Azure outbound network access destinations
If outbound internet access from the Cloudera subnets is restricted (for example by a firewall or proxy), review this content to learn which outbound destinations must be reachable to register a Cloudera environment.
Prefer hostname-based (FQDN) policies: several destinations are CDN- or S3-backed and have no static IP addresses. CIDR ranges are listed only where static IPs are in use. Two of the control-plane connections cannot be handled by an intercepting (TLS-inspecting) proxy: CCMv2 uses mutually authenticated TLS, and CCMv1 uses SSH on TCP/6000-6049, so these must be permitted as direct connections rather than terminated on the proxy.
The following lists include general destinations as well as Azure-specific destinations.
General endpoints

| Description/Usage | Cloudera service | Destination | Protocol and authentication | IP protocol/port | Comments |
|---|---|---|---|---|---|
| Control Plane API | All services | US-based Control Plane: api.us-west-1.cdp.cloudera.com<br>EU-based Control Plane: api.eu-1.cdp.cloudera.com<br>AP-based Control Plane: api.ap-1.cdp.cloudera.com | HTTPS with Cloudera-generated access key | TCP/443 | Cloudera Control Plane REST API. |
| Cloudera CCMv1 persistent Control Plane connection | All services | *.ccm.cdp.cloudera.com<br>44.234.52.96/27 | SSH public/private key authentication | TCP/6000-6049 | One connection per configured cluster; persistent. |
| Cloudera CCMv2 persistent Control Plane connection | All services | US-based Control Plane: *.v2.us-west-1.ccm.cdp.cloudera.com (35.80.24.128/27)<br>EU-based Control Plane: *.v2.ccm.eu-1.cdp.cloudera.com (3.65.246.128/27)<br>AP-based Control Plane: *.v2.ccm.ap-1.cdp.cloudera.com (3.26.127.64/27) | HTTPS with mutual authentication | TCP/443 | Multiple long-lived/persistent connections. Mutual TLS cannot be terminated by an intercepting proxy. |
| Cloudera Databus: telemetry, billing and metering data | All services | US-based Control Plane: dbusapi.us-west-1.sigma.altus.cloudera.com, api.us-west-1.cdp.cloudera.com, https://cloudera-dbus-prod.s3.amazonaws.com<br>EU-based Control Plane: api.eu-1.cdp.cloudera.com, https://mow-prod-eu-central-1-sigmadbus-dbus.s3.eu-central-1.amazonaws.com, https://mow-prod-eu-central-1-sigmadbus-dbus.s3.amazonaws.com<br>AP-based Control Plane: api.ap-1.cdp.cloudera.com, https://mow-prod-ap-southeast-2-sigmadbus-dbus.s3.ap-southeast-2.amazonaws.com, https://mow-prod-ap-southeast-2-sigmadbus-dbus.s3.amazonaws.com | HTTPS with Cloudera-generated access key (dbus); HTTPS (S3) | TCP/443 | Sent at regular intervals for telemetry, billing and metering, and used by Cloudera Observability if enabled. Larger payloads are sent to a Cloudera-managed S3 bucket. |
| Cloudera Observability metrics: system metrics collection | All services | US-based Control Plane: *.api.monitoring.us-west-1.cdp.cloudera.com<br>EU-based Control Plane: *.api.monitoring.eu-1.cdp.cloudera.com<br>AP-based Control Plane: *.api.monitoring.ap-1.cdp.cloudera.com | HTTPS | TCP/443 | New as of March 2024. |
| Cloudera Manager parcels: software distribution | All services | archive.cloudera.com | HTTPS | TCP/443 | Cloudera's public software repository. CDN-backed service; IP range not predictable. |
| RPMs: Cloudera RPMs for workload agents | All services | cloudera-service-delivery-cache.s3.amazonaws.com | HTTPS | TCP/443 | RPM packages for some workload components. |
| Container images: software distribution | Cloudera Data Engineering, Cloudera Data Warehouse, Cloudera AI | container.repo.cloudera.com<br>container.repository.cloudera.com<br>prod-us-west-2-starport-layer-bucket.s3.us-west-2.amazonaws.com<br>prod-us-west-2-starport-layer-bucket.s3.amazonaws.com<br>s3-r-w.us-west-2.amazonaws.com<br>*.execute-api.us-west-2.amazonaws.com<br>prod-eu-west-1-starport-layer-bucket.s3.eu-west-1.amazonaws.com<br>prod-eu-west-1-starport-layer-bucket.s3.amazonaws.com<br>s3-r-w.eu-west-1.amazonaws.com<br>*.execute-api.eu-west-1.amazonaws.com<br>prod-ap-southeast-1-starport-layer-bucket.s3.ap-southeast-1.amazonaws.com<br>prod-ap-southeast-1-starport-layer-bucket.s3.amazonaws.com<br>s3-r-w.ap-southeast-1.amazonaws.com<br>*.execute-api.ap-southeast-1.amazonaws.com | HTTPS | TCP/443 | CDN-backed and AWS ECR-backed services; IP range not predictable. container.repo.cloudera.com uses an ECR backend, which requires the S3 URLs. IP geolocation attempts to select the closest API and ECR backend, but clients may be directed to any of the destinations, so allow all three regions. |
| Flow definitions: Cloudera AWS bucket with flow definitions | Cloudera DataFlow | US-based Control Plane: s3.us-west-2.amazonaws.com/dfx-flow-artifacts.mow-prod.mow-prod.cloudera.com<br>EU-based Control Plane: cldr-mow-prod-eu-central-1-dfx-flow-artifacts.s3.eu-central-1.amazonaws.com<br>AP-based Control Plane: cldr-mow-prod-ap-southeast-2-dfx-flow-artifacts.s3.ap-southeast-2.amazonaws.com | HTTPS (one way), IAM authentication | TCP/443 | Outbound access to these S3 hosts is required on all cloud providers when using Cloudera DataFlow: the workload retrieves the flow definition from S3 when creating a deployment. |
| Public signing key retrieval | Cloudera Data Engineering, Cloudera DataFlow | US-based Control Plane: consoleauth.altus.cloudera.com, console.us-west-1.cdp.cloudera.com<br>EU-based Control Plane: console.eu-1.cdp.cloudera.com<br>AP-based Control Plane: console.ap-1.cdp.cloudera.com | HTTPS | TCP/443 | Required to authenticate to a Cloudera Data Engineering virtual cluster with a Cloudera access key. |
| Control Plane IAM API | Cloudera AI | US-based Control Plane: iamapi.us-west-1.altus.cloudera.com, console.us-west-1.cdp.cloudera.com<br>EU-based Control Plane: console.eu-1.cdp.cloudera.com<br>AP-based Control Plane: console.ap-1.cdp.cloudera.com | HTTPS | TCP/443 | Used to fetch entitlement details from the IAM API. |
| AMPs: Cloudera Accelerators for Machine Learning Projects | Cloudera AI | https://raw.githubusercontent.com<br>https://github.com | HTTPS | TCP/443 | Files for AMPs are hosted on GitHub. |
| Learning Hub | Cloudera AI | https://github.com/cloudera/learning-hub-content | HTTPS | TCP/443 | Access to Learning Hub content in air-gapped environments. |
Azure-specific endpoints

| Description/Usage | Cloudera service | Destination | Protocol and authentication | IP protocol/port | Comments |
|---|---|---|---|---|---|
| General Azure guidelines | All services | See "Safelist the Azure portal URLs on your firewall or proxy server" (Microsoft documentation) for Azure egress best practices. | | | |
| Azure Storage | All services | <STORAGE_ACCOUNT_NAME>.dfs.core.windows.net | HTTPS, Azure authentication | TCP/443 | An Azure Storage VNet service endpoint (Microsoft.Storage) is required. Replace <STORAGE_ACCOUNT_NAME> with the actual storage account name. |
| Azure Database for PostgreSQL | All services | *.postgres.database.azure.com | JDBC / PostgreSQL wire protocol | TCP/5432 | An Azure SQL VNet service endpoint (Microsoft.Sql) is required. |
| ARM, to manage user-assigned managed identities | All services | management.azure.com | HTTPS, Azure authentication | TCP/443 | Can be allowed with the AzureResourceManager service tag. The corresponding IP ranges are also available for download from Microsoft if an IP-based allow list is needed. |
| | All services | *.agentsvc.azure-automation.net<br>*.ods.opinsights.azure.com<br>*.oms.opinsights.azure.com<br>*.blob.core.windows.net | HTTPS, Azure authentication | TCP/443 | Optional, but blocking these may cause issues with Azure-approved images. |
| Azure Kubernetes Service (AKS) | Cloudera Data Engineering, Cloudera DataFlow, Cloudera Data Warehouse, Cloudera AI | | | | |
| Azure Database for MySQL | Cloudera Data Engineering | *.mysql.database.azure.com | JDBC / MySQL wire protocol | TCP/3306 | |
| Azure Files (SMB) | Cloudera Data Engineering | *.file.core.windows.net | SMB | TCP/445 | |
| Azure Files (NFS) | Cloudera AI | *.file.core.windows.net | NFS | TCP/2049 | |
| DigiCert CA certificate | Cloudera Data Engineering, Cloudera DataFlow | www.digicert.com<br>cacerts.digicert.com | HTTPS | TCP/443 | Fetches the TLS CA certificate used to secure the connection to Azure Database for MySQL. |
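The rules derived from the two tables above are only correct if they work from inside the Cloudera subnet, and IP-based rules silently rot when a destination's addresses change. The following pre-flight check is an added example, not Cloudera tooling: it parses entries in the cell format used on this page (bare hostnames, https:// URLs, host/path, wildcards, optional CIDR), resolves each concrete host and attempts a TCP connection on the listed port. Where the page publishes a CIDR it also verifies that the resolved addresses still fall inside it, flagging stale IP rules as CIDR_DRIFT. Wildcard entries cannot be probed and are reported as WILDCARD, meaning the policy must be FQDN/SNI-aware. The status names, the Destination/Result types and the injectable resolver and connector are this example's own conventions; the sample entry list reuses the US control-plane rows from the general table and should be replaced with the rows for your region.

```python
"""Egress pre-flight check for the destinations listed on this page.

Added example, not Cloudera tooling. Parses entries in the cell format the
tables above use, resolves each concrete host, and tries a TCP connect on the
listed port. Published CIDRs are checked against the resolved addresses so
that IP-based rules can be flagged as stale. The resolver and connector are
injectable so the logic can be exercised offline; the defaults use the network.
"""
import ipaddress
import socket
import sys
from dataclasses import dataclass, field
from typing import Callable, List
from urllib.parse import urlsplit


@dataclass
class Destination:
    pattern: str                 # hostname, or "*.suffix" exactly as listed
    port: int
    cidrs: List[ipaddress.IPv4Network] = field(default_factory=list)

    @property
    def is_wildcard(self) -> bool:
        return self.pattern.startswith("*.")


def parse_entry(entry: str, port: int) -> Destination:
    """One table cell, e.g. '*.v2.us-west-1.ccm.cdp.cloudera.com 35.80.24.128/27'
    or 'https://cloudera-dbus-prod.s3.amazonaws.com', to a Destination."""
    host, cidrs = None, []
    for tok in entry.split():
        try:
            cidrs.append(ipaddress.ip_network(tok, strict=False))
            continue
        except ValueError:
            pass                       # not a CIDR: a host, URL or host/path
        if "://" not in tok:
            tok = "//" + tok           # make urlsplit treat it as a netloc
        host = urlsplit(tok).hostname  # drops scheme, path and port, lowercases
    if host is None:
        raise ValueError(f"no hostname in entry: {entry!r}")
    return Destination(host, port, cidrs)


Resolver = Callable[[str], List[str]]
Connector = Callable[[str, int], bool]


def resolve_ipv4(host: str) -> List[str]:
    return sorted({ai[4][0] for ai in socket.getaddrinfo(host, None, socket.AF_INET)})


def tcp_connect(ip: str, port: int, timeout: float = 5.0) -> bool:
    try:
        with socket.create_connection((ip, port), timeout=timeout):
            return True
    except OSError:
        return False


@dataclass
class Result:
    pattern: str
    port: int
    status: str      # OK | BLOCKED | DNS_FAIL | CIDR_DRIFT | WILDCARD
    detail: str


def check(dest: Destination, resolver: Resolver = resolve_ipv4,
          connector: Connector = tcp_connect) -> Result:
    if dest.is_wildcard:
        note = "cannot be probed directly; needs an FQDN/SNI-aware egress policy"
        if dest.cidrs:
            note += "; published ranges: " + ", ".join(map(str, dest.cidrs))
        return Result(dest.pattern, dest.port, "WILDCARD", note)
    try:
        ips = resolver(dest.pattern)
    except OSError as exc:
        return Result(dest.pattern, dest.port, "DNS_FAIL", str(exc))
    if not ips:
        return Result(dest.pattern, dest.port, "DNS_FAIL", "no A records")
    if dest.cidrs:   # only meaningful where the page publishes static ranges
        outside = [ip for ip in ips
                   if not any(ipaddress.ip_address(ip) in net for net in dest.cidrs)]
        if outside:
            return Result(dest.pattern, dest.port, "CIDR_DRIFT",
                          f"{outside} outside published ranges; IP-based rules are stale")
    reachable = [ip for ip in ips if connector(ip, dest.port)]
    if not reachable:
        return Result(dest.pattern, dest.port, "BLOCKED",
                      f"no TCP connect to {ips} on port {dest.port}")
    return Result(dest.pattern, dest.port, "OK", f"reached {reachable}")


# Sample set: US control-plane rows from the general table, in cell format.
# CCMv1 uses TCP/6000-6049; only the first port of the range is probed here.
US_CONTROL_PLANE = [
    ("api.us-west-1.cdp.cloudera.com", 443),
    ("*.ccm.cdp.cloudera.com 44.234.52.96/27", 6000),
    ("*.v2.us-west-1.ccm.cdp.cloudera.com 35.80.24.128/27", 443),
    ("https://cloudera-dbus-prod.s3.amazonaws.com", 443),
    ("archive.cloudera.com", 443),
]


def run(entries=US_CONTROL_PLANE) -> List[Result]:
    return [check(parse_entry(cell, port)) for cell, port in entries]


if __name__ == "__main__":
    results = run()
    for r in results:
        print(f"{r.status:<11} {r.pattern}:{r.port}  {r.detail}")
    sys.exit(0 if all(r.status in ("OK", "WILDCARD") for r in results) else 1)
```

Run it from a VM in the subnet the Cloudera environment will use, not from a workstation, because that is where the NSG, route table and proxy settings actually apply. A successful TCP connect through a transparent proxy only proves the path is open; it says nothing about whether the proxy will let a mutually authenticated CCMv2 session or an SSH CCMv1 session through, which is why those rows should be exempted from interception rather than merely probed.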