LogicMonitor Public IP Addresses and DNS Names
Every LogicMonitor customer has a DNS record of [customername].logicmonitor.com. This record resolves to two or more public IP addresses at any given time. Because these IP addresses can and do change over time, it's imperative that your network's firewall(s) permit access to all of our public IP addresses.
There are two methods for whitelisting LogicMonitor's public IP addresses:
- Whitelisting the DNS (recommended). If you have firewalls capable of handling DNS based rules, we recommend whitelisting *.logicmonitor.com in lieu of the below IP ranges for maximum efficiency and flexibility. LogicMonitor uses CloudFront CDN to deliver content.
- Whitelisting all IP addresses. If DNS based whitelisting rules are not an option, then you must whitelist the following set of public IP addresses in its entirety:
Some customers manually update their Collectors' /etc/hosts files with static IP addresses. This is not a recommended (or sustainable) practice because these IP addresses can and do change over time. If for some reason a collector cannot use DNS, then periodic checks (e.g. every five minutes) should be made to ensure the static entry remains up to date.
You will also need outbound TCP port 443 and 80 access. Port 80 is only used if one attempts to access LogicMonitor via a non-secure HTTP address. This will initially reach port 80 and then be redirected to port 443 for encryption. In order to use our remote session functionality, you will also need RDP or SSH on port 443.
Note: Bootstrap executables for Collector installation are delivered via CDN (AWS CloudFront). It is recommended to whitelist the DNS in order to support this process. However, if it is required that IP addresses be whitelisted individually, you will need to review and whitelist CloudFront's IP ranges, as discussed in CloudFront's documentation.
Note: LogicMonitor has four individual proxy endpoints dedicated to routing collected data around disruptions in the public internet to your portal. If your Collectors are unable to reach our data centers, collected data will be rerouted through these proxies until it can be delivered to your portal via the normal path.
The SiteMonitor functionality found on the Websites page is intended to provide you with details about access to your website externally. You get a better test if you are not explicitly watching for traffic from a given IP address. As such, we do not recommend you whitelist the IP addresses of these locations, and they are likely to change more frequently than our other server addresses. If you find that you need to restrict pages to SiteMonitor requests, the best options are:
- Look for the user-agent "LogicMonitor SiteMonitor/1.0". This will be used by all SiteMonitor requests.
- Set your own custom header while formulating the check and filter on that.
However, if you need access to the current list of IP addresses SiteMonitor may check from, see LogicMonitor's External Testing Locations.