Outbound network access destinations for AWS

If you have limited outbound internet access (for example due to using a firewall or proxy), review this content to learn which specific outbound destinations must be available in order to register a CDP environment.

The following list includes general destinations as well as AWS-specific destinations:

| Description/Usage | CDP service | Destination | Protocol and Authentication | IP Protocol/Port | Comments |
|---|---|---|---|---|---|
| Cloudera CCM<br>Persistent Control Plane connection | All services | IP: 44.234.52.96/27<br>Hostname pattern: *.ccm.cdp.cloudera.com | SSH public/private key authentication | TCP/6000-6049 | One connection per cluster configured; persistent. |
| Cloudera Databus<br>Telemetry, billing and metering data | All services | dbusapi.us-west-1.altus.cloudera.com<br>dbusapi.us-west-1.sigma.altus.cloudera.com | HTTPS with Cloudera-generated access key | TCP/443 | Contacted at a regular interval for telemetry, billing and metering services; also used by Workload Manager if enabled. |
| Control Plane API | DataFlow, Machine Learning, Data Engineering | api.us-west-1.cdp.cloudera.com | HTTPS with Cloudera-generated access key | TCP/443 | Cloudera's control plane REST API. |
| Cloudera Manager parcels<br>Software distribution | Data Hub, Data Lake, Operational Database, Data Engineering | archive.cloudera.com | HTTPS | TCP/443 | Cloudera's public software repository. CDN-backed service; IP range not predictable. |
| Docker images<br>Software distribution | Data Engineering, DataFlow, Machine Learning | container.repository.cloudera.com<br>docker.repository.cloudera.com | HTTPS | TCP/443 | Cloudera's public Docker registry. CDN-backed service; IP range not predictable. |
| Docker images<br>Software distribution | DataFlow, Data Warehouse, Data Engineering | container.repo.cloudera.com<br>*.s3.<region>.amazonaws.com<br>s3-r-w.<region>.amazonaws.com<br>*.execute-api.<region>.amazonaws.com<br>Additionally, the following are required only for old/existing DW environments:<br>auth.docker.io*<br>cloudera-docker-dev.jfrog.io*<br>docker-images-prod.s3.amazonaws.com*<br>gcr.io*<br>k8s.gcr.io*<br>quay-registry.s3.amazonaws.com*<br>quay.io*<br>quayio-production-s3.s3.amazonaws.com*<br>docker.io*<br>production.cloudflare.docker.com*<br>storage.googleapis.com* | HTTPS | TCP/443 | Moved to container.repo.cloudera.com.<br>container.repo.cloudera.com uses ECR, which requires the S3 URLs. |
| Network Time Protocol synchronization | DataFlow | [0-3].pool.ntp.org | Network Time Protocol | UDP/123 | Container services require access to Network Time Protocol servers in order to keep date and time synchronized. |
| AWS STS | Data Lake | sts.amazonaws.com<br>sts.*.amazonaws.com | HTTPS (one way)<br>IAM authentication | TCP/443 | Can be made internal with VPC endpoints; requires CDP 7.1.1+. |
| AWS S3 | Data Engineering, DataFlow, Data Hub, Data Lake, Data Warehouse, Machine Learning, Operational Database | *.s3.amazonaws.com<br>*.s3.*.amazonaws.com<br>s3.amazonaws.com | HTTPS (one way)<br>IAM authentication | TCP/443 | Can be made internal with VPC endpoints. |
| AWS DynamoDB | Data Engineering, DataFlow, Data Hub, Data Lake, Data Warehouse, Machine Learning, Operational Database | dynamodb.*.amazonaws.com | HTTPS (one way)<br>IAM authentication | TCP/443 | Can be made internal with VPC endpoints. |
| AWS RDS | Data Engineering, DataFlow, Data Hub, Data Lake | *.*.rds.amazonaws.com | JDBC / Postgres binary protocol / MySQL | TCP/5432 / 3306 | VPC internal.<br>Only Data Engineering uses MySQL and requires port 3306 to be open. |
| AWS ECR | DataFlow, Data Warehouse, Machine Learning | api.ecr.*.amazonaws.com<br>*.dkr.ecr.*.amazonaws.com | HTTPS (one way)<br>IAM authentication | TCP/443 | Can be made internal with VPC endpoints. |
| AWS EC2 | DataFlow, Data Warehouse, Machine Learning, Operational Database | ec2.*.amazonaws.com | HTTPS (one way)<br>IAM authentication | TCP/443 | Can be made internal with VPC endpoints. |
| AWS EKS | Data Engineering, DataFlow, Data Warehouse, Machine Learning | eks.*.amazonaws.com | HTTPS (one way)<br>IAM authentication | TCP/443 | AWS does not support EKS VPC endpoints at this time. |
| AWS CloudFormation | DataFlow, Data Warehouse, Machine Learning | cloudformation.*.amazonaws.com | HTTPS (one way)<br>IAM authentication | TCP/443 | Can be made internal with VPC endpoints. |
| AWS Autoscaling | Data Engineering, Data Warehouse, Machine Learning | autoscaling.*.amazonaws.com | HTTPS (one way)<br>IAM authentication | TCP/443 | Can be made internal with VPC endpoints. |
| AWS EFS | Data Engineering, Data Warehouse, Machine Learning | elasticfilesystem.*.amazonaws.com | HTTPS (one way)<br>IAM authentication | TCP/443 | Can be made internal with VPC endpoints. |
| AWS EKS k8s cluster API | Data Warehouse | UNIQUEID.*.eks.amazonaws.com | HTTPS (one way)<br>IAM authentication | TCP/443 | Optional for new clusters. |
| AWS ELB | Data Engineering, DataFlow, Data Warehouse | elasticloadbalancing.*.amazonaws.com | HTTPS (one way)<br>IAM authentication | TCP/443 | Can be made internal with VPC endpoints. |
| AWS RDS API | Data Warehouse | rds.*.amazonaws.com | HTTPS (one way)<br>IAM authentication | TCP/443 | AWS does not support RDS API VPC endpoints at this time. This requirement is under further evaluation.<br>Data Warehouse uses Amazon RDS for PostgreSQL. |
| AWS Service Quotas | Data Warehouse | servicequotas.*.amazonaws.com | HTTPS (one way)<br>IAM authentication | TCP/443 | AWS does not support Service Quotas via VPC endpoints. Used to check limits and warn before they are reached. |
| AWS Price List Service | Data Warehouse | pricing.*.amazonaws.com | HTTPS (one way)<br>IAM authentication | TCP/443 | AWS Price List Service uses us-east-1 or ap-south-1 as the region. |
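As an added example (not Cloudera's own tooling), the following Python turns a constructed subset of the table above into an offline egress-allowlist check, so a firewall or proxy reviewer can test whether a candidate destination and port is covered by a documented rule before opening it. The rule tuple layout and the wildcard semantics (`*` as one or more DNS labels, `<region>` as one label, `[0-3]` as a character range) are assumptions, since the page gives no formal grammar for its patterns.

```python
import ipaddress
import re

_TOKEN = re.compile(r"\*|<region>|\[[^\]]*\]|.")  # tokens of a table host pattern

# Constructed subset of the page's rules: (host pattern or CIDR, protocol, port range).
EGRESS_RULES = [
    ("44.234.52.96/27", "tcp", (6000, 6049)),             # Cloudera CCM, by IP
    ("*.ccm.cdp.cloudera.com", "tcp", (6000, 6049)),      # Cloudera CCM, by hostname
    ("dbusapi.us-west-1.altus.cloudera.com", "tcp", (443, 443)),
    ("archive.cloudera.com", "tcp", (443, 443)),
    ("*.s3.<region>.amazonaws.com", "tcp", (443, 443)),
    ("sts.*.amazonaws.com", "tcp", (443, 443)),
    ("*.dkr.ecr.*.amazonaws.com", "tcp", (443, 443)),
    ("*.*.rds.amazonaws.com", "tcp", (5432, 5432)),
    ("[0-3].pool.ntp.org", "udp", (123, 123)),
]


def pattern_to_regex(pattern: str) -> re.Pattern:
    """Anchored, case-insensitive regex for a table host pattern (assumed semantics:
    '*' = one or more DNS labels, '<region>' = one label, '[0-3]' kept as a range)."""
    def tok(m: re.Match) -> str:
        t = m.group()
        if t == "*":
            return r"[^.]+(?:\.[^.]+)*"   # one or more labels
        if t == "<region>":
            return r"[^.]+"               # exactly one label, e.g. us-west-1
        return t if t.startswith("[") else re.escape(t)
    return re.compile("^" + _TOKEN.sub(tok, pattern) + "$", re.IGNORECASE)


def is_allowed(dest: str, port: int, proto: str = "tcp") -> bool:
    """True if dest (hostname or IP literal) on proto/port is covered by some rule.
    Anchoring means archive.cloudera.com.evil.example does not match archive.cloudera.com."""
    dest = dest.rstrip(".").lower()
    for pattern, rule_proto, (lo, hi) in EGRESS_RULES:
        if rule_proto != proto or not lo <= port <= hi:
            continue
        if "/" in pattern:  # CIDR rule: only an IP literal can match it
            try:
                if ipaddress.ip_address(dest) in ipaddress.ip_network(pattern):
                    return True
            except ValueError:
                pass  # dest is a hostname, not an address
        elif pattern_to_regex(pattern).match(dest):
            return True
    return False
```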