Outbound network access destinations
Review this section to learn which outbound destinations must be reachable in order to register a CDP environment when outbound network access is limited.
If your outbound internet access is limited (for example by a firewall or proxy), use the tables in this document to build the egress allow list that registering a CDP environment requires. Destinations are given as hostnames or hostname patterns (a CDN-backed service has no stable IP range and can only be allowed by name), plus one fixed IP range for the control plane tunnel. This document lists:
- General endpoints applicable to all CDP environments
- AWS-specific endpoints
- Azure-specific endpoints
General endpoints
Description/Usage | CDP service | Destination | Protocol and Authentication | IP Protocol/Port | Comments |
---|---|---|---|---|---|
Cloudera CCM (persistent control plane connection) | All services | IP range 44.234.52.96/27, ports 6000-6049; hostname pattern *.ccm.cdp.cloudera.com | SSH public/private key authentication | TCP/6000-6049 | One persistent connection per cluster configured. |
Cloudera Databus (telemetry, billing and metering data) | All services | dbusapi.us-west-1.altus.cloudera.com, dbusapi.us-west-1.sigma.altus.cloudera.com | HTTPS with Cloudera-generated access key | TCP/443 | Contacted at regular intervals for telemetry, billing and metering, and by Workload Manager if enabled. |
Control Plane API | Machine Learning | api.us-west-1.cdp.cloudera.com | HTTPS with Cloudera-generated access key | TCP/443 | Cloudera's control plane REST API. |
Cloudera Manager parcels (software distribution) | Data Lake, Data Hub, Operational Database | archive.cloudera.com | HTTPS | TCP/443 | Cloudera's public software repository. CDN-backed service; the IP range is not predictable, so it must be allowed by hostname rather than by IP. |
Docker images (software distribution) | Data Engineering, Machine Learning | container.repository.cloudera.com, docker.repository.cloudera.com | HTTPS | TCP/443 | Cloudera's public Docker registry. CDN-backed service; the IP range is not predictable, so it must be allowed by hostname rather than by IP. |
Docker images (software distribution) | Data Warehouse | container.repo.cloudera.com, *.s3.<region>.amazonaws.com, s3-r-w.<region>.amazonaws.com, *.execute-api.<region>.amazonaws.com. Required only for old/existing Data Warehouse environments: auth.docker.io, cloudera-docker-dev.jfrog.io, docker-images-prod.s3.amazonaws.com, gcr.io, k8s.gcr.io, quay-registry.s3.amazonaws.com, quay.io, quayio-production-s3.s3.amazonaws.com, docker.io, production.cloudflare.docker.com, storage.googleapis.com | HTTPS | TCP/443 | Image distribution has moved to container.repo.cloudera.com, which is backed by Amazon ECR and therefore also requires the S3 URLs. |
AWS specific endpoints
Description/Usage | CDP service | Destination | Protocol and Authentication | IP Protocol/Port | Comments |
---|---|---|---|---|---|
AWS STS | Data Lake | sts.amazonaws.com, sts.*.amazonaws.com | HTTPS (one way), IAM authentication | TCP/443 | Can be made internal with VPC endpoints, but only on CDP 7.1.1 or later. |
AWS S3 | Data Lake, Data Hub, Data Engineering, Data Warehouse, Machine Learning, Operational Database | *.s3.amazonaws.com, *.s3.*.amazonaws.com, s3.amazonaws.com | HTTPS (one way), IAM authentication | TCP/443 | Can be made internal with VPC endpoints. |
AWS DynamoDB | Data Lake, Data Hub, Data Engineering, Data Warehouse, Machine Learning, Operational Database | dynamodb.*.amazonaws.com | HTTPS (one way), IAM authentication | TCP/443 | Can be made internal with VPC endpoints. |
AWS RDS | Data Lake, Data Hub, Data Engineering | *.*.rds.amazonaws.com | JDBC (PostgreSQL binary protocol / MySQL) | TCP/5432 (PostgreSQL), TCP/3306 (MySQL) | VPC-internal. Only Data Engineering uses MySQL and therefore needs port 3306 open. |
AWS ECR | Data Warehouse, Machine Learning | api.ecr.*.amazonaws.com, *.dkr.ecr.*.amazonaws.com | HTTPS (one way), IAM authentication | TCP/443 | Can be made internal with VPC endpoints. |
AWS EC2 | Data Warehouse, Machine Learning, Operational Database | ec2.*.amazonaws.com | HTTPS (one way), IAM authentication | TCP/443 | Can be made internal with VPC endpoints. |
AWS EKS | Data Engineering, Data Warehouse, Machine Learning | eks.*.amazonaws.com | HTTPS (one way), IAM authentication | TCP/443 | AWS does not support EKS VPC endpoints at this time. |
AWS CloudFormation | Data Warehouse, Machine Learning | cloudformation.*.amazonaws.com | HTTPS (one way), IAM authentication | TCP/443 | Can be made internal with VPC endpoints. |
AWS Auto Scaling | Data Engineering, Data Warehouse, Machine Learning | autoscaling.*.amazonaws.com | HTTPS (one way), IAM authentication | TCP/443 | Can be made internal with VPC endpoints. |
AWS EFS | Data Engineering, Data Warehouse, Machine Learning | elasticfilesystem.*.amazonaws.com | HTTPS (one way), IAM authentication | TCP/443 | Can be made internal with VPC endpoints. |
AWS EKS Kubernetes cluster API | Data Warehouse | UNIQUEID.*.eks.amazonaws.com | HTTPS (one way), IAM authentication | TCP/443 | Optional for new clusters. |
AWS ELB | Data Engineering, Data Warehouse | elasticloadbalancing.*.amazonaws.com | HTTPS (one way), IAM authentication | TCP/443 | Can be made internal with VPC endpoints. |
AWS RDS API | Data Warehouse | rds.*.amazonaws.com | HTTPS (one way), IAM authentication | TCP/443 | AWS does not support RDS API VPC endpoints at this time; this requirement is under further evaluation. Data Warehouse uses Amazon RDS for PostgreSQL. |
AWS Service Quotas | Data Warehouse | servicequotas.*.amazonaws.com | HTTPS (one way), IAM authentication | TCP/443 | AWS does not support Service Quotas via VPC endpoints. Used to check limits and warn before they are reached. |
AWS Price List Service | Data Warehouse | pricing.*.amazonaws.com | HTTPS (one way), IAM authentication | TCP/443 | The AWS Price List Service uses us-east-1 or ap-south-1 as the region. |
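The General and AWS tables express destinations as hostname patterns (each `*` standing for one DNS label, as in `*.*.rds.amazonaws.com`), one fixed CIDR block with a port range for CCM, and plain hostnames for the CDN-backed services that publish no IP range. The following Python is an added example, not Cloudera's or AWS's code: it transcribes a subset of the rows above into allow-list rules, pins the `<region>` placeholder to an assumed region (us-west-2), and evaluates constructed sample flows against them so that an allow list can be checked before it is loaded into a proxy or firewall. The region, the rule names, the sample hostnames and IPs, and the `strict`/loose wildcard switch are assumptions for illustration.

```python
"""Audit an egress allow list against the CDP destination tables.

Added example (not Cloudera's or AWS's code). Rules are transcribed from the
General and AWS tables; the flows at the bottom are constructed samples.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple


def host_matches(pattern: str, host: str, strict: bool = True) -> bool:
    """Wildcard match on DNS labels, mirroring the notation in the tables.

    strict=True : every '*' matches exactly one label, so '*.*.rds.amazonaws.com'
                  matches 'a.b.rds.amazonaws.com' but not 'a.b.c.rds.amazonaws.com'.
    strict=False: a leading '*' may also span several labels, which is how many
                  firewall and proxy products interpret '*.example.com'.
    fnmatch/regex are avoided on purpose: their '*' also crosses '.' boundaries.
    """
    p = pattern.lower().strip(".").split(".")
    h = host.lower().strip(".").split(".")
    if any(not label for label in h):          # reject 'a..b' and empty hosts
        return False
    if not strict and p[0] == "*" and len(h) > len(p):
        h = h[len(h) - len(p):]                # fold extra leading labels into '*'
    if len(p) != len(h):
        return False
    return all(pl == "*" or pl == hl for pl, hl in zip(p, h))


def pin_region(pattern: str, region: str) -> str:
    """Fill the '<region>' placeholder from the tables with the deployment region,
    so the allow list admits only that region's endpoints."""
    return pattern.replace("<region>", region)


@dataclass(frozen=True)
class EgressRule:
    """One table row: hostname pattern and/or fixed CIDR, plus an inclusive TCP port range."""
    name: str
    host_pattern: Optional[str] = None
    cidr: Optional[str] = None                 # only the CCM row publishes fixed IPs
    ports: Tuple[int, int] = (443, 443)

    def allows(self, host: Optional[str], ip: Optional[str], port: int, strict: bool = True) -> bool:
        if not self.ports[0] <= port <= self.ports[1]:
            return False
        if self.cidr and ip and ipaddress.ip_address(ip) in ipaddress.ip_network(self.cidr):
            return True
        return bool(self.host_pattern and host and host_matches(self.host_pattern, host, strict))


REGION = "us-west-2"   # assumption for this example; substitute your environment's region

RULES: List[EgressRule] = [
    # General endpoints
    EgressRule("CCM control plane", "*.ccm.cdp.cloudera.com", "44.234.52.96/27", (6000, 6049)),
    EgressRule("Databus", "dbusapi.us-west-1.altus.cloudera.com"),
    EgressRule("Databus (sigma)", "dbusapi.us-west-1.sigma.altus.cloudera.com"),
    EgressRule("Control Plane API", "api.us-west-1.cdp.cloudera.com"),
    EgressRule("Parcels (CDN, no fixed IPs)", "archive.cloudera.com"),
    EgressRule("Docker registry (CDN, no fixed IPs)", "container.repository.cloudera.com"),
    EgressRule("DW images (ECR)", "container.repo.cloudera.com"),
    EgressRule("DW images: S3 behind ECR", pin_region("*.s3.<region>.amazonaws.com", REGION)),
    # AWS-specific endpoints
    EgressRule("AWS STS (global)", "sts.amazonaws.com"),
    EgressRule("AWS STS (regional)", "sts.*.amazonaws.com"),
    EgressRule("AWS S3 (global)", "*.s3.amazonaws.com"),
    EgressRule("AWS S3 (regional)", "*.s3.*.amazonaws.com"),
    EgressRule("AWS DynamoDB", "dynamodb.*.amazonaws.com"),
    EgressRule("AWS RDS (PostgreSQL)", "*.*.rds.amazonaws.com", ports=(5432, 5432)),
    EgressRule("AWS RDS (MySQL, Data Engineering only)", "*.*.rds.amazonaws.com", ports=(3306, 3306)),
    EgressRule("AWS ECR API", "api.ecr.*.amazonaws.com"),
    EgressRule("AWS ECR registry", "*.dkr.ecr.*.amazonaws.com"),
]


def first_match(rules, host=None, ip=None, port=443, strict=True) -> Optional[str]:
    """Name of the first rule that admits the flow, or None (deny by default)."""
    for rule in rules:
        if rule.allows(host, ip, port, strict):
            return rule.name
    return None


# Constructed sample flows: (host, ip, port); None = not observed (e.g. no SNI).
SAMPLE_FLOWS = [
    ("abc123.ccm.cdp.cloudera.com", "44.234.52.100", 6010),    # CCM tunnel, in range
    (None, "44.234.52.100", 6050),                             # CCM range, port past 6049
    (None, "44.234.52.128", 6010),                             # one address past the /27
    ("archive.cloudera.com", "198.51.100.7", 443),             # CDN: admitted by name only
    ("mybucket.s3.eu-west-1.amazonaws.com", None, 443),        # S3 in another region
    ("db1.c1abc2d3.us-west-2.rds.amazonaws.com", None, 5432),  # typical RDS shape: 3 labels before 'rds'
]


def audit(flows, strict=True):
    """Evaluate each flow; returns (host, ip, port, matching rule name or None)."""
    return [(host, ip, port, first_match(RULES, host, ip, port, strict)) for host, ip, port in flows]


if __name__ == "__main__":
    for mode in (True, False):
        print("strict" if mode else "loose")
        for row in audit(SAMPLE_FLOWS, mode):
            print("  ", row)
```

Two results are worth noting. The CDN-backed rows carry no CIDR, so `archive.cloudera.com` is admitted only when the hostname is visible; an IP-only firewall cannot enforce those rows and a proxy or FQDN/SNI-aware filter is needed. The RDS flow is denied under strict one-label semantics because a typical RDS instance endpoint has three labels in front of `rds` while the table writes two, and admitted under loose semantics; check which interpretation your product applies before assuming the patterns as written are sufficient, or as narrow as they look.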
Azure specific endpoints
Description/Usage | CDP service | Destination | Protocol and Authentication | IP Protocol/Port | Comments |
---|---|---|---|---|---|
General Azure guidelines | All | See "Safelist the Azure portal URLs on your firewall or proxy server" for Azure egress best practices. | | | |
Azure Kubernetes Service (AKS) | Data Warehouse, Machine Learning | See "Control egress traffic for cluster nodes in Azure Kubernetes Service (AKS)". CDP uses AKS and has the same requirements. | | | |
Azure Data Lake Storage Gen2 | Data Lake, Data Hub, Operational Database | <storage account name>.dfs.core.windows.net | HTTPS, Azure authentication | TCP/443 | A virtual network service endpoint for Microsoft.Storage is required. |
Azure Database for PostgreSQL | Data Lake, Data Hub, Data Warehouse, Machine Learning | *.postgres.database.azure.com | JDBC (PostgreSQL binary protocol) | TCP/5432 | A virtual network service endpoint for Microsoft.Sql is required. |
ARM (to manage user-assigned managed identities) | Data Lake | management.azure.com | HTTPS, Azure authentication | TCP/443 | Can be allowed with the AzureResourceManager service tag; the corresponding IP address ranges are also available for download. |
Microsoft Log Analytics | All | *.agentsvc.azure-automation.net, *.ods.opinsights.azure.com, *.oms.opinsights.azure.com, *.blob.core.windows.net | HTTPS, Azure authentication | TCP/443 | Optional, but blocking it may cause issues with Azure-approved images. |