailed instructions. Bitbucket uses the standard ports for HTTP/HTTPS/SSH which are 80/443/22.

Bitbucket Cloud uses Amazon's CloudFront CDN to deliver static content. The IP address ranges used by CloudFront edge servers can be found in the Amazon CloudFront developer guide.

Valid IP addresses for bitbucket.org, api.bitbucket.org, and altssh.bitbucket.org

Deprecation and removal of IP addresses

We have been gradually moving traffic to use new IP addresses for bitbucket.org starting in July of 2024. Any of the IP addresses marked as (deprecated) below will be removed and unusable as of August 30, 2024.

Most users will not have to do anything special for this change. Your DNS servers should pick up the new IPs within a few minutes, and your systems should start using the new IPs right away.

Atlassian Cloud public IP ranges, including Bitbucket Cloud, are documented in Atlassian cloud IP ranges and domains. You can also can find a machine consumable list at https://ip-ranges.atlassian.com/. However, if you require a smaller list that is specific to Bitbucket, use the following:

IPv4 inbound for bitbucket.org, api.bitbucket.org, and altssh.bitbucket.org

  • 104.192.136.0/21

  • 185.166.140.0/22

  • 13.200.41.128/25

  • 18.205.93.0/25 (deprecated)

  • 18.234.32.128/25 (deprecated)

  • 13.52.5.0/25 (deprecated)

IPv6 inbound for bitbucket.org, api.bitbucket.org, and altssh.bitbucket.org

  • 2401:1d80:320c:3::/64

  • 2401:1d80:320c:4::/64

  • 2401:1d80:320c:5::/64

  • 2401:1d80:3208::/64

  • 2401:1d80:3208:1::/64

  • 2401:1d80:3208:2::/64

  • 2401:1d80:3210::/64

  • 2401:1d80:3210:1::/64

  • 2401:1d80:3210:2::/64

  • 2401:1d80:321c::/64

  • 2401:1d80:321c:1::/64

  • 2401:1d80:321c:2::/64

  • 2401:1d80:322c:2::/64

  • 2401:1d80:322c:3::/64

  • 2401:1d80:322c:5::/64

  • 2401:1d80:3218:1::/64

  • 2401:1d80:3218:3::/64

  • 2401:1d80:3218:4::/64

  • 2401:1d80:3220::/64

  • 2401:1d80:3220:1::/64

  • 2401:1d80:3224::/64

  • 2401:1d80:3224:1::/64

  • 2401:1d80:3224:2::/64

  • 2406:da00:ff00::22cd:e0db (deprecated)

  • 2406:da00:ff00::6b17:d1f5 (deprecated)

  • 2406:da00:ff00::3403:4be7 (deprecated)

  • 2406:da00:ff00::22c3:9b0a (deprecated)

  • 2406:da00:ff00::22c5:2ef4 (deprecated)

  • 2406:da00:ff00::22c2:0513 (deprecated)

  • 2406:da00:ff00::34cc:ea4a (deprecated)

  • 2406:da00:ff00::22e9:9f55 (deprecated)

  • 2406:da00:ff00::22c0:3470 (deprecated)

  • 2406:da00:ff00::34c8:9c5c (deprecated)

  • 2406:da00:ff00::12d0:47c8 (deprecated)

  • 2406:da00:ff00::22ed:a9a3 (deprecated)

  • 2406:da00:ff00::23a8:5071 (deprecated)

  • 2406:da00:ff00::36ec:9434 (deprecated)

  • 2406:da00:ff00::3416:7161 (deprecated)

  • 2406:da00:ff00::36ec:bea6 (deprecated)

  • 2406:da00:ff00::12cd:ae3d (deprecated)

  • 2406:da00:ff00::12cc:b432 (deprecated)

  • 2406:da00:ff00::1714:aa06 (deprecated)

  • 2406:da00:ff00::342d:4312 (deprecated)

  • 2406:da00:ff00::22ee:e721 (deprecated)

  • 2406:da00:ff00::34cf:03c4 (deprecated)

  • 2406:da00:ff00::3657:a859 (deprecated)

  • 2406:da00:ff00::1716:0c22 (deprecated)

  • 2406:da00:ff00::36ec:507a (deprecated)

  • 2406:da00:ff00::3448:67ee (deprecated)

  • 2406:da00:ff00::36ad:fb4d (deprecated)

  • 2406:da00:ff00::22ce:9394 (deprecated)

  • 2406:da00:ff00::12d0:5d6e (deprecated)

  • 2406:da00:ff00::3402:732e (deprecated)

  • 2406:da00:ff00::36d1:8b98 (deprecated)

  • 2406:da00:ff00::3414:6492 (deprecated)

  • 2406:da00:ff00::3437:b4cb (deprecated)

  • 2406:da00:ff00::22e2:3a76 (deprecated)

  • 2406:da00:ff00::34c9:c443 (deprecated)

  • 2406:da00:ff00::3405:6cad (deprecated)

  • 2406:da00:ff00::12ea:0a19 (deprecated)

  • 2406:da00:ff00::23a8:6621 (deprecated)

  • 2406:da00:ff00::3401:9341 (deprecated)

  • 2406:da00:ff00::3654:c786 (deprecated)

  • 2406:da00:ff00::3448:4e57 (deprecated)

  • 2406:da00:ff00::36a4:e08c (deprecated)

  • 2406:da00:ff00::36a4:f8a6 (deprecated)

  • 2406:da00:ff00::22c8:ada3 (deprecated)

  • 2406:da00:ff00::34cd:a4b9 (deprecated)

  • 2406:da00:ff00::23a8:b9b1 (deprecated)

  • 2406:da00:ff00::3402:affc (deprecated)

  • 2406:da00:ff00::12cd:d438 (deprecated)

  • 2406:da00:ff00::34ce:b43b (deprecated)

  • 2406:da00:ff00::342d:1804 (deprecated)

  • 2406:da00:ff00::36ae:07e7 (deprecated)

  • 2406:da00:ff00::3456:314c (deprecated)

  • 2406:da00:ff00::36af:42a0 (deprecated)

  • 2406:da00:ff00::3414:0248 (deprecated)

Valid IP addresses for Bitbucket Pipelines build environments

The machines that execute all steps on Atlassian Cloud Infrastructure, not just steps opted into atlassian-ip-ranges ranges, are hosted on Amazon Web Services. SSH keyscans are also performed from within this environment.

An exhaustive list of IP addresses that the traffic may come from on AWS can be found by using the following endpoint, filtering to records where the service equals EC2, and using the us-east-1 and us-west-2 regions.

As a reminder, Atlassian does not recommend configuring IP-based firewalls as the only mechanism to protect access to your infrastructure. As an example In addition to IP-based firewall rules, you should also use a secure means of authentication for any services exposed to Bitbucket Pipelines (e.g., by using OIDC).

If you prefer to use a more limited or narrowed IP range, you can utilize the atlassian-ip-ranges that are available in the new larger instances (4x and above).

Atlassian IP ranges

atlassian-ip-ranges

If you are using steps that are of size 4x or larger, you can opt-in to using atlassian-ip-range at the step or global level(s).

By opting in to this range, your step/build will execute on a smaller sub-set of the overall IP Ranges, allowing you to reduce the number of IP addresses you need to allowlist in your firewalls. SSH keyscans are also performed from within this more limited set of IP’s. 

IPv4 outbound

  • 34.199.54.113/32

  • 34.232.25.90/32

  • 34.232.119.183/32

  • 34.236.25.177/32

  • 35.171.175.212/32

  • 52.54.90.98/32

  • 52.202.195.162/32

  • 52.203.14.55/32

  • 52.204.96.37/32

  • 34.218.156.209/32

  • 34.218.168.212/32

  • 52.41.219.63/32

  • 35.155.178.254/32

  • 35.160.177.10/32

  • 34.216.18.129/32

  • 3.216.235.48/32

  • 34.231.96.243/32

  • 44.199.3.254/32

  • 174.129.205.191/32

  • 44.199.127.226/32

  • 44.199.45.64/32

  • 3.221.151.112/32

  • 52.205.184.192/32

  • 52.72.137.240/32

Valid IP addresses for webhook delivery

To ensure Bitbucket webhooks are delivered successfully to the destination URLs you configured, add the IP address ranges we use for outgoing connections to the internet made on your behalf to your allow list. The exact list of IPs is in the Outgoing Connections section of the Atlassian cloud IP ranges and domains page.

Valid IP addresses for AWS ECR authentication (with Docker images)

To ensure your authentication of AWS ECR works properly when running a Pipelines build with Docker images, add the IP address ranges we use from the following list: Atlassian cloud IP ranges for AWS ECR.

 

 

Still need help?

The Atlassian Community is here for you.
Ask the Community
On this pageValid IP addresses for bitbucket.org, api.bitbucket.org, and altssh.bitbucket.orgValid IP addresses for Bitbucket Pipelines build environmentsAtlassian IP rangesValid IP addresses for webhook deliveryValid IP addresses for AWS ECR authentication (with Docker images)
CommunityQuestions, discussions, and articles