Network Requirements
You need to allow inbound and outbound traffic from Coalesce.
Allow Inbound Traffic from Coalesce
When using Coalesce, we will connect to your Data Platform from the following IP addresses. Be sure to allow traffic from all IPs in the respective Coalesce region by locating your domain (URL) below.
Network Table
Data Platform Setup
- Databricks
- Snowflake
When connecting Coalesce to Databricks, both inbound and outbound access must be configured so Coalesce can authenticate and exchange data securely.
Databricks allows you to manage connectivity through several policy layers. The following apply when using Coalesce:
- Serverless Egress Policies - Allow outbound access from Databricks serverless workloads.
- IP Access Lists - Optionally configure workspace-level IP access lists to explicitly allow connections from Coalesce. This adds another layer of ingress protection.
- Private Connectivity (Optional) - If your Databricks workspace uses PrivateLink or VNet injection, ensure Coalesce IPs and domains are reachable through your private endpoint configuration.
In Snowflake, IP address policies can be assigned at the Account, Security Integration, and User levels, with a defined precedence. If a policy is set at the Account level, it applies to all users by default. However, a User-specific policy will override the Account policy, applying only to the designated user. Authentication methods like Username/Password and OAuth are subject to User-defined policies, while Key Pair authentication is user-specific, as it involves setting a public key directly for a Snowflake user. Review Snowflake Network policy precedence.
Snowflake recommends using Network Rules to update network information.
Running ALTER ACCOUNT SET NETWORK_POLICY = ‘<COALESCE_NETWORK_POLICY> will overwrite any existing network policies, which can lead to other users losing Snowflake access.
If there are current network policies, you should add the Coalesce IPs in the ALLOWED_IP_LIST to the existing policy, instead of replacing the entire policy.
Allow Outbound Traffic to Coalesce
It's required to allow outbound HTTPS connectivity on your network to the following domains in order to connect to Coalesce GUI, API, and/or CLI.
https://firestore.googleapis.com
https://firebasestorage.googleapis.com/
https://identitytoolkit.googleapis.com/
https://securetoken.googleapis.com/
https://storage.coalescesoftware.io/
https://app.coalescesoftware.io
https://*.app.coalescesoftware.io
https://app.eu.coalescesoftware.io/
https://*.app.eu.coalescesoftware.io/
https://app.australia-southeast1.gcp.coalescesoftware.io/
https://*.app.australia-southeast1.gcp.coalescesoftware.io/
https://app.us-east-1.aws.coalescesoftware.io/
https://*.app.us-east-1.aws.coalescesoftware.io/
https://app.us-west-2.aws.coalescesoftware.io/
https://*.app.us-west-2.aws.coalescesoftware.io/
| Name | Description |
|---|---|
https://firestore.googleapis.com | Database that holds all metadata. |
https://firebasestorage.googleapis.com | Send deployment metadata from the client about deployments running in the cloud environment. |
https://identitytoolkit.googleapis.com | Authentication mechanism containing all users, providing the user with a JWT for OAuth. |
https://securetoken.googleapis.com | Allows Coalesce to exchange the Access Token to an OAuth JWT. |
https://storage.coalescesoftware.io | CDN hosting for all static assets such as images and JavaScript. |
https://app.coalescesoftware.io | The web application. |
https://*.app.coalescesoftware.io | An alias for the web application to allow SSO. Such as redirecting to a specific organization. |
The Coalesce Command-Line Interface may be used to deploy and run Jobs in an Environment. This omits the requirement to allow list Coalesce IP addresses. These IPs are still used in the Coalesce app.
What's Next?
- If users still see a blank or spinning screen after login, see Troubleshooting Browser Login Issues.