Prefect Cloud endpoints
Workers, flow runs, and the Prefect CLI need outbound HTTPS access (TCP port 443) to communicate with Prefect Cloud.Required endpoints
The IP addresses behind
api.prefect.cloud are dynamic. Configure firewall rules by domain
name (FQDN) rather than by IP address. If your firewall only supports IP-based rules, route
traffic through a proxy or use
PrivateLink instead.Optional endpoints
Blocking optional telemetry endpoints may produce warning messages in logs but does not affect
operation. See Telemetry for details on what data is collected and
how to opt out.
Additional endpoints for your workflows
Depending on your deployment, workers, and flow runs may also need access to:- Code storage: GitHub, GitLab, Bitbucket, S3, GCS, or Azure Blob Storage endpoints where your flow code is stored
- Container registries: Docker Hub, Amazon ECR, Google Artifact Registry, or other registries if your workers pull container images
- Infrastructure APIs: AWS, GCP, Azure, or Kubernetes API endpoints if your workers provision cloud infrastructure
- PyPI or private package indexes: If your flows install Python dependencies at runtime
Self-hosted Prefect server endpoints
When running a self-hosted Prefect server, workers, and the CLI need access to the server’s API endpoint. No external Prefect-hosted endpoints are required for core operation.
Set
PREFECT_SERVER_ANALYTICS_ENABLED=false on the server to disable the server heartbeat, and
DO_NOT_TRACK=1 on client processes to disable SDK telemetry.
Configure a proxy
The Prefect client useshttpx for HTTP requests.
httpx respects standard proxy environment variables, so you can route Prefect traffic through a
corporate proxy:
Verify connectivity
To confirm that your environment can reach Prefect Cloud, run:Enterprise options for strict environments
For environments with strict egress controls, Prefect Cloud offers additional options:- PrivateLink: Route API traffic through AWS or GCP private networking so it never traverses the public internet.
- IP allowlisting: Restrict inbound access to Prefect Cloud APIs and UI to specific IP addresses or CIDR ranges.