Network Requirements

Overview

If your environment has a firewall, you must configure outbound access from your corporate network to the Delinea Platform. All network requirements—IP addresses, hostnames, CIDR ranges, and ports—are published as machine-readable JSON. This approach lets you:

  • Automate firewall rule updates
  • Track changes through the changelog
  • Convert requirements to your firewall's native format
  • Stay current without manually checking documentation

Primary Resources

Use the following URLs to access current network requirements and change history.

| Resource | URL | Description |
|---|---|---|
| Network Requirements (JSON) | https://setup.delinea.app/network-requirements | Current network requirements in JSON format |
| Changelog | https://setup.delinea.app/network-requirements/changelog | History of changes to network requirements |
| Changelog RSS Feed | https://setup.delinea.app/network-requirements/feed | RSS feed of changelog updates—subscribe to be notified when network requirements change. |

You can also retrieve network requirements directly from your tenant. Replace <tenant> with your tenant hostname: https://<tenant>.delinea.app/network-requirements

Subscribing to Network Requirement Changes

Network requirements occasionally change—new hostnames, ports, IP ranges, or removed endpoints. Rather than manually checking the changelog, you can subscribe to the Changelog RSS feed to be notified automatically when a new version is published.

Feed URL: https://setup.delinea.app/network-requirements/feed

The feed is low-volume, and each entry summarizes what was added, removed, or changed. It is a standard RSS 2.0 feed and can be consumed by any RSS reader or automation tool.

Example: Subscribe in Slack

If your team coordinates network or firewall changes in Slack, the built-in RSS app delivers each changelog update directly to a Slack channel.

  1. Open the Slack channel where you want updates posted (for example, #network-changes or #delinea-platform).

  2. Run the following slash command:

    /feed subscribe https://setup.delinea.app/network-requirements/feed

  3. Slack confirms the subscription. New changelog entries will post automatically when published.

To unsubscribe, run /feed list to view active feeds, then /feed remove <id> for the entry you want to remove.

Key Configuration Notes

SSL Inspection

Disable SSL inspection on all Delinea Platform firewall rules. Services fail if they detect an intermediate certificate.

Distributed Engine Service Bus Endpoints

Distributed Engine Service Bus endpoints are tenant-specific. Retrieve your tenant's endpoints from:

https://<tenant>.delinea.app/view/vault/diagnostics/system/service-bus

Replace <tenant> with your tenant hostname.

Delinea Network Config Tool

The delinea-netconfig CLI tool converts the Platform's network requirements JSON into firewall rules and infrastructure-as-code formats.

GitHub Repository: https://github.com/DelineaXPM/delinea-netconfig

Features

| Feature | Description |
|---|---|
| Interactive TUI | Browse, filter, inspect, and export entries without flags |
| Output Formats | Exports to CSV, YAML, Terraform, Ansible, AWS Security Groups, Cisco ACL, and PAN-OS XML |
| Diff & Info | Compare versions and display requirement statistics |
| Tenant Substitution | Replaces <tenant> placeholders with your actual tenant name |
| Flexible Input | Loads requirements from local files or remote URLs |

For installation, usage, and examples, see the GitHub repository.

Tenant IP Restrictions

The Tenant IP Restrictions feature limits access to your Delinea Platform tenant to approved IP addresses or CIDR ranges. This adds a security layer by blocking connections from unapproved networks.

IP restrictions apply to both the Delinea Platform tenant and the integrated Secret Server Cloud instance, ensuring consistent coverage across your environment.

Benefits

  • Reduced attack surface: Only approved IP addresses can connect to your tenant.
  • Consistent coverage: Restrictions apply across the Delinea Platform and the integrated Secret Server Cloud instance.

Submit an IP Restriction Request

To enable IP restrictions for your tenant:

  1. Compile the list of IP addresses or CIDR ranges to allow. Follow these requirements before submitting:
    • Maximum 110 entries: No more than 110 individual IP addresses or CIDR blocks combined.
    • No duplicates: Each IP address must appear only once.
    • Exclude Delinea-owned IPs: Do not include any IP addresses owned by Delinea.
    • Valid CIDR alignment: CIDR blocks must align with valid start addresses for the specified prefix length.
  2. Verify CIDR block alignment before submitting. The following example shows an invalid and a valid /29 block:
    | Status | CIDR Block | Reason |
    |---|---|---|
    | Invalid | 192.0.2.20/29 | .20 is not a valid start address for a /29 block |
    | Valid | 192.0.2.16/29 | .16 is a valid start address for a /29 block |
  3. Submit a support case to Delinea Support with your approved IP address list.
  4. Delinea Support configures the allowlist for your tenant.

Include all required IP addresses before submitting. Omitting necessary IPs causes access disruptions after the restriction takes effect.
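
The submission requirements above can be checked mechanically before you open the support case. The following Python check is an added example, not Delinea tooling: the function name, the delinea_ranges parameter, and the sample addresses (RFC 5737 documentation ranges) are assumptions constructed for illustration.

```python
import ipaddress

MAX_ENTRIES = 110  # limit stated in the submission requirements

# Constructed sample input (RFC 5737 documentation addresses, not real hosts).
SAMPLE = ["192.0.2.16/29", "192.0.2.20/29", "198.51.100.7",
          "198.51.100.7/32", "203.0.113.300", "203.0.113.64/26"]
# Placeholder standing in for ranges from the published requirements JSON.
SAMPLE_DELINEA = ["203.0.113.0/24"]


def validate_allowlist(entries, delinea_ranges=()):
    """Return (entry, problem) tuples; an empty list means the list passes.

    delinea_ranges is an assumed parameter: CIDR strings you collected from
    the network requirements, used to catch Delinea-owned addresses.
    """
    problems = []
    if len(entries) > MAX_ENTRIES:
        problems.append(("<list>", f"{len(entries)} entries exceeds {MAX_ENTRIES}"))
    vendor = [ipaddress.ip_network(r) for r in delinea_ranges]
    seen = {}  # normalized network -> first spelling seen
    for raw in entries:
        text = raw.strip()
        try:
            # strict=False tolerates host bits so misalignment can be reported
            net = ipaddress.ip_network(text, strict=False)
        except ValueError:
            problems.append((text, "not a valid IP address or CIDR block"))
            continue
        if "/" in text and ipaddress.ip_interface(text).ip != net.network_address:
            problems.append((text, f"misaligned, block starts at {net.network_address}"))
            continue
        if net in seen:  # also catches 198.51.100.7 vs 198.51.100.7/32
            problems.append((text, f"duplicate of {seen[net]}"))
            continue
        seen[net] = text
        if any(net.version == v.version and net.overlaps(v) for v in vendor):
            problems.append((text, "overlaps a Delinea-owned range"))
    return problems


if __name__ == "__main__":
    for entry, problem in validate_allowlist(SAMPLE, SAMPLE_DELINEA):
        print(f"{entry}: {problem}")
```

Duplicates are compared after normalization, so a bare address and its /32 form count as the same entry; an address that merely falls inside another listed CIDR block is not flagged.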

Troubleshooting

| Symptom | Cause | Resolution |
|---|---|---|
| Services fail to connect after enabling firewall rules | SSL inspection is enabled on the firewall rule | Disable SSL inspection for all Delinea Platform rules |
| IP restriction request is rejected | Request contains duplicates, exceeds 110 entries, includes Delinea IPs, or contains misaligned CIDR blocks | Review all entries against the submission requirements and resubmit |
| Users lose access after IP restriction is applied | Required IPs were missing from the allowlist | Submit a new support case to add the missing IPs to the allowlist |
| Distributed Engine cannot reach Service Bus | Tenant-specific Service Bus endpoints are not included in firewall rules | Retrieve your tenant's Service Bus endpoints from https://<tenant>.delinea.app/view/vault/diagnostics/system/service-bus and add them to your rules |