Skip to content

Latest commit

 

History

History
399 lines (308 loc) · 13.3 KB

copilot-allowlist-reference.md

File metadata and controls

399 lines (308 loc) · 13.3 KB
title intro permissions versions category redirect_from contentType
Copilot allowlist reference
Learn how to allow certain traffic through your firewall or proxy server for {% data variables.product.prodname_copilot_short %} to work as intended in your organization.
Proxy server maintainers or firewall maintainers
feature
copilot
Configure Copilot
/copilot/reference/proxy-server-and-firewall-settings-for-copilot
/copilot/managing-copilot/managing-github-copilot-in-your-organization/configuring-your-proxy-server-or-firewall-for-copilot
/copilot/how-tos/administer/organizations/configuring-your-proxy-server-or-firewall-for-copilot
/copilot/reference/allowlist-reference
reference

If your company employs security measures like a firewall or proxy server, you should add the following URLs, ports, and protocols to an allowlist to ensure {% data variables.product.prodname_copilot_short %} works as expected:

{% data variables.product.github %} public URLs

Domain and/or URL Purpose
https://github.com/login/* Authentication
https://github.com/enterprises/YOUR-ENTERPRISE/* Authentication for {% data variables.enterprise.prodname_managed_users %}, only required with {% data variables.product.prodname_emus %}
https://api.github.com/user User Management
https://api.github.com/copilot_internal/* User Management
https://copilot-telemetry.githubusercontent.com/telemetry Telemetry
https://collector.github.com/* Analytics telemetry
https://default.exp-tas.com Telemetry
https://copilot-proxy.githubusercontent.com API service for {% data variables.product.prodname_copilot_short %} suggestions
https://origin-tracker.githubusercontent.com API service for {% data variables.product.prodname_copilot_short %} suggestions
https://*.githubcopilot.com/*1 API service for {% data variables.product.prodname_copilot_short %} suggestions
https://*.individual.githubcopilot.com2 API service for {% data variables.product.prodname_copilot_short %} suggestions
https://*.business.githubcopilot.com3 API service for {% data variables.product.prodname_copilot_short %} suggestions
https://*.enterprise.githubcopilot.com4 API service for {% data variables.product.prodname_copilot_short %} suggestions
https://*.SUBDOMAIN.ghe.com For {% data variables.product.prodname_copilot_short %} users on {% data variables.enterprise.data_residency_site %}
https://SUBDOMAIN.ghe.com For {% data variables.product.prodname_copilot_short %} users on {% data variables.enterprise.data_residency_site %}
https://copilot-reports-*.b01.azurefd.net {% data variables.product.prodname_copilot_short %} usage metrics report downloads

Depending on the security policies and editors your organization uses, you may need to allowlist additional domains and URLs. For more information on specific editors, see Further reading.

Every user of the proxy server or firewall also needs to configure their own environment to connect to {% data variables.product.prodname_copilot_short %}. See AUTOTITLE.

{% data variables.copilot.copilot_coding_agent %} recommended allowlist

The {% data variables.copilot.copilot_coding_agent %} includes a built-in firewall with a recommended allowlist that is enabled by default. The recommended allowlist allows access to:

  • Common operating system package repositories (for example, Debian, Ubuntu, Red Hat).
  • Common container registries (for example, Docker Hub, Azure Container Registry, AWS Elastic Container Registry).
  • Packages registries used by popular programming languages (C#, Dart, Go, Haskell, Java, JavaScript, Perl, PHP, Python, Ruby, Rust, Swift).
  • Common certificate authorities (to allow SSL certificates to be validated).
  • Hosts used to download web browsers for the Playwright MCP server.

For more information about configuring the {% data variables.copilot.copilot_coding_agent %} firewall, see AUTOTITLE.

The allowlist allows access to the following hosts:

Azure Infrastructure: Metadata Service

  • 168.63.129.16

Certificate Authorities: DigiCert

  • crl3.digicert.com
  • crl4.digicert.com
  • ocsp.digicert.com

Certificate Authorities: Symantec

  • ts-crl.ws.symantec.com
  • ts-ocsp.ws.symantec.com
  • s.symcb.com
  • s.symcd.com

Certificate Authorities: GeoTrust

  • crl.geotrust.com
  • ocsp.geotrust.com

Certificate Authorities: Thawte

  • crl.thawte.com
  • ocsp.thawte.com

Certificate Authorities: VeriSign

  • crl.verisign.com
  • ocsp.verisign.com

Certificate Authorities: GlobalSign

  • crl.globalsign.com
  • ocsp.globalsign.com

Certificate Authorities: SSL.com

  • crls.ssl.com
  • ocsp.ssl.com

Certificate Authorities: IdenTrust

  • crl.identrust.com
  • ocsp.identrust.com

Certificate Authorities: Sectigo

  • crl.sectigo.com
  • ocsp.sectigo.com

Certificate Authorities: UserTrust

  • crl.usertrust.com
  • ocsp.usertrust.com

Container Registries: Docker

  • 172.18.0.1
  • ghcr.io
  • registry.hub.docker.com
  • *.docker.io
  • *.docker.com
  • production.cloudflare.docker.com
  • auth.docker.io
  • quay.io
  • mcr.microsoft.com
  • gcr.io
  • public.ecr.aws

GitHub: Content & API

  • *.githubusercontent.com
  • raw.githubusercontent.com
  • objects.githubusercontent.com
  • lfs.github.com
  • github-cloud.githubusercontent.com
  • github-cloud.s3.amazonaws.com
  • codeload.github.com
  • scanning-api.github.com
  • api.mcp.github.com
  • uploads.github.com/copilot/chat/attachments/

GitHub: Actions Artifact Storage

  • productionresultssa0.blob.core.windows.net
  • productionresultssa1.blob.core.windows.net
  • productionresultssa2.blob.core.windows.net
  • productionresultssa3.blob.core.windows.net
  • productionresultssa4.blob.core.windows.net
  • productionresultssa5.blob.core.windows.net
  • productionresultssa6.blob.core.windows.net
  • productionresultssa7.blob.core.windows.net
  • productionresultssa8.blob.core.windows.net
  • productionresultssa9.blob.core.windows.net
  • productionresultssa10.blob.core.windows.net
  • productionresultssa11.blob.core.windows.net
  • productionresultssa12.blob.core.windows.net
  • productionresultssa13.blob.core.windows.net
  • productionresultssa14.blob.core.windows.net
  • productionresultssa15.blob.core.windows.net
  • productionresultssa16.blob.core.windows.net
  • productionresultssa17.blob.core.windows.net
  • productionresultssa18.blob.core.windows.net
  • productionresultssa19.blob.core.windows.net

Programming Languages & Package Managers: C# / .NET

  • nuget.org
  • dist.nuget.org
  • api.nuget.org
  • nuget.pkg.github.com
  • dotnet.microsoft.com
  • pkgs.dev.azure.com
  • builds.dotnet.microsoft.com
  • dotnetcli.blob.core.windows.net
  • nugetregistryv2prod.blob.core.windows.net
  • azuresearch-usnc.nuget.org
  • azuresearch-ussc.nuget.org
  • dc.services.visualstudio.com
  • dot.net
  • download.visualstudio.microsoft.com
  • dotnetcli.azureedge.net
  • ci.dot.net
  • www.microsoft.com
  • oneocsp.microsoft.com
  • www.microsoft.com/pkiops/crl/

Programming Languages & Package Managers: Dart

  • pub.dev
  • pub.dartlang.org
  • storage.googleapis.com/pub-packages/
  • storage.googleapis.com/dart-archive/

Programming Languages & Package Managers: Go

  • go.dev
  • golang.org
  • proxy.golang.org
  • sum.golang.org
  • pkg.go.dev
  • goproxy.io
  • storage.googleapis.com/proxy-golang-org-prod/

Programming Languages & Package Managers: Haskell

  • haskell.org
  • *.hackage.haskell.org
  • get-ghcup.haskell.org
  • downloads.haskell.org

Programming Languages & Package Managers: Java

  • www.java.com
  • jdk.java.net
  • api.adoptium.net
  • adoptium.net
  • search.maven.org
  • maven.apache.org
  • repo.maven.apache.org
  • repo1.maven.org
  • maven.pkg.github.com
  • maven-central.storage-download.googleapis.com
  • maven.google.com
  • maven.oracle.com
  • jcenter.bintray.com
  • oss.sonatype.org
  • repo.spring.io
  • gradle.org
  • services.gradle.org
  • plugins.gradle.org
  • plugins-artifacts.gradle.org
  • repo.grails.org
  • download.eclipse.org
  • download.oracle.com

Programming Languages & Package Managers: Node.js / JavaScript

  • npmjs.org
  • npmjs.com
  • registry.npmjs.com
  • registry.npmjs.org
  • skimdb.npmjs.com
  • npm.pkg.github.com
  • api.npms.io
  • nodejs.org
  • yarnpkg.com
  • registry.yarnpkg.com
  • repo.yarnpkg.com
  • deb.nodesource.com
  • get.pnpm.io
  • bun.sh
  • deno.land
  • registry.bower.io
  • binaries.prisma.sh

Programming Languages & Package Managers: Perl

  • cpan.org
  • www.cpan.org
  • metacpan.org
  • cpan.metacpan.org

Programming Languages & Package Managers: PHP

  • repo.packagist.org
  • packagist.org
  • getcomposer.org

Programming Languages & Package Managers: Python

  • pypi.python.org
  • pypi.org
  • pip.pypa.io
  • *.pythonhosted.org
  • files.pythonhosted.org
  • bootstrap.pypa.io
  • conda.binstar.org
  • conda.anaconda.org
  • binstar.org
  • anaconda.org
  • download.pytorch.org
  • repo.continuum.io
  • repo.anaconda.com

Programming Languages & Package Managers: Ruby

  • rubygems.org
  • api.rubygems.org
  • rubygems.pkg.github.com
  • bundler.rubygems.org
  • gems.rubyforge.org
  • gems.rubyonrails.org
  • index.rubygems.org
  • cache.ruby-lang.org
  • *.rvm.io

Programming Languages & Package Managers: Rust

  • crates.io
  • index.crates.io
  • static.crates.io
  • sh.rustup.rs
  • static.rust-lang.org

Programming Languages & Package Managers: Swift

  • download.swift.org
  • swift.org
  • cocoapods.org
  • cdn.cocoapods.org

Infrastructure & Tools: HashiCorp

  • releases.hashicorp.com
  • apt.releases.hashicorp.com
  • yum.releases.hashicorp.com
  • registry.terraform.io

Infrastructure & Tools: JSON Schema

  • json-schema.org
  • json.schemastore.org

Infrastructure & Tools: Playwright

  • playwright.download.prss.microsoft.com
  • cdn.playwright.dev
  • playwright.azureedge.net
  • playwright-akamai.azureedge.net
  • playwright-verizon.azureedge.net
  • storage.googleapis.com/chrome-for-testing-public

Linux Package Managers: Ubuntu

  • archive.ubuntu.com
  • security.ubuntu.com
  • ppa.launchpad.net
  • keyserver.ubuntu.com
  • azure.archive.ubuntu.com
  • api.snapcraft.io

Linux Package Managers: Debian

  • deb.debian.org
  • security.debian.org
  • keyring.debian.org
  • packages.debian.org
  • debian.map.fastlydns.net
  • apt.llvm.org

Linux Package Managers: Fedora

  • dl.fedoraproject.org
  • mirrors.fedoraproject.org
  • download.fedoraproject.org

Linux Package Managers: CentOS

  • mirror.centos.org
  • vault.centos.org

Linux Package Managers: Alpine

  • dl-cdn.alpinelinux.org
  • pkg.alpinelinux.org

Linux Package Managers: Arch

  • mirror.archlinux.org
  • archlinux.org

Linux Package Managers: SUSE

  • download.opensuse.org

Linux Package Managers: Red Hat

  • cdn.redhat.com

Linux Package Managers: Common Package Sources

  • packagecloud.io
  • packages.cloud.google.com
  • packages.microsoft.com

Other

  • dl.k8s.io
  • pkgs.k8s.io

Further reading

Footnotes

  1. Allows access to authorized users regardless of {% data variables.product.prodname_copilot_short %} plan. Do not add this URL to your allowlist if you are using subscription-based network routing. For more information on subscription-based network routing, see AUTOTITLE.

  2. Allows access to authorized users via a {% data variables.copilot.copilot_individuals_short %} plan. Do not add this URL to your allowlist if you are using subscription-based network routing.

  3. Allows access to authorized users via a {% data variables.copilot.copilot_business_short %} plan. Do not add this URL to your allowlist if you want to use subscription-based network routing to block users from using {% data variables.copilot.copilot_business_short %} on your network.

  4. Allows access to authorized users via a {% data variables.copilot.copilot_enterprise_short %} plan. Do not add this URL to your allowlist if you want to use subscription-based network routing to block users from using {% data variables.copilot.copilot_enterprise_short %} on your network.