To access your enterprise on GHE.com, client systems must:
- Trust GitHub's SSH key fingerprints
- Have access to GitHub's hostnames and IP addresses
GitHub's SSH key fingerprints
To find these details, use the /meta API endpoint for your instance. For example, using the GitHub CLI:
gh api /meta --hostname octocorp.ghe.com
For more information, see REST API endpoints for meta data.
Using SSH with GHE.com
To clone a repository using Git over SSH from SUBDOMAIN.ghe.com, where SUBDOMAIN is your enterprise's dedicated subdomain on GHE.com, use the SUBDOMAIN as the SSH username instead of git.
git clone SUBDOMAIN@SUBDOMAIN.ghe.com:OWNER/REPO.git
GitHub's hostnames
*.SUBDOMAIN.ghe.com, where SUBDOMAIN is your enterprise's dedicated subdomain on GHE.com*.pages.SUBDOMAIN.ghe.com*.actions.SUBDOMAIN.ghe.com*.githubassets.com*.githubusercontent.com*.blob.core.windows.netauth.ghe.com
GitHub's IP addresses
GitHub's IP address ranges for enterprises on GHE.com depend on your chosen region.
The EU
| Ranges for egress traffic | Ranges for ingress traffic |
|---|---|
| 108.143.221.96/28 | 108.143.197.176/28 |
| 20.61.46.32/28 | 20.123.213.96/28 |
| 20.224.62.160/28 | 20.224.46.144/28 |
| 51.12.252.16/28 | 20.240.194.240/28 |
| 74.241.131.48/28 | 20.240.220.192/28 |
| 20.240.211.176/28 | 20.240.211.208/28 |
Australia
| Ranges for egress traffic | Ranges for ingress traffic |
|---|---|
| 20.5.34.240/28 | 4.237.73.192/28 |
| 20.5.146.128/28 | 20.5.226.112/28 |
| 68.218.155.16/28 | 20.248.163.176/28 |
US
| Ranges for egress traffic | Ranges for ingress traffic |
|---|---|
| 20.221.76.128/28 | 74.249.180.192/28 |
| 135.233.115.208/28 | 48.214.149.96/28 |
| 20.118.27.192/28 | 172.202.123.176/28 |
Japan
| Ranges for egress traffic | Ranges for ingress traffic |
|---|---|
| 74.226.88.192/28 | 74.226.88.240/28 |
| 40.81.180.112/28 | 40.81.176.224/28 |
| 4.190.169.192/28 | 4.190.169.240/28 |
Supported regions for Azure private networking
GitHub deploys your runners in the same Azure region as the subnet you connect them to. Because of this, your subnet must be in one of the supported regions. If you use Azure private networking for GitHub-hosted runners, the supported Azure regions on GHE.com differ from those on GitHub.com.
Supported regions in the EU
| Runner type | Supported regions |
|---|---|
| x64 | francecentral, swedencentral, germanywestcentral, northeurope |
| arm64 | francecentral, northeurope, germanywestcentral |
| GPU | italynorth, swedencentral |
Supported regions in Australia
| Runner type | Supported regions |
|---|---|
| x64 | australiaeast, australiacentral |
| arm64 | australiaeast, australiacentral |
| GPU | australiaeast, australiacentral |
Supported regions in the US
| Runner type | Supported regions |
|---|---|
| x64 | centralus, eastus2, westus3 |
| arm64 | centralus, eastus2, westus3 |
| GPU | centralus, eastus2, westus3 |
Supported regions in Japan
| Runner type | Supported regions |
|---|---|
| x64 | japaneast, japanwest |
| arm64 | japaneast, japanwest |
| GPU | japaneast |
IP ranges for Azure private networking
EU
Actions IPs:
- 74.241.192.231
- 20.4.161.108
- 74.241.204.117
- 20.31.193.160
EU region:
- 108.143.197.176/28
- 20.123.213.96/28
- 20.224.46.144/28
- 20.240.194.240/28
- 20.240.220.192/28
- 20.240.211.208/28
Australia
Actions IPs:
- 4.147.140.77
- 20.53.114.78
Australia region:
- 4.237.73.192/28
- 20.5.226.112/28
- 20.248.163.176/28
Japan
Actions IPs:
- 20.63.233.164
- 172.192.153.164
Japan region:
74.226.88.241 40.81.176.225 4.190.169.240
Required for all regions
Storageservice tag- Communication requirements for github.com
- 192.30.252.0/22
- 185.199.108.0/22
- 140.82.112.0/20
- 143.55.64.0/20
- 20.201.28.151/32
- 20.205.243.166/32
- 20.87.245.0/32
- 4.237.22.38/32
- 20.207.73.82/32
- 20.27.177.113/32
- 20.200.245.247/32
- 20.175.192.147/32
- 20.233.83.145/32
- 20.29.134.23/32
- 20.199.39.232/32
- 20.217.135.5/32
- 4.225.11.198/32
- 4.208.26.197/32
- 20.26.156.215/32
Domains for Azure private networking
Required for all regions
*.<TENANT>.ghe.com<TENANT>.ghe.comgithub.com*.githubusercontent.com*.blob.core.windows.net(can be further restricted by region, see below)*.web.core.windows.net
EU
*.blob.core.windows.net can be replaced with:
memoryalphaprodsdc01.blob.core.windows.netmemoryalphaprodweu01.blob.core.windows.netprodsdc01resultssa0.blob.core.windows.netprodsdc01resultssa1.blob.core.windows.netprodsdc01resultssa2.blob.core.windows.netprodsdc01resultssa3.blob.core.windows.netprodweu01resultssa0.blob.core.windows.netprodweu01resultssa1.blob.core.windows.netprodweu01resultssa2.blob.core.windows.netprodweu01resultssa3.blob.core.windows.net
Australia
*.blob.core.windows.net can be replaced with:
memoryalphaprodae01.blob.core.windows.netprodae01resultssa0.blob.core.windows.netprodae01resultssa1.blob.core.windows.netprodae01resultssa2.blob.core.windows.netprodae01resultssa3.blob.core.windows.net
Japan
*.blob.core.windows.net can be replaced with:
memoryalphaprodjpw01.blob.core.windows.netprodjpw01resultssa0.blob.core.windows.netprodjpw01resultssa1.blob.core.windows.netprodjpw01resultssa2.blob.core.windows.netprodjpw01resultssa3.blob.core.windows.net
OAuth callback URL for connecting an Azure subscription for billing
When you connect or update an Azure subscription for billing, you must allow access to the following URL:
https://github.com/enterprises/oauth_callback
This URL is required during the OAuth authentication flow that occurs when:
- Connecting an Azure subscription to your enterprise for the first time
- Changing or updating an existing Azure subscription connection
Important
- The URL must be allowed with all query parameters, for example
https://github.com/enterprises/oauth_callback?code=... - After the Azure subscription is successfully connected and the subscription ID is stored, you can remove this URL from your allowlist
- To change or update your Azure subscription, you must add the URL back to your allowlist
The OAuth flow works as follows:
- The user starts the connection process on
SUBDOMAIN.ghe.com - Azure redirects to
https://github.com/enterprises/oauth_callbackto complete the OAuth flow - The system redirects back to
SUBDOMAIN.ghe.comto finalize the connection
IP ranges for GitHub Enterprise Importer
If you're running a migration to your enterprise with GitHub Enterprise Importer, you may need to add certain ranges to an IP allow list. See Managing access for a migration between GitHub products.