Set up inbound allowlist for cloud agents

Cloud agents run web tests and API tests against applications and staging environments behind your corporate firewall. To let cloud agents reach your application without access to the rest of your network, add an inbound allowlist rule. The rule allows traffic from the IP address for your region to your application.

Before you start

To configure the firewall allowlist rule, you need the following:

  • Administrator access to your corporate firewall.

  • Cloud agents set up in your Tosca Cloud subscription.

  • Your application hostname and the port it listens on.

Apply the security guidelines

Before you configure the rule, note the following: 

  • All cloud agents in a region share one outbound IP address. Agents from another tenant in that region can connect to the destinations your rule defines. The cloud agent initiates all connections to your network.

  • Allow the IP only toward the specific application host and port. Do not open it to your wider network. This limits exposure to exactly one endpoint, regardless of how many tenants share the outbound IP.

  • Ensure authentication on your application with SSO, API tokens, mutual TLS (mTLS), or client certificates. The allowlist rule does not identify which tenant or user is behind a connection.

  • Use synthetic test data and dedicated test accounts for all test cases. Avoid production credentials and regulated personal data in test cases for tests runs in Tosca Cloud.

  • Check the data retention policy to confirm that artifact storage fits your data-residency and data-handling requirements. Tosca Cloud stores screenshots, screen recordings, and execution logs from each run.

  • Use a dedicated test or staging environment for cloud agent tests. This limits the impact of test runs and keeps production data out of scope.

  • Include the allowlist rule in your regular firewall reviews and remove it when you no longer use cloud agents for that application. If you notice unexpected traffic from the IP, contact Tricentis Customer Support.

  • Track the Tosca Cloud release notes for advance notice of IP address changes. Tricentis keeps the listed IPs static and communicates any change before it takes effect.

Find your cloud agent source IP address

Find the IP address for your region in the table below. If you're unsure which region your tenant is in, contact Tricentis Customer Support.

Region code

Region

IP address

EUS

East US

9.169.64.59/32

WEU

West Europe

132.164.0.178/32

JPE

Japan East

130.33.175.200/32

AUE

Australia East

4.237.220.5/32

CAC

Canada Central

4.248.203.223/32

SEA

South East Asia

20.205.145.58/32

Add the allowlist rule

In your corporate firewall, you need to add an inbound allowlist rule to allow traffic from the IP address for your region to your application host and port. Refer to your firewall documentation for instructions to create the rule.

To add the allowlist rule, use the following settings: 

  • Source IP: The IP address for your region, for example 9.169.64.59/32 for East US.

  • Destination: Your application host and port, for example app.company.com on port 443, the default HTTPS port.

Verify the connection

Go to Run > Playlists, select a playlist with a test that opens app.company.com, and start a test run. If the test passes, the allowlist rule works.

What's next

Check the outbound network requirements to make sure your firewall also lets your network reach Tosca Cloud.