Allowlisting, formerly known as whitelisting, is the practice of allowing systems to only connect to specific other machines and blocking all other connections. If no security tooling is in place, all outbound requests to Adyen are allowed. This behavior is fully compatible with the Adyen platform. If you are implementing or planning to implement IP allowlisting, it can affect your integration with our platform.
This page discusses our suggestions with regard to allowlisting implementations and managing outgoing and incoming IP addresses.
Requirements
Before you begin, check if the information on this page applies to you.
| Requirement | Description |
|---|---|
| Integration type | The information on this page is relevant for all Adyen integrations. |
Overview of allowlisting implementations
Besides Domain Name System (DNS) resolution and domain-based allowlisting, any other form requires you to actively maintain and update Adyen’s IP addresses in your network configurations, which is why we recommend against it.
The following table shows an overview of allowlisting implementations and how they can affect your integration.
| Implementation | Effect | Our suggestion |
|---|---|---|
| DNS resolution and domain-based allowlist | Future-proof integration |  Recommended |
| DNS resolution and IP allowlist | Potentially failing connections | - Not recommended |
| Custom DNS record | Failing connections |  Do not use |
| Hardcoded IP addresses | Failing connections. | Do not use |
DNS resolution and domain-based allowlist
We recommend that you use this, because it makes your integration future-proof and is compatible with dynamic infrastructure changes.
Your integration resolves domains and filters based on hostnames. DNS-based allowlisting allows access only to a predefined list of trusted domain names, blocking all others.
You can do this by either:
- Creating a domain allowlist in your web proxy.
- Creating an object that automatically updates your firewall rules.
By adding our top-level domains adyen.com and adyenpayments.com to your allowlist, you can connect to our platform, regardless of underlying IP address changes.
DNS resolution and IP allowlist
We do not recommend this, because it only works if you keep your lists of our IP addresses updated. If the allowlist is stale, and IP addresses change, your integration can break.
Your integration resolves Adyen domains using DNS, but filters by IP address.
You add specific IP addresses to your static allowlist, instead of relying on domains. This method requires more maintenance because you do not rely on DNS. You must keep the IP addresses in your allowlist up to date yourself. If Adyen introduces new IP addresses for a service, your infrastructure blocks all requests to the new IP addresses, and your requests fail. Adyen does not take responsibility for connection failures that result from expired IP address lists.
Custom DNS record
Do not use this, because multiple factors can lead to connection failures.
If you use internal DNS records (for example, adyen-proxy.internal.example.com) or proxies, you will encounter the following issues:
- Your request will contain an SNI header for your custom DNS record (adyen-proxy.internal.example.com) instead of our platform (checkout-live.adyen.com), which can cause our platform or intermediate services to drop the request.
- Your custom DNS record will highly likely contain a single, hardcoded IP address. This will result in the same issues described for hardcoded IP addresses.
Hardcoded IP addresses
Do not use this, because Adyen frequently changes or retires IP addresses during infrastructure updates or DDoS protection service activation.
Using hardcoded IP addresses in your application code is highly likely to cause failures in your system. If you do not update the hardcoded list of IP addresses any time Adyen changes IP addresses, your connections fail. Depending on your development lifecycle, it can take you a significant period of time to resolve your connection failures.
Manage outgoing and incoming IP addresses
Use the following list of outgoing IP addresses and follow our recommendation about incoming IP addresses.
Outgoing IP allowlisting (from you to Adyen)
- Use the following list of outgoing IP addresses. These are the IP addresses to our endpoints.
- 82.199.87.128/26
- 82.199.90.136/29
- 82.199.90.160/27
- 213.52.172.0/25
- 62.146.248.0/21
- 85.184.228.0/22
- 91.212.42.0/24
- 135.84.148.0/22
- 147.12.16.0/20
- 185.101.196.0/22
- Make sure that you always rely on DNS to provide you with the IP address information for the endpoint you are trying to connect to. We can change IP addresses that certain endpoints listen to within our IP ranges, so you can allowlist the ranges provided to accommodate for that.
Incoming IP allowlisting (from Adyen to you)
Adyen’s platform initiates outbound connections to your systems, such as sending webhooks.
If your firewall restricts inbound traffic, you may need to allowlist Adyen’s outgoing IP addresses. We strongly recommend using dynamic DNS-based allowlisting to avoid breakages when IP addresses change due to scaling, failover, or DDoS mitigation.
To dynamically resolve the current IPs Adyen uses for outbound traffic:
-
Run the following command:
dig +short out.adyen.com -
Use the result as the latest, up-to-date list of IPs Adyen can use to connect to your endpoints.