Skip to main content

Access to Enterprise Data

Allow AI agents to leverage your enterprise data safely

Updated yesterday

Many high-value business processes require access to enterprise data. This article describes how Thunk.AI agents can access and utilize this data in a secure manner.

​

In most business process automation scenarios, thunks need to integrate with data and applications that live in one of the following environments:

  1. A cloud-based file system like Microsoft Sharepoint or Google Drive

  2. The company's private cloud network, hosted in a hyperscalar cloud environment like GCP, AWS, or Azure, or in a truly "on-premise" data center.

  3. The public internet, hosted by a SaaS vendor (like Google or Salesforce).

AI agents running in a thunk access these external applications via AI tools. Most commonly, an account in Thunk.AI configures a connection with an external application, along with application credentials (using OAuth for cloud file systems and using API tokens for other kinds of connections). Some connections automatically provide AI tools for use by AI agents. In addition, custom tools can be built that utilize the connection credentials for REST API calls or SQL database calls.

Additionally, workflow input requests may arrive via:

  1. Email requests

  2. Webhook calls from a form or other application

  3. REST API calls from another application

In all of these cases, an enterprise customer has to consider how to enable network-level access between the execution environment in the Thunk.AI platform and the external applications. The particular choices depend on the deployment option chosen.

Configuring access from/to an "on-premise" private instance

If the customer's deployed Thunk.AI instance is a private deployment in your corporate cloud tenant, then the Thunk.AI platform service has default network access to your internal corporate applications and databases. However, access to cloud file systems and external applications needs to be configured.

  1. Network access needs to be allowed/provisioned to allow access to the cloud file system (Microsoft Sharepoint or Google Drive) used by the customer.

  2. Network access needs to be allowed/provisioned to allow access to the public internet services needed for the AI workflow (eg: Google Search APIs, or access to the customer's Salesforce CRM instance).

  3. For incoming requests, appropriate ingress ports need to be opened, provisioned, and secured to support incoming webhooks and REST API calls. Incoming email may need to be configured separately in the customer's firewall service (eg: Cloudflare)

Configuring access from/to a "public" multi-tenant instance

On the other hand, if the customer utilizes one of the other deployment options (for example, the public instance of Thunk.AI at https://app.thunk.ai), the access to services on the public internet are straightforward as is the handling of incoming requests.

However, for AI agents to be able to access enterprise applications and databases that are protected behind a corporate firewall, appropriate network access needs to be opened/provisioned. While there are complex and custom mechanisms implemented in some environments to enable this (various kinds of "proxy" servers), the most common mechanism is to whitelist the IP addresses of the multi-tenant Thunk.AI agent host services. That whitelist is provided below as of February 2025. Please note that this list might occasionally change as we scale our service or modify our infrastructure:

35.239.191.23
34.16.85.96
34.136.161.249
34.67.244.155
34.44.127.89
34.66.228.101
34.60.199.231
34.30.40.194

Did this answer your question?