Network Requirements
Overview
If your environment has a firewall, you must configure outbound access from your corporate network to the Delinea Platform. Delinea publishes all network requirements (IP addresses, hostnames, CIDR ranges, and ports) as machine-readable JSON. This approach enables you to:
- Automate firewall rule updates
- Track changes via the changelog
- Convert requirements to your firewall's native format
- Stay current without manually checking documentation
Primary Resources
| Resource | URL | Description |
|---|---|---|
| Network Requirements (JSON) | https://setup.delinea.app/network-requirements | Current network requirements in JSON format |
| Changelog | https://setup.delinea.app/network-requirements-changelog | History of changes to network requirements |
You can also access this same information from your own Platform tenant using the following URL, after replacing <tenant> with your tenant hostname: https://<tenant>.delinea.app/network-requirements.
Key Configuration Notes
- Disable SSL Inspection: Exempt all Delinea Platform firewall rules from SSL/TLS inspection (break-and-inspect). An inspecting proxy replaces the server's certificate chain with one signed by its own intermediate certificate; Delinea services detect that intermediate and fail the connection, so the traffic must bypass inspection entirely.
- Distributed Engine Service Bus Endpoints: Distributed Engine Service Bus endpoints are tenant-specific. Retrieve your tenant's endpoints from the following URL after replacing <tenant> with your tenant hostname: https://<tenant>.delinea.app/view/vault/diagnostics/system/service-bus
Delinea Network Config Tool
The delinea-netconfig CLI tool converts the Delinea network requirements JSON into firewall rules and infrastructure-as-code formats.
GitHub Repository: https://github.com/DelineaXPM/delinea-netconfig
Features
- Interactive TUI: Browse, filter, inspect, and export entries without remembering flags
- Seven Output Formats: CSV, YAML, Terraform, Ansible, AWS Security Groups, Cisco ACL, PAN-OS XML
- Diff & Info: Compare versions and show statistics
- Tenant Substitution: Replace <tenant> placeholders with your actual tenant name
- Flexible Input: Load from local files or remote URLs
See the README file on GitHub for comprehensive information including step-by-step instructions, usage, and examples.
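The workflow the JSON publication enables (fetch, substitute the tenant placeholder, convert to a native rule format, and diff against the previous version to catch changes) can be scripted in a few dozen lines. The block below is an added example written for this page; it is not the delinea-netconfig tool and not Delinea code. The JSON layout it parses (a top-level "entries" list whose items carry "host", "protocol", "ports" and "description") is an assumption made for illustration, and the two sample documents are constructed using documentation address ranges; read the real file at https://setup.delinea.app/network-requirements and adapt the field names before using it.

```python
"""Turn a network-requirements JSON document into outbound firewall rules,
substitute the <tenant> placeholder, and diff two versions of the file.

Added example for this page; it is NOT the delinea-netconfig tool and NOT
Delinea code. The JSON layout used here (a top-level "entries" list whose
items carry "host", "protocol", "ports" and "description") is an ASSUMPTION
made for illustration: read the real document at
https://setup.delinea.app/network-requirements and adapt the field names.
"""
import json
import re
from typing import Dict, List, Set, Tuple

# Constructed sample documents (documentation IP ranges, not Delinea's).
SAMPLE_V1 = json.dumps({
    "version": "v1",
    "entries": [
        {"host": "<tenant>.delinea.app", "protocol": "tcp", "ports": [443],
         "description": "Platform tenant"},
        {"host": "203.0.113.0/24", "protocol": "tcp", "ports": [443],
         "description": "Service bus (constructed range)"},
    ],
})
SAMPLE_V2 = json.dumps({
    "version": "v2",
    "entries": [
        {"host": "<tenant>.delinea.app", "protocol": "tcp", "ports": [443],
         "description": "Platform tenant"},
        {"host": "203.0.113.0/24", "protocol": "tcp", "ports": [443, 5671],
         "description": "Service bus (constructed range)"},
        {"host": "198.51.100.10", "protocol": "tcp", "ports": [443],
         "description": "New endpoint"},
    ],
})

# A tenant name is a single DNS label; validate it before splicing it into
# rules so a bad value cannot yield a malformed or overly broad destination.
TENANT_RE = re.compile(r"^[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?$")

Rule = Tuple[str, str, int]  # (destination, protocol, port)


def load_entries(doc: str, tenant: str) -> List[dict]:
    """Parse the JSON and replace every <tenant> placeholder."""
    if not TENANT_RE.match(tenant):
        raise ValueError(f"invalid tenant name: {tenant!r}")
    data = json.loads(doc)
    return [{**e, "host": e["host"].replace("<tenant>", tenant)}
            for e in data["entries"]]


def rule_set(entries: List[dict]) -> Set[Rule]:
    """Flatten entries into one tuple per (destination, protocol, port)."""
    return {(e["host"], e["protocol"].lower(), int(p))
            for e in entries for p in e["ports"]}


def to_iptables(entries: List[dict], chain: str = "DELINEA-OUT") -> List[str]:
    """Render iptables-save style outbound ACCEPT rules into a dedicated chain.
    iptables resolves hostname destinations only at load time, so for entries
    given as hostnames prefer a DNS-aware firewall or an explicit proxy allowlist."""
    lines = [f"-N {chain}"]
    for dest, proto, port in sorted(rule_set(entries)):
        lines.append(f"-A {chain} -p {proto} -d {dest} --dport {port} -j ACCEPT")
    return lines


def diff_versions(old_doc: str, new_doc: str, tenant: str) -> Dict[str, List[Rule]]:
    """Report which (destination, protocol, port) tuples were added or removed,
    which is what a scheduled change-tracking job would alert on."""
    old = rule_set(load_entries(old_doc, tenant))
    new = rule_set(load_entries(new_doc, tenant))
    return {"added": sorted(new - old), "removed": sorted(old - new)}


if __name__ == "__main__":
    print("\n".join(to_iptables(load_entries(SAMPLE_V2, "acme"))))
    print(diff_versions(SAMPLE_V1, SAMPLE_V2, "acme"))
```

Run on a schedule, keep the previously fetched document, and feed `diff_versions` output to your change-control process: a non-empty "added" list is a rule you must open before the service needs it, and a non-empty "removed" list is a rule you can close.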
Tenant IP Restrictions
The Tenant IP Restrictions feature ensures that only trusted network IP addresses or CIDR ranges can connect to your Delinea Platform tenant. By limiting access to approved network ranges, this feature adds an extra layer of security to your environment.
Key Benefits
- Enhanced Security: Only approved IP addresses can connect to your tenant, reducing the risk of unauthorized access.
- Comprehensive coverage: The IP restrictions apply across the Delinea Platform tenant and the integrated Secret Server Cloud instance, ensuring comprehensive protection across the entire environment.
Submitting an IP Restriction Request
To enable IP restrictions for your Platform tenant, submit a support case to Delinea Support with the list of allowed IP addresses or CIDR ranges. Delinea Support will assist in configuring the allowlist for your tenant.
When submitting a request, ensure the following; failure to meet these requirements may result in delays or rejection of the request:
- Maximum 50 entries: No more than 50 individual IP addresses or CIDR blocks combined.
- No duplicate addresses: The request must not contain any duplicate IP addresses.
- Exclude Delinea-owned IPs: Do not include any IP addresses owned by Delinea.
- CIDR Block Standards: CIDR blocks must be written in canonical form, with the network address as the start address (all host bits zero). The following table shows two /29 blocks, one valid and one invalid.
| Status | CIDR Block | Reason |
|---|---|---|
| Invalid | 192.0.2.20/29 | .20 is not a valid start address for a /29 block: a /29 covers 8 addresses and must start on a multiple of 8, so .20 has host bits set (the block containing .20 is 192.0.2.16/29) |
| Valid | 192.0.2.16/29 | .16 is a valid start address for a /29 block (a multiple of 8, covering .16 through .23) |
Ensure that all necessary IPs are included, such as the public NAT or VPN egress addresses of every office and of any automation that calls the Platform API. Once the restriction is active, any source not on the list is blocked, so an omitted range locks that location out of the tenant.
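Because a rejected or incomplete request delays the change, it is worth checking the list locally against the rules above before opening the support case. The block below is an added example written for this page, not Delinea code. It applies the four stated rules (entry count, duplicates, Delinea-owned ranges, canonical CIDR form) and additionally flags entries already covered by a wider entry in the same list. The Delinea-owned ranges are not reproduced on this page, so `DELINEA_OWNED` is an assumed placeholder to be populated from the network-requirements JSON.

```python
"""Pre-check an IP restriction allowlist request before submitting it.

Added example for this page, not Delinea code. DELINEA_OWNED is an ASSUMED
placeholder (a documentation range); fill it from the published
network-requirements JSON for your tenant.
"""
import ipaddress
from typing import List

MAX_ENTRIES = 50
# Placeholder only; not a real Delinea range.
DELINEA_OWNED = [ipaddress.ip_network("203.0.113.0/24")]


def validate_allowlist(entries: List[str], owned=DELINEA_OWNED) -> List[str]:
    """Return a list of problems; an empty list means the request passes
    every check here."""
    problems: List[str] = []
    if len(entries) > MAX_ENTRIES:
        problems.append(f"{len(entries)} entries exceeds the maximum of {MAX_ENTRIES}")

    nets = []
    seen = set()
    for raw in entries:
        try:
            # strict=True rejects non-canonical blocks such as 192.0.2.20/29
            # (host bits set); a bare address becomes a /32 (or /128).
            net = ipaddress.ip_network(raw.strip(), strict=True)
        except ValueError as exc:
            problems.append(f"{raw}: {exc}")
            continue
        if net in seen:
            problems.append(f"{raw}: duplicate of an earlier entry")
            continue
        seen.add(net)
        if any(net.version == o.version and net.overlaps(o) for o in owned):
            problems.append(f"{raw}: overlaps a Delinea-owned range")
        nets.append(net)

    # Extra hygiene beyond the page's four rules: an entry wholly inside
    # another entry adds nothing and counts against the 50-entry limit.
    for a in nets:
        for b in nets:
            if a != b and a.version == b.version and a.subnet_of(b):
                problems.append(f"{a}: already covered by {b}")
    return problems


if __name__ == "__main__":
    # Constructed request mixing the page's two /29 examples with a duplicate
    # and a host already covered by a block.
    request = ["192.0.2.16/29", "192.0.2.20/29", "192.0.2.16/29", "192.0.2.18"]
    for p in validate_allowlist(request):
        print(p)
```

The `strict=True` check is the one that catches the page's invalid example: `ipaddress.ip_network("192.0.2.20/29")` raises "has host bits set", while `192.0.2.16/29` parses cleanly.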