Customer Firewalls

For KOTS, a smaller set of IPs is required:

Installation of KOTS

When Replicated is installed, it can be downloaded from the Internet or packaged up and delivered in an airgap package. IP addresses for these services can be found in replicatedhq/ips.

No outbound internet access is required for airgapped installations.

| Host | Existing Cluster Installation | Embedded Cluster Installation | Description |
|---|---|---|---|
| Docker Hub | Required | Required | Some dependencies of Replicated are hosted as public images in Docker Hub. |
| proxy.replicated.com | Required | Required | Upstream Docker images are proxied via proxy.replicated.com. The on-prem Docker client uses a license ID to authenticate to proxy.replicated.com. This domain is owned by Replicated, Inc., which is headquartered in Los Angeles, CA. |
| replicated.app | Required | Required | Upstream application YAML and metadata are pulled from replicated.app. The current running version of the application (if any), a license ID, and an application ID are sent to replicated.app to authenticate and receive these YAML files. This domain is owned by Replicated, Inc., which is headquartered in Los Angeles, CA. |
| k8s.kurl.sh | Not Required | Required | Kubernetes cluster installation scripts and artifacts are served from kurl.sh. An application identifier is sent in a URL path, and bash scripts and binary executables are served from kurl.sh. This domain is owned by Replicated, Inc., which is headquartered in Los Angeles, CA. |
| amazonaws.com | Not Required | Required | tar.gz packages are downloaded from Amazon S3 during embedded cluster installations. The IP ranges to whitelist for accessing these can be scraped dynamically from the AWS IP Address Ranges documentation. |
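
An added example, not part of the original page or Replicated's code: one way to turn the AWS IP Address Ranges file mentioned for amazonaws.com into the S3 portion of an egress allowlist. The region filter, the function names and the sample data (documentation-only address blocks) are assumptions made for the example.

```python
import ipaddress
import json
import urllib.request

# Published location of the AWS IP Address Ranges file.
AWS_RANGES_URL = "https://ip-ranges.amazonaws.com/ip-ranges.json"

# Constructed sample in the ip-ranges.json layout, using documentation-only
# address blocks (not real AWS ranges), so the example runs offline.
SAMPLE = json.loads("""
{"syncToken": "0", "createDate": "2000-01-01-00-00-00",
 "prefixes": [
  {"ip_prefix": "192.0.2.0/25",    "region": "us-east-1", "service": "S3"},
  {"ip_prefix": "192.0.2.128/25",  "region": "us-east-1", "service": "S3"},
  {"ip_prefix": "192.0.2.0/24",    "region": "us-east-1", "service": "AMAZON"},
  {"ip_prefix": "198.51.100.0/24", "region": "eu-west-1", "service": "S3"},
  {"ip_prefix": "203.0.113.0/24",  "region": "us-east-1", "service": "EC2"}],
 "ipv6_prefixes": [
  {"ipv6_prefix": "2001:db8:1::/48", "region": "us-east-1", "service": "S3"}]}
""")

def fetch_ranges(url=AWS_RANGES_URL, timeout=10):
    """Download the live file over HTTPS (not called by the offline demo)."""
    with urllib.request.urlopen(url, timeout=timeout) as resp:
        return json.load(resp)

def s3_allowlist(doc, regions=None):
    """Return collapsed S3 CIDRs as strings, optionally limited to regions."""
    nets = {4: [], 6: []}
    for key, field in (("prefixes", "ip_prefix"), ("ipv6_prefixes", "ipv6_prefix")):
        for entry in doc.get(key, []):
            if entry.get("service") != "S3":
                continue
            if regions and entry.get("region") not in regions:
                continue
            # strict=True raises on entries with host bits set instead of
            # silently turning a malformed prefix into a firewall rule.
            net = ipaddress.ip_network(entry[field], strict=True)
            nets[net.version].append(net)
    # collapse_addresses merges adjacent and overlapping blocks, which keeps
    # the firewall rule count down; it must be called per address family.
    out = []
    for version in (4, 6):
        out += [str(n) for n in ipaddress.collapse_addresses(nets[version])]
    return out

if __name__ == "__main__":
    for cidr in s3_allowlist(SAMPLE, regions={"us-east-1"}):
        print(cidr)
```

For live data, pass `fetch_ranges()` instead of `SAMPLE` and re-run on a schedule, since the published ranges change over time.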