Guides
ProductDeveloper
Guides

Connect to Cisco Umbrella Through Tunnel

To create an IPsec tunnel, you must connect to at least one of the Umbrella head-end IP addresses listed in the tables referenced here. Some data centers support automatic failover, which provides redundancy for a single tunnel configuration. However, we recommend configuring two tunnels, one to each data center (DC) in a region, with unique IPsec tunnel IDs per tunnel.

👍

The data centers listed here are only for IPsec connections to the Umbrella secure web gateway (SWG) and cloud-delivered firewall (CDFW). Cisco Umbrella has additional data centers for non-IPsec connections to SWG. For a list of Umbrella data centers, see Global data centers.

Table of Contents

Data Centers with Automatic IPsec Failover

👍

IPsec Failover

These Cisco Umbrella data centers implement automatic failover of IPsec tunnels when a data center is unavailable. When this occurs, tunnels automatically move from one data center in a region to the other. A backup tunnel is not required but is still recommended. A backup tunnel allows you to continuously monitor your tunnels and manually move from one data center in the region to the other instead of waiting for Umbrella failover.

In deployment samples in the Network Tunnel Configuration guides, <umbrella_dc_ip> refers to these IP addresses.

Region CodeDC LocationIP
US-1Los Angeles, CA, US146.112.67.8
US-1Santa Clara (Palo Alto), CA, US146.112.66.8
US-2New York, NY, US146.112.83.8
US-2Ashburn, VA, US146.112.82.8
US-3Miami, FL, US146.112.84.8
US-3Atlanta, GA, US146.112.85.8
US-4Dallas–Fort Worth, TX, US146.112.72.8
US-4Denver, CO, US146.112.73.8
EU-1London, United Kingdom146.112.97.8
EU-1Frankfurt, Germany146.112.96.8
EU-2Paris, France146.112.102.8
EU-2Prague, Czech Republic146.112.103.8
EU-3Copenhagen, Denmark146.112.100.8
EU-3Stockholm, Sweden146.112.101.8
EU-4Milan, Italy146.112.107.8
EU-4Madrid, Spain146.112.106.8
AF-1Johannesburg, South Africa146.112.108.8
AF-1Cape Town, South Africa146.112.109.8
AS-1Singapore146.112.113.8
AS-1Tokyo, Japan146.112.112.8
AS-2Mumbai, India146.112.117.8
AS-2Before September 6, 2023: Hong Kong, China*

After September 6, 2023: Chennai, India
146.112.116.8
AU-1Sydney, Australia146.112.118.8
AU-1Melbourne, Australia146.112.119.8
CA-1Toronto, Canada146.112.65.8
CA-1Vancouver, Canada146.112.64.8
BR-1Rio de Janeiro, Brazil146.112.93.8
BR-1São Paulo, Brazil146.112.92.8
LA-1Querétaro, Mexico146.112.94.8
LA-1Miami, FL, US **146.112.84.8

* On September 6, 2023, IP address 146.112.116.8 will change from Hong Kong to Chennai, India. For more information, see IPsec tunnel IP address changes for Hong Kong data center.
** Miami will be replaced by a second Latin America DC with its own IP address in the future. Customers can use Miami for automatic failover, or manually configure another data center for backup tunnels.

Data Centers without Automatic IPsec Failover

IPsec connections to the following data centers must be configured with a backup tunnel. Cisco does not prescribe specific backup locations for these DCs. Backup connection can be made to any IPsec-enabled Umbrella data center (including those DCs with automatic IPsec failover).

DC LocationIP
Dubai, United Arab Emirates146.112.110.8
Dublin, IrelandTo be announced.
Hong Kong, China146.112.114.8
Marseille, FranceTo be announced.
Reston, VA, USTo be announced.
Manchester, UK146.112.122.8

Tertiary/Disaster Recovery Data Centers

The data centers listed in the following table currently support automatic, tertiary failover or disaster recovery (DR). Previously, Umbrella supported automatic, tertiary failover for all regions. It is no longer available for US, Canada, Brazil, Latin America, Asia-Pacific, or Oceania regions, and will be removed in the future for remaining regions. Customers can optionally set up their own tertiary failover as a third tunnel to another region.

Region CodeFailover (DR) Location
EU-1Amsterdam, NL
EU-2Amsterdam, NL
EU-3Amsterdam, NL
EU-4Amsterdam, NL
AF-1Amsterdam, NL

Supported IPsec Parameters < Connect to Cisco Umbrella Through Tunnel > Monitor Network Tunnel Status