Hi @malveo you need to allow access to port 443 at hosted.mender.io. However the tricky part is that the storage proxy generates a temporary URL that points to Amazon S3 for the actual artifact download. @tranchitella@merlin is there a limited subset of domains that could be whitelisted here?
Based on the mender client configuration the pruduction S3 bucket for hosted.mender.io is hosted-mender-artifacts.s3.amazonaws.com, that is located in us-east-1, the S3 service in the us-east-1 region and delivered through these CIDRs (as today):
you have to allow outgoing connections to port 443 (that was the original question I believe)
as for the hosts, you need to allow access to hosted.mender.io and Amazon S3 as Drew already mentioned (I cannot guarantee that the IPs will not change, or I cannot give you a list of them to whitelist and say that it will not change).
What kind of notice period will be provided to us, if these endpoints do change?
I am only asking so that I am aware of these changes and provide the new documentation to respected parties. (Sorry, If I sound too lawyerly. English is not my strong language )
just to clarify, what you need is: to know when hosted.mender.io and hosted-mender-artifacts.s3.amazonaws.com will change? or do you mean their IP addresses? sorry about the questions, but neither of us is an English native speaker, and unless you speak Polish, I would like to have it out in the open.
So I will address both of the comments here.
Generally what we do now is that we give the a list of port and protocols and server URL’s that we use to a respective client IT team. They allow traffic on those ports and only to those URL.
So before we used mender. We had given them a bunch of ports and protocols like
allow traffic on TCP port 443
allow UDP traffic on port 123 and 127 for NTP
we gave them our s3 bucket links and our iot URL
So What I understood was, In order to allow mender updates and communication with hosted mender under clients network infrastructure . I need to provide the IT team with an updated list that includes mender related URL’s and protocols
what I need to know is, if and when hosted.mender.io and hosted-mender-artifacts.s3.amazonaws.com changes. Will I be provided some sort of advance notice so that I can relay that information to the respective IT teams.
Where I got confused, was I generally did not provide region information while providing my s3 bucket link. So I just got confused over there and wanted to know if there is a specific reason for that. We are releasing our new hardware into the wild next week.
So just wanted to make sure I have every corner figured out
I hope this clears your doubts.
Unfortunately I don’t speak polish. And apparently it will take me 1100 hours to learn that. So let me take back my earlier statement and use this instead
right. in general those names do not change, but there is a good chance that there will be some work around S3 links done, (see this thread). Which you can monitor here. Since those change so rarely, I honestly do not know what will be the process here. I can assure you that if anything changes that has a global effect there will be a proper communication of it. How long do you need for the eventual changes to be applied, i.e.: how much time in advance do you require?
ok, so one important question: after you release the hardware, you can still do all the configuration later, right? (I just want to be sure that by some bizarre mis-configuration you do not release a shipment of bricks)
so are you fine now? and have you tested that it all works (with current names)?
I just remembered that I also speak excellent English.
just be very sure that you always have a way to deploy with Mender and for instance update modules in place, so you can run some commands via update modules artifacts – all this to avoid the situation when an error in initial configuration can lead to problems.