In order for the Netflix Footage Ingest application to work properly within your network environment, the following services should be made accessible via your facility's firewall rules. If you have not configured your network to integrate with Content Hub before, you can refer to the requirements here.
Netflix Footage Ingest Required IP Allow List
These services should be enabled along with the existing base Content Hub services outlined in the link above.
AWS
- Hostname: pegasusasperaprod.us-east-1.dynprod.netflix.net
- IP: 34.195.253.0/25
- IP: 34.195.253.0-34
- IP: 34.195.253.127
Aspera
- IPs: 192.173.98.33
- IPs: 192.173.98.34
- IPs: 192.173.98.35
- IPs: 192.173.98.36
- IPs: 192.173.98.37
- IPs: 192.173.98.38
- IPs: 192.173.98.39
- IPs: 192.173.98.40
Netflix Domains
Netflix domains have been put in front of our SaaS providers. Users should primarily see their browser navigating to Netflix-owned domains.
- *.netflix.net
- *.netflix.com
- *.netflixstudios.com
Customer Identity Cloud (CIC)
CIC is the entry point for Single Sign-On (SSO). Partner users will be authenticated within CIC without redirecting to WIC. Please keep in mind that they may be subject to Google reCAPTCHA or Cloudflare Turnstile.
- *.auth0.com
Workforce Identity Cloud (WIC)
WIC is utilized in conjunction with CIC for Single Sign-on (SSO). Workforce users will be redirected from CIC to WIC for authentication. Please keep in mind that they may be subject to Google reCAPTCHA or Cloudflare Turnstile.
- *.oktacdn.com
- *.okta.com
- *.oktapreview.com
Cloudflare Turnstile
Turnstile is enforced for bot detection and prevention. Users may be subject to Turnstile.
- *.cloudflare.com
Please allow outbound traffic to the following IP CIDR ranges:
Customer Identity Cloud (CIC)
NOBU IP Objects have been created for our CIC Private Cloud Instance's CIDR ranges.
- Production: okta/cic/us-prod
Workforce Identity Cloud (WIC)
Netflix's tenants are hosted in the following WIC Cells:
- Production: US Cell 14 (us_cell_14)
- Preview: Preview Cell 3 (preview_cell_3)
Okta IP Addresses
For proper connectivity to Okta for all Okta agents and end users, add Okta system IP addresses to your allowlist based on this AWS-managed list:
This list includes all existing IP addresses and any new IP addresses reserved for future updates.
Okta groups these IP addresses in the following cells:
- Production (us_cell_1 - us_cell_7, us_cell_10 - us_cell_12, us_cell_14)
- Production EMEA (emea_cell_1)
- Production EMEA (emea_cell_2)
- Production HIPAA (us_cell_5, us_cell_10)
- Production APAC (apac_cell_1, apac_cell_2)
- Preview (preview_cell_1 - preview_cell_3)
- Preview EMEA (preview_cell_2)
Implementation Details
Ports | The Okta service uses SSL/TLS for all communication. If your policy requires a port number, port 443 must be allowlisted for the IP addresses provided in this document, unless otherwise noted. |
Required Okta domains | Add the following domains to your list of allowed domains: |
Content Delivery Network (CDN) | Okta static UI assets (JavaScript, CSS, and images) can be delivered to browsers through an international CDN for faster downloading of assets to customers outside of the USA. For most firewall or proxy systems, Okta recommends specifying an allowlist of DNS addresses for Okta services so that you can make outbound connections. Add this domain to your DNS allowlist: |
Certificate revocation troubleshooting | Various problems can arise when you attempt to revoke a certificate. For example, some clients fail to connect to SSL/TLS endpoints when they're unable to reach a revocation server. If you experience trouble with certificate revocation, ensure that you have the following domain names allowlisted under port 80: |
Please ensure the following hostnames are also on your allow list:
- ingest.sentry.io/
You will need to confirm your upload location via Content Hub and then ensure that the correct information is on your allow list.
[
  {
    "description": "Europe/Madrid",
    "port": 33001,
    "hosts": [
      "192.173.101.35",
      "192.173.101.36",
      "192.173.101.37",
      "192.173.101.39",
      "192.173.101.40"
    ]
  },
  {
    "description": "Europe/London",
    "asperaPublicHosts": [
      "192.173.109.34",
      "192.173.109.33",
      "192.173.109.39",
      "192.173.109.37",
      "192.173.109.35",
      "192.173.109.36",
      "192.173.109.38",
      "192.173.109.40"
    ]
  },
  {
    "description": "North America/New York",
    "asperaPublicHosts": [
      "192.173.110.33",
      "192.173.110.36",
      "192.173.110.38",
      "192.173.110.39",
      "192.173.110.34",
      "192.173.110.37",
      "192.173.110.35",
      "192.173.110.40"
    ]
  },
  {
    "description": "North America/Los Angeles",
    "asperaPublicHosts": [
      "192.173.87.38",
      "192.173.87.39",
      "192.173.87.40",
      "192.173.87.41"
    ]
  },
  {
    "description": "Asia/Mumbai",
    "asperaPublicHosts": [
      "192.173.98.34",
      "192.173.98.38",
      "192.173.98.33",
      "192.173.98.36",
      "192.173.98.40",
      "192.173.98.37",
      "192.173.98.35",
      "192.173.98.39"
    ]
  },
  {
    "description": "Asia/Tokyo",
    "asperaPublicHosts": [
      "192.173.102.33",
      "192.173.102.46",
      "192.173.102.49",
      "192.173.102.47",
      "192.173.102.48",
      "192.173.102.34",
      "192.173.102.50",
      "192.173.102.51"
    ]
  }
]
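As an added example (not part of Netflix's documentation), here is one way to turn the per-location listing above into outbound rules for only the upload location confirmed in Content Hub, and to find required hosts that an existing rule set misses. The function names are hypothetical, and the sample data is two entries from the listing wrapped in a JSON array, which is an assumption about the full file's structure.

```python
import ipaddress
import json

# Sample input: two entries from the listing above, wrapped in a JSON array
# (the array wrapper is an assumption about the full file's structure).
LOCATIONS_JSON = """
[
  {"description": "Europe/Madrid", "port": 33001,
   "hosts": ["192.173.101.35", "192.173.101.36", "192.173.101.37",
             "192.173.101.39", "192.173.101.40"]},
  {"description": "North America/Los Angeles",
   "asperaPublicHosts": ["192.173.87.38", "192.173.87.39",
                         "192.173.87.40", "192.173.87.41"]}
]
"""


def location_hosts(locations, upload_location):
    """Return (hosts, port) for one upload location; port is None if not listed."""
    for entry in locations:
        if entry.get("description") == upload_location:
            # Entries on the page use either "hosts" or "asperaPublicHosts".
            raw = entry.get("hosts") or entry.get("asperaPublicHosts") or []
            # ip_address() raises ValueError on a malformed entry.
            return [ipaddress.ip_address(h) for h in raw], entry.get("port")
    raise KeyError(f"upload location not listed: {upload_location}")


def minimal_cidrs(hosts):
    """Collapse host addresses into the smallest equivalent set of CIDR rules."""
    nets = (ipaddress.ip_network(str(h)) for h in hosts)
    return [str(n) for n in ipaddress.collapse_addresses(nets)]


def egress_gaps(hosts, allowed_cidrs):
    """Hosts that no existing outbound rule (given as CIDR strings) covers."""
    allowed = [ipaddress.ip_network(c, strict=False) for c in allowed_cidrs]
    return [h for h in hosts if not any(h in net for net in allowed)]


if __name__ == "__main__":
    hosts, port = location_hosts(json.loads(LOCATIONS_JSON), "Europe/Madrid")
    for cidr in minimal_cidrs(hosts):
        print(cidr, "port", port)
```

Collapsing never widens the rule set beyond the listed hosts, so addresses absent from a location's entry stay blocked.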