---
title: Copilot allowlist reference
intro: 'Learn how to allow certain traffic through your firewall or proxy server for {% data variables.product.prodname_copilot_short %} to work as intended in your organization.'
permissions: Proxy server maintainers or firewall maintainers
versions:
  feature: copilot
topics:
  - Copilot
category:
  - Configure Copilot
redirect_from:
  - /copilot/reference/proxy-server-and-firewall-settings-for-copilot
  - /copilot/managing-copilot/managing-github-copilot-in-your-organization/configuring-your-proxy-server-or-firewall-for-copilot
  - /copilot/how-tos/administer/organizations/configuring-your-proxy-server-or-firewall-for-copilot
  - /copilot/reference/allowlist-reference
contentType: reference
---

If your company employs security measures like a firewall or proxy server, you should add the following URLs, ports, and protocols to an allowlist to ensure {% data variables.product.prodname_copilot_short %} works as expected:

## {% data variables.product.github %} public URLs

| Domain and/or URL | Purpose |
|:------------------|:--------|
| `https://github.com/login/*` | Authentication |
| `https://github.com/enterprises/YOUR-ENTERPRISE/*` | Authentication for {% data variables.enterprise.prodname_managed_users %}, only required with {% data variables.product.prodname_emus %} |
| `https://api.github.com/user` | User Management |
| `https://api.github.com/copilot_internal/*` | User Management |
| `https://copilot-telemetry.githubusercontent.com/telemetry` | Telemetry |
| `https://collector.github.com/*` | Analytics telemetry |
| `https://default.exp-tas.com` | Telemetry |
| `https://copilot-proxy.githubusercontent.com` | API service for {% data variables.product.prodname_copilot_short %} suggestions |
| `https://origin-tracker.githubusercontent.com` | API service for {% data variables.product.prodname_copilot_short %} suggestions |
| `https://*.githubcopilot.com/*`[^1] | API service for {% data variables.product.prodname_copilot_short %} suggestions |
| `https://*.individual.githubcopilot.com`[^2] | API service for {% data variables.product.prodname_copilot_short %} suggestions |
| `https://*.business.githubcopilot.com`[^3] | API service for {% data variables.product.prodname_copilot_short %} suggestions |
| `https://*.enterprise.githubcopilot.com`[^4] | API service for {% data variables.product.prodname_copilot_short %} suggestions |
| `https://*.SUBDOMAIN.ghe.com` | For {% data variables.product.prodname_copilot_short %} users on {% data variables.enterprise.data_residency_site %} |
| `https://SUBDOMAIN.ghe.com` | For {% data variables.product.prodname_copilot_short %} users on {% data variables.enterprise.data_residency_site %} |

Depending on the security policies and editors your organization uses, you may need to allowlist additional domains and URLs. For more information on specific editors, see [Further reading](#further-reading).

Every user of the proxy server or firewall also needs to configure their own environment to connect to {% data variables.product.prodname_copilot_short %}. See [AUTOTITLE](/copilot/configuring-github-copilot/configuring-network-settings-for-github-copilot).

## {% data variables.copilot.copilot_coding_agent %} recommended allowlist

The {% data variables.copilot.copilot_coding_agent %} includes a built-in firewall with a recommended allowlist that is enabled by default. The recommended allowlist allows access to:

* Common operating system package repositories (for example, Debian, Ubuntu, Red Hat).
* Common container registries (for example, Docker Hub, Azure Container Registry, AWS Elastic Container Registry).
* Package registries used by popular programming languages (C#, Dart, Go, Haskell, Java, JavaScript, Perl, PHP, Python, Ruby, Rust, Swift).
* Common certificate authorities (to allow SSL certificates to be validated).
* Hosts used to download web browsers for the Playwright MCP server.

For more information about configuring the {% data variables.copilot.copilot_coding_agent %} firewall, see [AUTOTITLE](/copilot/how-tos/use-copilot-agents/coding-agent/customize-the-agent-firewall).

The allowlist allows access to the following hosts:

### Azure Infrastructure: Metadata Service

* `168.63.129.16`

### Certificate Authorities: DigiCert

* `crl3.digicert.com`
* `crl4.digicert.com`
* `ocsp.digicert.com`

### Certificate Authorities: Symantec

* `ts-crl.ws.symantec.com`
* `ts-ocsp.ws.symantec.com`
* `s.symcb.com`
* `s.symcd.com`

### Certificate Authorities: GeoTrust

* `crl.geotrust.com`
* `ocsp.geotrust.com`

### Certificate Authorities: Thawte

* `crl.thawte.com`
* `ocsp.thawte.com`

### Certificate Authorities: VeriSign

* `crl.verisign.com`
* `ocsp.verisign.com`

### Certificate Authorities: GlobalSign

* `crl.globalsign.com`
* `ocsp.globalsign.com`

### Certificate Authorities: SSL.com

* `crls.ssl.com`
* `ocsp.ssl.com`

### Certificate Authorities: IdenTrust

* `crl.identrust.com`
* `ocsp.identrust.com`

### Certificate Authorities: Sectigo

* `crl.sectigo.com`
* `ocsp.sectigo.com`

### Certificate Authorities: UserTrust

* `crl.usertrust.com`
* `ocsp.usertrust.com`

### Container Registries: Docker

* `172.18.0.1`
* `ghcr.io`
* `registry.hub.docker.com`
* `*.docker.io`
* `*.docker.com`
* `production.cloudflare.docker.com`
* `auth.docker.io`
* `quay.io`
* `mcr.microsoft.com`
* `gcr.io`
* `public.ecr.aws`

### GitHub: Content & API

* `*.githubusercontent.com`
* `raw.githubusercontent.com`
* `objects.githubusercontent.com`
* `lfs.github.com`
* `github-cloud.githubusercontent.com`
* `github-cloud.s3.amazonaws.com`
* `codeload.github.com`
* `scanning-api.github.com`
* `api.mcp.github.com`
* `uploads.github.com/copilot/chat/attachments/`

### GitHub: Actions Artifact Storage

* `productionresultssa0.blob.core.windows.net`
* `productionresultssa1.blob.core.windows.net`
* `productionresultssa2.blob.core.windows.net`
* `productionresultssa3.blob.core.windows.net`
* `productionresultssa4.blob.core.windows.net`
* `productionresultssa5.blob.core.windows.net`
* `productionresultssa6.blob.core.windows.net`
* `productionresultssa7.blob.core.windows.net`
* `productionresultssa8.blob.core.windows.net`
* `productionresultssa9.blob.core.windows.net`
* `productionresultssa10.blob.core.windows.net`
* `productionresultssa11.blob.core.windows.net`
* `productionresultssa12.blob.core.windows.net`
* `productionresultssa13.blob.core.windows.net`
* `productionresultssa14.blob.core.windows.net`
* `productionresultssa15.blob.core.windows.net`
* `productionresultssa16.blob.core.windows.net`
* `productionresultssa17.blob.core.windows.net`
* `productionresultssa18.blob.core.windows.net`
* `productionresultssa19.blob.core.windows.net`

### Programming Languages & Package Managers: C# / .NET

* `nuget.org`
* `dist.nuget.org`
* `api.nuget.org`
* `nuget.pkg.github.com`
* `dotnet.microsoft.com`
* `pkgs.dev.azure.com`
* `builds.dotnet.microsoft.com`
* `dotnetcli.blob.core.windows.net`
* `nugetregistryv2prod.blob.core.windows.net`
* `azuresearch-usnc.nuget.org`
* `azuresearch-ussc.nuget.org`
* `dc.services.visualstudio.com`
* `dot.net`
* `download.visualstudio.microsoft.com`
* `dotnetcli.azureedge.net`
* `ci.dot.net`
* `www.microsoft.com`
* `oneocsp.microsoft.com`
* `www.microsoft.com/pkiops/crl/`

### Programming Languages & Package Managers: Dart

* `pub.dev`
* `pub.dartlang.org`
* `storage.googleapis.com/pub-packages/`
* `storage.googleapis.com/dart-archive/`

### Programming Languages & Package Managers: Go

* `go.dev`
* `golang.org`
* `proxy.golang.org`
* `sum.golang.org`
* `pkg.go.dev`
* `goproxy.io`
* `storage.googleapis.com/proxy-golang-org-prod/`

### Programming Languages & Package Managers: Haskell

* `haskell.org`
* `*.hackage.haskell.org`
* `get-ghcup.haskell.org`
* `downloads.haskell.org`

### Programming Languages & Package Managers: Java

* `www.java.com`
* `jdk.java.net`
* `api.adoptium.net`
* `adoptium.net`
* `search.maven.org`
* `maven.apache.org`
* `repo.maven.apache.org`
* `repo1.maven.org`
* `maven.pkg.github.com`
* `maven-central.storage-download.googleapis.com`
* `maven.google.com`
* `maven.oracle.com`
* `jcenter.bintray.com`
* `oss.sonatype.org`
* `repo.spring.io`
* `gradle.org`
* `services.gradle.org`
* `plugins.gradle.org`
* `plugins-artifacts.gradle.org`
* `repo.grails.org`
* `download.eclipse.org`
* `download.oracle.com`

### Programming Languages & Package Managers: Node.js / JavaScript

* `npmjs.org`
* `npmjs.com`
* `registry.npmjs.com`
* `registry.npmjs.org`
* `skimdb.npmjs.com`
* `npm.pkg.github.com`
* `api.npms.io`
* `nodejs.org`
* `yarnpkg.com`
* `registry.yarnpkg.com`
* `repo.yarnpkg.com`
* `deb.nodesource.com`
* `get.pnpm.io`
* `bun.sh`
* `deno.land`
* `registry.bower.io`
* `binaries.prisma.sh`

### Programming Languages & Package Managers: Perl

* `cpan.org`
* `www.cpan.org`
* `metacpan.org`
* `cpan.metacpan.org`

### Programming Languages & Package Managers: PHP

* `repo.packagist.org`
* `packagist.org`
* `getcomposer.org`

### Programming Languages & Package Managers: Python

* `pypi.python.org`
* `pypi.org`
* `pip.pypa.io`
* `*.pythonhosted.org`
* `files.pythonhosted.org`
* `bootstrap.pypa.io`
* `conda.binstar.org`
* `conda.anaconda.org`
* `binstar.org`
* `anaconda.org`
* `download.pytorch.org`
* `repo.continuum.io`
* `repo.anaconda.com`

### Programming Languages & Package Managers: Ruby

* `rubygems.org`
* `api.rubygems.org`
* `rubygems.pkg.github.com`
* `bundler.rubygems.org`
* `gems.rubyforge.org`
* `gems.rubyonrails.org`
* `index.rubygems.org`
* `cache.ruby-lang.org`
* `*.rvm.io`

### Programming Languages & Package Managers: Rust

* `crates.io`
* `index.crates.io`
* `static.crates.io`
* `sh.rustup.rs`
* `static.rust-lang.org`

### Programming Languages & Package Managers: Swift

* `download.swift.org`
* `swift.org`
* `cocoapods.org`
* `cdn.cocoapods.org`

### Infrastructure & Tools: HashiCorp

* `releases.hashicorp.com`
* `apt.releases.hashicorp.com`
* `yum.releases.hashicorp.com`
* `registry.terraform.io`

### Infrastructure & Tools: JSON Schema

* `json-schema.org`
* `json.schemastore.org`

### Infrastructure & Tools: Playwright

* `playwright.download.prss.microsoft.com`
* `cdn.playwright.dev`
* `playwright.azureedge.net`
* `playwright-akamai.azureedge.net`
* `playwright-verizon.azureedge.net`

### Linux Package Managers: Ubuntu

* `archive.ubuntu.com`
* `security.ubuntu.com`
* `ppa.launchpad.net`
* `keyserver.ubuntu.com`
* `azure.archive.ubuntu.com`
* `api.snapcraft.io`

### Linux Package Managers: Debian

* `deb.debian.org`
* `security.debian.org`
* `keyring.debian.org`
* `packages.debian.org`
* `debian.map.fastlydns.net`
* `apt.llvm.org`

### Linux Package Managers: Fedora

* `dl.fedoraproject.org`
* `mirrors.fedoraproject.org`
* `download.fedoraproject.org`

### Linux Package Managers: CentOS

* `mirror.centos.org`
* `vault.centos.org`

### Linux Package Managers: Alpine

* `dl-cdn.alpinelinux.org`
* `pkg.alpinelinux.org`

### Linux Package Managers: Arch

* `mirror.archlinux.org`
* `archlinux.org`

### Linux Package Managers: SUSE

* `download.opensuse.org`

### Linux Package Managers: Red Hat

* `cdn.redhat.com`

### Linux Package Managers: Common Package Sources

* `packagecloud.io`
* `packages.cloud.google.com`
* `packages.microsoft.com`

### Other

* `dl.k8s.io`
* `pkgs.k8s.io`

## Further reading

* [Network Connections in {% data variables.product.prodname_vscode %}](https://code.visualstudio.com/docs/setup/network) in the {% data variables.product.prodname_vs %} documentation
* [Install and use {% data variables.product.prodname_vs %} and Azure Services behind a firewall or proxy server](https://learn.microsoft.com/en-us/visualstudio/install/install-and-use-visual-studio-behind-a-firewall-or-proxy-server) in the Microsoft documentation

[^1]: Allows access to authorized users regardless of {% data variables.product.prodname_copilot_short %} plan. Do not add this URL to your allowlist if you are using subscription-based network routing. For more information on subscription-based network routing, see [AUTOTITLE](/copilot/managing-copilot/managing-copilot-for-your-enterprise/managing-access-to-copilot-in-your-enterprise/managing-github-copilot-access-to-your-enterprises-network).

[^2]: Allows access to authorized users via a {% data variables.copilot.copilot_individuals_short %} plan. Do not add this URL to your allowlist if you are using subscription-based network routing.

[^3]: Allows access to authorized users via a {% data variables.copilot.copilot_business_short %} plan. Do not add this URL to your allowlist if you want to use subscription-based network routing to block users from using {% data variables.copilot.copilot_business_short %} on your network.

[^4]: Allows access to authorized users via a {% data variables.copilot.copilot_enterprise_short %} plan. Do not add this URL to your allowlist if you want to use subscription-based network routing to block users from using {% data variables.copilot.copilot_enterprise_short %} on your network.