# Network access and allowlists

> Configure ingress and egress allowlists, IP addresses, and the Semgrep Network Broker so Semgrep can reach your SCM and related services.

If your organization uses a self-hosted source code manager (SCM), IP allowlisting, or other network restrictions, confirm that Semgrep can connect to the systems it needs before you deploy.

<Note>
  **Before you configure**

  Use the [Pre-deployment checklist](/deployment/checklist) to confirm whether network configuration applies to your deployment.
</Note>

## When to configure allowlists

You might need to update ingress or egress allowlists if any of the following apply:

* Your SCM offers security features that limit access to your resources.
* Your SCM is behind a firewall or protected by network restrictions.
* You use a virtual private network (VPN).
* You host your SCM on-premise or in a private network.

## Ingress and egress allowlists

Semgrep deployments might require both **ingress** and **egress** allowlist updates:

* **Ingress allowlists** control traffic from Semgrep into your infrastructure.
* **Egress allowlists** control traffic from your infrastructure to Semgrep.

Depending on your network, you might need to configure one or both.

<h2 id="ip-addresses">
  IP addresses
</h2>

If you are behind a firewall, use a virtual private network (VPN), or otherwise restrict network access, you might need to add the following IP addresses to both the **ingress** allowlist and the **egress** allowlist:

```bash
# Ingress IP addresses (from Semgrep to your infrastructure)
# and egress IP addresses (from your infrastructure to Semgrep)
35.166.231.235
52.35.248.246
52.34.137.110
44.225.64.41
```

### CloudFront egress IP addresses

You must add **CloudFront IP addresses** to your **egress** allowlist. Refer to [Locations and IP address ranges of CloudFront edge servers](https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/LocationsOfEdgeServers.html) for a list of IP addresses.
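To confirm that an existing egress allowlist covers both the four addresses above and the CloudFront ranges, you can audit an export of it offline. The following is an added example, not Semgrep's own tooling. It assumes the CloudFront prefixes come from AWS's published `ip-ranges.json`; the allowlist, the JSON excerpt, and all function names are constructed for illustration.

```python
import ipaddress
import json

# The four Semgrep addresses listed on this page.
SEMGREP_IPS = ["35.166.231.235", "52.35.248.246", "52.34.137.110", "44.225.64.41"]

# Constructed sample in the layout of AWS's ip-ranges.json; the prefixes are
# RFC 5737 documentation ranges, not real CloudFront ranges.
SAMPLE_AWS_RANGES = json.dumps({"prefixes": [
    {"ip_prefix": "198.51.100.0/24", "service": "CLOUDFRONT"},
    {"ip_prefix": "203.0.113.0/25", "service": "CLOUDFRONT"},
    {"ip_prefix": "192.0.2.0/24", "service": "EC2"},
]})

# Constructed egress allowlist, as exported from a hypothetical firewall.
SAMPLE_ALLOWLIST = ["35.166.231.235/32", "52.35.248.246", "52.34.0.0/16",
                    "198.51.100.0/24", "203.0.113.0/26"]


def cloudfront_prefixes(ranges_json):
    """Return the CLOUDFRONT IPv4 prefixes from ip-ranges.json content."""
    data = json.loads(ranges_json)
    return [p["ip_prefix"] for p in data.get("prefixes", [])
            if p.get("service") == "CLOUDFRONT"]


def missing_from_allowlist(allowlist, required):
    """Return required entries not fully covered by one allowlist network."""
    allowed = [ipaddress.ip_network(a, strict=False) for a in allowlist]
    missing = []
    for entry in required:
        net = ipaddress.ip_network(entry, strict=False)
        # subnet_of() raises on mixed IPv4/IPv6, so compare versions first.
        covered = any(net.version == a.version and net.subnet_of(a)
                      for a in allowed)
        if not covered:
            missing.append(entry)
    return missing


def audit_egress(allowlist, ranges_json):
    """Report gaps for the Semgrep IPs and for the CloudFront prefixes."""
    cf = cloudfront_prefixes(ranges_json)
    return {"semgrep": missing_from_allowlist(allowlist, SEMGREP_IPS),
            "cloudfront": missing_from_allowlist(allowlist, cf)}


if __name__ == "__main__":
    print(audit_egress(SAMPLE_ALLOWLIST, SAMPLE_AWS_RANGES))
```

In the sample, `203.0.113.0/25` is reported as missing because the allowlist only permits the narrower `203.0.113.0/26`, which is the kind of partial coverage that is easy to overlook by eye.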

## Semgrep Network Broker

The [Semgrep Network Broker](/semgrep-ci/network-broker) facilitates secure access between Semgrep and your private network. Its use can replace allowlisting the IP addresses required for **ingress** traffic from Semgrep.

The Network Broker, however, only facilitates requests from Semgrep to your network. It does *not* assist with requests that originate in your network, that is, egress traffic from your infrastructure to Semgrep.

In other words, the only address you would have to allow inbound is `wireguard.semgrep.dev` on UDP port `51820`, or your tenant's equivalent. Depending on how restrictive your network is, you might also need to modify your egress allowlist to include the IP addresses listed in [IP addresses](#ip-addresses).

For setup instructions, see [Set up the Semgrep Network Broker](/semgrep-ci/network-broker).

## Features that require inbound network connectivity

The following Semgrep features require Semgrep to reach resources in your network:

| Feature                    | Guide                                                                                                      |
| :------------------------- | :--------------------------------------------------------------------------------------------------------- |
| On-premise SCM connections | [Connect to on-premise orgs and projects](/deployment/connect-scm#connect-to-on-premise-orgs-and-projects) |
| PR and MR comments         | [PR or MR comments](/category/pr-or-mr-comments)                                                           |
| Semgrep Managed Scans      | [Managed Scans overview](/deployment/managed-scanning/overview)                                            |
| Semgrep Multimodal         | [Semgrep Multimodal getting started](/semgrep-multimodal/getting-started)                                  |
