Hi All,
We are deploying devices with Mender within a firewalled network, and all outgoing traffic is forbidden by default.
Which outbound ports must be open to allow the mender-client to reach the hosted SaaS services on hosted.mender.io ?
Best,
Mauro
Hi @malveo you need to allow access to port 443 at hosted.mender.io. However the tricky part is that the storage proxy generates a temporary URL that points to Amazon S3 for the actual artifact download. @tranchitella @merlin is there a limited subset of domains that could be whitelisted here?
Drew
Hi @drewmoseley,
Based on the mender client configuration the pruduction S3 bucket for hosted.mender.io is hosted-mender-artifacts.s3.amazonaws.com, that is located in us-east-1, the S3 service in the us-east-1 region and delivered through these CIDRs (as today):
$ curl -s https://ip-ranges.amazonaws.com/ip-ranges.json | jq -r '.prefixes[] | select(.region=="us-east-1") | select(.service=="S3") | .ip_prefix'
54.231.0.0/17
52.216.0.0/15
3.5.0.0/18
52.92.16.0/20
please confirm this.
Best,
Mauro
Hello Mauro,
you have to allow outgoing connections to port 443 (that was the original question I believe)
as for the hosts, you need to allow access to hosted.mender.io and Amazon S3 as Drew already mentioned (I cannot guarantee that the IPs will not change, or I cannot give you a list of them to whitelist and say that it will not change).
best regards,
peter
Hi @peter thank you, but for compliance reasons we cannot give indiscriminate access to tcp/443, we will create a whitelist and try to keep it updated as much as possible.
Best,
Mauro
Hi Mauro!
I understand. Let me know if you bump into some obstacles, perhaps we can tackle them together.
good luck!
peter
Hello All,
I am also deploying my first batch of machines within a firewall network. So to reiterate the points mentioned
Thats all or Am i missing something?
Thanks
Yes, I think at the moment that is correct although there is no guarantee it won’t change in the future.
Drew
is there a specific endpoint for the above s3 bucket at this point?
Edit1: Sorry I just realized that we don’t need specific endpoints for S3 bucket. But then, does the region hold any significance while providing a document for whitelisting?
I’m not sure what you are asking. @merlin can you comment?
Hello,
What kind of notice period will be provided to us, if these endpoints do change?
I am only asking so that I am aware of these changes and provide the new documentation to respected parties. (Sorry, If I sound too lawyerly. English is not my strong language )
just to clarify, what you need is: to know when hosted.mender.io and hosted-mender-artifacts.s3.amazonaws.com will change? or do you mean their IP addresses? sorry about the questions, but neither of us is an English native speaker, and unless you speak Polish, I would like to have it out in the open.
that makes two of us:)
peter
I am not sure what whitelisting you are talking about? where do you white list? at the begining I thought you are configuring a firewall in the IP layer, but now I am not sure.
peter
So I will address both of the comments here.
Generally what we do now is that we give the a list of port and protocols and server URL’s that we use to a respective client IT team. They allow traffic on those ports and only to those URL.
So before we used mender. We had given them a bunch of ports and protocols like
So What I understood was, In order to allow mender updates and communication with hosted mender under clients network infrastructure . I need to provide the IT team with an updated list that includes mender related URL’s and protocols
which are mainly hosted.mender.io, s3bucket and TCP traffic on port 443
what I need to know is, if and when hosted.mender.io and hosted-mender-artifacts.s3.amazonaws.com changes. Will I be provided some sort of advance notice so that I can relay that information to the respective IT teams.
Where I got confused, was I generally did not provide region information while providing my s3 bucket link. So I just got confused over there and wanted to know if there is a specific reason for that. We are releasing our new hardware into the wild next week.
So just wanted to make sure I have every corner figured out
I hope this clears your doubts.
Unfortunately I don’t speak polish. And apparently it will take me 1100 hours to learn that. So let me take back my earlier statement and use this instead
I am a master in English language
right. in general those names do not change, but there is a good chance that there will be some work around S3 links done, (see this thread). Which you can monitor here. Since those change so rarely, I honestly do not know what will be the process here. I can assure you that if anything changes that has a global effect there will be a proper communication of it. How long do you need for the eventual changes to be applied, i.e.: how much time in advance do you require?
ok, so one important question: after you release the hardware, you can still do all the configuration later, right? (I just want to be sure that by some bizarre mis-configuration you do not release a shipment of bricks)
so are you fine now? and have you tested that it all works (with current names)?
peter
P.S.
I just remembered that I also speak excellent English.
Thank you for the links. I will monitor it
If I can have like a month notice. That would be nice
I have tested delta updates, system updates on our current hardware with current settings. It works. Are there any other tests that I am missing?
just be very sure that you always have a way to deploy with Mender and for instance update modules in place, so you can run some commands via update modules artifacts – all this to avoid the situation when an error in initial configuration can lead to problems.
peter