This browser is no longer supported.
Upgrade to Microsoft Edge to take advantage of the latest features, security updates, and technical support.
Note
Access to this page requires authorization. You can try signing in or changing directories.
Access to this page requires authorization. You can try changing directories.
This article describes the required configuration for:
The simplest mechanism to configure a firewall to allow Power Automate cloud flows to call external services through connectors is to use Azure service tags. The primary service tag for Logic Apps connectors is AzureConnectors, as described in Power Platform outbound IP addresses.
Depending on the firewall you're using, you don't need to monitor and manually update IP ranges, The following table describes the recommended tracking method for each firewall type.
| Firewall | Tracking method |
|---|---|
| Azure | Use Azure service tags. By using service tags in your network security group rules, you don't need to constantly monitor and manually update IP ranges for each service. |
| On-premises | Use the Service Tags with an on-premises firewall so you don't need to monitor and manually update IP ranges. The Service Tag Discovery API provides access to the latest IP address ranges associated with each service tag, enabling you to stay current with changes. |
For configuration details, use the links in the following table.
The following two sections list the network configuration required for Power Automate to connect to services in your network. This configuration is needed only if you're restricting inbound or outbound IP addresses on your network (for example, through a firewall).
Power Automate flows are comprised of actions. Actions can utilize both connector actions and native actions such as 'HTTP' and 'HTTP + Swagger'. To enable connector actions to call services hosted in your network, allow traffic into your network from the AzureConnectors service tag.
For flows consisting of actions including 'HTTP' and 'HTTP + Swagger' actions, allow traffic from all the following service tags:
| Service tag | Required? |
|---|---|
| LogicApps | yes |
| PowerPlatformPlex | yes |
This section contains information on providing your makers and users access to the build and use experiences within Power Automate.
The Power Automate web portal is also known as the maker portal.
The following table lists the services to which Power Automate connects. Ensure none of these services is blocked on your network.
| Domains | Protocols | Uses |
|---|---|---|
| login.microsoft.com login.windows.net login.microsoftonline.com login.live.com secure.aadcdn.microsoftonline-p.com |
https | Access to authentication and authorization endpoints. |
| graph.microsoft.com | https | Access to Microsoft Graph for getting user information such as a profile photo. |
| *.azure-apim.net | https | Access to the Runtime for connectors. |
| *.azure-apihub.net | https | Access to the Runtime for connectors. |
| *.blob.core.windows.net | https | Location of exported flows. |
| *.flow.microsoft.com *.logic.azure.com |
https | Access to the Power Automate site. |
| *.powerautomate.com | https | Access to Power Automate site. |
| *.powerapps.com | https | Access to the Power Apps site. |
| *.azureedge.net | https | Access to Power Automate CDN. |
| *.azurefd.net | https | Access to Power Automate CDN. |
| *.microsoftcloud.com | https | Access to NPS (Net Promoter Score). |
| webshell.suite.office.com | https | Access to Office for header and search. Learn more in Office 365 URLs and ranges. |
| *.dynamics.com | https | Access to Dataverse tables. |
| go.microsoft.com | https | Access to the Power Automate to check for updates. |
| download.microsoft.com | https | Access to the Power Automate to check for updates. |
| login.partner.microsoftonline.cn | https | Access to the Power Automate for desktop cloud discovery. |
| s2s.config.skype.com use.config.skype.com config.edge.skype.com |
https | Access to preview features managed through flighting and configuration endpoints. |
| s2s.config.ecs.infra.gov.teams.microsoft.us | https | Access to preview features managed through flighting and configuration endpoints for US government cloud. |
| *.api.powerplatform.com *.api.powerplatformusercontent.com *.api.bap.microsoft.com *.logic.azure.com |
https | Access to several Power Platform APIs. |
| *.api.gov.powerplatform.microsoft.us *.gov.api.bap.microsoft.us *.logic.azure.us |
https | Access to several Power Platform APIs (U.S. Government - GCC only). |
| *.api.high.powerplatform.microsoft.us *.high.api.bap.microsoft.us *.logic.azure.us |
https | Access to several Power Platform APIs (U.S. Government - GCC High only). |
| *.api.appsplatform.us *.api.bap.appsplatform.us *.logic.azure.us |
https | Access to several Power Platform APIs (U.S. Government - DoD only). |
| *.api.powerplatform.partner.microsoftonline.cn *.api.bap.partner.microsoftonline.cn *.logic.azure.cn |
https | Access to several Power Platform APIs (21Vianet - China only). |
The following table lists additional endpoints you need when using Power Automate mobile app.
| Domains | Protocols | Uses |
|---|---|---|
| *.events.data.microsoft.com | https | Send telemetry for all production regions and supported US sovereign clouds from the mobile app. |
| collector.azure.cn | https | Send telemetry for the Mooncake region from the mobile app. |
| officeapps.live.com | https | Access to authentication and authorization endpoints for the mobile app. |
We recommend allowlisting the list of domains in the Use the Power Automate web portal section to ensure your makers and admins can take advantage of the Power Automate services. For customers looking to narrowly allow network traffic to support the When an HTTP request is received trigger, allowlist the following domains in your firewall's outbound configuration.
| Domains | Protocols | Uses |
|---|---|---|
| *.api.powerplatform.com *.logic.azure.com |
https | Access to several Power Platform APIs. |
| *.api.gov.powerplatform.microsoft.us *.logic.azure.us |
https | Access to several Power Platform APIs (U.S. Government - GCC only). |
| *.api.high.powerplatform.microsoft.us *.logic.azure.us |
https | Access to several Power Platform APIs (U.S. Government - GCC High only). |
| *.api.appsplatform.us *.logic.azure.us |
https | Access to several Power Platform APIs (U.S. Government - DoD only). |
| *.api.powerplatform.partner.microsoftonline.cn *.logic.azure.cn |
https | Access to several Power Platform APIs (21Vianet - China only). |
The following table lists endpoint data requirements for connectivity from a user's machine for desktop flows runs. Ensure that you authorize global endpoints and the endpoints corresponding to your cloud.
| Domains | Protocols | Uses |
|---|---|---|
| server.events.data.microsoft.com | https | Handles telemetry for users outside EMEA, US government, and Chinese clouds. Works as the fallback telemetry endpoint. |
| msedgedriver.azureedge.net chromedriver.storage.googleapis.com |
https | Access to desktop flows WebDriver downloaders. WebDriver is used to automate your browser (Microsoft Edge and Google Chrome). |
| Domains | Protocols | Uses |
|---|---|---|
| *.builds.dotnet.microsoft.com | https | Downloads the .NET 8 runtime if it isn't already installed on the machine. |
| Domains | Protocols | Uses |
|---|---|---|
| ocsp.digicert.com ocsp.msocsp.com mscrl.microsoft.com crl3.digicert.com crl4.digicert.com |
http | Access to the CRL server for the public cloud. Needed when connecting through the on-premises data gateway. |
| *.servicebus.windows.net | https | Listens on Service Bus Relay over TCP. Needed for machine connectivity. |
| *.gateway.prod.island.powerapps.com | https | Needed for machine connectivity. |
| emea.events.data.microsoft.com | https | Handles telemetry for EMEA users. |
| *.api.powerplatform.com | https | Access to several Power Platform APIs (mandatory for cloud connectors utilization in desktop flows). |
| *.dynamics.com | https | Access to Dataverse tables (mandatory for custom actions in desktop flows)(also valid for GCC). |
Note
If you don’t want to allow the public endpoint *.servicebus.windows.net, you can allow the list of namespaces individually. Learn more about namespace endpoints in Allowlist of namespaces endpoints required for desktop flows runtime.
| Domains | Protocols | Uses |
|---|---|---|
| ocsp.digicert.com crl3.digicert.com crl4.digicert.com |
http | Access to the CRL server for US government cloud. Needed when connecting through the on-premises data gateway. |
| *.servicebus.usgovcloudapi.net | https | Listens on Service Bus Relay for US government cloud. Needed for machine connectivity. |
| *.gateway.gov.island.powerapps.us | https | Needed for machine connectivity for US government cloud (GCC and GCCH). |
| *.gateway.gov.island.appsplatform.us | https | Needed for machine connectivity for US government cloud (DOD). |
| tb.events.data.microsoft.com | https | Handles telemetry for US government users. |
| *.api.gov.powerplatform.microsoft.us | https | Access to several Power Platform APIs (mandatory for cloud connector action in desktop flows) (US Government - GCC only). |
| *.api.high.powerplatform.microsoft.us | https | Access to several Power Platform APIs (mandatory for cloud connector actions in desktop flows) (US Government - GCC High only). |
| *.api.appsplatform.us | https | Access to several Power Platform APIs (mandatory for cloud connector actions in desktop flows) (US Government - DoD only). |
| *.microsoftdynamics.us | https | Access to Dataverse tables (mandatory for custom actions in desktop flows)(US Government - GCC High only). |
| *.crm.appsplatform.us | https | Access to Dataverse tables (mandatory for custom actions in desktop flows)(US Government - DoD only). |
| *.dynamics.com | https | Access to Dataverse tables (mandatory for custom actions in desktop flows)(also valid for public clouds). |
| Domains | Protocols | Uses |
|---|---|---|
| crl.digicert.cn ocsp.digicert.cn |
http | Access to the CRL servers for 21Vianet operated cloud. Needed when connecting through the on-premises data gateway. |
| apac.events.data.microsoft.com | https | Handles telemetry for users in China. |
| *.gateway.mooncake.island.powerapps.cn | https | Needed for machine connectivity (21Vianet - China only). |
| *.api.powerplatform.partner.microsoftonline.cn | https | Access to several Power Platform APIs (mandatory for cloud connector actions in desktop flows) (21Vianet - China only). |
| *.dynamics.cn | https | Access to Dataverse tables (DesktopFlow modules feature)(21Vianet - China only). |
| *.api.powerautomate.cn | https | Access to Power Automate (21Vianet - China only). |
Learn more about approvals email routing in Power Automate approval email delivery information.
If you need to authorize IP addresses for your Azure SQL database, use the Power Platform outbound IP addresses.
Training
Learning path
Solution Architect: Design Microsoft Power Platform solutions - Training
Learn how a solution architect designs solutions.
Certification
Microsoft Certified: Power Automate RPA Developer Associate - Certifications
Demonstrate how to improve and automate workflows with Microsoft Power Automate RPA developer.
Events
Sep 15, 6 AM - Sep 17, 3 PM
The best Power BI community-led event. Sept 2025. Use code FABLEARN to save €200.
Get registeredAsk Learn is an AI assistant that can answer questions, clarify concepts, and define terms using trusted Microsoft documentation.
Please sign in to use Ask Learn.
Sign in