List of Platform9 Public IPs and Repos to Whitelist in Firewall.

Problem

In environments with a very restrictive firewall on both ingress and egress network traffic, the Platform9 repos or public IPs must be whitelisted while other unnecessary traffic stays restricted.

Put another way, the requirement is to allow the pf9ctl client to pull the correct packages from the repos so that the nodes can be onboarded successfully.

Environment

  • Platform9 Managed Kubernetes - v-5.4 and Higher.

Answer

List of Platform9 repos and endpoint IP addresses:

| Item | IP | Type | Port | Domain | OS Flavor | Comments/Notes |
|---|---|---|---|---|---|---|
| SSH | Your Host IP to SSH VM | Inbound | 22 | | | |
| | Customer DNS resolve nameserver IP to resolve DU fqdn | Outbound | 443 | FQDN | | |
| Net-tools install, prep-node | 185.125.190.39, 91.189.91.38, 91.189.91.39, 185.125.190.36 | Outbound | 80 | | Ubuntu | |
| Ntp install - prep-node | 35.180.43.213, 67.219.148.138, 85.236.43.108, 18.225.36.18 | Outbound | | mirrorlist.centos.org | CentOS | pf9ctl prepnode; ntp install |
| Ntp install - prep-node | 108.170.47.61 | Outbound | | centos-distro.cavecreek.net | CentOS | pf9ctl prepnode; ntp install |
| Ntp install - prep-node | 199.193.113.164 | Outbound | | centos.hivelocity.net | CentOS | pf9ctl prepnode; ntp install |
| Ntp install - prep-node | 204.157.3.70 | Outbound | | mirror.cogentco.com | CentOS | pf9ctl prepnode; ntp install |
| Ntp install - prep-node | 131.210.12.35 | Outbound | | mirror.cs.uwp.edu | CentOS | pf9ctl prepnode; ntp install |
| download.docker.com - Container runtime configure | 108.139.1.114, 108.139.1.115, 108.139.1.117, 108.139.1.19 | Outbound | 443 | download.docker.com | | During cluster creation (bootstrap) |
| gcr.io port - Start etcd | 142.251.2.82 | Outbound | 443 | gcr.io | | Start etcd step during cluster bootstrapping |
| Storage google apis accessing | 142.250.189.176, 142.251.214.144, 142.250.189.240, 142.250.191.48, 142.251.46.208, 142.250.72.208, 142.250.189.208, 142.251.32.48, 142.251.46.240 | Outbound | 443 | storage.googleapis.com | | |
| k8s gcr accessing - Configure and start kube-proxy | 74.125.137.82 | Outbound | 443 | k8s.gcr.io | | Configure and start kube proxy (https://k8s.gcr.io/v2/kube-proxy/manifests/v1.24.7) |

Additional Information

Most of these IPs can be dynamic, so they can be fetched and whitelisted from the host domain.
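One way to act on the note above, as an added example that is not part of the original article: resolve the domains from the table and report where DNS now returns addresses the documented allowlist lacks. The function names and the injectable `resolver` parameter are assumptions for illustration; the domain and IP values are copied from three rows of the table.

```python
import socket

# Domain -> IPs documented in the table above (copied from this page).
DOCUMENTED = {
    "download.docker.com": {"108.139.1.114", "108.139.1.115",
                            "108.139.1.117", "108.139.1.19"},
    "gcr.io": {"142.251.2.82"},
    "k8s.gcr.io": {"74.125.137.82"},
}


def resolve_ipv4(domain):
    """Return the set of IPv4 addresses the local resolver gives for domain."""
    infos = socket.getaddrinfo(domain, 443, family=socket.AF_INET,
                               type=socket.SOCK_STREAM)
    return {info[4][0] for info in infos}


def allowlist_drift(documented, resolver=resolve_ipv4):
    """Compare documented IPs with current DNS answers.

    Returns {domain: {"missing": [...], "stale": [...]}}. "missing" are
    addresses DNS returns now that the allowlist lacks (egress to them is
    blocked). "stale" are allowlisted addresses absent from this answer; a
    single answer can be a subset of a larger pool, so treat "stale" as a
    hint to re-check, not as a removal list. Domains without drift are
    omitted; resolution failures are reported under "error".
    """
    report = {}
    for domain, allowed in sorted(documented.items()):
        try:
            current = set(resolver(domain))
        except OSError as exc:  # socket.gaierror is a subclass of OSError
            report[domain] = {"error": str(exc)}
            continue
        missing, stale = current - allowed, allowed - current
        if missing or stale:
            report[domain] = {"missing": sorted(missing),
                              "stale": sorted(stale)}
    return report


if __name__ == "__main__":
    for domain, diff in allowlist_drift(DOCUMENTED).items():
        print(domain, diff)
```

Run it from a host that uses the same DNS resolver as the nodes being onboarded, since different resolvers can return different addresses for the same domain.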
