Network Access Control

Some customers integrate Alcméon in constrained environments where outbound and inbound traffic are severely limited. This page provides the information necessary to system and network administrators to setup the necessary configuration on their side.

Outbound traffic from your environment

The Alcméon application requires access to the domains:

• https://alcmeon.com
• wss://ws.alcmeon.com
• https://track.alcmeon.com
• https://app.giphy.com

The alcmeon.com domains listed above resolve to multiple IP addresses that are dynamically load balanced at the DNS level with a TTL of 10 minutes. In practice, this means that any attempt by system administrators to perform outbound traffic filtering based on IP destination addresses might work temporarily if you list all the addresses you observe but it will fail when these IP addresses change. To make it short: the Alcmeon application is not compatible with firewall rules that track an allow-list of destination IP addresses. Only DNS-based allow-list rules will work.

Inbound Traffic to our servers

Inbound Traffic to our servers can be restricted on a per-customer basis by an allowlist of IPv4 network prefixes. This source IP filter applies only to login operations (once logged in, a valid JWT token delivered to a customer will remain valid for up to 24 hours).

The allowlist is configurable by Administrator users from https://alcmeon.com/c/v3/#/{customer_id}/parameters/sessions-settings

Outbound Traffic from our servers

Traffic initiated by our infrastructure to customer-controlled systems originates from the following IPv4 addresses:

• 51.38.108.126
• 51.89.14.96
• 51.91.22.108
• 54.37.151.233
• 54.38.246.56
• 54.38.247.79
• 54.38.40.107
• 141.95.110.158
• 152.228.211.82
• 188.165.51.134
• 188.165.53.182
• 217.182.82.255
• 217.182.83.42

These addresses are extracted from the FQDN outbound.alcmeon.com.

This policy applies specifically to the following traffic:

• all HTTP requests sent to customer-provided webhooks (External Notifications and subbots)
• uploads of data exports to sFTP servers
• all HTTP requests made to your_environement.zendesk.com

Should the need arise to migrate our outbound traffic to new IP addresses, customers will be notified one month ahead of any scheduled changes.