AWS outbound network access destinations
If you have limited outbound internet access (for example due to using a firewall or proxy), review this content to learn which specific outbound destinations must be available in order to register a Cloudera environment.
We recommend hostname-based policies, as some of the destination services do not have static IP addresses. IP address details in CIDR notation are provided where static IPs are in use.
The following list includes general destinations as well as AWS-specific destinations.
General endpoints
Description/Usage | Cloudera service | Destination | Protocol and Authentication | IP Protocol/Port | Comments |
---|---|---|---|---|---|
Control Plane API | All services | US-based Control Plane: api.us-west-1.cdp.cloudera.com; EU-based Control Plane: api.eu-1.cdp.cloudera.com; AP-based Control Plane: api.ap-1.cdp.cloudera.com | HTTPS with Cloudera-generated access key | TCP/443 | Cloudera Control Plane REST API. |
Cloudera CCMv1 (persistent Control Plane connection) | All services | *.ccm.cdp.cloudera.com; 44.234.52.96/27 | SSH public/private key authentication | TCP/6000-6049 | One connection per cluster configured; persistent. |
Cloudera CCMv2 (persistent Control Plane connection) | All services | US-based Control Plane: *.v2.us-west-1.ccm.cdp.cloudera.com, 35.80.24.128/27; EU-based Control Plane: *.v2.ccm.eu-1.cdp.cloudera.com, 3.65.246.128/27; AP-based Control Plane: *.v2.ccm.ap-1.cdp.cloudera.com, 3.26.127.64/27 | HTTPS with mutual authentication | TCP/443 | Multiple long-lived/persistent connections. |
Cloudera Databus (telemetry, billing and metering data) | All services | US-based Control Plane: dbusapi.us-west-1.sigma.altus.cloudera.com, api.us-west-1.cdp.cloudera.com, https://cloudera-dbus-prod.s3.amazonaws.com; EU-based Control Plane: api.eu-1.cdp.cloudera.com, https://mow-prod-eu-central-1-sigmadbus-dbus.s3.eu-central-1.amazonaws.com, https://mow-prod-eu-central-1-sigmadbus-dbus.s3.amazonaws.com; AP-based Control Plane: api.ap-1.cdp.cloudera.com, https://mow-prod-ap-southeast-2-sigmadbus-dbus.s3.ap-southeast-2.amazonaws.com, https://mow-prod-ap-southeast-2-sigmadbus-dbus.s3.amazonaws.com | HTTPS with Cloudera-generated access key for dbus; HTTPS for S3 | TCP/443 | Regular interval for telemetry, billing and metering services; also used for Cloudera Observability if enabled. Larger payloads are sent to a Cloudera-managed S3 bucket. |
Cloudera Observability Metrics (system metrics collection) | All services | US-based Control Plane: *.api.monitoring.us-west-1.cdp.cloudera.com; EU-based Control Plane: *.api.monitoring.eu-1.cdp.cloudera.com; AP-based Control Plane: *.api.monitoring.ap-1.cdp.cloudera.com | HTTPS | TCP/443 | New as of March 2024. |
Cloudera Manager parcels (software distribution) | All services | archive.cloudera.com | HTTPS | TCP/443 | Cloudera's public software repository. CDN-backed service; IP range not predictable. |
RPMs (Cloudera RPMs for workload agents) | All services | cloudera-service-delivery-cache.s3.amazonaws.com | HTTPS | TCP/443 | RPM packages for some workload components. |
Container Images (software distribution) | Cloudera Data Engineering, Cloudera DataFlow, Cloudera Data Warehouse, Cloudera AI | container.repo.cloudera.com, container.repository.cloudera.com, prod-us-west-2-starport-layer-bucket.s3.us-west-2.amazonaws.com, prod-us-west-2-starport-layer-bucket.s3.amazonaws.com, s3-r-w.us-west-2.amazonaws.com, *.execute-api.us-west-2.amazonaws.com, prod-eu-west-1-starport-layer-bucket.s3.eu-west-1.amazonaws.com, prod-eu-west-1-starport-layer-bucket.s3.amazonaws.com, s3-r-w.eu-west-1.amazonaws.com, *.execute-api.eu-west-1.amazonaws.com, prod-ap-southeast-1-starport-layer-bucket.s3.ap-southeast-1.amazonaws.com, prod-ap-southeast-1-starport-layer-bucket.s3.amazonaws.com, s3-r-w.ap-southeast-1.amazonaws.com, *.execute-api.ap-southeast-1.amazonaws.com | HTTPS | TCP/443 | CDN-backed and AWS ECR-backed services; IP range not predictable. container.repo.cloudera.com uses an ECR backend, which requires the S3 URLs. IP geolocation attempts to select the closest API and ECR backend, but clients may be directed to any of the destinations. |
Flow Definitions (Cloudera AWS bucket with flow definitions) | Cloudera DataFlow | US-based Control Plane: s3.us-west-2.amazonaws.com/dfx-flow-artifacts.mow-prod.mow-prod.cloudera.com; EU-based Control Plane: cldr-mow-prod-eu-central-1-dfx-flow-artifacts.s3.eu-central-1.amazonaws.com; AP-based Control Plane: cldr-mow-prod-ap-southeast-2-dfx-flow-artifacts.s3.ap-southeast-2.amazonaws.com | HTTPS (one way), IAM authentication | TCP/443 | Outbound internet access to S3 hosts is necessary on all cloud providers when using Cloudera DataFlow, because the workload queries an S3 location to retrieve the flow definition when creating a deployment. |
Public Signing Key Retrieval | Cloudera Data Engineering, Cloudera DataFlow | US-based Control Plane: consoleauth.altus.cloudera.com, console.us-west-1.cdp.cloudera.com; EU-based Control Plane: console.eu-1.cdp.cloudera.com; AP-based Control Plane: console.ap-1.cdp.cloudera.com | HTTPS | TCP/443 | Required to allow authentication to a Cloudera Data Engineering virtual cluster using a Cloudera Access Key. |
Control Plane IAM API | Cloudera AI | US-based Control Plane: iamapi.us-west-1.altus.cloudera.com, console.us-west-1.cdp.cloudera.com; EU-based Control Plane: console.eu-1.cdp.cloudera.com; AP-based Control Plane: console.ap-1.cdp.cloudera.com | HTTPS | TCP/443 | For connecting to the IAM API to fetch entitlement details. |
AMPs (Cloudera Accelerators for Machine Learning Projects) | Cloudera AI | https://raw.githubusercontent.com, https://github.com | HTTPS | TCP/443 | Files for AMPs are hosted on GitHub. |
Learning Hub | Cloudera AI | https://github.com/cloudera/learning-hub-content | HTTPS | TCP/443 | Access to Learning Hub in air-gapped environments. |
AWS-specific endpoints
Description/Usage | Cloudera service | Destination | Protocol and Authentication | IP Protocol/Port | Comments |
---|---|---|---|---|---|
AWS STS | All services | sts.amazonaws.com, sts.*.amazonaws.com | HTTPS (one way), IAM authentication | TCP/443 | Cloudera 7.1.1+ is required before this can be made internal with VPC endpoints. |
AWS S3 | All services | *.s3.amazonaws.com, *.s3.<AWS_REGION>.amazonaws.com, s3.amazonaws.com | HTTPS (one way), IAM authentication | TCP/443 | Replace <AWS_REGION> with the AWS region used for your workloads. *.s3.<AWS_REGION>.amazonaws.com is VPC internal. *.s3.amazonaws.com and s3.amazonaws.com can be made internal with VPC endpoints. |
AWS RDS | All services | *.*.rds.amazonaws.com | JDBC / Postgres binary protocol / MySQL / RDS CA certs | TCP 5432 / 3306 / 443 | VPC internal. Only Cloudera Data Engineering uses MySQL and requires port 3306 to be open. |
AWS ECR | Cloudera DataFlow, Cloudera Data Warehouse, Cloudera AI | api.ecr.<AWS_REGION>.amazonaws.com, *.dkr.ecr.<AWS_REGION>.amazonaws.com | HTTPS (one way), IAM authentication | TCP/443 | VPC internal. Replace <AWS_REGION> with the AWS region used for your workloads. |
AWS EC2 | Cloudera DataFlow, Cloudera Data Warehouse, Cloudera AI, Cloudera Operational Database | ec2.<AWS_REGION>.amazonaws.com | HTTPS (one way), IAM authentication | TCP/443 | VPC internal. Replace <AWS_REGION> with the AWS region used for your workloads. |
AWS EKS | Cloudera Data Engineering, Cloudera DataFlow, Cloudera Data Warehouse, Cloudera AI | eks.*.amazonaws.com | HTTPS (one way), IAM authentication | TCP/443 | AWS does not support EKS VPC endpoints at this time. |
AWS CloudFormation | Cloudera DataFlow, Cloudera Data Warehouse, Cloudera AI | cloudformation.*.amazonaws.com | HTTPS (one way), IAM authentication | TCP/443 | Can be made internal with VPC endpoints. |
AWS Autoscaling | Cloudera Data Engineering, Cloudera DataFlow, Cloudera Data Warehouse, Cloudera AI | autoscaling.*.amazonaws.com | HTTPS (one way), IAM authentication | TCP/443 | Can be made internal with VPC endpoints. |
AWS EFS | Cloudera Data Engineering, Cloudera Data Warehouse, Cloudera AI | elasticfilesystem.*.amazonaws.com | HTTPS (one way), IAM authentication | TCP/443 | Can be made internal with VPC endpoints. |
AWS ELB | Cloudera Data Engineering, Cloudera Data Warehouse | elasticloadbalancing.*.amazonaws.com | HTTPS (one way), IAM authentication | TCP/443 | Can be made internal with VPC endpoints. |
AWS EKS k8s cluster API | Cloudera Data Warehouse | <UNIQUEID>.*.eks.amazonaws.com | HTTPS (one way), IAM authentication | TCP/443 | Optional for new clusters. Replace <UNIQUEID> with the unique hostname assigned when an EKS k8s cluster is deployed. |
AWS RDS API | Cloudera Data Warehouse | rds.*.amazonaws.com | HTTPS (one way), IAM authentication | TCP/443 | AWS does not support RDS API VPC endpoints at this time. This requirement is under further evaluation. Cloudera Data Warehouse uses Amazon RDS for PostgreSQL. |
AWS Service Quotas | Cloudera Data Warehouse | servicequotas.*.amazonaws.com | HTTPS (one way), IAM authentication | TCP/443 | AWS does not support Service Quotas via VPC endpoints. Used to check limits and warn before they are reached. |
AWS Price List Service | Cloudera DataFlow, Cloudera Data Warehouse | pricing.*.amazonaws.com | HTTPS (one way), IAM authentication | TCP/443 | AWS Price List Service uses us-east-1 or ap-south-1 as the region. |
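The two tables above are easiest to operationalize as data: a script that expands the <AWS_REGION> placeholder, renders a hostname-based proxy allowlist (as the page recommends), keeps the CIDR entries only where the page gives static ranges, and lets you check whether a given host and port is covered before a deployment fails. The following is an added example, not Cloudera's own tooling; the destination list is a constructed subset of the entries above, the Squid ACL syntax (dstdomain, dstdom_regex, dst) is my assumed target format, and treating a bare `*` as exactly one DNS label is my reading of the page's patterns.

```python
"""Egress allowlist helper for the Cloudera destinations on this page.

Added example, not Cloudera's own code. The entries below are a constructed
subset of the page's tables; the third field records whether the page says
the destination can be made VPC-internal (so it would not need the proxy).
"""
import ipaddress
import re

# (hostname pattern or CIDR, TCP port or port range, can be made VPC-internal?)
DESTINATIONS = [
    ("api.us-west-1.cdp.cloudera.com", "443", False),
    ("*.ccm.cdp.cloudera.com", "6000-6049", False),
    ("44.234.52.96/27", "6000-6049", False),              # CCMv1 static range
    ("*.v2.us-west-1.ccm.cdp.cloudera.com", "443", False),
    ("35.80.24.128/27", "443", False),                     # CCMv2 US static range
    ("archive.cloudera.com", "443", False),                # CDN, no static IPs
    ("sts.amazonaws.com", "443", True),                    # needs Cloudera 7.1.1+
    ("*.s3.<AWS_REGION>.amazonaws.com", "443", True),
    ("api.ecr.<AWS_REGION>.amazonaws.com", "443", True),
    ("eks.*.amazonaws.com", "443", False),                 # no EKS VPC endpoint
    ("*.*.rds.amazonaws.com", "5432", True),
]


def expand_region(pattern, region):
    """Replace the page's <AWS_REGION> placeholder with the workload region."""
    return pattern.replace("<AWS_REGION>", region)


def is_cidr(entry):
    """True for the static IP ranges the page gives in CIDR notation."""
    try:
        ipaddress.ip_network(entry, strict=True)
        return True
    except ValueError:
        return False


def host_matches(pattern, host):
    """Per-label wildcard match (assumption: '*' is exactly one DNS label).

    '*.ccm.cdp.cloudera.com' covers 'x.ccm.cdp.cloudera.com' but not
    'y.x.ccm.cdp.cloudera.com'; comparison is case-insensitive.
    """
    p_labels = pattern.lower().rstrip(".").split(".")
    h_labels = host.lower().rstrip(".").split(".")
    if len(p_labels) != len(h_labels):
        return False
    return all(p == "*" or p == h for p, h in zip(p_labels, h_labels))


def port_in(spec, port):
    """True if port falls inside '443' or a range such as '6000-6049'."""
    lo, _, hi = spec.partition("-")
    return int(lo) <= port <= int(hi or lo)


def is_allowed(host, port, region, destinations=DESTINATIONS):
    """True if host:port is covered by a hostname pattern for this region."""
    for entry, ports, _ in destinations:
        if is_cidr(entry):
            continue  # hostname policy is the primary control; CIDRs are extra
        if host_matches(expand_region(entry, region), host) and port_in(ports, port):
            return True
    return False


def internet_required(destinations=DESTINATIONS):
    """Entries that still need proxy/firewall egress after VPC endpoints exist."""
    return [entry for entry, _, vpc_ok in destinations if not vpc_ok]


def squid_acls(region, destinations=DESTINATIONS, name="cloudera"):
    """Render Squid-style ACL lines (assumed syntax, not from the page).

    A leading '*.' becomes a '.domain' dstdomain entry, which in Squid matches
    every subdomain (broader than the single-label rule above); a '*' inside
    the name needs dstdom_regex; CIDR ranges use dst.
    """
    lines = []
    for entry, _, _ in destinations:
        entry = expand_region(entry, region)
        if is_cidr(entry):
            lines.append(f"acl {name} dst {entry}")
        elif entry.startswith("*.") and "*" not in entry[2:]:
            lines.append(f"acl {name} dstdomain {entry[1:]}")
        elif "*" in entry:
            rx = "^" + re.escape(entry).replace(r"\*", "[^.]+") + "$"
            lines.append(f"acl {name} dstdom_regex -i {rx}")
        else:
            lines.append(f"acl {name} dstdomain {entry}")
    return lines


if __name__ == "__main__":
    for line in squid_acls("us-west-2"):
        print(line)
    print("still needs internet egress:", internet_required())
    print(is_allowed("bucket.s3.us-west-2.amazonaws.com", 443, "us-west-2"))
```

The single-label wildcard in `host_matches` is deliberately stricter than Squid's `.domain` form; if you check a failing connection with `is_allowed` and it is covered only by the broader proxy rule, that is a sign the page's pattern and your proxy policy disagree and worth a look. The CCM ports (6000-6049) are the one non-443 range on the general list, so a proxy that only relays CONNECT to 443 will block CCMv1 even with the hostnames allowed.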