> ## Documentation Index
> Fetch the complete documentation index at: https://braintrust.dev/docs/llms.txt
> Use this file to discover all available pages before exploring further.
# Allowlist Braintrust egress IPs for private provider endpoints
export const plans_0 = "Any"
export const deployments_0 = "Any"
export const data_plane_version_0 = undefined
export const use_case_0 = "Use case - Calls to an internal-only or private provider endpoint (such as a self-hosted LiteLLM, vLLM, or Ollama proxy) fail with a 404 or timeout because Braintrust egress IPs are not allowlisted"
**Applies to:**
* Plan - {plans_0}
* Deployment - {deployments_0}
* {data_plane_version_0}
* {use_case_0}
## Summary
**Issue:** Calls to a custom or self-hosted provider endpoint fail with a `404` or timeout, even though the endpoint works from inside the customer's network and the configuration looks correct.
**Cause:** Model calls do not originate from the user's browser. They leave from Braintrust's data-plane and gateway infrastructure. If the provider endpoint is internal-only or behind a firewall, Braintrust traffic never reaches it unless the Braintrust egress IPs are allowlisted.
**Resolution:** Add the Braintrust egress IPs below to your endpoint's allowlist (or firewall, VPN, or private-network rules), then confirm reachability from the endpoint's access logs.
## Braintrust egress IPs (SaaS)
Allowlist both the data-plane and gateway IPs for the region your organization runs in.
```text theme={"theme":{"light":"github-light","dark":"github-dark-dimmed"}}
US Dataplane IPs:
- 3.229.173.13/32
- 3.217.191.104/32
US Gateway IPs:
- 13.216.206.252/32
- 13.223.170.100/32
- 3.209.5.121/32
EU Dataplane IPs:
- 99.81.134.173/32
- 46.51.176.113/32
EU Gateway IPs:
- 54.77.189.154/32
- 18.203.64.78/32
- 63.32.156.3/32
```
These IPs can change over time. Confirm the current allowlist with Braintrust support before relying on it for production network configuration.
These IPs apply to Braintrust SaaS (US and EU). Self-hosted and hybrid deployments egress from the customer's own data-plane infrastructure, so allowlist that path instead.
## Confirm whether traffic is reaching your endpoint
Check your endpoint's access logs for a request at the time of the failed Braintrust call:
* **No inbound request** — Braintrust traffic isn't reaching the endpoint. This is a network or allowlist problem. Confirm the IPs above are allowlisted and that no firewall, VPN, or private-network rule blocks the path.
* **An inbound request returning 404** — the request reaches the endpoint, so the problem is the base URL path or model routing, not the network. Confirm the configured endpoint URL and model ID match what the provider serves.
Successfully validating an API key does not prove the model-call path works. Key validation and actual model calls can take different network paths, so the endpoint's access logs are the fastest way to tell a network problem from a routing problem.
## Verifying Braintrust as the request source
Braintrust does not add a header for the purpose of being identifiable on the provider side. Custom headers you set on the provider configuration are passed through to your endpoint, except for a reserved deny-list. The gateway strips the following before forwarding upstream:
* Prefixes: `x-amzn*`, `x-bt*`, `sec-*`
* Exact: `content-length`, `origin`, `priority`, `referer`, `user-agent`, `cache-control`
To verify on your side that a request originated from your Braintrust provider configuration, set your own custom identifying header (one not on the deny-list above) and check for it in your endpoint logs. See [Custom headers and templating](/integrations/ai-providers/custom#custom-headers-and-templating).
## Relevant links
* [Custom providers](https://www.braintrust.dev/docs/integrations/ai-providers/custom)
* [Custom headers and templating](https://www.braintrust.dev/docs/integrations/ai-providers/custom#custom-headers-and-templating)