AWS outbound network access destinations

If you have limited outbound internet access (for example due to using a firewall or proxy), review this content to learn which specific outbound destinations must be available in order to register a CDP environment.

We recommend hostname-based policies, as some of the destination services do not have static IP addresses. IP address details in CIDR notation have been provided where static IPs are in-use.

The following list includes general destinations as well as AWS-specific destinations.

General endpoints

Description/Usage

CDP service

Destination

Protocol and Authentication

IP Protocol/Port

Comments

Control Plane API

All services

US-based Control Plane:

api.us-west-1.cdp.cloudera.com

EU-based Control Plane:

api.eu-1.cdp.cloudera.com

AP-based Control Plane:

api.ap-1.cdp.cloudera.com

HTTPS with Cloudera-generated access key

TCP/443

Cloudera’s control plane REST API.

Cloudera CCMv1

Persistent Control Plane connection

All services

*.ccm.cdp.cloudera.com

44.234.52.96/27

SSH public/private key authentication

TCP/6000-6049

One connection per cluster configured; persistent

Cloudera CCMv2

Persistent Control Plane connection

All services

US-based Control Plane:

*.v2.us-west-1.ccm.cdp.cloudera.com

35.80.24.128/27

EU-based Control Plane:

*.v2.ccm.eu-1.cdp.cloudera.com

3.65.246.128/27

AP-based Control Plane:

*.v2.ccm.ap-1.cdp.cloudera.com

3.26.127.64/27

HTTPS with mutual authentication

TCP/443

Multiple long-lived/persistent connections

Cloudera Databus

Telemetry, billing and metering data

All services

US-based Control Plane:

dbusapi.us-west-1.sigma.altus.cloudera.com

api.us-west-1.cdp.cloudera.com

https://cloudera-dbus-prod.s3.amazonaws.com

EU-based Control Plane:

api.eu-1.cdp.cloudera.com

https://mow-prod-eu-central-1-sigmadbus-dbus.s3.eu-central-1.amazonaws.com

https://mow-prod-eu-central-1-sigmadbus-dbus.s3.amazonaws.com

AP-based Control Plane:

api.ap-1.cdp.cloudera.com

https://mow-prod-ap-southeast-2-sigmadbus-dbus.s3.ap-southeast-2.amazonaws.com

https://mow-prod-ap-southeast-2-sigmadbus-dbus.s3.amazonaws.com

HTTPS with Cloudera-generated access key for dbus

HTTPS for S3

TCP/443

Regular interval for telemetry, billing, metering services, and used for Cloudera Observability if enabled. Larger payloads are sent to a Cloudera managed S3 bucket.

Cloudera Observability Metrics

System metrics collection

All services US-based Control Plane:

*.api.monitoring.us-west-1.cdp.cloudera.com

EU-based Control Plane:

*.api.monitoring.eu-1.cdp.cloudera.com

AP-based Control Plane:

*.api.monitoring.ap-1.cdp.cloudera.com

HTTPS

TCP/443 New as of March 2024

Cloudera Manager parcels

Software distribution

All services

archive.cloudera.com

HTTPS

TCP/443

Cloudera’s public software repository. CDN backed service; IP range not predictable.

RPMs

Cloudera RPMs for workload agents

All services cloudera-service-delivery-cache.s3.amazonaws.com HTTPS TPC/443 RPM packages for some workload components

Container Images

Software Distribution

Data Engineering

DataFlow

Data Warehouse

Machine Learning

container.repo.cloudera.com

container.repository.cloudera.com

container.repo.cloudera.com

prod-us-west-2-starport-layer-bucket.s3.us-west-2.amazonaws.com

prod-us-west-2-starport-layer-bucket.s3.amazonaws.com

s3-r-w.us-west-2.amazonaws.com

*.execute-api.us-west-2.amazonaws.com

prod-eu-west-1-starport-layer-bucket.s3.eu-west-1.amazonaws.com

prod-eu-west-1-starport-layer-bucket.s3.amazonaws.com

s3-r-w.eu-west-1.amazonaws.com

*.execute-api.eu-west-1.amazonaws.com

prod-ap-southeast-1-starport-layer-bucket.s3.ap-southeast-1.amazonaws.com

prod-ap-southeast-1-starport-layer-bucket.s3.amazonaws.com

s3-r-w.ap-southeast-1.amazonaws.com

*.execute-api.ap-southeast-1.amazonaws.com

HTTPS

TCP/443

CDN-backed and AWS ECR-backed services; IP range not predictable.

container.repo.cloudera.com uses ECR backend which requires S3 URLs.

IP geolocation attempts to select closest API and ECR backend; clients may be directed to any of the destinations.

Flow Definitions

CDP AWS bucket with flow definitions

DataFlow US-based Control Plane:

s3.us-west-2.amazonaws.com/dfx-flow-artifacts.mow-prod.mow-prod.cloudera.com

EU-based Control Plane:

cldr-mow-prod-eu-central-1-dfx-flow-artifacts.s3.eu-central-1.amazonaws.com

AP-based Control Plane:

cldr-mow-prod-ap-southeast-2-dfx-flow-artifacts.s3.ap-southeast-2.amazonaws.com

HTTPS (one way)

IAM authentication

TCP/443

Outbound internet access to S3 hosts is necessary on all cloud providers when using CDF as the workload needs to query outbound to an S3 location to retrieve the flow definition when creating a deployment.

Public Signing Key Retrieval

Data Engineering

DataFlow

US-based Control Plane:

consoleauth.altus.cloudera.com

console.us-west-1.cdp.cloudera.com

EU-based Control Plane:

console.eu-1.cdp.cloudera.com

AP-based Control Plane:

console.ap-1.cdp.cloudera.com

HTTPS

TCP/443

Required to allow authentication to CDE virtual Cluster using a CDP Access Key.

Control Plane IAM API

Machine Learning

US-based Control Plane:

iamapi.us-west-1.altus.cloudera.com

console.us-west-1.cdp.cloudera.com

EU-based Control Plane:

console.eu-1.cdp.cloudera.com

AP-based Control Plane:

console.ap-1.cdp.cloudera.com

HTTPS

TCP/443

For connecting to the IAMAPI for fetching the entitlement details.

AMPs

Applied ML Prototypes

Machine Learning

https://raw.githubusercontent.com

https://github.com

HTTPS

TCP/443

Files for AMPs are hosted on GitHub.

Learning Hub

Machine Learning

https://github.com/cloudera/learning-hub-content

HTTPS

TCP/443

Access Learning Hub in air-gapped environments

AWS-specific endpoints

Description/Usage

CDP service

Destination

Protocol and Authentication

IP Protocol/Port

Comments

AWS STS

All services

sts.amazonaws.com

sts.*.amazonaws.com

HTTPS (one way)

IAM authentication

TCP/443

CDP 7.1.1+ required before can be made internal with VPC endpoints.

AWS S3

All services

*.s3.amazonaws.com

*.s3.<AWS_REGION>.amazonaws.com

s3.amazonaws.com

HTTPS (one way)

IAM authentication

TCP/443

The <AWS_REGION> should be replaced with the AWS region used for your workloads.

*.s3.<AWS_REGION>.amazonaws.com is VPC internal.

*.s3.amazonaws.com and s3.amazonaws.com can be made internal with VPC endpoints.

AWS RDS

All services

*.*.rds.amazonaws.com

JDBC / Postgres binary protocol / MySQL / RDS CA certs

TCP 5432 / 3306 / 443

VPC Internal.

Only Data Engineering uses MySQL and requires port 3306 to be open.

AWS EC

DataFlow

Data Warehouse

Machine Learning

api.ecr.<AWS_REGION>.amazonaws.com

*.dkr.ecr.<AWS_REGION>.amazonaws.com

HTTPS (one way)

IAM authentication

TCP/443

VPC Internal.

The <AWS_REGION> should be replaced with the AWS region used for your workloads.

AWS EC2

DataFlow

Data Warehouse

Machine Learning

Operational Database

ec2.<AWS_REGION>.amazonaws.com

HTTPS (one way)

IAM authentication

TCP/443

VPC Internal.

The <AWS_REGION> should be replaced with the AWS region used for your workloads.

AWS EKS

Data Engineering

DataFlow

Data Warehouse

Machine Learning

eks.*.amazonaws.com

HTTPS (one way)

IAM authentication

TCP/443

AWS does not support EKS VPC endpoints at this time.

AWS Cloudformation

DataFlow

Data Warehouse

Machine Learning

cloudformation.*.amazonaws.com

HTTPS (one way)

IAM authentication

TCP/443

Can be made internal with VPC endpoints.

AWS Autoscaling

Data Engineering

DataFlow

Data Warehouse

Machine Learning

autoscaling.*.amazonaws.com

HTTPS (one way)

IAM authentication

TCP/443

Can be made internal with VPC endpoints.

AWS EFS

Data Engineering

Data Warehouse

Machine Learning

elasticfilesystem.*.amazonaws.com

HTTPS (one way)

IAM authentication

TCP/443

Can be made internal with VPC endpoints.

AWS ELB

Data Engineering

Data Warehouse

elasticloadbalancing.*.amazonaws.com

HTTPS (one way)

IAM authentication

TCP/443

Can be made internal with VPC endpoints.

AWS EKS k8s cluster API

Data Warehouse

<UNIQUEID>.*.eks.amazonaws.com

HTTPS (one way)

IAM authentication

TCP/443

Optional for new clusters.

The <UNIQUEID> should be replaced with the unique hostname that is assigned when an EKS k8s cluster is deployed.

AWS RDS API

Data Warehouse

rds.*.amazonaws.com

HTTPS (one way)

IAM authentication

TCP/443

AWS does not support RDS API VPC endpoints at this time. This requirement is under further evaluation.

Data Warehouse uses Amazon RDS for PostgreSQL.

AWS Service Quotas

Data Warehouse

servicequotas.*.amazonaws.com

HTTPS (one way)

IAM authentication

TCP/443

AWS does not support Service Quota via VPC endpoints. Used to check limits and warn prior to hitting the limits.

AWS Price List Service

DataFlow

Data Warehouse

pricing.*.amazonaws.com

HTTPS (one way)

IAM authentication

TCP/443

AWS Price List Service uses us-east-1 or ap-south-1 as the region.