Services used by mender-client

Hi All,

We are deploying devices with Mender within a firewalled network, and all outgoing traffic is forbidden by default.

Which outbound ports must be open to allow the mender-client to reach the hosted SaaS services on hosted.mender.io ?

Best,
Mauro

Hi @malveo you need to allow access to port 443 at hosted.mender.io. However the tricky part is that the storage proxy generates a temporary URL that points to Amazon S3 for the actual artifact download. @tranchitella @merlin is there a limited subset of domains that could be whitelisted here?

Drew

Hi @drewmoseley,

Based on the mender client configuration the pruduction S3 bucket for hosted.mender.io is hosted-mender-artifacts.s3.amazonaws.com, that is located in us-east-1, the S3 service in the us-east-1 region and delivered through these CIDRs (as today):

$ curl -s https://ip-ranges.amazonaws.com/ip-ranges.json | jq -r '.prefixes[] | select(.region=="us-east-1") | select(.service=="S3") | .ip_prefix'
54.231.0.0/17
52.216.0.0/15
3.5.0.0/18
52.92.16.0/20

please confirm this.

Best,
Mauro

Hello Mauro,

you have to allow outgoing connections to port 443 (that was the original question I believe)
as for the hosts, you need to allow access to hosted.mender.io and Amazon S3 as Drew already mentioned (I cannot guarantee that the IPs will not change, or I cannot give you a list of them to whitelist and say that it will not change).

best regards,
peter

Hi @peter thank you, but for compliance reasons we cannot give indiscriminate access to tcp/443, we will create a whitelist and try to keep it updated as much as possible.

Best,
Mauro

Hi Mauro!

I understand. Let me know if you bump into some obstacles, perhaps we can tackle them together.

good luck!
peter

Hello All,

I am also deploying my first batch of machines within a firewall network. So to reiterate the points mentioned

  1. Allow all outgoing connections to TCP at port 443
  2. I need to whitelist hosted.mender.io and hosted-mender-artifacts.s3.amazonaws.com located in us-east-1 region

Thats all or Am i missing something?

Thanks

Yes, I think at the moment that is correct although there is no guarantee it won’t change in the future.
Drew

is there a specific endpoint for the above s3 bucket at this point?

Edit1: Sorry I just realized that we don’t need specific endpoints for S3 bucket. But then, does the region hold any significance while providing a document for whitelisting?

I’m not sure what you are asking. @merlin can you comment?

Hello,
What kind of notice period will be provided to us, if these endpoints do change?
I am only asking so that I am aware of these changes and provide the new documentation to respected parties. (Sorry, If I sound too lawyerly. English is not my strong language )

just to clarify, what you need is: to know when hosted.mender.io and hosted-mender-artifacts.s3.amazonaws.com will change? or do you mean their IP addresses? sorry about the questions, but neither of us is an English native speaker, and unless you speak Polish, I would like to have it out in the open.

that makes two of us:)

peter

I am not sure what whitelisting you are talking about? where do you white list? at the begining I thought you are configuring a firewall in the IP layer, but now I am not sure.

peter

So I will address both of the comments here.
Generally what we do now is that we give the a list of port and protocols and server URL’s that we use to a respective client IT team. They allow traffic on those ports and only to those URL.

So before we used mender. We had given them a bunch of ports and protocols like

  1. allow traffic on TCP port 443
  2. allow UDP traffic on port 123 and 127 for NTP
  3. we gave them our s3 bucket links and our iot URL

So What I understood was, In order to allow mender updates and communication with hosted mender under clients network infrastructure . I need to provide the IT team with an updated list that includes mender related URL’s and protocols

which are mainly hosted.mender.io, s3bucket and TCP traffic on port 443

what I need to know is, if and when hosted.mender.io and hosted-mender-artifacts.s3.amazonaws.com changes. Will I be provided some sort of advance notice so that I can relay that information to the respective IT teams.

Where I got confused, was I generally did not provide region information while providing my s3 bucket link. So I just got confused over there and wanted to know if there is a specific reason for that. We are releasing our new hardware into the wild next week.
So just wanted to make sure I have every corner figured out

I hope this clears your doubts.

Unfortunately I don’t speak polish. And apparently it will take me 1100 hours to learn that. So let me take back my earlier statement and use this instead

I am a master in English language

right. in general those names do not change, but there is a good chance that there will be some work around S3 links done, (see this thread). Which you can monitor here. Since those change so rarely, I honestly do not know what will be the process here. I can assure you that if anything changes that has a global effect there will be a proper communication of it. How long do you need for the eventual changes to be applied, i.e.: how much time in advance do you require?

ok, so one important question: after you release the hardware, you can still do all the configuration later, right? (I just want to be sure that by some bizarre mis-configuration you do not release a shipment of bricks)
so are you fine now? and have you tested that it all works (with current names)?

peter

P.S.

:slight_smile: I just remembered that I also speak excellent English.