Outbound network access destinations for GCP

If you have limited outbound internet access (for example, because of a firewall or proxy), review this content to learn which specific outbound destinations must be available to register a CDP environment.

The following list includes general destinations as well as GCP-specific destinations:

| Description/Usage | CDP service | Destination | Protocol and Authentication | IP Protocol/Port | Comments |
|---|---|---|---|---|---|
| Cloudera CCM: Persistent Control Plane connection | All services | IP: 44.234.52.96/27; Hostname pattern: *.ccm.cdp.cloudera.com | SSH public/private key authentication | TCP/6000-6049 | One connection per cluster configured; persistent. |
| Cloudera Databus: Telemetry, billing and metering data | All services | dbusapi.us-west-1.sigma.altus.cloudera.com; *.s3.amazonaws.com | HTTPS with Cloudera-generated access key for dbus; HTTPS for S3 | TCP/443 | Regular interval for telemetry, billing, metering services, and used for Workload Manager if enabled. Larger payloads are sent to a Cloudera managed S3 bucket. |
| Cloudera Manager parcels: Software distribution | Data Hub; Data Lake | archive.cloudera.com | HTTPS | TCP/443 | Cloudera’s public software repository. CDN backed service; IP range not predictable. |
| APIs | All services | storage.googleapis.com; iamcredentials.googleapis.com | HTTPS | TCP/443 | In addition to adding the listed destinations, you need to configure Private Service Connect. Private Service Connect lets you send traffic to Google APIs using a Private Service Connect endpoint that is private to your VPC network. |

To configure Private Service Connect, refer to Configuring Private Service Connect.
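One way to audit an existing egress allowlist against the destinations in the table above. This is an added example, not Cloudera tooling: the `(destination, first port, last port)` rule format, the function names and the sample allowlist are assumptions made for illustration, and a wildcard is assumed to match any number of subdomain levels.

```python
import ipaddress
from fnmatch import fnmatchcase

# Required egress from the table above: (usage, destination, first port, last port)
REQUIRED = [
    ("Cloudera CCM", "44.234.52.96/27", 6000, 6049),
    ("Cloudera CCM", "*.ccm.cdp.cloudera.com", 6000, 6049),
    ("Cloudera Databus", "dbusapi.us-west-1.sigma.altus.cloudera.com", 443, 443),
    ("Cloudera Databus", "*.s3.amazonaws.com", 443, 443),
    ("Cloudera Manager parcels", "archive.cloudera.com", 443, 443),
    ("APIs", "storage.googleapis.com", 443, 443),
    ("APIs", "iamcredentials.googleapis.com", 443, 443),
]

def _network(dest):
    """Parse a CIDR destination; return None for hostnames and patterns."""
    try:
        return ipaddress.ip_network(dest, strict=False)
    except ValueError:
        return None

def dest_covered(required, allowed):
    """True if one allowed destination covers the whole required one.
    A CIDR requirement is only covered by an enclosing CIDR rule."""
    req_net, allow_net = _network(required), _network(allowed)
    if req_net is not None or allow_net is not None:
        return (req_net is not None and allow_net is not None
                and req_net.version == allow_net.version and req_net.subnet_of(allow_net))
    required, allowed = required.lower(), allowed.lower()
    if required.startswith("*."):
        # A wildcard requirement needs an equal or broader wildcard rule.
        return allowed.startswith("*.") and required[1:].endswith(allowed[1:])
    return fnmatchcase(required, allowed)

def missing_egress(allowlist):
    """Return required entries that no single (dest, lo, hi) rule fully covers."""
    missing = []
    for usage, dest, lo, hi in REQUIRED:
        if not any(dest_covered(dest, a) and a_lo <= lo and hi <= a_hi
                   for a, a_lo, a_hi in allowlist):
            missing.append((usage, dest, f"TCP/{lo}" if lo == hi else f"TCP/{lo}-{hi}"))
    return missing

# Constructed sample allowlist (not from the page), with three deliberate gaps.
SAMPLE_ALLOWLIST = [
    ("44.234.52.96/27", 6000, 6049),
    ("*.ccm.cdp.cloudera.com", 6000, 6040),  # port range too narrow
    ("*.cloudera.com", 443, 443),
    ("s3.amazonaws.com", 443, 443),          # bare host, not the wildcard
    ("storage.googleapis.com", 443, 443),
]
```

Calling `missing_egress(SAMPLE_ALLOWLIST)` reports the CCM hostname pattern (port range cut short), `*.s3.amazonaws.com` and `iamcredentials.googleapis.com` as uncovered.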