Need a list of Particle Cloud egress/source IPs to allow in webhook firewall

Hi!

I have a webhook-receiving application behind a private firewall (not in GCP, AWS, Azure, etc.) and am trying to maintain least privilege access principles by limiting access to only Particle Cloud egress/source IP addresses.

I found the list of ingress (destination) IP addresses for Particle Cloud that devices will connect to (Device --> Particle Cloud) but this is not the piece of the puzzle I need.

I need the source (egress) IP addresses that Particle Cloud uses to call my webhook (Particle Cloud --> webhook/integration).

Even if my webhook-receiving application were hosted in a cloud provider (GCP, etc.) I would still want to follow least privilege access principles and limit access to an allow list in a WAF as there is no need for the entire Internet to access this application.

At the moment I am having to monitor my firewall logs and try to correlate failure counts in the Integrations page along with how frequently my Boron LTE device publishes an event to Particle Cloud to deduce if a source IP is likely genuinely from Particle Cloud or one of the many random IPs constantly trying to scan my endpoint.

I would love to see a list similar to the JSON file already published in the documentation link above for this. For science, I did try using that list of ingress IP addresses in my firewall, in case the Particle Cloud platform performed both ingress/egress message processing using the same IPs. No dice. The egress IPs from Particle Cloud are, so far, not on that ingress IP list.

Thank you!
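The correlation attempted above (checking firewall-log source IPs against a published list of CIDR ranges), as an added example that is not part of the original post: the JSON shape of the range file and the syslog-like log format are both assumptions, and the IPs and log lines are constructed sample data.

```python
import ipaddress
import json
import re

# Constructed stand-in for a published IP-range JSON file; the real file's
# format is not shown on this page, so the key name and shape are assumed.
IP_RANGES_JSON = '{"ranges": ["203.0.113.0/24", "198.51.100.0/25"]}'

# Constructed firewall log lines (syslog-like key=value format is assumed).
FIREWALL_LOG = """\
2024-05-01T10:00:01Z ACCEPT src=203.0.113.7 dst=10.0.0.5 dport=443
2024-05-01T10:00:09Z DROP src=192.0.2.44 dst=10.0.0.5 dport=443
2024-05-01T10:01:15Z ACCEPT src=198.51.100.200 dst=10.0.0.5 dport=443
2024-05-01T10:02:30Z DROP src=198.51.100.9 dst=10.0.0.5 dport=443
"""

LOG_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<action>\w+)\s+src=(?P<src>[\d.]+)")


def load_networks(json_text):
    """Parse the range list into ip_network objects (strict=False tolerates host bits)."""
    data = json.loads(json_text)
    return [ipaddress.ip_network(r, strict=False) for r in data["ranges"]]


def classify_sources(log_text, networks):
    """Return {src_ip: 'listed' | 'unlisted'} for every source IP seen in the log."""
    result = {}
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that do not parse rather than guessing
        ip = ipaddress.ip_address(m.group("src"))
        result[str(ip)] = "listed" if any(ip in n for n in networks) else "unlisted"
    return result


def unlisted_sources(log_text, json_text):
    """Source IPs that hit the endpoint but fall outside every published range."""
    nets = load_networks(json_text)
    return sorted(ip for ip, v in classify_sources(log_text, nets).items()
                  if v == "unlisted")
```

Sources reported as unlisted still need the manual cross-check against the Integrations page described above, since a range list covering only ingress cannot by itself prove an IP is not a legitimate webhook caller.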

There is no list of IP addresses for outbound webhooks.

The reason is that we spin up webhook servers as they are needed and release them when they are not. They're currently spun up in AWS East, but there is no guarantee they won't appear somewhere else in the future, so the IP address could be anywhere.

Thanks for your reply! That's a bummer but not surprising. I'm guessing Particle Cloud isn't using something like AWS VPC NAT Gateway then. Oh well. I guess I'll cobble together a Lambda function behind API Gateway and pop received webhook messages into SQS. Maybe I can fly under the free tier ceiling.