CNAME Url with A record pointing to Load Balancer IP Address

Hi there!

We’ve been developing a high profile site with a vendor for a few years on Netlify and it’s been very good. However, the vendor we’re working with has some aggressive internal info-sec software that checks the reputation score of any site visited. The site we’ve built with them should be fine - but they note that since the site is CNAME pointed to - it seems to trigger a false positive on our site due to some sites in Netlify having a poor reputation score on their system. If we had a single IP resolution to whitelist (or a few), this should be pretty straightforward. Outside their network - all is well, but since it’s a content site they contribute to, it needs to also work internally.

Since our site is a subdomain (ie: - can we create an A record for that subdomain pointing to I’ve read through [Support Guide] Can I host my site on Netlify but keep my DNS at my domain registrar? and Configure external DNS for a custom domain | Netlify Docs, and I’ve tested this on a non-primary subdomain and it works ok. That thread and URL deal with apex domains with respect to that IP - can a subdomain safely be set up as a primary domain with the A record of the subdomain pointing at the IP address of the load balancer?

Two more follow-ups - just want to receive verification - but that load balancer IP address is not a single point of failure, correct (like, it’s super highly available)? Also - if the IP address is to change, we’d be notified well in advance, correct? I’m pretty sure I know the answers, just doing my due diligence.


Hi @dwiper :wave:

I’ve replied in your helpdesk ticket but will also post here for benefit of the community:

There isn’t a way to narrow the amount of resolved IPs, however, your approach to

point the domain to the A record of Netlify’s load balancer (

…is sound and will work! It may not be as optimal as pointing to the load balancer, but traffic will still be evenly distributed just among fewer node pools.

Thanks Audrey! Apologies for the post and email - I realized I had the two follow-up questions as well after I sent the email + I figured there may be others out there with the same question.

Am I correct in assuming the load balancer IP address is highly available + we’d be notified well in advance of any changes?

Can confirm!

To change that IP, we need to make quite a lot of noise since a million or so customers use it. It will remain, and remain highly available, for the foreseeable future. Of course, we may change to something better that we encourage you to move to, and “the foreseeable future” isn’t 10 years. But you should be good for at least the next 6 months, and were it to change, we’d send out scads of warnings well in advance of any change (months!).

Perfect! Thank you very much!
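
For anyone relying on an IP allowlist like the one discussed in this thread, here is an added example (not from the thread or from Netlify) that checks `dig +noall +answer` output to confirm a subdomain resolves through a direct A record to the allowlisted address, with no CNAME, and flags drift if the address changes. The hostname, addresses and sample `dig` output are constructed placeholders, not Netlify's real values.

```python
"""Added example: verify a subdomain resolves only to allowlisted A records."""
import ipaddress

# Constructed samples of `dig +noall +answer` output. Names and addresses are
# placeholders (.example names, RFC 5737 ranges), not real Netlify values.
SAMPLE_CNAME = """\
docs.example.com.          3600 IN CNAME example-site.cdn.example.
example-site.cdn.example.  20   IN A     198.51.100.7
example-site.cdn.example.  20   IN A     203.0.113.9
"""
SAMPLE_A = "docs.example.com. 3600 IN A 192.0.2.10\n"


def parse_answer(text):
    """Return (owner, rtype, rdata) tuples from dig answer-section lines."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(";"):
            continue  # skip blanks and dig comment lines
        fields = line.split()
        if len(fields) < 5 or fields[2].upper() != "IN":
            continue  # not a "name ttl IN type rdata" record
        records.append((fields[0].rstrip(".").lower(), fields[3].upper(), fields[4]))
    return records


def check_allowlist(text, hostname, allowed_ips):
    """Report whether hostname resolves only via direct A records in allowed_ips."""
    host = hostname.rstrip(".").lower()
    allowed = {ipaddress.ip_address(ip) for ip in allowed_ips}
    records = parse_answer(text)
    cnames = [rd.rstrip(".") for o, t, rd in records if o == host and t == "CNAME"]
    addrs = {ipaddress.ip_address(rd) for _, t, rd in records if t in ("A", "AAAA")}
    unexpected = sorted(str(ip) for ip in addrs - allowed)
    return {
        "via_cname": bool(cnames),       # reputation filters may score the CNAME target
        "cname_targets": cnames,
        "unexpected_ips": unexpected,    # addresses the allowlist does not cover
        "ok": not cnames and bool(addrs) and not unexpected,
    }


if __name__ == "__main__":
    for label, sample in (("CNAME", SAMPLE_CNAME), ("A", SAMPLE_A)):
        print(label, check_allowlist(sample, "docs.example.com", ["192.0.2.10"]))
```

Run on a schedule against live `dig` output, a failing `ok` is an early signal that the record or the provider's address changed and the allowlist needs updating.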