Connectivity AllowList API

Overview

The Connectivity AllowList API provides the network allowlist for Citrix Cloud services. Use this API to retrieve the FQDNs (Fully Qualified Domain Names) and IP addresses (CIDR ranges) that need to be allowed in firewalls and network security policies for Citrix Cloud to function correctly.

The allowlist covers both inbound and outbound traffic:

  • Outbound: Traffic from your environment to Citrix Cloud (egress). You must allow these destinations so your network can reach Citrix Cloud services.
  • Inbound: Traffic from Citrix Cloud to your environment (ingress). You must allow these source addresses so Citrix Cloud can communicate with your on-premises or cloud-hosted resources.

The API supports filtering by geographic region and traffic direction, and provides two output formats: canonical JSON and Zscaler-compatible format.

Important:

  • Citrix may add new endpoints or services over time. Automate retrieval and refresh of the allowlist rather than maintaining static firewall rules.
  • This endpoint does not require authentication and is publicly accessible.

Base URLs

| Region | Base URL |
|---|---|
| Global (US, EU, AP-S) | https://api.cloud.com/connectivity |
| Japan | https://api.citrixcloud.jp/connectivity |

API endpoint

GET /v2/allowlist

This is the recommended endpoint for retrieving connectivity allowlist data.

Parameters

| Parameter | In | Required | Default | Values | Description |
|---|---|---|---|---|---|
| customerId | query | Yes | | Alphanumeric, 1–12 characters | Required (format=json), Optional (format=zscaler). Replaces CUSTOMER_ID placeholders in FQDN values with your CustomerId. Must match ^[a-zA-Z0-9]{1,12}$. |
| format | query | No | json | json, zscaler | Response format. json returns canonical JSON; zscaler returns Zscaler Web Service Endpoint 1.3 compatible output. |
| geo | query | No | all | us (United States), eu (Europe), ap-s (Asia Pacific South), jp (Japan), all | Filter results by geographic region. |
| direction | query | No | all | inbound, outbound, all | Filter results by traffic direction. |
| Citrix-TransactionId | header | No | | GUID | Caller-provided trace identifier for distributed tracing. |

Note: When customerId is provided, CUSTOMER_ID placeholders in FQDN values are replaced with your CustomerId value (for example, CUSTOMER_ID.xendesktop.net becomes testcustomer.xendesktop.net). In Zscaler mode, if customerId is omitted, placeholders are replaced with wildcards (*).

Response formats

Canonical JSON (format=json)

The canonical JSON response contains:

  • meta: Metadata about the published allowlist version.
    • version: Timestamp of the published allowlist.
    • validUntil: Expiry timestamp indicating when you should re-fetch the data.
  • services: Array of service blocks, each containing:
    • name: Service name (for example, “DaaS”).
    • direction: inbound or outbound.
    • endpoints: Array of endpoint objects filtered by geo, containing fqdns and/or ips.
    • tcpPorts / udpPorts: Ports to allow (comma-separated or ranges).
    • required: Whether the service is essential for core functionality.
    • notes: Description of what the connectivity is used for.

Example response:

{
  "meta": {
    "version": "2026-06-01T00:00:00Z",
    "validUntil": "2026-06-04T12:00:00Z"
  },
  "services": [
    {
      "name": "DaaS",
      "direction": "outbound",
      "endpoints": [
        {
          "geo": "us",
          "fqdns": ["testcustomer.xendesktop.net"],
          "ips": ["13.107.6.152/31"]
        }
      ],
      "tcpPorts": "80,443",
      "required": true,
      "notes": "Citrix Cloud control plane access"
    }
  ]
}

Zscaler format (format=zscaler)

The Zscaler-compatible response contains:

  • usage.update_interval: Recommended polling interval (in hours).
  • services: IPv4 service entries with domains, CIDRs, ports, and protocol.
  • ipv6_services: IPv6 service entries (included when IPv6 addresses are present).

Example response:

{
  "usage": {
    "update_interval": 84
  },
  "services": [
    {
      "id": "daas-outbound-us-tcp-ipv4",
      "name": "DaaS outbound us tcp ipv4",
      "type": "non-real-time",
      "protocol": "tcp",
      "ports": "80,443",
      "domains": ["testcustomer.xendesktop.net"],
      "cidrs": ["13.107.6.152/31"]
    }
  ]
}

Rate limits and operational behavior

  • Rate limit: 5 requests per minute per IP address.
  • Compression: gzip response compression is supported via the Accept-Encoding header.
  • Caching: Responses include Cache-Control and Last-Modified headers. Use validUntil in the JSON response to determine when to re-fetch.
  • Error responses: The API returns 400 Bad Request if required parameters are missing, 404 Not Found if the requested resource does not exist, and 429 Too Many Requests if the rate limit is exceeded.

Example requests

Get allowlist in JSON format

GET https://api.cloud.com/connectivity/v2/allowlist?customerId=testcustomer

Get allowlist in Zscaler format

GET https://api.cloud.com/connectivity/v2/allowlist?format=zscaler

How to use the allowlist

  1. Call the API with your customerId and any desired filters (geo, direction).
  2. Parse the response to extract the FQDNs and IP/CIDR ranges for each service.
  3. Configure your firewall rules:
    • For outbound entries, allow egress traffic to the listed FQDNs and IPs on the specified ports.
    • For inbound entries, allow ingress traffic from the listed source IPs on the specified ports.
  4. Re-fetch periodically based on the validUntil field to keep your rules up to date as Citrix may add or change endpoints.
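
Steps 2 to 4 as an added example (not Citrix code): it parses a canonical JSON response, sanity-checks every CIDR and port before anything reaches a firewall, emits neutral rule tuples, and tests validUntil. Assumptions: the `lo-hi` port range syntax, the `MIN_PREFIX` policy floor, the rule tuple shape, and the second service in the constructed sample.

```python
import ipaddress
import json
from datetime import datetime

MIN_PREFIX = 16  # assumption: local policy floor for CIDR width, not a Citrix value

# Constructed sample in the canonical JSON shape documented above.
SAMPLE = json.loads("""{
  "meta": {"version": "2026-06-01T00:00:00Z", "validUntil": "2026-06-04T12:00:00Z"},
  "services": [
    {"name": "DaaS", "direction": "outbound", "tcpPorts": "80,443", "required": true,
     "endpoints": [{"geo": "us", "fqdns": ["testcustomer.xendesktop.net"],
                    "ips": ["13.107.6.152/31"]}]},
    {"name": "Example inbound", "direction": "inbound", "tcpPorts": "8000-8001",
     "required": false,
     "endpoints": [{"geo": "us", "fqdns": ["ignored.example"], "ips": ["192.0.2.0/24"]}]}
  ]}""")

def parse_ports(spec):
    """Expand '80,443' or 'lo-hi' (range syntax assumed) into sorted ints."""
    ports = set()
    for part in filter(None, (p.strip() for p in (spec or "").split(","))):
        lo, _, hi = part.partition("-")
        lo, hi = int(lo), int(hi or lo)
        if not 1 <= lo <= hi <= 65535:
            raise ValueError(f"bad port spec: {part!r}")
        ports.update(range(lo, hi + 1))
    return sorted(ports)

def to_rules(doc):
    """Return (direction, proto, peer, ports) tuples; peer is a CIDR or FQDN."""
    rules = []
    for svc in doc["services"]:
        for proto, key in (("tcp", "tcpPorts"), ("udp", "udpPorts")):
            ports = parse_ports(svc.get(key))
            for ep in (svc["endpoints"] if ports else []):
                nets = [ipaddress.ip_network(c) for c in ep.get("ips", [])]  # raises on bad CIDR
                if any(n.prefixlen < MIN_PREFIX for n in nets):
                    raise ValueError(f"CIDR wider than /{MIN_PREFIX} in {svc['name']}")
                # Inbound rules match source IPs only; FQDNs apply to egress.
                names = ep.get("fqdns", []) if svc["direction"] == "outbound" else []
                rules += [(svc["direction"], proto, str(p), ports) for p in [*nets, *names]]
    return rules

def needs_refresh(doc, now):
    """True once 'now' (timezone-aware datetime) has reached meta.validUntil."""
    until = datetime.fromisoformat(doc["meta"]["validUntil"].replace("Z", "+00:00"))
    return now >= until
```

Because the endpoint is unauthenticated, a rejected document should leave the previously applied rule set in place rather than clearing it.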

For the full OpenAPI schema and all request and response details, see the Connectivity AllowList API reference.

Resources
Citrix Connectivity AllowList APIs OpenAPI Specification
Connectivity AllowList API