Questions about Inbound and Outbound firewall rules needed to the instances and datacenters

Problem

Very often, customers need to confirm whether their instances are actually located in certain datacenters (DCs). Also, My IP Information shows the IPs in CIDR format, which can be confusing. This triggers several questions.

Symptoms

Certain online geolocation services show the IPs registered for the instances as located in the US. Also, when reviewing the IP information in Hi, it is displayed in IP/netmask format, which can be confusing.

Resolution

Here are a few commonly asked questions about which firewall rules to open.

Which IPs do I have to open?
Answer. The recommended solution is to open all the ServiceNow IP ranges, which allows Customer Support to troubleshoot and gives the greatest flexibility for migrations or datacenter moves.

Our full ServiceNow CIDR IP ranges (recommended):
- CIDR 199.91.136.0/21, equivalent to 199.91.136.xxx
- CIDR 37.98.232.0/21, equivalent to 37.98.232.xxx
- CIDR 149.96.0.0/17, equivalent to 149.96.0.1 to 149.96.127.254
- CIDR 103.23.64.0/22, equivalent to 103.23.64.xxx

For a more granular range, use My IP Information on Hi:
* Finding the IP information for your instance: https://hi.service-now.com/kb_view.do?sysparm_article=KB0538621

For example, consider the following extract for one instance:

[Screenshot: My IP Information in Hi]

Here are some additional questions and answers:

Q. If our instances are located in the AMS and LHR DCs, why does the IP to which our instance resolves appear to be a US IP?
Answer. ServiceNow is a US-based company, so all our IPs are registered in the US as part of the cloud space IP registration. Do not rely on the WHOIS website, as that information is outdated. You can share the KB article about ServiceNow customer IP ranges across the datacenters with the customer, which confirms that the IP to which the instance resolves belongs to the cloud space allocation of that specific DC.

NOTE: All our DCs have their own cloud space IP allocation, even when geolocation services incorrectly show the US.
 
Q. What IP should we use when we need to establish an integration to the customer network?
Answer. It depends on whether the customer has a VPN or not. Most customers do not have a VPN.
Here are the reasons not to have a VPN

In this case (see the screenshot above), the recommended solution is to open 37.98.232.0/21 and 199.91.136.0/21 for the primary and failover datacenters, plus the IP addresses (VIPs) of the instances.

Alternatively (based on the screenshot), a more granular range can be used, depending on whether the customer has a VPN connection with us or not:
Without VPN: 37.98.232.8/29 and 199.91.137.8/29, plus your OWN VIPs (in this case 149.96.66.107)
With VPN: 37.98.232.22 and 199.91.137.22
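To make the CIDR notation from the recommended ranges concrete, and to check that a granular rule set like the one above stays inside those ranges, here is an added Python example (not part of the original article). The VIP 149.96.66.107, the /29 blocks and the single VPN addresses are the values quoted in this article; `plan_rules` and the other function names are hypothetical helpers.

```python
import ipaddress

# The recommended ServiceNow CIDR ranges listed in this article.
RECOMMENDED_RANGES = [
    "199.91.136.0/21",
    "37.98.232.0/21",
    "149.96.0.0/17",
    "103.23.64.0/22",
]


def cidr_bounds(cidr):
    """Return (first address, last address, address count) of a CIDR block.

    Useful when a firewall only accepts an explicit from-to range rather
    than CIDR notation.
    """
    net = ipaddress.ip_network(cidr, strict=True)
    return str(net.network_address), str(net.broadcast_address), net.num_addresses


def covering_ranges(address, ranges=RECOMMENDED_RANGES):
    """Return the recommended ranges that contain `address`.

    An empty list means the address is outside every recommended range,
    which is the check to run before narrowing rules down to a VIP.
    """
    ip = ipaddress.ip_address(address)
    return [r for r in ranges if ip in ipaddress.ip_network(r)]


def plan_rules(instance_vip, with_vpn=False):
    """Assemble the granular allow-list described in this article.

    Without a VPN: the two /29 blocks plus the customer's own VIP.
    With a VPN: the two single addresses. Every entry is validated
    against the recommended ranges so stale data is caught early.
    """
    if with_vpn:
        sources = ["37.98.232.22", "199.91.137.22"]
    else:
        sources = ["37.98.232.8/29", "199.91.137.8/29", instance_vip]
    for entry in sources:
        net = ipaddress.ip_network(entry, strict=False)
        if not any(net.subnet_of(ipaddress.ip_network(r)) for r in RECOMMENDED_RANGES):
            raise ValueError(f"{entry} is outside the recommended ServiceNow ranges")
    return sources
```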
 
Q. What IP should we use when we need a third party to connect to ServiceNow (as a web service)?
Answer. For all inbound connections to the instance, the customer should send traffic to the IP to which the instance resolves, that is, your OWN instance IPs (in this case 149.96.66.107).
It would be wise to open the range, to cover IP moves; in this case the 149.x.x.x series.


More information:
* KB0598826 IP address information - access and integration articles


Article Information

Last Updated:2018-02-21 00:58:50
Published:2018-02-21