Skip to main content
If your execution environment restricts outbound network access, you must allow traffic to specific endpoints for Prefect to function. This page lists the required and optional endpoints for both Prefect Cloud and self-hosted Prefect server deployments.

Prefect Cloud endpoints

Workers, flow runs, and the Prefect CLI need outbound HTTPS access (TCP port 443) to communicate with Prefect Cloud.

Required endpoints

The IP addresses behind api.prefect.cloud are dynamic. Configure firewall rules by domain name (FQDN) rather than by IP address. If your firewall only supports IP-based rules, route traffic through a proxy or use PrivateLink instead.

Optional endpoints

Blocking optional telemetry endpoints may produce warning messages in logs but does not affect operation. See Telemetry for details on what data is collected and how to opt out.

Additional endpoints for your workflows

Depending on your deployment, workers, and flow runs may also need access to:
  • Code storage: GitHub, GitLab, Bitbucket, S3, GCS, or Azure Blob Storage endpoints where your flow code is stored
  • Container registries: Docker Hub, Amazon ECR, Google Artifact Registry, or other registries if your workers pull container images
  • Infrastructure APIs: AWS, GCP, Azure, or Kubernetes API endpoints if your workers provision cloud infrastructure
  • PyPI or private package indexes: If your flows install Python dependencies at runtime

Self-hosted Prefect server endpoints

When running a self-hosted Prefect server, workers, and the CLI need access to the server’s API endpoint. No external Prefect-hosted endpoints are required for core operation. Set PREFECT_SERVER_ANALYTICS_ENABLED=false on the server to disable the server heartbeat, and DO_NOT_TRACK=1 on client processes to disable SDK telemetry.

Configure a proxy

The Prefect client uses httpx for HTTP requests. httpx respects standard proxy environment variables, so you can route Prefect traffic through a corporate proxy:
See the GitHub Discussion on using Prefect Cloud with proxies for additional configuration examples.

Verify connectivity

To confirm that your environment can reach Prefect Cloud, run:
A successful response returns a health check JSON payload. If the request times out or is refused, check your firewall rules and proxy configuration. You can also verify your full Prefect configuration with:

Enterprise options for strict environments

For environments with strict egress controls, Prefect Cloud offers additional options:
  • PrivateLink: Route API traffic through AWS or GCP private networking so it never traverses the public internet.
  • IP allowlisting: Restrict inbound access to Prefect Cloud APIs and UI to specific IP addresses or CIDR ranges.
Contact your account manager or sales@prefect.io for details on enterprise networking options.

Next steps