Configuring a Firewall for Workload XM

Workload XM is a cloud service which runs on Amazon Web Services (AWS). The Telemetry Publisher service, which was introduced in Cloudera Manager version 5.15.1, collects metrics from various components in a CDH cluster and securely sends these metrics by way of Transport Layer Security (HTTPS) over the internet to the Workload XM service as shown in the following illustration.

To connect an on-premises CDH cluster to communicate with Workload XM, you must configure your firewall using the following information.

The Cloudera Telemetry Publisher service makes outbound connections to two endpoints to communicate with Workload XM as follows:

  • Endpoint #1 (EC2 service):
  • Endpoint #2 (S3 service):

The endpoints listed above map to a dynamic IP address in AWS us-west-2. See for the IP address ranges that are documented on the AWS website.

Starting with Cloudera Manager version 5.16.0, you can also configure an HTTP proxy between Telemetry Publisher and Workload XM. In this configuration, the proxy acts as an HTTP tunnel for the encrypted TLS communication between Telemetry Publisher and Workload XM. See Configuring Telemetry Publisher to Use a Proxy Server for details.