Azure outbound network access destinations

If your outbound internet access is limited (for example, by a firewall or proxy), review this content to learn which outbound destinations must be reachable to register a CDP environment.

The following list includes general destinations as well as Azure-specific destinations.

General endpoints

Each entry below lists the table columns in order: Description/Usage, CDP service, Destination, Protocol and Authentication, IP Protocol/Port, Comments.

Cloudera CCMv1 (Persistent Control Plane connection)
  CDP service: All services
  Destination: *.ccm.cdp.cloudera.com (44.234.52.96/27)
  Protocol and Authentication: SSH public/private key authentication
  IP Protocol/Port: TCP/6000-6049
  Comments: One connection per cluster configured; persistent.

Cloudera CCMv2 (Persistent Control Plane connection)
  CDP service: All services
  Destination:
    US-based Control Plane: *.v2.us-west-1.ccm.cdp.cloudera.com (35.80.24.128/27, 35.166.86.177/32, 52.36.110.208/32, 52.40.165.49/32)
    EU-based Control Plane: *.v2.ccm.eu-1.cdp.cloudera.com (3.65.246.128/27)
    AP-based Control Plane: *.v2.ccm.ap-1.cdp.cloudera.com (3.26.127.64/27)
  Protocol and Authentication: HTTPS with mutual authentication
  IP Protocol/Port: TCP/443
  Comments: Multiple long-lived/persistent connections.

Cloudera Databus (Telemetry, billing and metering data)
  CDP service: All services
  Destination:
    US-based Control Plane: dbusapi.us-west-1.sigma.altus.cloudera.com, https://cloudera-dbus-prod.s3.amazonaws.com
    EU-based Control Plane: api.eu-1.cdp.cloudera.com, https://mow-prod-eu-central-1-sigmadbus-dbus.s3.eu-central-1.amazonaws.com, https://mow-prod-eu-central-1-sigmadbus-dbus.s3.amazonaws.com
    AP-based Control Plane: api.ap-1.cdp.cloudera.com, https://mow-prod-ap-southeast-2-sigmadbus-dbus.s3.ap-southeast-2.amazonaws.com, https://mow-prod-ap-southeast-2-sigmadbus-dbus.s3.amazonaws.com
  Protocol and Authentication: HTTPS with Cloudera-generated access key for dbus; HTTPS for S3
  IP Protocol/Port: TCP/443
  Comments: Sent at a regular interval for the telemetry, billing and metering services, and used for Cloudera Observability if enabled. Larger payloads are sent to a Cloudera-managed S3 bucket.

Cloudera Manager parcels (Software distribution)
  CDP service: All services
  Destination: archive.cloudera.com
  Protocol and Authentication: HTTPS
  IP Protocol/Port: TCP/443
  Comments: Cloudera’s public software repository. CDN-backed service; IP range not predictable.

Control Plane API
  CDP service: All services
  Destination:
    US-based Control Plane: api.us-west-1.cdp.cloudera.com
    EU-based Control Plane: api.eu-1.cdp.cloudera.com
    AP-based Control Plane: api.ap-1.cdp.cloudera.com
  Protocol and Authentication: HTTPS with Cloudera-generated access key
  IP Protocol/Port: TCP/443
  Comments: Cloudera’s control plane REST API.

RPMs (Cloudera RPMs for workload agents)
  CDP service: All services
  Destination: cloudera-service-delivery-cache.s3.amazonaws.com
  Protocol and Authentication: HTTPS
  IP Protocol/Port: TCP/443
  Comments: RPM packages for some workload components.

Docker Images (Software Distribution)
  CDP service: Data Engineering, Machine Learning
  Destination: container.repository.cloudera.com, docker.repository.cloudera.com
  Protocol and Authentication: HTTPS
  IP Protocol/Port: TCP/443
  Comments: Cloudera’s public docker registry. CDN-backed service; IP range not predictable.

Docker Images (Software Distribution)
  CDP service: Data Engineering, Data Warehouse, Machine Learning
  Destination: container.repo.cloudera.com, plus the following per control plane:
    US-based Control Plane: prod-us-west-2-starport-layer-bucket.s3.us-west-2.amazonaws.com, prod-us-west-2-starport-layer-bucket.s3.amazonaws.com, s3-r-w.us-west-2.amazonaws.com, *.execute-api.us-west-2.amazonaws.com
    EU-based Control Plane: prod-eu-west-1-starport-layer-bucket.s3.eu-west-1.amazonaws.com, prod-eu-west-1-starport-layer-bucket.s3.amazonaws.com, s3-r-w.eu-west-1.amazonaws.com, *.execute-api.eu-west-1.amazonaws.com
    AP-based Control Plane: prod-ap-southeast-1-starport-layer-bucket.s3.ap-southeast-1.amazonaws.com, prod-ap-southeast-1-starport-layer-bucket.s3.amazonaws.com, s3-r-w.ap-southeast-1.amazonaws.com, *.execute-api.ap-southeast-1.amazonaws.com
  Protocol and Authentication: HTTPS
  IP Protocol/Port: TCP/443
  Comments: Images have moved to container.repo.cloudera.com. container.repo.cloudera.com uses ECR, which requires the S3 URLs listed.

Docker Images (Software Distribution)
  CDP service: Data Warehouse
  Destination: auth.docker.io, cloudera-docker-dev.jfrog.io, docker-images-prod.s3.amazonaws.com, gcr.io, k8s.gcr.io, quay-registry.s3.amazonaws.com, quay.io, quayio-production-s3.s3.amazonaws.com, docker.io, production.cloudflare.docker.com, storage.googleapis.com
  Protocol and Authentication: HTTPS
  IP Protocol/Port: TCP/443
  Comments: All of these endpoints are required only for old/existing Data Warehouse environments.

Flow definitions (CDP AWS bucket with flow definitions)
  CDP service: DataFlow
  Destination:
    US-based Control Plane: *.s3.us-west-1.amazonaws.com
    EU-based Control Plane: *.s3.eu-central-1.amazonaws.com
    AP-based Control Plane: *.s3.ap-southeast-2.amazonaws.com
  Protocol and Authentication: HTTPS (one way); IAM authentication
  IP Protocol/Port: TCP/443
  Comments: Outbound internet access to S3 hosts is necessary on all cloud providers when using CDF, because the workload must query an S3 location to retrieve the flow definition when creating a deployment.

Public Signing Key Retrieval
  CDP service: Data Engineering, DataFlow
  Destination:
    US-based Control Plane: consoleauth.altus.cloudera.com, console.us-west-1.cdp.cloudera.com
    EU-based Control Plane: console.eu-1.cdp.cloudera.com
    AP-based Control Plane: console.ap-1.cdp.cloudera.com
  Protocol and Authentication: HTTPS
  IP Protocol/Port: TCP/443
  Comments: Required to allow authentication to a CDE Virtual Cluster using a CDP Access Key.

SQL Stream Builder PostgreSQL driver install
  CDP service: Data Hub: Streaming Analytics clusters
  Destination: pypi.org
  Protocol and Authentication: HTTPS
  IP Protocol/Port: TCP/443
  Comments: SQL Stream Builder depends on the python3 PostgreSQL driver. This is only required for Runtime versions 7.2.11, 7.2.12 and 7.2.13.

Control plane IAM API
  CDP service: Machine Learning
  Destination:
    US-based Control Plane: iamapi.us-west-1.altus.cloudera.com
    EU-based Control Plane: console.eu-1.cdp.cloudera.com
    AP-based Control Plane: console.ap-1.cdp.cloudera.com
  Protocol and Authentication: HTTPS
  IP Protocol/Port: TCP/443
  Comments: For connecting to the IAM API to fetch entitlement details.

AMPs (Applied ML Prototypes)
  CDP service: Machine Learning
  Destination: https://raw.githubusercontent.com, https://github.com
  Protocol and Authentication: HTTPS
  IP Protocol/Port: TCP/443
  Comments: Files for AMPs are hosted on GitHub.

Learning Hub
  CDP service: Machine Learning
  Destination: https://github.com/cloudera/learning-hub-content
  Protocol and Authentication: HTTPS
  IP Protocol/Port: TCP/443
  Comments: Access to Learning Hub in air-gapped environments.
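As an added example (not code from Cloudera's documentation or product), the following Python encodes a subset of the General endpoints table as egress rules and answers the question a firewall or proxy administrator actually has to answer: is this destination and port permitted for my control plane region? It also carries a live TCP probe to run from inside the restricted subnet. The rule subset, the region labels (us-west-1, eu-1, ap-1) used as keys, and the hosts in the sample run are assumptions for the example. The wildcard matching is anchored on a label boundary, so a lookalike such as evilccm.cdp.cloudera.com is not accepted by *.ccm.cdp.cloudera.com, and the CCMv1 rule can be matched either by name or by the published IP range, since port-range rules on many firewalls are address based.

```python
"""Added example: match a destination against the CDP egress rules listed above.

Not Cloudera code. RULES is a constructed subset of the General endpoints table;
region labels follow the control plane names used on the page."""
import ipaddress
import socket
from dataclasses import dataclass
from typing import Optional, Tuple


@dataclass(frozen=True)
class EgressRule:
    name: str
    ports: Tuple[int, int]          # inclusive port range, e.g. (6000, 6049)
    fqdns: Tuple[str, ...] = ()     # exact names or "*.suffix" wildcards
    cidrs: Tuple[str, ...] = ()     # published IP ranges, for address-based rules
    region: str = "all"             # "all", "us-west-1", "eu-1" or "ap-1"


# Constructed subset of the table above (hypothetical selection for the example).
RULES = (
    EgressRule("CCMv1", (6000, 6049), ("*.ccm.cdp.cloudera.com",), ("44.234.52.96/27",)),
    EgressRule("CCMv2", (443, 443), ("*.v2.us-west-1.ccm.cdp.cloudera.com",),
               ("35.80.24.128/27", "35.166.86.177/32", "52.36.110.208/32", "52.40.165.49/32"),
               "us-west-1"),
    EgressRule("CCMv2", (443, 443), ("*.v2.ccm.eu-1.cdp.cloudera.com",), ("3.65.246.128/27",), "eu-1"),
    EgressRule("CCMv2", (443, 443), ("*.v2.ccm.ap-1.cdp.cloudera.com",), ("3.26.127.64/27",), "ap-1"),
    EgressRule("Control Plane API", (443, 443), ("api.us-west-1.cdp.cloudera.com",), region="us-west-1"),
    EgressRule("Control Plane API", (443, 443), ("api.eu-1.cdp.cloudera.com",), region="eu-1"),
    EgressRule("Control Plane API", (443, 443), ("api.ap-1.cdp.cloudera.com",), region="ap-1"),
    EgressRule("Parcels", (443, 443), ("archive.cloudera.com",)),
)


def fqdn_matches(pattern: str, host: str) -> bool:
    """Exact match, or wildcard match anchored on a label boundary.

    "*.ccm.cdp.cloudera.com" matches "x.ccm.cdp.cloudera.com" and
    "a.b.ccm.cdp.cloudera.com", but neither the apex "ccm.cdp.cloudera.com"
    nor "evilccm.cdp.cloudera.com" (a bare endswith() would accept the latter)."""
    host = host.rstrip(".").lower()
    pattern = pattern.rstrip(".").lower()
    if pattern.startswith("*."):
        return host.endswith(pattern[1:])      # pattern[1:] keeps the leading dot
    return host == pattern


def ip_matches(cidrs: Tuple[str, ...], target: str) -> bool:
    """True if target is an IP literal inside one of the published ranges."""
    try:
        addr = ipaddress.ip_address(target)
    except ValueError:                          # a hostname, not an address
        return False
    return any(addr in ipaddress.ip_network(c) for c in cidrs)


def is_allowed(target: str, port: int, region: str = "us-west-1") -> Optional[str]:
    """Name of the first rule permitting target:port for this control plane
    region, or None if the connection would be blocked by the allowlist."""
    for rule in RULES:
        if rule.region not in ("all", region):
            continue
        low, high = rule.ports
        if not low <= port <= high:
            continue
        if any(fqdn_matches(p, target) for p in rule.fqdns) or ip_matches(rule.cidrs, target):
            return rule.name
    return None


def probe(host: str, port: int, timeout: float = 3.0) -> bool:
    """Live TCP connect check; run it from the restricted subnet. Needs network."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


if __name__ == "__main__":
    region = "eu-1"                              # assumption: EU control plane
    for host, port in (("api.eu-1.cdp.cloudera.com", 443), ("archive.cloudera.com", 443)):
        print(f"{host}:{port} rule={is_allowed(host, port, region)} reachable={probe(host, port)}")
```

A successful probe only proves a TCP handshake; a proxy that answers the connect and then blocks the TLS session still fails, so follow it with a TLS-level check from the same host. CDN-backed destinations (archive.cloudera.com, the container registries) cannot be pinned to IP ranges and have to be allowed by name.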

Azure-specific endpoints

Each entry below lists the table columns in order: Description/Usage, CDP service, Destination, Protocol and Authentication, IP Protocol/Port, Comments.

General Azure guidelines
  CDP service: All services
  Comments: See Safelist the Azure portal URLs on your firewall or proxy server for Azure egress best practices.

Azure Data Lake Storage Gen 2
  CDP service: All services
  Destination: <STORAGE-ACCOUNT-NAME>.dfs.core.windows.net
  Protocol and Authentication: HTTPS; Azure authentication
  IP Protocol/Port: TCP/443
  Comments: An Azure Storage VNet service endpoint (Microsoft.Storage) is required.

Azure Database for Postgres
  CDP service: All services
  Destination: *.postgres.database.azure.com
  Protocol and Authentication: JDBC / Postgres binary protocol
  IP Protocol/Port: TCP/5432
  Comments: An Azure SQL VNet service endpoint (Microsoft.Sql) is required.

ARM to manage User Assigned Managed Identities
  CDP service: All services
  Destination: management.azure.com
  Protocol and Authentication: HTTPS; Azure authentication
  IP Protocol/Port: TCP/443
  Comments: This can be allowed by using the AzureResourceManager Azure service tag. The IP ranges behind the tag are also available to download for allowlisting.

Microsoft Log Analytics
  CDP service: All services
  Destination: *.agentsvc.azure-automation.net, *.ods.opinsights.azure.com, *.oms.opinsights.azure.com, *.blob.core.windows.net
  Protocol and Authentication: HTTPS; Azure authentication
  IP Protocol/Port: TCP/443
  Comments: Optional, but may cause issues with Azure-approved images if blocked.

Azure Kubernetes Service (AKS)
  CDP service: Data Engineering, DataFlow, Data Warehouse, Machine Learning
  Comments: See Outbound network and FQDN rules for Azure Kubernetes Service (AKS) clusters.

Azure Database for MySQL
  CDP service: Data Engineering
  Destination: *.mysql.database.azure.com
  Protocol and Authentication: JDBC / MySQL binary protocol
  IP Protocol/Port: TCP/3306
  Comments: See Azure Database for MySQL.

Azure Files
  CDP service: Data Engineering
  Destination: *.file.core.windows.net
  Protocol and Authentication: SMB
  IP Protocol/Port: TCP/445
  Comments: See What is Azure Files?

Azure Files NFS
  CDP service: Machine Learning
  Destination: *.file.core.windows.net
  Protocol and Authentication: NFS
  IP Protocol/Port: TCP/2049
  Comments: See Create an NFS Azure file share.

DigiCert CA Certificate
  CDP service: Data Engineering, DataFlow
  Destination: www.digicert.com, cacerts.digicert.com
  Protocol and Authentication: HTTPS; Azure authentication
  IP Protocol/Port: TCP/443
  Comments: Fetches the TLS CA for the secure connection to Azure MySQL DB.
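As an added example (not Cloudera's or Microsoft's code), the following Python turns the Azure-specific rows above, together with the CCM rows they depend on, into the body of an Azure Firewall policy rule collection group (Microsoft.Network/firewallPolicies/ruleCollectionGroups) and lints it. HTTPS/443 destinations become application rules, which Azure Firewall matches on the TLS SNI or HTTP Host and which accept wildcard names; everything else becomes a network rule, whose destinationAddresses field accepts CIDRs and service tags but not wildcard FQDNs, so the Azure PaaS rows are expressed with the Sql and Storage service tags rather than *.postgres.database.azure.com and *.file.core.windows.net. The policy name, subnet range, storage account name, EU region choice and priorities are assumptions for the example.

```python
"""Added example: render the Azure-specific rows above (plus the CCM rows they
rely on) as an Azure Firewall policy rule collection group, then lint it.

Not Cloudera or Microsoft code. POLICY, SUBNET, STORAGE_ACCOUNT, the EU region
choice and the priorities are assumptions for the example."""
import json
from typing import Dict, List

POLICY = "cdp-fw-policy"          # assumption: existing firewall policy name
SUBNET = "10.10.0.0/16"           # assumption: CDP environment subnet range
STORAGE_ACCOUNT = "cdpdatalake"   # assumption: fills <STORAGE-ACCOUNT-NAME>

# HTTPS/443 destinations -> application rules (matched on SNI/Host by the firewall).
HTTPS_FQDNS = [
    ("ccm-v2-eu", ["*.v2.ccm.eu-1.cdp.cloudera.com"]),
    ("control-plane-eu", ["api.eu-1.cdp.cloudera.com", "console.eu-1.cdp.cloudera.com"]),
    ("parcels-and-images", ["archive.cloudera.com", "container.repo.cloudera.com"]),
    ("adls-gen2", [f"{STORAGE_ACCOUNT}.dfs.core.windows.net"]),
    ("log-analytics", ["*.agentsvc.azure-automation.net", "*.ods.opinsights.azure.com",
                       "*.oms.opinsights.azure.com", "*.blob.core.windows.net"]),
    ("digicert-ca", ["www.digicert.com", "cacerts.digicert.com"]),
]
# Non-HTTP traffic -> network rules. destinationAddresses takes CIDRs or service
# tags; wildcard FQDNs are not accepted here, so the Azure PaaS rows use tags.
NETWORK_RULES = [
    ("ccm-v1", ["44.234.52.96/27"], ["6000-6049"]),
    ("azure-postgres-mysql", ["Sql"], ["5432", "3306"]),
    ("azure-files-smb-nfs", ["Storage"], ["445", "2049"]),
    ("azure-resource-manager", ["AzureResourceManager"], ["443"]),
]


def _collection(name: str, priority: int, rules: List[Dict]) -> Dict:
    return {"ruleCollectionType": "FirewallPolicyFilterRuleCollection",
            "name": name, "priority": priority,
            "action": {"type": "Allow"}, "rules": rules}


def rule_collection_group(name: str = "cdp-egress", priority: int = 200) -> Dict:
    """Build the ARM resource body for Microsoft.Network/firewallPolicies/ruleCollectionGroups."""
    app_rules = [{"ruleType": "ApplicationRule", "name": n,
                  "sourceAddresses": [SUBNET],
                  "protocols": [{"protocolType": "Https", "port": 443}],
                  "targetFqdns": list(fqdns)}            # copy: callers may edit
                 for n, fqdns in HTTPS_FQDNS]
    net_rules = [{"ruleType": "NetworkRule", "name": n,
                  "ipProtocols": ["TCP"], "sourceAddresses": [SUBNET],
                  "destinationAddresses": list(dests), "destinationPorts": list(ports)}
                 for n, dests, ports in NETWORK_RULES]
    return {
        "type": "Microsoft.Network/firewallPolicies/ruleCollectionGroups",
        "apiVersion": "2023-05-01",
        "name": f"{POLICY}/{name}",
        "properties": {
            "priority": priority,
            "ruleCollections": [_collection(f"{name}-network", 100, net_rules),
                                _collection(f"{name}-application", 110, app_rules)],
        },
    }


def lint(group: Dict) -> List[str]:
    """Catch two mistakes that silently break egress: a wildcard FQDN in a
    network rule (not supported there) and an unfilled placeholder such as
    <STORAGE-ACCOUNT-NAME> left in an application rule's target list."""
    problems = []
    for coll in group["properties"]["ruleCollections"]:
        for rule in coll["rules"]:
            if rule["ruleType"] == "NetworkRule":
                for dest in rule["destinationAddresses"]:
                    if "*" in dest:
                        problems.append(f"{rule['name']}: wildcard {dest} in network rule")
            else:
                for fqdn in rule["targetFqdns"]:
                    if "<" in fqdn or ">" in fqdn:
                        problems.append(f"{rule['name']}: unfilled placeholder {fqdn}")
    return problems


if __name__ == "__main__":
    group = rule_collection_group()
    print(json.dumps(group, indent=2))
    print("lint:", lint(group) or "ok")
```

Two operational caveats apply whatever tool renders the rules. Azure Firewall evaluates network rule collections before application rule collections regardless of the priorities set here, and the Sql and Storage tags can be narrowed to regional variants if the subscription's policy requires it. More importantly, CCMv2 authenticates with mutual TLS: a firewall or proxy that performs TLS inspection terminates the session and cannot present the cluster's client certificate, so the *.v2.ccm.*.cdp.cloudera.com names must be exempted from inspection or the control plane tunnel never comes up. Where the Microsoft.Storage and Microsoft.Sql service endpoints from the table are configured on the subnet, traffic to those services follows the service endpoint route rather than the default route to the firewall, so the corresponding network rules only matter for subnets without them.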