AWS outbound network access destinations
If you have limited outbound internet access (for example, because a firewall or proxy restricts egress), review this content to learn which outbound destinations must be reachable in order to register a CDP environment.
We recommend hostname-based policies, because some of the destination services do not have static IP addresses. IP address details in CIDR notation are provided where static IPs are in use.
The following lists cover general destinations as well as AWS-specific destinations.
General endpoints

| Description/Usage | CDP service | Destination | Protocol and Authentication | IP Protocol/Port | Comments |
|---|---|---|---|---|---|
| Control Plane API | All services | US-based Control Plane: `api.us-west-1.cdp.cloudera.com`<br>EU-based Control Plane: `api.eu-1.cdp.cloudera.com`<br>AP-based Control Plane: `api.ap-1.cdp.cloudera.com` | HTTPS with Cloudera-generated access key | TCP/443 | Cloudera's control plane REST API. |
| Cloudera CCMv1 persistent Control Plane connection | All services | `*.ccm.cdp.cloudera.com`<br>`44.234.52.96/27` | SSH public/private key authentication | TCP/6000-6049 | One connection per cluster configured; persistent. |
| Cloudera CCMv2 persistent Control Plane connection | All services | US-based Control Plane: `*.v2.us-west-1.ccm.cdp.cloudera.com`, `35.80.24.128/27`<br>EU-based Control Plane: `*.v2.ccm.eu-1.cdp.cloudera.com`, `3.65.246.128/27`<br>AP-based Control Plane: `*.v2.ccm.ap-1.cdp.cloudera.com`, `3.26.127.64/27` | HTTPS with mutual authentication | TCP/443 | Multiple long-lived/persistent connections. |
| Cloudera Databus: telemetry, billing and metering data | All services | US-based Control Plane: `dbusapi.us-west-1.sigma.altus.cloudera.com`<br>`api.us-west-1.cdp.cloudera.com`<br>`https://cloudera-dbus-prod.s3.amazonaws.com`<br>EU-based Control Plane: `api.eu-1.cdp.cloudera.com`<br>`https://mow-prod-eu-central-1-sigmadbus-dbus.s3.eu-central-1.amazonaws.com`<br>`https://mow-prod-eu-central-1-sigmadbus-dbus.s3.amazonaws.com`<br>AP-based Control Plane: `api.ap-1.cdp.cloudera.com`<br>`https://mow-prod-ap-southeast-2-sigmadbus-dbus.s3.ap-southeast-2.amazonaws.com`<br>`https://mow-prod-ap-southeast-2-sigmadbus-dbus.s3.amazonaws.com` | HTTPS with Cloudera-generated access key for dbus; HTTPS for S3 | TCP/443 | Sent at a regular interval for the telemetry, billing and metering services, and used for Cloudera Observability if enabled. Larger payloads are sent to a Cloudera-managed S3 bucket. |
| Cloudera Observability Metrics: system metrics collection | All services | US-based Control Plane: `*.api.monitoring.us-west-1.cdp.cloudera.com`<br>EU-based Control Plane: `*.api.monitoring.eu-1.cdp.cloudera.com`<br>AP-based Control Plane: `*.api.monitoring.ap-1.cdp.cloudera.com` | HTTPS | TCP/443 | New as of March 2024. |
| Cloudera Manager parcels: software distribution | All services | `archive.cloudera.com` | HTTPS | TCP/443 | Cloudera's public software repository. CDN-backed service; IP range not predictable. |
| RPMs: Cloudera RPMs for workload agents | All services | `cloudera-service-delivery-cache.s3.amazonaws.com` | HTTPS | TCP/443 | RPM packages for some workload components. |
| Container images: software distribution | Data Engineering, DataFlow, Data Warehouse, Machine Learning | `container.repo.cloudera.com`<br>`container.repository.cloudera.com`<br>`prod-us-west-2-starport-layer-bucket.s3.us-west-2.amazonaws.com`<br>`prod-us-west-2-starport-layer-bucket.s3.amazonaws.com`<br>`s3-r-w.us-west-2.amazonaws.com`<br>`*.execute-api.us-west-2.amazonaws.com`<br>`prod-eu-west-1-starport-layer-bucket.s3.eu-west-1.amazonaws.com`<br>`prod-eu-west-1-starport-layer-bucket.s3.amazonaws.com`<br>`s3-r-w.eu-west-1.amazonaws.com`<br>`*.execute-api.eu-west-1.amazonaws.com`<br>`prod-ap-southeast-1-starport-layer-bucket.s3.ap-southeast-1.amazonaws.com`<br>`prod-ap-southeast-1-starport-layer-bucket.s3.amazonaws.com`<br>`s3-r-w.ap-southeast-1.amazonaws.com`<br>`*.execute-api.ap-southeast-1.amazonaws.com` | HTTPS | TCP/443 | CDN-backed and AWS ECR-backed services; IP range not predictable. `container.repo.cloudera.com` uses an ECR backend, which requires the S3 URLs. IP geolocation attempts to select the closest API and ECR backend, so clients may be directed to any of the destinations. |
| Flow definitions: CDP AWS bucket with flow definitions | DataFlow | US-based Control Plane: `s3.us-west-2.amazonaws.com/dfx-flow-artifacts.mow-prod.mow-prod.cloudera.com`<br>EU-based Control Plane: `cldr-mow-prod-eu-central-1-dfx-flow-artifacts.s3.eu-central-1.amazonaws.com`<br>AP-based Control Plane: `cldr-mow-prod-ap-southeast-2-dfx-flow-artifacts.s3.ap-southeast-2.amazonaws.com` | HTTPS (one way), IAM authentication | TCP/443 | Outbound internet access to S3 hosts is necessary on all cloud providers when using CDF, because the workload must query an S3 location to retrieve the flow definition when creating a deployment. |
| Public signing key retrieval | Data Engineering, DataFlow | US-based Control Plane: `consoleauth.altus.cloudera.com`<br>`console.us-west-1.cdp.cloudera.com`<br>EU-based Control Plane: `console.eu-1.cdp.cloudera.com`<br>AP-based Control Plane: `console.ap-1.cdp.cloudera.com` | HTTPS | TCP/443 | Required to allow authentication to a CDE virtual cluster using a CDP access key. |
| Control Plane IAM API | Machine Learning | US-based Control Plane: `iamapi.us-west-1.altus.cloudera.com`<br>`console.us-west-1.cdp.cloudera.com`<br>EU-based Control Plane: `console.eu-1.cdp.cloudera.com`<br>AP-based Control Plane: `console.ap-1.cdp.cloudera.com` | HTTPS | TCP/443 | For connecting to the IAM API to fetch entitlement details. |
| AMPs (Applied ML Prototypes) | Machine Learning | `https://raw.githubusercontent.com`<br>`https://github.com` | HTTPS | TCP/443 | Files for AMPs are hosted on GitHub. |
| Learning Hub | Machine Learning | `https://github.com/cloudera/learning-hub-content` | HTTPS | TCP/443 | Access to the Learning Hub in air-gapped environments. |

AWS-specific endpoints

| Description/Usage | CDP service | Destination | Protocol and Authentication | IP Protocol/Port | Comments |
|---|---|---|---|---|---|
| AWS STS | All services | `sts.amazonaws.com`<br>`sts.*.amazonaws.com` | HTTPS (one way), IAM authentication | TCP/443 | CDP 7.1.1+ is required before this can be made internal with VPC endpoints. |
| AWS S3 | All services | `*.s3.amazonaws.com`<br>`*.s3.<AWS_REGION>.amazonaws.com`<br>`s3.amazonaws.com` | HTTPS (one way), IAM authentication | TCP/443 | Replace `<AWS_REGION>` with the AWS region used for your workloads. `*.s3.<AWS_REGION>.amazonaws.com` is VPC internal. `*.s3.amazonaws.com` and `s3.amazonaws.com` can be made internal with VPC endpoints. |
| AWS RDS | All services | `*.*.rds.amazonaws.com` | JDBC / PostgreSQL binary protocol / MySQL / RDS CA certs | TCP/5432, 3306, 443 | VPC internal. Only Data Engineering uses MySQL and requires port 3306 to be open. |
| AWS ECR | DataFlow, Data Warehouse, Machine Learning | `api.ecr.<AWS_REGION>.amazonaws.com`<br>`*.dkr.ecr.<AWS_REGION>.amazonaws.com` | HTTPS (one way), IAM authentication | TCP/443 | VPC internal. Replace `<AWS_REGION>` with the AWS region used for your workloads. |
| AWS EC2 | DataFlow, Data Warehouse, Machine Learning, Operational Database | `ec2.<AWS_REGION>.amazonaws.com` | HTTPS (one way), IAM authentication | TCP/443 | VPC internal. Replace `<AWS_REGION>` with the AWS region used for your workloads. |
| AWS EKS | Data Engineering, DataFlow, Data Warehouse, Machine Learning | `eks.*.amazonaws.com` | HTTPS (one way), IAM authentication | TCP/443 | AWS does not support EKS VPC endpoints at this time. |
| AWS CloudFormation | DataFlow, Data Warehouse, Machine Learning | `cloudformation.*.amazonaws.com` | HTTPS (one way), IAM authentication | TCP/443 | Can be made internal with VPC endpoints. |
| AWS Auto Scaling | Data Engineering, DataFlow, Data Warehouse, Machine Learning | `autoscaling.*.amazonaws.com` | HTTPS (one way), IAM authentication | TCP/443 | Can be made internal with VPC endpoints. |
| AWS EFS | Data Engineering, Data Warehouse, Machine Learning | `elasticfilesystem.*.amazonaws.com` | HTTPS (one way), IAM authentication | TCP/443 | Can be made internal with VPC endpoints. |
| AWS ELB | Data Engineering, Data Warehouse | `elasticloadbalancing.*.amazonaws.com` | HTTPS (one way), IAM authentication | TCP/443 | Can be made internal with VPC endpoints. |
| AWS EKS Kubernetes cluster API | Data Warehouse | `<UNIQUEID>.*.eks.amazonaws.com` | HTTPS (one way), IAM authentication | TCP/443 | Optional for new clusters. Replace `<UNIQUEID>` with the unique hostname assigned when an EKS Kubernetes cluster is deployed. |
| AWS RDS API | Data Warehouse | `rds.*.amazonaws.com` | HTTPS (one way), IAM authentication | TCP/443 | AWS does not support RDS API VPC endpoints at this time. This requirement is under further evaluation. Data Warehouse uses Amazon RDS for PostgreSQL. |
| AWS Service Quotas | Data Warehouse | `servicequotas.*.amazonaws.com` | HTTPS (one way), IAM authentication | TCP/443 | AWS does not support Service Quotas via VPC endpoints. Used to check limits and warn before they are reached. |
| AWS Price List Service | DataFlow, Data Warehouse | `pricing.*.amazonaws.com` | HTTPS (one way), IAM authentication | TCP/443 | The AWS Price List Service uses us-east-1 or ap-south-1 as the region. |
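The tables above mix wildcard hostnames, `<AWS_REGION>`/`<UNIQUEID>` placeholders, full URLs and one bucket path, and the introduction recommends hostname-based egress policies with CIDR ranges only where static IPs exist. The following Python script is an added example, not Cloudera's code: it turns a constructed subset of the Destination column into a normalised allowlist for one region and checks candidate hostnames and IPs against it, so a firewall or proxy rule set can be reviewed before it is deployed. The `*`-matches-one-or-more-labels semantics and the treatment of `<UNIQUEID>` as a wildcard are the example's own assumptions.

```python
"""Build and check a hostname/CIDR egress allowlist from the CDP destination table.

Added example, not part of Cloudera's documentation or code. DESTINATIONS is a
constructed subset of the page's Destination column; use the full table for real work.
"""
import ipaddress
import re
from urllib.parse import urlsplit

# Constructed subset of the table, copied in the forms the page uses: bare
# hostnames, wildcards, placeholders, https:// URLs and a host with a bucket path.
DESTINATIONS = [
    "api.us-west-1.cdp.cloudera.com",
    "*.v2.us-west-1.ccm.cdp.cloudera.com",
    "https://cloudera-dbus-prod.s3.amazonaws.com",
    "s3.us-west-2.amazonaws.com/dfx-flow-artifacts.mow-prod.mow-prod.cloudera.com",
    "*.s3.amazonaws.com",
    "*.s3.<AWS_REGION>.amazonaws.com",
    "s3.amazonaws.com",
    "eks.*.amazonaws.com",
    "<UNIQUEID>.*.eks.amazonaws.com",
]

# The only static ranges the page gives (CCMv1 and the US CCMv2 range); every
# other destination is hostname-only, which is why hostname policies are recommended.
STATIC_CIDRS = ["44.234.52.96/27", "35.80.24.128/27"]

_PLACEHOLDER = re.compile(r"<[A-Za-z_]+>")


def normalise(entry, region):
    """Reduce one table cell entry to a hostname pattern for the given region."""
    entry = entry.strip()
    if "://" in entry:
        host = urlsplit(entry).hostname or ""     # drop scheme, keep host only
    else:
        host = entry.split("/", 1)[0]             # drop any bucket path
    host = host.replace("<AWS_REGION>", region)
    # <UNIQUEID> (and any other placeholder) is only known after deployment;
    # treating it as a wildcard is an assumption of this example, not the page's.
    host = _PLACEHOLDER.sub("*", host)
    return host.rstrip(".").lower()


def pattern_to_regex(pattern):
    """Compile a wildcard hostname pattern.

    Assumption: '*' stands for one or more DNS labels, so '*.s3.amazonaws.com'
    covers dotted bucket names but never the bare 's3.amazonaws.com', which
    the table therefore lists as a separate entry.
    """
    parts = [re.escape(p) for p in pattern.split("*")]
    return re.compile("^" + r"(?:[^.]+\.)*[^.]+".join(parts) + "$")


def expand_patterns(entries, region):
    """Normalised, de-duplicated patterns for one region, in table order."""
    out = []
    for e in entries:
        p = normalise(e, region)
        if p and p not in out:
            out.append(p)
    return out


def build_allowlist(entries, region):
    return [pattern_to_regex(p) for p in expand_patterns(entries, region)]


def host_allowed(host, allowlist):
    """True if the hostname matches any compiled pattern in the allowlist."""
    host = host.rstrip(".").lower()
    return any(rx.fullmatch(host) for rx in allowlist)


def ip_allowed(ip, cidrs=STATIC_CIDRS):
    """True if the address falls inside one of the page's static CIDR ranges."""
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(c) for c in cidrs)


if __name__ == "__main__":
    region = "us-east-1"
    for p in expand_patterns(DESTINATIONS, region):
        print(p)
    allow = build_allowlist(DESTINATIONS, region)
    for h in ["bucket.s3.us-east-1.amazonaws.com", "bucket.s3.eu-west-1.amazonaws.com"]:
        print(h, "->", "allow" if host_allowed(h, allow) else "deny")
```

Two behaviours are worth noticing when adapting this to a real proxy or firewall: a region-scoped pattern such as `*.s3.<AWS_REGION>.amazonaws.com` only admits buckets in the configured region, so a second region needs a second expansion, and the wildcard semantics decide whether `s3.amazonaws.com` is covered by `*.s3.amazonaws.com` or needs its own entry, which is why the table lists both.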