Summary
SailPoint is updating how Virtual Appliances connect to certain Amazon Web Services endpoints. Over time, more traffic will use SailPoint-hosted URLs instead of connecting directly to AWS. During the transition, direct AWS URLs remain supported as a fallback until migration is complete for your environment.
If your firewall already allows the primary SailPoint URLs described in our documentation (including standard IdentityNow / secure-api hostnames), you typically do not need to take immediate action. Existing AWS entries can stay in place for now.
What is changing
Message queue traffic (regional Amazon SQS)
Some Virtual Appliance functions that today reach regional Amazon SQS endpoints (sqs.<region>.amazonaws.com) will increasingly use SailPoint-hosted endpoints instead. SailPoint manages the connection to AWS on your behalf.
Software updates (Amazon ECR and related image download paths)
Virtual Appliance container image updates that today use direct Amazon ECR hostnames and a related AWS image layer bucket will increasingly pull through a SailPoint-hosted endpoint, for example:
- Commercial: va-docker.secure-api.infra.identitynow.com
- FedRAMP: va-docker.secure-api.saas.sailpointfedramp.com
During rollout, appliances can fall back to the previous direct AWS paths if needed.
What Will Stay the Same
- General access through va-access.infra.identitynow.com for file and aggregation workloads.
- Other AWS endpoints still listed in the access list (for example configuration and optional data streaming) unless separately announced.
- Customers who do not use Virtual Appliances.
What we recommend
| Situation | Guidance |
|---|---|
| Today | No need to remove AWS URLs from your firewall. Ensure that your VA clusters are up to date, or address any active health indicators. |
| When updated documentation is published | Review the Virtual Appliance network requirements and add any new SailPoint hostnames you do not already allow. |
| After we announce migration complete for your environment | You may remove the legacy direct AWS entries that are no longer required. |
| New firewall or security reviews | Include both the SailPoint URLs in the updated documentation and, for now, the existing AWS entries until migration is finished. |
- This is not a same-day cutover. There is no requirement to remove direct AWS URLs when documentation updates.
- A problem would occur only if you removed legacy AWS URLs before adding the new SailPoint URLs and before your environment has finished migrating off the fallback path.
- Customers whose firewalls allow only the old AWS hostnames and not the SailPoint secure-api endpoints should add the new URLs when documentation is published; this is still not an emergency if AWS URLs remain during rollout.
Not a breaking change: We are not announcing a fixed "turn-off" date after which direct AWS access stops working for all customers. A later notice will cover when legacy URLs can be dropped from the published access list.
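One way to check a firewall allowlist export against the guidance above, as an added example that is not SailPoint code: it reports which of the hostnames named in this notice are covered, and by which rule, so a missing new hostname or a prematurely removed legacy one shows up before it affects a Virtual Appliance. The region us-east-1, the sample allowlist, and shell-style wildcard matching (where * spans any number of labels) are assumptions; firewall products differ.

```python
from fnmatch import fnmatchcase
from urllib.parse import urlsplit

# Hostnames taken from this notice; the complete list is in the published
# Virtual Appliance network requirements.
VA_DOCKER = {
    "commercial": "va-docker.secure-api.infra.identitynow.com",
    "fedramp": "va-docker.secure-api.saas.sailpointfedramp.com",
}

# Constructed sample export, not a real customer allowlist.
SAMPLE = """\
# egress rules for the VA subnet
https://va-access.infra.identitynow.com:443
*.amazonaws.com          # broad legacy rule
""".splitlines()

def normalize(entry):
    """Reduce an allowlist line to a lowercase hostname or wildcard pattern."""
    entry = entry.split("#", 1)[0].strip().lower()  # drop trailing comments
    if not entry:
        return None
    if "://" not in entry:
        entry = "//" + entry  # lets urlsplit treat a bare host as the netloc
    return urlsplit(entry).hostname  # strips scheme, port and path

def audit(allowlist_lines, environment, region):
    """Map each hostname needed during the transition to the rule allowing it."""
    rules = [r for r in map(normalize, allowlist_lines) if r]
    required = {
        VA_DOCKER[environment]: "new",            # SailPoint-hosted image pulls
        f"sqs.{region}.amazonaws.com": "legacy",  # fallback until migration completes
    }
    return {
        host: {"kind": kind,
               "allowed_by": next((r for r in rules if fnmatchcase(host, r)), None)}
        for host, kind in required.items()
    }

def missing(report):
    """Hostnames that no allowlist rule covers."""
    return sorted(h for h, v in report.items() if v["allowed_by"] is None)

if __name__ == "__main__":
    report = audit(SAMPLE, "commercial", "us-east-1")
    for host, result in report.items():
        print(f"{result['kind']:<7}{host:<48}{result['allowed_by'] or 'NOT ALLOWED'}")
```
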
Important Dates
June 15 - Rollout of SailPoint-hosted URLs to sandbox
June 29 - Rollout of SailPoint-hosted URLs to production
In the second half of 2026 we expect to complete the migration of your VAs away from calling direct AWS resources. Once this occurs, these fallback legacy URLs will no longer be required and will be sunset; an announcement will follow at a later date.
FAQ
Do I need to change anything this week?
Usually no, if your allowlist already includes SailPoint IdentityNow and secure-api domains per our VA requirements.
Should I delete sqs.*.amazonaws.com from my firewall when the doc updates?
No. Keep them until we tell you migration is complete for your org.
Should I delete ECR URLs (api.ecr, *.dkr.ecr, starport layer bucket) now?
No. Add va-docker.secure-api.* for your environment; keep legacy ECR URLs until rollout completes (target end of Q2 2026).
Will SailPoint update my Virtual Appliance automatically?
Routing changes are managed on the platform side over time. Firewall updates remain your responsibility when you tighten or renew allowlists.
Where is the full URL list?
See System and Network Requirements for Virtual Appliances when the published list is updated.