GCP outbound network access destinations
If you have limited outbound internet access (for example due to using a firewall or proxy), review this content to learn which specific outbound destinations must be available in order to register a CDP environment.
The following list includes general destinations as well as GCP-specific destinations.
General endpoints
Description/Usage |
CDP service |
Destination |
Protocol and Authentication |
IP Protocol/Port |
Comments |
---|---|---|---|---|---|
Cloudera CCMv1 Persistent Control Plane connection |
All services |
*.ccm.cdp.cloudera.com 44.234.52.96/27 |
SSH public/private key authentication |
TCP/6000-6049 |
One connection per cluster configured; persistent |
Cloudera CCMv2 Persistent Control Plane connection |
All services |
US-based Control Plane: *.v2.us-west-1.ccm.cdp.cloudera.com 35.80.24.128/27 35.166.86.177/32 52.36.110.208/32 52.40.165.49/32 EU-based Control Plane: *.v2.ccm.eu-1.cdp.cloudera.com 3.65.246.128/27 AP-based Control Plane: *.v2.ccm.ap-1.cdp.cloudera.com 3.26.127.64/27 |
HTTPS with mutual authentication |
TCP/443 |
Multiple long-lived/persistent connections |
Cloudera Databus Telemetry, billing and metering data |
All services |
US-based Control Plane: dbusapi.us-west-1.sigma.altus.cloudera.com https://cloudera-dbus-prod.s3.amazonaws.com EU-based Control Plane: api.eu-1.cdp.cloudera.com https://mow-prod-eu-central-1-sigmadbus-dbus.s3.eu-central-1.amazonaws.com https://mow-prod-eu-central-1-sigmadbus-dbus.s3.amazonaws.com AP-based Control Plane:api.ap-1.cdp.cloudera.com https://mow-prod-ap-southeast-2-sigmadbus-dbus.s3.ap-southeast-2.amazonaws.com https://mow-prod-ap-southeast-2-sigmadbus-dbus.s3.amazonaws.com |
HTTPS with Cloudera-generated access key for dbus HTTPS for S3 |
TCP/443 |
Regular interval for telemetry, billing, metering services, and used for Cloudera Observability if enabled. Larger payloads are sent to a Cloudera managed S3 bucket. |
Cloudera Manager parcels Software distribution |
All services | archive.cloudera.com |
HTTPS |
TCP/443 |
Cloudera’s public software repository. CDN backed service; IP range not predictable. |
Control Plane API |
All services | US-based Control Plane: api.us-west-1.cdp.cloudera.com EU-based Control Plane: api.eu-1.cdp.cloudera.comAP-based Control Plane: api.ap-1.cdp.cloudera.com |
HTTPS with Cloudera-generated access key |
TCP/443 |
Cloudera’s control plane REST API. |
RPMs
Cloudera RPMs for workload agents |
All services | cloudera-service-delivery-cache.s3.amazonaws.com | HTTPS | TPC/443 | RPM packages for some workload components |
Flow definitions CDP AWS bucket with flow definitions |
DataFlow |
US-based Control Plane: *.s3.us-west-1.amazonaws.com EU-based Control Plane: *.s3.eu-central-1.amazonaws.com AP-based Control Plane: *.s3.ap-southeast-2.amazonaws.com |
HTTPS (one way) IAM authentication |
TCP/443 |
Outbound internet access to S3 hosts is necessary on all cloud providers when using CDF as the workload needs to query outbound to an S3 location to retrieve the flow definition when creating a deployment. |
SQL Stream Builder PostgreSQL driver install |
Data Hub: Streaming Analytics clusters |
pypi.org |
HTTPS |
TCP/443 |
SQL Stream Builder depends on the python3 PostgreSQL driver. This is only required for Runtime versions 7.2.11, 7.2.12 and 7.2.13. |
Control plane IAM API |
Machine learning |
US-based Control Plane: iamapi.us-west-1.altus.cloudera.com EU-based Control Plane: console.eu-1.cdp.cloudera.com AP-based Control Plane: console.ap-1.cdp.cloudera.com |
HTTPS |
TCP/443 |
For connecting to the IAMAPI for fetching the entitlement details. |
Learning Hub |
Machine Learning |
https://github.com/cloudera/learning-hub-content |
HTTPS |
TCP/443 |
Access Learning Hub in air-gapped environments |
GCP-specific endpoints
Description/Usage |
CDP service |
Destination |
Protocol and Authentication |
IP Protocol/Port |
Comments |
---|---|---|---|---|---|
APIs |
All services |
storage.googleapis.com iamcredentials.googleapis.com |
HTTPS |
TCP/443 |
In addition to adding the listed destinations, you need to configure Private Service Connect. Private Service Connect lets you send traffic to Google APIs using a Private Service Connect endpoint that is private to your VPC network. To configure Private Service Connect, refer to Configuring Private Service Connect. |