Applies to:
- Plan -
- Deployment -
Summary
Issue: Calls to a custom or self-hosted provider endpoint fail with a 404 or timeout, even though the endpoint works from inside the customer’s network and the configuration looks correct.
Cause: Model calls do not originate from the user’s browser. They leave from Braintrust’s data-plane and gateway infrastructure. If the provider endpoint is internal-only or behind a firewall, Braintrust traffic never reaches it unless the Braintrust egress IPs are allowlisted.
Resolution: Add the Braintrust egress IPs below to your endpoint’s allowlist (or firewall, VPN, or private-network rules), then confirm reachability from the endpoint’s access logs.
Braintrust egress IPs (SaaS)
Allowlist both the data-plane and gateway IPs for the region your organization runs in.
These IPs apply to Braintrust SaaS (US and EU). Self-hosted and hybrid deployments egress from the customer’s own data-plane infrastructure, so allowlist that path instead.
Confirm whether traffic is reaching your endpoint
Check your endpoint’s access logs for a request at the time of the failed Braintrust call:
- No inbound request — Braintrust traffic isn’t reaching the endpoint. This is a network or allowlist problem. Confirm the IPs above are allowlisted and that no firewall, VPN, or private-network rule blocks the path.
- An inbound request returning 404 — the request reaches the endpoint, so the problem is the base URL path or model routing, not the network. Confirm the configured endpoint URL and model ID match what the provider serves.
Successfully validating an API key does not prove the model-call path works. Key validation and actual model calls can take different network paths, so the endpoint’s access logs are the fastest way to tell a network problem from a routing problem.
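The access-log check above can be scripted. The following is an added example, not Braintrust code: it assumes common-log-format lines, uses placeholder documentation-range addresses in place of the real egress IPs, and `triage` is a hypothetical helper name.

```python
import ipaddress
import re
from datetime import datetime, timedelta, timezone

# Placeholder egress addresses (RFC 5737 documentation range), not real Braintrust IPs.
EGRESS_IPS = ["192.0.2.10", "192.0.2.11"]

# Constructed access-log lines in common log format.
SAMPLE_LOG = """\
198.51.100.7 - - [12/Mar/2025:14:02:11 +0000] "POST /v1/chat/completions HTTP/1.1" 200 512
192.0.2.10 - - [12/Mar/2025:14:05:03 +0000] "POST /chat/completions HTTP/1.1" 404 153
192.0.2.11 - - [12/Mar/2025:15:30:00 +0000] "POST /v1/chat/completions HTTP/1.1" 200 498
"""

LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "\S+ (\S+)[^"]*" (\d{3})')


def triage(log_text, failed_at, egress_ips, window_s=60):
    """Return (verdict, hits) for requests from egress_ips within window_s of failed_at."""
    nets = [ipaddress.ip_network(ip) for ip in egress_ips]
    window = timedelta(seconds=window_s)
    hits = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that are not in the expected format
        src, ts, path, status = m.groups()
        try:
            addr = ipaddress.ip_address(src)
            when = datetime.strptime(ts, "%d/%b/%Y:%H:%M:%S %z")
        except ValueError:
            continue  # hostname instead of IP, or unparseable timestamp
        if abs(when - failed_at) <= window and any(addr in n for n in nets):
            hits.append((path, int(status)))
    if not hits:
        return "network", hits   # nothing arrived: allowlist, firewall, VPN
    if any(status == 404 for _, status in hits):
        return "routing", hits   # arrived but 404: base URL path or model ID
    return "other", hits         # arrived with another status: inspect hits


if __name__ == "__main__":
    failed = datetime(2025, 3, 12, 14, 5, 0, tzinfo=timezone.utc)
    print(triage(SAMPLE_LOG, failed, EGRESS_IPS))
```

If the endpoint sits behind a load balancer or reverse proxy, run this against the log that records the original client address, since the first field may otherwise be the proxy's IP.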
Verifying Braintrust as the request source
Braintrust does not add a header for the purpose of being identifiable on the provider side. Custom headers you set on the provider configuration are passed through to your endpoint, except for a reserved deny-list. The gateway strips the following before forwarding upstream:
- Prefixes: x-amzn*, x-bt*, sec-*
- Exact: content-length, origin, priority, referer, user-agent, cache-control