Connect to Cisco Umbrella Through Tunnel
To create an IPsec tunnel, you must connect to at least one of the Umbrella head-end IP addresses listed in the tables referenced here. Some data centers support /automatic failover, which provides redundancy for a single tunnel configuration. However, we recommend configuring two tunnels, one to each data center (DC) in a region, with unique IPsec tunnel IDs per tunnel.
The data centers listed here are only for IPsec connections to the Umbrella secure web gateway (SWG) and cloud-delivered firewall (CDFW). Cisco Umbrella has additional data centers for non-IPsec connections to SWG. For a list of Umbrella data centers, see Global data centers.
Table of Contents
- Data Centers with Automatic IPsec Failover
- Data Centers without Automatic IPsec Failover
- Data Centers Supporting Disaster Recovery
IPsec Failover
These Cisco Umbrella data centers implement automatic failover of IPsec tunnels when a data center is unavailable. When this occurs, tunnels automatically move from one data center in a region to the other. A backup tunnel is not required but is still recommended. A backup tunnel allows you to continuously monitor your tunnels and manually move from one data center in the region to the other instead of waiting for Umbrella failover.
In deployment samples in the Network Tunnel Configuration guides, <umbrella_dc_ip> refers to these IP addresses.
| Region Code | DC Location | IP | FQDN |
|---|---|---|---|
| US-1 | Los Angeles, CA, US | 146.112.67.8 | us1-a.vpn.sig.umbrella.com |
| US-1 | Santa Clara (Palo Alto), CA, US | 146.112.66.8 | us1-b.vpn.sig.umbrella.com |
| US-2 | New York, NY, US | 146.112.83.8 | us2-a.vpn.sig.umbrella.com |
| US-2 | Ashburn, VA, US | 146.112.82.8 | us2-b.vpn.sig.umbrella.com |
| US-3 | Miami, FL, US | 146.112.84.8 | us3-a.vpn.sig.umbrella.com |
| US-3 | Atlanta, GA, US | 146.112.85.8 | us3-b.vpn.sig.umbrella.com |
| US-4 | Dallas–Fort Worth, TX, US | 146.112.72.8 | us4-a.vpn.sig.umbrella.com |
| US-4 | Denver, CO, US | 146.112.73.8 | us4-b.vpn.sig.umbrella.com |
| US-5 | Minneapolis, MN, US | 146.112.80.8 | us5-a.vpn.sig.umbrella.com |
| US-5 | Chicago, IL, US | 146.112.81.8 | us5-b.vpn.sig.umbrella.com |
| EU-1 | London, United Kingdom | 146.112.97.8 | eu1-a.vpn.sig.umbrella.com |
| EU-1 | Frankfurt, Germany | 146.112.96.8 | eu1-b.vpn.sig.umbrella.com |
| EU-2 | Paris, France | 146.112.102.8 | eu2-a.vpn.sig.umbrella.com |
| EU-2 | Prague, Czech Republic | 146.112.103.8 | eu2-b.vpn.sig.umbrella.com |
| EU-3 | Copenhagen, Denmark | 146.112.100.8 | eu3-b.vpn.sig.umbrella.com |
| EU-3 | Stockholm, Sweden | 146.112.101.8 | eu3-a.vpn.sig.umbrella.com |
| EU-4 | Milan, Italy | 146.112.107.8 | eu4-a.vpn.sig.umbrella.com |
| EU-4 | Madrid, Spain | 146.112.106.8 | eu4-b.vpn.sig.umbrella.com |
| AF-1 | Johannesburg, South Africa | 146.112.108.8 | af1-a.vpn.sig.umbrella.com |
| AF-1 | Cape Town, South Africa | 146.112.109.8 | af1-b.vpn.sig.umbrella.com |
| AS-1 | Singapore | 146.112.113.8 | as1-a.vpn.sig.umbrella.com |
| AS-1 | Tokyo2, Japan | 146.112.112.8 | as1-b.vpn.sig.umbrella.com |
| AS-2 | Chennai, India | 146.112.116.8 | as2-b.vpn.sig.umbrella.com |
| AS-2 | Mumbai, India | 146.112.117.8 | as2-a.vpn.sig.umbrella.com |
| AU-1 | Sydney, Australia | 146.112.118.8 | au1-a.vpn.sig.umbrella.com |
| AU-1 | Melbourne, Australia | 146.112.119.8 | au1-b.vpn.sig.umbrella.com |
| CA-1 | Toronto, Canada | 146.112.65.8 | ca1-a.vpn.sig.umbrella.com |
| CA-1 | Vancouver, Canada | 146.112.64.8 | ca1-b.vpn.sig.umbrella.com |
| BR-1 | Rio de Janeiro, Brazil | 146.112.93.8 | br1-b.vpn.sig.umbrella.com |
| BR-1 | São Paulo, Brazil | 146.112.92.8 | br1-a.vpn.sig.umbrella.com |
| LA-1 | Querétaro, Mexico | 146.112.94.8 | la1-a.vpn.sig.umbrella.com |
| LA-1 | Miami, FL, US ** | 146.112.84.8 | N/A |
** Miami will be replaced by a second Latin America DC with its own IP address in the future. Customers can use Miami for automatic failover, or manually configure another data center for backup tunnels.
IPsec connections to the following data centers must be configured with a backup tunnel. Cisco does not prescribe specific backup locations for these DCs. Backup connection can be made to any IPsec-enabled Umbrella data center (including those DCs with automatic IPsec failover).
The data centers listed in the following table currently support automatic, tertiary failover or disaster recovery (DR). Previously, Umbrella supported automatic, tertiary failover for all regions. It is no longer available for US, Canada, Brazil, Latin America, Asia-Pacific, or Oceania regions, and will be removed in the future for remaining regions. Customers can optionally set up their own tertiary failover as a third tunnel to another region.
| Region Code | Failover (DR) Location |
|---|---|
| EU-1 | Amsterdam, NL |
| EU-2 | Amsterdam, NL |
| EU-3 | Amsterdam, NL |
| EU-4 | Amsterdam, NL |
| AF-1 | Amsterdam, NL |
Supported IPsec Parameters < Connect to Cisco Umbrella Through Tunnel > Monitor Network Tunnel Status
Updated 3 months ago