Breadcrumbs

How to find the IP address(es) you need to allowlist for Safeguard

If you use Safeguard IP Address Restrictions, you must add the public IP address(es) from which your systems connect to CM.com. This article explains how to find the correct IP(s) and what to do in common setups (cloud, NAT, proxies, partners).

For background on the feature, see:
https://knowledgecenter.cm.com/knowledge-center/communications-platform/safeguard/what-is-ip-address-restrictions

What IP address do you need? (important)

You must allowlist the public outbound IP address that CM.com sees as the source of your API call.

This is often not:

  • Your server’s private IP (e.g., 10.x.x.x, 172.16.x.x, 192.168.x.x)

  • Your developer laptop’s IP (unless that laptop is truly sending production traffic)

  • Your office Wi‑Fi IP (unless your production traffic truly leaves from there)

It is usually:

  • A NAT gateway / firewall / egress proxy public IP

  • A cloud public egress IP (or a range)

Option 1 — Check your public IP from the sending server (recommended)

Run a command from the same machine/container that sends requests to CM.com.

Linux / macOS

curl https://api.ipify.org

Windows (PowerShell)

(Invoke-WebRequest -UseBasicParsing https://api.ipify.org).Content

The result is the public IP address that external services (like CM.com) will typically see.

Tip: If you have multiple production instances, run this on each (or validate via your network team), because different instances may have different egress IPs.

Option 2 — If you use a proxy, gateway, VPN, or partner

If your traffic goes through a:

  • Corporate proxy

  • API gateway

  • Firewall / NAT

  • Third-party provider sending on your behalf

…then you must allowlist the proxy/NAT/partner egress IP(s) (not the internal systems).

Ask your network team or partner for:

  • The static public IP(s) used for outbound traffic, or

  • The CIDR range(s) (e.g., 203.0.113.0/28) if they use multiple IPs

Option 3 — If you run in a public cloud

Most cloud environments send outbound traffic through a configured egress component. Common examples:

  • AWS: NAT Gateway / Egress-only design using Elastic IPs

  • Azure: NAT Gateway / Public IP for outbound

  • GCP: Cloud NAT with reserved external addresses

In these cases, your allowlist should contain the reserved egress IP(s) (or ranges) configured in your cloud networking.

What to do with the IP(s) once you have them

  1. Log in to Channels: https://www.cm.com/app/channels/

  2. Go to API Access and SettingsBusiness Messaging SettingsSafeguard

  3. Open IP Address Restrictions

  4. Add your IP(s) / CIDR ranges to the allowlist

  5. Review Suggested IP Addresses (if shown) and confirm they match your expected infrastructure

  6. Save changes

Checklist (avoid disruption)

Make sure you include IPs for:

  • Production
  • Staging/integration (if used)
  • Failover/backup environments
  • All regions/datacenters that can send traffic
  • Any third parties sending via your credentials

Need help?

If your outbound IPs are dynamic or you are unsure which IP(s) to allowlist, contact your account manager or Support via the platform.