Specify IP addresses for app access
Use an IP allowlist to specify which IP addresses users must use to access content in Jira, Jira Service Management, Confluence, Compass and Atlassian Analytics.
If your organization uses restrictive firewall or proxy server settings, you or your network administrator may need to allowlist certain domains and IP address ranges.
Who can do this? |
IP allowlist controls apply to:
Compass
Confluence spaces and pages (including public links)
Confluence administration
Jira tasks, issues, projects and forms (including public forms)
Jira Service Management customer and agent-facing portals within the same site URL
Jira administration
Atlassian Analytics
Rovo*
If users attempt to access these pages from an IP addresses that is not in the allowlist, they’ll see a message explaining why they don’t have access. Users also won't be able to access that app programmatically via the APIs.
If users access your apps from a Chrome browser, it's possible that their IP address doesn't update when they connect to a different network. This is an issue if their new address is in an allowlist. If this happens, tell your users to clear their browser's cache by entering these keys: Ctrl/Cmd + Shift + R.
Rovo*
Rovo is designed to serve you information across apps. However, IP allowlist controls for individual apps, such as Jira and Confluence, don’t apply to all Rovo features.
Admins can apply IP allowlisting controls to Rovo experiences at the organization level. These controls apply to specific Rovo experiences such as:
Rovo Chat and Search accessed via Projects, Goals, Teams, Home, and Studio apps
Rovo browser extension
Rovo bookmarks
The IP allowlisting controls are designed so that only users from approved IP addresses can interact with these Rovo experiences.
Rovo IP allowlisting controls don’t yet apply to Rovo MCP (currently in beta).
IP allowlists for Rovo apply to these experiences at the organization level. i.e. if you have multiple sites in your organization, the same IP conditions will apply to the above Rovo experiences regardless of the site.
Once configured, if a user interacts with Rovo from an IP address that is not in the allowlist for Rovo experiences, the user will see an error message.
View your IP allowlists
To view your IP allowlists:
Go to Atlassian Administration. Select your organization if you have more than one.
Select Security > Device security > IP allowlists.
You will be able to access admin.atlassian.com even if the IP is outside the range of the allowlist.
Add an allowlist
To add an allowlist:
Go to Atlassian Administration. Select your organization if you have more than one.
Select Security > Device security > IP allowlists.
Select Create allowlist.
Enter a Name for the allowlist.
Select the names of the apps you’d like to add to the allowlist.
Enter the IP addresses to allow. You can enter up to 500 IP addresses, separated by commas.
Choose whether to enable the allowlist immediately, or later.
Select Create to save the details.
What values can you add?
You can set up 500 IP addresses or network blocks per app. We support IPv4 for individual IP address. If you're entering a network block, we support the CIDR notation standard for specifying a block of IP addresses. Refer to CIDR notation more details about how to use CIDR notation.
Some examples of values that you can add.
Type | Examples |
|---|---|
IPv4 | 104.192.143.1 |
CIDR block | 104.192.143.0/28 |
IP allowlist exceptions
In some cases, we cannot restrict access for users in your IP allowlist to specific information in Jira, Jira Service Management, and Confluence.
Regardless of your IP allowlists, users can always see the following information types:
Information types | How to find information | Example |
|---|---|---|
Recent history in home.atlassian.com | To find Recent history, go to home.atlassian.com |
When a user goes to home.atlassian.com in Jira, they can see recent history for both sites whether or not they are part of the IP allowlist |
Notification details | To find Notifications, you select the {icon} to see notification details. | |
Smart Links that anyone shares in Confluence or Jira | To create a Smart Link, you copy and paste the URL to any page. | |
We also don't apply your IP allowlist restrictions to the following:
Application links that use 2LO
Connect applications
Forge apps with 2LO and 3LO
OAuth 2.0 (3LO) apps
Third-party security tools
If your organization uses security platforms like Zscaler [Source IP Anchoring] that proxy internet traffic, you may need to exclude Atlassian domains (*.atlassian.com, *.atlassian.net, *.atl-paas.net) from proxying in your platform's configuration or add your security platform's IP ranges to your allowlists. These platforms may use different IP addresses for application access and other content, such as media, which can block some content even if users can access the main application. Contact your security platform provider for specific IP ranges and configuration guidance.
Performance tip: For optimal performance, configure your security platform to skip TLS/HTTPS inspection on *.atl-paas.net domains.
Was this helpful?