IP Allowlisting

When self-hosting the Transcend Security Gateway (also known as "Sombra"), you can allowlist ingress traffic from Transcend to your Sombra gateway by allowing the following list of IP addresses. Note that all IP addresses need to be allowed.

| Region | IP Addresses (CIDR notation) |
| --- | --- |
| Europe (Ireland + Frankfurt) | 52.215.231.215/32, 63.34.48.255/32, 34.249.254.13/32, 54.75.178.77/32 |
| United States (Virginia + Oregon) | 54.144.160.228/32, 3.218.78.195/32, 34.199.52.20/32 |

If you do not know which region you are hosted in, it is likely Europe. This is the default hosting region for most Transcend customers. We chose this as the default because there are more laws preventing EU data from transferring to the US than US data from transferring to the EU. It is possible to localize different data stores by deploying multiple Sombra Gateways to different regions or clouds.

Some customers may prefer to use private DNS to communicate to and from our backend by using AWS PrivateLink. If that would be a preferable option and you use AWS, please see our PrivateLink guide.

If you are not self-hosting the security gateway, you may want to add IP restrictions on all incoming webhooks and database connections. All traffic will originate from:

| Region | IP Addresses (CIDR notation) | Address |
| --- | --- | --- |
| Europe (Ireland + Frankfurt) | 34.252.15.52/32, 99.81.28.239/32 | https://multi-tenant.sombra.transcend.io |
| United States (Virginia + Oregon) | 44.209.5.150/32, 54.226.163.189/32 | https://multi-tenant.sombra.us.transcend.io |

Restricting IP ranges for receiving a webhook is always a great idea; however, you should only use this as a secondary form of authentication. It is crucial that you always verify the incoming webhook signature. Please refer to this guide for information on verifying the webhook signature.
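The following is an added example, not Transcend's own code, of applying the multi-tenant IP list above as a secondary check on a webhook receiver. It also covers the usual failure mode of trusting `X-Forwarded-For` from any sender. The function names and the `TRUSTED_PROXIES` range are assumptions; `signature_valid` stands for the result of the signature verification described in the referenced guide.

```python
import ipaddress

# Multi-tenant Sombra source addresses, copied from the table above.
TRANSCEND_EGRESS = {
    "eu": ["34.252.15.52/32", "99.81.28.239/32"],
    "us": ["44.209.5.150/32", "54.226.163.189/32"],
}
# Assumption: your own load balancers / reverse proxies (constructed sample range).
TRUSTED_PROXIES = [ipaddress.ip_network("10.0.0.0/8")]


def _parse(addr):
    """Parse an address, unwrapping IPv4-mapped IPv6 (::ffff:a.b.c.d)."""
    ip = ipaddress.ip_address(addr.strip())
    mapped = getattr(ip, "ipv4_mapped", None)
    return ip if mapped is None else mapped


def client_ip(peer_addr, x_forwarded_for=None):
    """Return the sender's IP as seen by infrastructure you control.

    X-Forwarded-For is honoured only when the TCP peer is one of your proxies;
    the header is then walked right to left and the first hop that is not a
    trusted proxy is taken, so values prepended by the sender are ignored.
    """
    peer = _parse(peer_addr)
    if not x_forwarded_for or not any(peer in n for n in TRUSTED_PROXIES):
        return peer
    for hop in reversed(x_forwarded_for.split(",")):
        ip = _parse(hop)
        if not any(ip in n for n in TRUSTED_PROXIES):
            return ip
    return peer


def from_transcend(peer_addr, x_forwarded_for=None, region="eu"):
    """True if the request source is in the allowlist for the given region."""
    try:
        ip = client_ip(peer_addr, x_forwarded_for)
    except ValueError:  # malformed address or header: fail closed
        return False
    return any(ip in ipaddress.ip_network(c) for c in TRANSCEND_EGRESS[region])


def accept_webhook(signature_valid, peer_addr, x_forwarded_for=None, region="eu"):
    """The IP check is a secondary gate; a valid signature is always required."""
    return bool(signature_valid) and from_transcend(peer_addr, x_forwarded_for, region)
```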