The IP Whitelisting Problem
Most SFTP and FTP servers use IP-based access control. Only known IPs can connect. This is good security — until you try to connect from Zapier, Make, or n8n. These platforms run on cloud infrastructure where IP addresses rotate constantly. You can't whitelist what keeps changing.
PushFTP fixes this by routing all file transfers through a single fixed EU IP address. Whitelist one IP, and every transfer from every automation tool works.
Step 1: Find PushFTP's Static IP
Log into your PushFTP dashboard. The static IP is displayed on the main page, usually under Connection Info or Your Fixed IP.
This is the IP address that all outbound connections from your PushFTP account use. Every SFTP, FTP, and S3 connection goes through this IP — no exceptions.
Copy it. You'll need it for the next steps.
Step 2: Add the IP to Your SFTP Server's Firewall
The exact process depends on your server setup. Here are the most common scenarios.
Linux with UFW (Ubuntu/Debian)
sudo ufw allow from 1.2.3.4 to any port 22
sudo ufw reload
Replace 1.2.3.4 with PushFTP's actual IP.
Linux with iptables
sudo iptables -A INPUT -p tcp -s 1.2.3.4 --dport 22 -j ACCEPT
sudo iptables-save > /etc/iptables/rules.v4
AWS Security Group
- Go to EC2 → Security Groups
- Select the security group attached to your instance
- Edit inbound rules
- Add rule: Type = SSH, Port = 22, Source =
1.2.3.4/32 - Save
DigitalOcean Cloud Firewall
- Go to Networking → Firewalls
- Select your firewall
- Add inbound rule: SSH, Port 22, Source =
1.2.3.4/32
cPanel / Plesk
Most managed hosting panels have an IP whitelist or firewall section. Add PushFTP's IP to the SSH/SFTP allow list. Check your host's documentation if you can't find it.
Step 3: Test the Connection
Back in PushFTP, go to Connections and click Test Connection on your SFTP connection. If you haven't created one yet, set one up first.
A successful test means the IP is whitelisted correctly. If it fails with "connection refused" or "connection timed out," the firewall rule isn't applied yet. Some cloud providers take a few seconds to propagate changes.
Step 4: Verify from Zapier
Create a quick test Zap:
- Trigger: Schedule by Zapier → Every Hour (or manual trigger)
- Action: PushFTP → List Files
- Connection: Your SFTP connection
- Path:
/
Run the test. If it returns a file listing, everything is working end-to-end: Zapier calls PushFTP's API, PushFTP connects to your SFTP from its static IP, and your firewall allows it through.
Check the Zapier integration docs for more action options.
What About FTP Servers?
Same process, different port. FTP typically uses port 21 for control and a range of ports for data transfer (passive mode). You'll need to whitelist PushFTP's IP for:
- Port 21 (control channel)
- Your passive port range (e.g., 30000-31000)
sudo ufw allow from 1.2.3.4 to any port 21
sudo ufw allow from 1.2.3.4 to any port 30000:31000/tcp
sudo ufw reload
PushFTP handles passive mode automatically. You just need the firewall rules in place.
What About S3?
S3 doesn't use IP whitelisting in the same way, but you can restrict bucket access to PushFTP's IP using a bucket policy:
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Deny",
"Principal": "*",
"Action": "s3:*",
"Resource": [
"arn:aws:s3:::your-bucket",
"arn:aws:s3:::your-bucket/*"
],
"Condition": {
"NotIpAddress": {
"aws:SourceIp": "1.2.3.4/32"
}
}
}
]
}
This denies all access except from PushFTP's fixed IP (and whatever other IPs you include). Useful when you want to lock down a bucket to only receive files through your automation pipeline.
Multiple Servers, One IP
One of the nice things about PushFTP: you whitelist the same IP everywhere. If you have three SFTP servers, an FTP server, and two S3 buckets, they all get the same IP in their allow lists. Add a new connection in PushFTP, add the same IP to the new server's firewall, done.
No juggling different IPs for different tools. No updating firewall rules when your automation platform changes infrastructure.
Security Considerations
IP whitelisting is one layer of security. Don't treat it as the only one.
- Use strong credentials — long passwords or SSH keys
- Use SFTP over FTP — FTP transmits credentials in plain text
- Rotate API keys periodically in PushFTP
- Monitor transfer logs — PushFTP keeps logs (7-90 days depending on plan) so you can audit what's happening
PushFTP's fixed IP makes the firewall side simple. The rest of your security posture is up to you.
Once your server's firewall is configured, PushFTP handles the rest. One static IP, one whitelist entry, and your Zapier workflows connect reliably every time. Set up takes a couple of minutes — sign up, add your connection, and start transferring.
FAQ
Does PushFTP's IP ever change?
The IP is fixed for the lifetime of your account. If it ever needs to change (infrastructure migration), you'll get advance notice to update your firewall rules.
Can I restrict PushFTP to specific directories?
That's controlled on your SFTP server side. Use chroot or directory permissions to limit what the PushFTP user can access. PushFTP will respect whatever permissions the server enforces.
What if my hosting provider manages the firewall?
Contact their support and ask them to whitelist PushFTP's IP for SSH/SFTP access. Give them the IP and port number. Most managed hosts handle this within a few hours.
Do I need to whitelist anything for the PushFTP API itself?
No. Your automation tools connect to PushFTP's API over HTTPS on standard ports. No firewall changes needed on the tool side — only on your file server side.
Wrap Up
IP whitelisting with PushFTP is straightforward: get the static IP from your dashboard, add it to your server's firewall, test the connection. Once it's set, every Zap and API call routes through that same IP. No more chasing rotating addresses or building workarounds.