GCP outbound network access destinations

If you have limited outbound internet access (for example due to using a firewall or proxy), review this content to learn which specific outbound destinations must be available in order to register a Cloudera environment.

We recommend hostname-based policies, as some of the destination services do not have static IP addresses. IP address details in CIDR notation are provided where static IPs are in use.

The following list includes general destinations as well as GCP-specific destinations.

General endpoints

| Description/Usage | Cloudera service | Destination | Protocol and Authentication | IP Protocol/Port | Comments |
|---|---|---|---|---|---|
| Control Plane API | All services | US-based Control Plane: api.us-west-1.cdp.cloudera.com; EU-based Control Plane: api.eu-1.cdp.cloudera.com; AP-based Control Plane: api.ap-1.cdp.cloudera.com | HTTPS with Cloudera-generated access key | TCP/443 | Cloudera Control Plane REST API. |
| Cloudera CCMv1: Persistent Control Plane connection | All services | *.ccm.cdp.cloudera.com; 44.234.52.96/27 | SSH public/private key authentication | TCP/6000-6049 | One connection per cluster configured; persistent |
| Cloudera CCMv2: Persistent Control Plane connection | All services | US-based Control Plane: *.v2.us-west-1.ccm.cdp.cloudera.com, 35.80.24.128/27; EU-based Control Plane: *.v2.ccm.eu-1.cdp.cloudera.com, 3.65.246.128/27; AP-based Control Plane: *.v2.ccm.ap-1.cdp.cloudera.com, 3.26.127.64/27 | HTTPS with mutual authentication | TCP/443 | Multiple long-lived/persistent connections |
| Cloudera Databus: Telemetry, billing and metering data | All services | US-based Control Plane: dbusapi.us-west-1.sigma.altus.cloudera.com, api.us-west-1.cdp.cloudera.com, https://cloudera-dbus-prod.s3.amazonaws.com; EU-based Control Plane: api.eu-1.cdp.cloudera.com, https://mow-prod-eu-central-1-sigmadbus-dbus.s3.eu-central-1.amazonaws.com, https://mow-prod-eu-central-1-sigmadbus-dbus.s3.amazonaws.com; AP-based Control Plane: api.ap-1.cdp.cloudera.com, https://mow-prod-ap-southeast-2-sigmadbus-dbus.s3.ap-southeast-2.amazonaws.com, https://mow-prod-ap-southeast-2-sigmadbus-dbus.s3.amazonaws.com | HTTPS with Cloudera-generated access key for dbus; HTTPS for S3 | TCP/443 | Regular interval for telemetry, billing, metering services, and used for Cloudera Observability if enabled. Larger payloads are sent to a Cloudera managed S3 bucket. |
| Cloudera Observability Metrics: System metrics collection | All services | US-based Control Plane: *.api.monitoring.us-west-1.cdp.cloudera.com; EU-based Control Plane: *.api.monitoring.eu-1.cdp.cloudera.com; AP-based Control Plane: *.api.monitoring.ap-1.cdp.cloudera.com | HTTPS | TCP/443 | New as of March 2024 |
| Cloudera Manager parcels: Software distribution | All services | archive.cloudera.com | HTTPS | TCP/443 | Cloudera's public software repository. CDN backed service; IP range not predictable. |
| RPMs: Cloudera RPMs for workload agents | All services | cloudera-service-delivery-cache.s3.amazonaws.com | HTTPS | TCP/443 | RPM packages for some workload components |

GCP-specific endpoints

| Description/Usage | Cloudera service | Destination | Protocol and Authentication | IP Protocol/Port | Comments |
|---|---|---|---|---|---|
| APIs | All services | storage.googleapis.com; iamcredentials.googleapis.com | HTTPS | TCP/443 | |

In addition to adding the listed destinations, you need to configure Private Service Connect. Private Service Connect lets you send traffic to Google APIs using a Private Service Connect endpoint that is private to your VPC network.

To configure Private Service Connect, refer to Configuring Private Service Connect.
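
The following added example (not Cloudera code) checks an egress allowlist against the destinations listed on this page for a US-based Control Plane using CCMv2. It assumes that a `*.x` rule matches any name below `x` but not `x` itself, and that a destination counts as allowed if either its hostname pattern or its published CIDR is covered; the function names and the sample allowlist are constructed for illustration.

```python
import ipaddress

# (hostname pattern, published CIDR or None), copied from this page's tables
# for a US-based Control Plane using CCMv2 on GCP.
REQUIRED_US = [
    ("api.us-west-1.cdp.cloudera.com", None),
    ("*.v2.us-west-1.ccm.cdp.cloudera.com", "35.80.24.128/27"),
    ("dbusapi.us-west-1.sigma.altus.cloudera.com", None),
    ("cloudera-dbus-prod.s3.amazonaws.com", None),
    ("*.api.monitoring.us-west-1.cdp.cloudera.com", None),
    ("archive.cloudera.com", None),
    ("cloudera-service-delivery-cache.s3.amazonaws.com", None),
    ("storage.googleapis.com", None),
    ("iamcredentials.googleapis.com", None),
]

def _net(entry):
    """Return an ip_network for a CIDR/IP entry, or None for a hostname."""
    try:
        return ipaddress.ip_network(entry, strict=False)
    except ValueError:
        return None

def host_covered(rule, host):
    """Assumed proxy semantics: '*.x' matches any name below x, not x itself."""
    rule, host = rule.lower().rstrip("."), host.lower().rstrip(".")
    if rule.startswith("*."):
        return host.endswith(rule[1:])   # also covers a narrower '*.y.x'
    return rule == host                  # an exact rule never covers a wildcard

def cidr_covered(rule_net, cidr):
    want = ipaddress.ip_network(cidr)
    return rule_net.version == want.version and want.subnet_of(rule_net)

def missing(required, allowlist):
    """Hostnames for which neither the pattern nor the published CIDR is allowed."""
    nets = [n for n in map(_net, allowlist) if n is not None]
    names = [r for r in allowlist if _net(r) is None]
    gaps = []
    for host, cidr in required:
        by_name = any(host_covered(r, host) for r in names)
        by_ip = cidr is not None and any(cidr_covered(n, cidr) for n in nets)
        if not (by_name or by_ip):
            gaps.append(host)
    return gaps

# Constructed sample allowlist, as an egress proxy export might look.
SAMPLE_ALLOWLIST = ["*.cdp.cloudera.com", "archive.cloudera.com", "35.80.24.0/24",
                    "*.googleapis.com", "cloudera-dbus-prod.s3.amazonaws.com"]
print("not allowed:", missing(REQUIRED_US, SAMPLE_ALLOWLIST))
```

With the sample allowlist, the Databus hostname under `sigma.altus.cloudera.com` and the RPM cache bucket are reported, because the broad `*.cdp.cloudera.com` rule does not reach either of them.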