Sentry Ingestion Domains Updates
The TL;DR: We are going to apply these changes on September 1st, 2023:
- Ingestion via non-encrypted HTTP will be disabled.
- DNS A records for
*.sentry.iowill point to
- DNS A record for
app.getsentry.comwill point to
Read on if you have:
- outbound firewall rules mentioning
- http:// (non-HTTPS) specified in your Sentry SDK settings.
Software development can be hard. So is operating large software setups like Sentry SaaS. Some technical solutions that worked perfectly before, show their drawbacks as the system grows, while new, better solutions appear. The time has come to reconsider the performance and enforce security around our ingestion.
The good news is that we already prepared the internal changes, it will just take some time to roll them out.
Here are some improvements that we plan to roll out:
- increase overall security and performance by using modern protocols, such as TLS 1.3, HTTP/2, and HTTP/3;
- TTFB for Sentry UI and API calls will be lower globally due to Anycast technology;
- fully deprecating non-encrypted HTTP.
Last year, we disabled TLS 1.0 and 1.1 because these protocols were considered insecure. But, It was also clear that it’s no longer reasonable to support non-encrypted HTTP. The API calls via plain HTTP were disabled a long time ago, but ingestion via HTTP was still possible for older clients. Now we are disabling it, keeping only HTTP → HTTPS redirects.
You should care about this change if you have strict firewall rules for outbound internet requests. In most setups, this should continue to work as before.
In general, please refer to this page for more details about the IP addresses that we use: https://docs.sentry.io/product/security/ip-ranges/
We are going to change the IP address of the
*.sentry.io host names.
New IP address: 220.127.116.11
Old IP address: 18.104.22.168
Also, we are going to change the IP address of the legacy
app.getsentry.com host name:
New IP address: 22.214.171.124
Old IP address: 126.96.36.199
If you’re still using
app.getsentry.com domains for event ingestion, please consider migrating away from them. They were superseded by organization subdomains (April 2020) which look like:
You can acquire the new settings on the Platforms page or in the “SDK Setup” section of your project settings.
June 22: Publication of this blog post.
July 3 through August 31: Series of brownouts. Throughout July and August, we are going to switch the DNS A records to the new IP addresses. Also, non-encrypted HTTP ingestion will be disabled during these brownouts. The purpose is to provide Sentry customers a warning and allow some time to make corresponding changes to network configurations. Keep an eye on our StatusPage for exact dates.
September 1: Complete switch of DNS A records to new IP addresses and disabling non-encrypted HTTP.
We’ll be updating this blog post with relevant information as we move ahead in the timeline, so please check back if this affects you.