Many high-value business processes require access to enterprise data. This article describes how Thunk.AI agents can access and utilize this data in a secure manner.
β
In most business process automation scenarios, thunks need to integrate with data and applications that live in one of the following environments:
A cloud-based file system like Microsoft Sharepoint or Google Drive
The company's private cloud network, hosted in a hyperscalar cloud environment like GCP, AWS, or Azure, or in a truly "on-premise" data center.
The public internet, hosted by a SaaS vendor (like Google or Salesforce).
AI agents running in a thunk access these external applications via AI tools. Most commonly, an account in Thunk.AI configures a connection with an external application, along with application credentials (using OAuth for cloud file systems and using API tokens for other kinds of connections). Some connections automatically provide AI tools for use by AI agents. In addition, custom tools can be built that utilize the connection credentials for REST API calls or SQL database calls.
Additionally, workflow input requests may arrive via:
Email requests
Webhook calls from a form or other application
REST API calls from another application
In all of these cases, an enterprise customer has to consider how to enable network-level access between the execution environment in the Thunk.AI platform and the external applications. The particular choices depend on the deployment option chosen.
Configuring access from/to an "on-premise" private instance
If the customer's deployed Thunk.AI instance is a private deployment in your corporate cloud tenant, then the Thunk.AI platform service has default network access to your internal corporate applications and databases. However, access to cloud file systems and external applications needs to be configured.
Network access needs to be allowed/provisioned to allow access to the cloud file system (Microsoft Sharepoint or Google Drive) used by the customer.
Network access needs to be allowed/provisioned to allow access to the public internet services needed for the AI workflow (eg: Google Search APIs, or access to the customer's Salesforce CRM instance).
For incoming requests, appropriate ingress ports need to be opened, provisioned, and secured to support incoming webhooks and REST API calls. Incoming email may need to be configured separately in the customer's firewall service (eg: Cloudflare)
Configuring access from/to a "public" multi-tenant instance
On the other hand, if the customer utilizes one of the other deployment options (for example, the public instance of Thunk.AI at https://app.thunk.ai), the access to services on the public internet are straightforward as is the handling of incoming requests.
However, for AI agents to be able to access enterprise applications and databases that are protected behind a corporate firewall, appropriate network access needs to be opened/provisioned. While there are complex and custom mechanisms implemented in some environments to enable this (various kinds of "proxy" servers), the most common mechanism is to whitelist the IP addresses of the multi-tenant Thunk.AI agent host services. That whitelist is provided below as of February 2025. Please note that this list might occasionally change as we scale our service or modify our infrastructure:
35.239.191.23
34.16.85.96
34.136.161.249
34.67.244.155
34.44.127.89
34.66.228.101
34.60.199.231
34.30.40.194