Configuring a Firewall for Workload XM

Workload XM is a cloud service which runs on Amazon Web Services (AWS). The Telemetry Publisher service, which was introduced in Cloudera Manager version 5.15.1, collects metrics from various components in a CDH cluster and securely sends these metrics by way of Transport Layer Security (HTTPS) over the internet to the Workload XM service as shown in the following illustration.



To connect an on-premises CDH cluster to communicate with Workload XM, you must configure your firewall using the following information.

The Cloudera Telemetry Publisher service makes outbound connections to two endpoints to communicate with Workload XM as follows:

  • Endpoint #1:

    https://dbusapi.us-west-1.sigma.altus.cloudera.com

    This endpoint maps to a dynamic IP address in AWS us west-1.

    AWS us west-1 IP address ranges are documented here.

  • Endpoint #2:

    https://cloudera-dbus-prod.s3.amazonaws.com

    This endpoint also maps to a dynamic IP address in AWS us west-1. See the above link for the IP address ranges that are documented on the AWS web site.

Starting with Cloudera Manager version 5.16.0, you can also configure an HTTP proxy between Telemetry Publisher and Workload XM. In this configuration, the proxy acts as an HTTP tunnel for the encrypted TLS communication between Telemetry Publisher and Workload XM. See Configuring Telemetry Publisher to Use a Proxy Server for details.