Outbound network access destinations for GCP

If you have limited outbound internet access (for example due to using a firewall or proxy), review this content to learn which specific outbound destinations must be available in order to register a CDP environment.

The following list includes general destinations as well as GCP-specific destinations:

| Description/Usage | CDP service | Destination | Protocol and Authentication | IP Protocol/Port | Comments |
|---|---|---|---|---|---|
| Cloudera CCM (Persistent Control Plane connection) | All services | IP: `44.234.52.96/27`, Ports: 6000-6049, Hostname pattern: `*.ccm.cdp.cloudera.com` | SSH public/private key authentication | TCP/6000-6049 | One connection per cluster configured; persistent. |
| Cloudera Databus (Telemetry, billing and metering data) | All services | `dbusapi.us-west-1.altus.cloudera.com`, `dbusapi.us-west-1.sigma.altus.cloudera.com` | HTTPS with Cloudera-generated access key | TCP/443 | Regular interval for telemetry, billing, metering services, and used for Workload Manager if enabled. |
| Control Plane API | DataFlow, Machine Learning, Data Engineering | `api.us-west-1.cdp.cloudera.com` | HTTPS with Cloudera-generated access key | TCP/443 | Cloudera’s control plane REST API. |
| Cloudera Manager parcels (Software distribution) | Data Hub, Data Lake, Operational Database, Data Engineering | `archive.cloudera.com` | HTTPS | TCP/443 | Cloudera’s public software repository. CDN backed service; IP range not predictable. |
| Docker Images (Software Distribution) | Data Engineering, DataFlow, Machine Learning | `container.repository.cloudera.com`, `docker.repository.cloudera.com` | HTTPS | TCP/443 | Cloudera’s public docker registry. CDN backed service; IP range not predictable. |
| Docker Images (Software Distribution) | DataFlow, Data Warehouse, Data Engineering | `container.repo.cloudera.com`, `*.s3.<region>.amazonaws.com`, `s3-r-w.<region>.amazonaws.com`, `*.execute-api.<region>.amazonaws.com`. Additionally, the following are required only for old/existing DW environments: `auth.docker.io*`, `cloudera-docker-dev.jfrog.io*`, `docker-images-prod.s3.amazonaws.com*`, `gcr.io*`, `k8s.gcr.io*`, `quay-registry.s3.amazonaws.com*`, `quay.io*`, `quayio-production-s3.s3.amazonaws.com*`, `docker.io*`, `production.cloudflare.docker.com*`, `storage.googleapis.com*` | HTTPS | TCP/443 | Moved to container.repo.cloudera.com. container.repo.cloudera.com uses ECR which requires S3 URLs. |
| Network Time Protocol Synchronization | DataFlow | `[0-3].pool.ntp.org` | Network Time Protocol | UDP/123 | Container services require access to Network Time Protocol servers in order to maintain synchronization of date and time status. |
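
An added example, not part of Cloudera's documentation: a Python check that takes firewall deny records and reports which ones hit a destination listed above, covering the CCM CIDR and port range, the wildcard hostnames, and the `[0-3]` NTP pattern. The region `us-west-2`, the function names and the sample records are assumptions constructed for illustration; the destinations marked as needed only for old/existing DW environments are left out.

```python
import ipaddress
from fnmatch import fnmatchcase

# Transcribed from the destinations listed above; "<region>" is filled in at match time.
HTTPS = ["dbusapi.us-west-1.altus.cloudera.com", "dbusapi.us-west-1.sigma.altus.cloudera.com",
         "api.us-west-1.cdp.cloudera.com", "archive.cloudera.com",
         "container.repository.cloudera.com", "docker.repository.cloudera.com",
         "container.repo.cloudera.com", "*.s3.<region>.amazonaws.com",
         "s3-r-w.<region>.amazonaws.com", "*.execute-api.<region>.amazonaws.com"]
# Each rule: (destination pattern or CIDR, protocol, lowest port, highest port)
RULES = [("*.ccm.cdp.cloudera.com", "tcp", 6000, 6049), ("44.234.52.96/27", "tcp", 6000, 6049),
         ("[0-3].pool.ntp.org", "udp", 123, 123)] + [(h, "tcp", 443, 443) for h in HTTPS]

def required_rule(dest, proto, port, region):
    """Return the listed pattern that covers this flow, or None if it is not required."""
    dest = dest.lower().rstrip(".")
    try:
        addr = ipaddress.ip_address(dest)
    except ValueError:
        addr = None  # destination is a hostname, not an IP literal
    for pattern, rule_proto, low, high in RULES:
        if proto.lower() != rule_proto or not low <= port <= high:
            continue
        if "/" in pattern:  # CIDR rule applies to IP destinations only
            if addr is not None and addr in ipaddress.ip_network(pattern):
                return pattern
        elif addr is None and fnmatchcase(dest, pattern.replace("<region>", region)):
            return pattern
    return None

def blocked_required(denies, region):
    """Keep only the deny records that would break a required CDP destination."""
    hits = []
    for dest, proto, port in denies:
        rule = required_rule(dest, proto, port, region)
        if rule:
            hits.append((dest, proto, port, rule))
    return hits

# Constructed sample deny records (destination, protocol, port); not real log data.
SAMPLE_DENIES = [("44.234.52.100", "tcp", 6010), ("44.234.52.130", "tcp", 6010),
                 ("abc123.ccm.cdp.cloudera.com", "tcp", 6050),
                 ("bucket1.s3.us-west-2.amazonaws.com", "tcp", 443),
                 ("2.pool.ntp.org", "udp", 123), ("4.pool.ntp.org", "udp", 123),
                 ("archive.cloudera.com", "tcp", 80)]

if __name__ == "__main__":
    for hit in blocked_required(SAMPLE_DENIES, "us-west-2"):
        print(hit)
```
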