Connectivity AllowList API
Overview
The Connectivity AllowList API provides the network allowlist for Citrix Cloud services. Use this API to retrieve the FQDNs (Fully Qualified Domain Names) and IP addresses (CIDR ranges) that need to be allowed in firewalls and network security policies for Citrix Cloud to function correctly.
The allowlist covers both inbound and outbound traffic:
- Outbound: Traffic from your environment to Citrix Cloud (egress). You must allow these destinations so your network can reach Citrix Cloud services.
- Inbound: Traffic from Citrix Cloud to your environment (ingress). You must allow these source addresses so Citrix Cloud can communicate with your on-premises or cloud-hosted resources.
The API supports filtering by geographic region and traffic direction, and provides two output formats: canonical JSON and Zscaler-compatible format.
Important:
- Citrix may add new endpoints or services over time. Automate retrieval and refresh of the allowlist rather than maintaining static firewall rules.
- This endpoint does not require authentication and is publicly accessible.
Base URLs
| Region | Base URL |
|---|---|
| Global (US, EU, AP-S) | https://api.cloud.com/connectivity |
| Japan | https://api.citrixcloud.jp/connectivity |
API endpoint
GET /v2/allowlist
This is the recommended endpoint for retrieving connectivity allowlist data.
Parameters
| Parameter | In | Required | Default | Values | Description |
|---|---|---|---|---|---|
| customerId | query | Yes | — | Alphanumeric, 1–12 characters | Required (format=json), Optional (format=zscaler). Replaces CUSTOMER_ID placeholders in FQDN values with your CustomerId. Must match ^[a-zA-Z0-9]{1,12}$. |
| format | query | No | json | json, zscaler | Response format. json returns canonical JSON; zscaler returns Zscaler Web Service Endpoint 1.3 compatible output. |
| geo | query | No | all | us (United States), eu (Europe), ap-s (Asia Pacific South), jp (Japan), all | Filter results by geographic region. |
| direction | query | No | all | inbound, outbound, all | Filter results by traffic direction. |
| Citrix-TransactionId | header | No | — | GUID | Caller-provided trace identifier for distributed tracing. |
Note: When customerId is provided, CUSTOMER_ID placeholders in FQDN values are replaced with your CustomerId value (for example, CUSTOMER_ID.xendesktop.net becomes testcustomer.xendesktop.net). In Zscaler mode, if customerId is omitted, placeholders are replaced with wildcards (*).
Response formats
Canonical JSON (format=json)
The canonical JSON response contains:
- meta: Metadata about the published allowlist version.
  - version: Timestamp of the published allowlist.
  - validUntil: Expiry timestamp indicating when you should re-fetch the data.
- services: Array of service blocks, each containing:
  - name: Service name (for example, "DaaS").
  - direction: inbound or outbound.
  - endpoints: Array of endpoint objects filtered by geo, containing fqdns and/or ips.
  - tcpPorts / udpPorts: Ports to allow (comma-separated or ranges).
  - required: Whether the service is essential for core functionality.
  - notes: Description of what the connectivity is used for.
Example response:
{
  "meta": {
    "version": "2026-06-01T00:00:00Z",
    "validUntil": "2026-06-04T12:00:00Z"
  },
  "services": [
    {
      "name": "DaaS",
      "direction": "outbound",
      "endpoints": [
        {
          "geo": "us",
          "fqdns": ["testcustomer.xendesktop.net"],
          "ips": ["13.107.6.152/31"]
        }
      ],
      "tcpPorts": "80,443",
      "required": true,
      "notes": "Citrix Cloud control plane access"
    }
  ]
}
Zscaler format (format=zscaler)
The Zscaler-compatible response contains:
- usage.update_interval: Recommended polling interval (in hours).
- services: IPv4 service entries with domains, CIDRs, ports, and protocol.
- ipv6_services: IPv6 service entries (included when IPv6 addresses are present).
Example response:
{
  "usage": {
    "update_interval": 84
  },
  "services": [
    {
      "id": "daas-outbound-us-tcp-ipv4",
      "name": "DaaS outbound us tcp ipv4",
      "type": "non-real-time",
      "protocol": "tcp",
      "ports": "80,443",
      "domains": ["testcustomer.xendesktop.net"],
      "cidrs": ["13.107.6.152/31"]
    }
  ]
}
Rate limits and operational behavior
- Rate limit: 5 requests per minute per IP address.
- Compression: gzip response compression is supported via the Accept-Encoding header.
- Caching: Responses include Cache-Control and Last-Modified headers. Use validUntil in the JSON response to determine when to re-fetch.
- Error responses: The API returns 400 Bad Request if required parameters are missing, 404 Not Found if the requested resource does not exist, and 429 Too Many Requests if the rate limit is exceeded.
Example requests
Get allowlist in JSON format
GET https://api.cloud.com/connectivity/v2/allowlist?customerId=testcustomer
Get allowlist in Zscaler format
GET https://api.cloud.com/connectivity/v2/allowlist?format=zscaler
How to use the allowlist
- Call the API with your customerId and any desired filters (geo, direction).
- Parse the response to extract the FQDNs and IP/CIDR ranges for each service.
- Configure your firewall rules:
  - For outbound entries, allow egress traffic to the listed FQDNs and IPs on the specified ports.
  - For inbound entries, allow ingress traffic from the listed source IPs on the specified ports.
- Re-fetch periodically based on the validUntil field to keep your rules up to date as Citrix may add or change endpoints.
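The steps above as an added example (not Citrix code): it turns a canonical JSON response into validated firewall rule tuples before anything reaches the firewall, and checks validUntil to decide when to re-fetch. The port range syntax ("8000-8002"), the rule tuple layout, the refusal of /0 ranges, the acceptance of a leading "*." label and all function names are assumptions; the sample is trimmed from the example response on this page.

```python
import ipaddress
import re
from datetime import datetime, timezone

FQDN_RE = re.compile(r"^(?=.{1,253}$)(\*\.)?([a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,63}$", re.I)

# Constructed sample, trimmed from the example response on this page.
SAMPLE = {
    "meta": {"version": "2026-06-01T00:00:00Z", "validUntil": "2026-06-04T12:00:00Z"},
    "services": [{"name": "DaaS", "direction": "outbound", "tcpPorts": "80,443",
                  "endpoints": [{"geo": "us", "ips": ["13.107.6.152/31"],
                                 "fqdns": ["testcustomer.xendesktop.net"]}]}],
}

def parse_ports(spec):
    """Expand '80,443' or '8000-8002' (range syntax assumed) into sorted ints."""
    ports = set()
    for part in filter(None, (p.strip() for p in (spec or "").split(","))):
        lo, _, hi = part.partition("-")
        lo, hi = int(lo), int(hi or lo)
        if not 1 <= lo <= hi <= 65535:
            raise ValueError(f"bad port spec: {part!r}")
        ports.update(range(lo, hi + 1))
    return sorted(ports)

def build_rules(doc):
    """Validated (direction, proto, field, value, ports) tuples; inbound uses source IPs only."""
    rules = []
    for svc in doc["services"]:
        direction = svc["direction"]
        field = {"outbound": "dst", "inbound": "src"}[direction]  # KeyError on any other value
        for proto in ("tcp", "udp"):
            ports = parse_ports(svc.get(proto + "Ports"))
            for ep in (svc["endpoints"] if ports else []):
                for cidr in ep.get("ips", []):
                    net = ipaddress.ip_network(cidr, strict=False)
                    if net.prefixlen == 0:
                        raise ValueError(f"refusing allow-any range: {cidr}")
                    rules.append((direction, proto, field, str(net), ports))
                for fqdn in (ep.get("fqdns", []) if direction == "outbound" else []):
                    if not FQDN_RE.match(fqdn):
                        raise ValueError(f"malformed FQDN: {fqdn!r}")
                    rules.append((direction, proto, field, fqdn.lower(), ports))
    return rules

def needs_refresh(doc, now=None):
    """True once meta.validUntil has passed (timestamps are UTC with a 'Z' suffix)."""
    expiry = datetime.fromisoformat(doc["meta"]["validUntil"].replace("Z", "+00:00"))
    return (now or datetime.now(timezone.utc)) >= expiry
```

Because a rejected entry raises before any rule is returned, a malformed or unexpectedly broad response leaves the existing firewall rules in place instead of partially replacing them.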
For the full OpenAPI schema and all request and response details, see the Connectivity AllowList API reference.