Customer Firewalls

NOTE - this post has been superseded by Installation Requirements | Replicated Docs. Please reference those docs instead.

The historical content is preserved below.


Previous Post - Superseded

Often, customers need a complete list of expected internal and outbound network traffic so they can open ports in firewalls and allowlist hosts and IP addresses for outbound connectivity. This document lists all known connections that Replicated requires in order to run. Any other external services that may be required are not listed here.

Note: Airgap installations can run completely offline, and all tasks can be performed without outbound internet access. Additionally, no installations of Replicated ever require inbound access.

The requirements depend on the task being performed. This document is organized by the task the customer is attempting to perform, and then by the type of installation they are running.

For IP-based firewall rules, the IP addresses behind these hostnames are listed in Replicated Services and IPs.

Port Requirements

To use the Replicated management console, you must allow inbound/outbound traffic on TCP port :8800 from the private subnet from which an IT administrator accesses the console.

For Replicated communication you must also allow TCP ports :9870-:9881 for both inbound and outbound traffic on the installed subnet. These ports are for internal communication and should not be exposed externally. Note that in a multi-host setup, communication on these ports is required between hosts as well as on the primary host.

Initial Installation of Replicated

When Replicated is installed, it can be downloaded from the Internet or packaged up and delivered in an airgap package.

| Host | Online Installation | Airgap Installation | Description |
|---|---|---|---|
| get.replicated.com | Required | Not Required | This endpoint hosts the install script used by the Replicated easy install. |
| registry.replicated.com, registry-data.replicated.com | Required | Not Required | This domain name is used to download images hosted in the private Replicated registry… |
| quay.io | Required | Not Required | Replicated images for releases before 2.45.0 are hosted as public images in the Quay.io registry. |
| docker.io, index.docker.io, registry-1.docker.io, auth.docker.io | Required | Not Required | Replicated images for releases 2.45.0 and above are hosted as public images on Docker Hub. |

Application Installation and Upgrade

To install your application and perform updates, some external connections are required. All connections are initiated from inside the network, and can vary depending on the installation method and the application update.

| Host | Online Installation | Airgap Installation | Description |
|---|---|---|---|
| api.replicated.com | Required | Not Required | This endpoint services the license sync check and is used to pull down YAML for app upgrades. |
| registry.replicated.com, registry-data.replicated.com | Required | Not Required | This endpoint services Docker pull requests for all private images. |
| quay.io | Required | Not Required | Replicated images for releases prior to 2.45.0 are hosted as public images in the Quay.io registry and may be upgraded at app upgrade time. |
| docker.io, index.docker.io, registry-1.docker.io, auth.docker.io | Required | Not Required | Replicated images for releases 2.45.0 and above, as well as some dependencies of Replicated for all versions, are hosted as public images on Docker Hub. |
| Third-party registries | Required | Not Required | Replicated pulls public images hosted on third-party registries directly, so those should be identified and added to allow lists. |

Ongoing Access

When the application is up and running, and not being updated, the requirements for outbound internet access are greatly reduced. It’s possible to even run a server completely disconnected from the Internet, and only connect when you want to check for updates.

Once the application is installed, your customer can continue to run it, and stop and start the application without any outbound access.

In order to perform basic maintenance, some outbound access is required, as documented in the table below:

| Task | Host | Online Installation | Airgap Installation | Description |
|---|---|---|---|---|
| Check for updates | api.replicated.com (port 443) | Required | Not Required | This is the only endpoint required to check for application updates. |
| License sync | api.replicated.com (port 443) | Required | Not Required | This is the only endpoint required to sync the license. |

The Replicated Kubernetes scheduler also requires access to additional ports: 6443, 2379, 2380 and 10250-10252.

TCP 6783 and UDP 6783/6784 are required for Weave to enable inter-node communication.
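The port requirements and the three host tables above can be turned into a checkable allowlist. The following is an added example, not Replicated's code: it encodes the hosts per task and per installation mode (including the quay.io / Docker Hub split at release 2.45.0), renders the port rules as nftables-style lines, and probes outbound TCP reachability from inside the network. The task and mode names, the function names and the nftables rendering are this example's own assumptions; the hostnames, ports and version threshold are taken from the post.

```python
"""Outbound allowlist and port rules for a classic Replicated host.

Added example, not Replicated's own tooling. Hostnames, ports and the
2.45.0 threshold come from the post; task/mode names are assumptions.
"""
import socket
from typing import Dict, List, Set, Tuple

DOCKER_HUB = {"docker.io", "index.docker.io", "registry-1.docker.io", "auth.docker.io"}
PRIVATE_REGISTRY = {"registry.replicated.com", "registry-data.replicated.com"}

# Endpoints per task (online installs only; airgap needs none). Third-party
# registries used by a specific application are not known here and must be
# added per application.
ONLINE_HOSTS: Dict[str, Set[str]] = {
    "initial_install": {"get.replicated.com"} | PRIVATE_REGISTRY,
    "app_install_upgrade": {"api.replicated.com"} | PRIVATE_REGISTRY,
    "check_updates": {"api.replicated.com"},
    "license_sync": {"api.replicated.com"},
}
# Tasks that pull public Replicated images: quay.io before 2.45.0,
# Docker Hub from 2.45.0 on.
IMAGE_PULL_TASKS = {"initial_install", "app_install_upgrade"}

# (protocol, purpose, first port, last port) as listed in the post.
PORT_RULES: List[Tuple[str, str, int, int]] = [
    ("tcp", "management console, admin subnet only", 8800, 8800),
    ("tcp", "Replicated internal communication", 9870, 9881),
    ("tcp", "Kubernetes API server", 6443, 6443),
    ("tcp", "etcd", 2379, 2380),
    ("tcp", "kubelet / scheduler / controller-manager", 10250, 10252),
    ("tcp", "Weave inter-node", 6783, 6783),
    ("udp", "Weave inter-node", 6783, 6784),
]


def parse_version(v: str) -> Tuple[int, ...]:
    """'2.45.0' -> (2, 45, 0) so versions compare numerically."""
    return tuple(int(p) for p in v.split("."))


def required_hosts(task: str, mode: str, replicated_version: str = "2.45.0") -> Set[str]:
    """Hosts that must be reachable outbound on TCP 443 for `task`.

    mode is 'online' or 'airgap'. Airgap installations need no outbound hosts.
    """
    if mode == "airgap":
        return set()
    if mode != "online":
        raise ValueError(f"unknown mode: {mode}")
    hosts = set(ONLINE_HOSTS[task])
    if task in IMAGE_PULL_TASKS:
        if parse_version(replicated_version) < parse_version("2.45.0"):
            hosts.add("quay.io")
        else:
            hosts |= DOCKER_HUB
    if task == "app_install_upgrade":
        # Docker Hub also hosts dependencies of Replicated for all versions.
        hosts |= DOCKER_HUB
    return hosts


def nft_port_rules(installed_subnet: str, admin_subnet: str) -> List[str]:
    """Render PORT_RULES as nftables rule lines (illustrative rendering)."""
    lines = []
    for proto, purpose, lo, hi in PORT_RULES:
        # Only the console port is opened to the administrator subnet.
        src = admin_subnet if lo == 8800 else installed_subnet
        ports = str(lo) if lo == hi else f"{lo}-{hi}"
        lines.append(f'ip saddr {src} {proto} dport {ports} accept comment "{purpose}"')
    return lines


def probe_tcp(host: str, port: int = 443, timeout: float = 3.0) -> bool:
    """True if a TCP handshake to host:port completes. This is a reachability
    check only; it does not validate TLS or authenticate."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def report(task: str, mode: str, version: str) -> None:
    for host in sorted(required_hosts(task, mode, version)):
        print(f"{host}:443 {'reachable' if probe_tcp(host) else 'BLOCKED'}")


if __name__ == "__main__":
    report("app_install_upgrade", "online", "2.45.0")
    # Assumed example subnets.
    for rule in nft_port_rules("10.0.0.0/24", "10.0.1.0/24"):
        print(rule)
```

Run it on the host before the install window: every line reported as BLOCKED is a firewall or proxy rule that still needs opening, and the rendered port rules can be compared against the actual host firewall for the internal subnet.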

For KOTS, a smaller set of hosts and IPs is required:

Installation of KOTS

When Replicated is installed, it can be downloaded from the Internet or packaged up and delivered in an airgap package. IP addresses for these services can be found in replicatedhq/ips.

No outbound internet access is required for airgapped installations.

| Host | Existing Cluster Installation | Embedded Cluster Installation | Description |
|---|---|---|---|
| Docker Hub | Required | Required | Some dependencies of Replicated are hosted as public images on Docker Hub. |
| proxy.replicated.com | Required | Required | Upstream Docker images are proxied via proxy.replicated.com. The on-prem Docker client uses a license ID to authenticate to proxy.replicated.com. This domain is owned by Replicated, Inc., which is headquartered in Los Angeles, CA. |
| replicated.app | Required | Required | Upstream application YAML and metadata are pulled from replicated.app. The currently running version of the application (if any), a license ID and an application ID are sent to replicated.app to authenticate and receive these YAML files. This domain is owned by Replicated, Inc., which is headquartered in Los Angeles, CA. |
| k8s.kurl.sh | Not Required | Required | Kubernetes cluster installation scripts and artifacts are served from kurl.sh. An application identifier is sent in a URL path, and bash scripts and binary executables are served from kurl.sh. This domain is owned by Replicated, Inc., which is headquartered in Los Angeles, CA. |
| amazonaws.com | Not Required | Required | tar.gz packages are downloaded from Amazon S3 during embedded cluster installations. The IP ranges to allowlist for accessing these can be scraped dynamically from the AWS IP Address Ranges documentation. |
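For IP-based firewalls, the amazonaws.com row is the awkward one, since S3 has no fixed address list. The following added example (not KOTS's or Replicated's code) builds the KOTS allowlist per installation type from the table above and extracts the S3 prefixes for chosen regions from a document in the format AWS publishes at https://ip-ranges.amazonaws.com/ip-ranges.json. The Docker Hub hostnames are the ones listed earlier in this post; the sample JSON is constructed, and the region to filter on is an assumption that depends on where the packages are served from.

```python
"""KOTS outbound allowlist plus S3 prefix extraction from ip-ranges.json.

Added example, not Replicated's or KOTS's own code. Hostnames come from the
post; the sample document and the region choice are constructed/assumed.
"""
import ipaddress
import json
import urllib.request
from typing import Iterable, List, Set

# Docker Hub hostnames as listed earlier in the post.
DOCKER_HUB = {"docker.io", "index.docker.io", "registry-1.docker.io", "auth.docker.io"}
KOTS_COMMON = DOCKER_HUB | {"proxy.replicated.com", "replicated.app"}
EMBEDDED_ONLY = {"k8s.kurl.sh", "amazonaws.com"}

AWS_IP_RANGES_URL = "https://ip-ranges.amazonaws.com/ip-ranges.json"


def kots_required_hosts(install: str) -> Set[str]:
    """Hosts to allowlist for 'existing', 'embedded' or 'airgap' installs."""
    if install == "airgap":
        return set()            # no outbound access needed for airgap installs
    if install == "existing":
        return set(KOTS_COMMON)
    if install == "embedded":
        return KOTS_COMMON | EMBEDDED_ONLY
    raise ValueError(f"unknown install type: {install}")


# Constructed sample in the shape of ip-ranges.json (documentation addresses only).
SAMPLE_IP_RANGES = json.dumps({
    "syncToken": "0",
    "createDate": "2024-01-01-00-00-00",
    "prefixes": [
        {"ip_prefix": "192.0.2.0/24", "region": "us-east-1", "service": "S3", "network_border_group": "us-east-1"},
        {"ip_prefix": "198.51.100.0/24", "region": "us-east-1", "service": "AMAZON", "network_border_group": "us-east-1"},
        {"ip_prefix": "203.0.113.0/24", "region": "eu-west-1", "service": "S3", "network_border_group": "eu-west-1"},
    ],
    "ipv6_prefixes": [
        {"ipv6_prefix": "2001:db8::/32", "region": "us-east-1", "service": "S3", "network_border_group": "us-east-1"},
    ],
})


def s3_prefixes(doc: str, regions: Iterable[str], include_ipv6: bool = True) -> List[str]:
    """Return the S3 prefixes for `regions`, validated and sorted (v4 first)."""
    data = json.loads(doc)
    wanted = set(regions)
    found = [p["ip_prefix"] for p in data.get("prefixes", [])
             if p["service"] == "S3" and p["region"] in wanted]
    if include_ipv6:
        found += [p["ipv6_prefix"] for p in data.get("ipv6_prefixes", [])
                  if p["service"] == "S3" and p["region"] in wanted]
    # ip_network() rejects malformed entries instead of letting them into a rule set.
    nets = [ipaddress.ip_network(x) for x in found]
    return [str(n) for n in sorted(nets, key=lambda n: (n.version, n))]


def fetch_ip_ranges(timeout: float = 10.0) -> str:
    """Download the live document; re-run periodically, since the ranges change."""
    with urllib.request.urlopen(AWS_IP_RANGES_URL, timeout=timeout) as resp:
        return resp.read().decode("utf-8")


if __name__ == "__main__":
    print("hosts:", sorted(kots_required_hosts("embedded")))
    # Region is an assumption; replace with the one the packages are served from.
    print("s3 prefixes (sample):", s3_prefixes(SAMPLE_IP_RANGES, ["us-east-1"]))
```

Because the published ranges change, treat the extracted prefixes as a generated artifact: refresh them on a schedule (the document's syncToken changes when it does) rather than pasting them once into a firewall policy.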

Requirements for Installation | Replicated Docs has the latest on our firewall requirements and should be referred to instead of this post.


Thanks Diamon! I have added this to the original post as well!