The RightLink management agent makes outbound HTTP(S) connections to the RightScale infrastructure in order to receive configuration instructions. Optional RightScale features such as monitoring and frozen package repositories make outbound connections using other protocols.
When RightLink resides behind a firewall that performs egress filtering, the firewall must be configured to allow this outbound traffic.
This information applies to the following environment:
This information does not apply to:
Screenshots in this document depict the RightScale Network management UI, but the firewall rules and overall procedure can be applied to any egress-filtering firewall through any management interface.
After completing this how-to, you will have configured your network for compatibility with RightScale-managed compute instances. You will be able to launch Servers and ServerArray instances, see audit entries, see instance state changes and use optional features such as monitoring and NTP synchronization, all without exposing your instances to unwanted network traffic.
RightScale operates network infrastructure in several geographical regions to provide fault tolerance. Your instances generally communicate with infrastructure in a nearby geographical region, but may be redirected to remote regions during network or cloud outages.
|184.108.40.206/27||US-East||us-3 cluster and island1 resources|
|220.127.116.11/27||US-West||us-4 cluster and island10 resources|
|18.104.22.168/26||US-East||additional island1 resources|
|22.214.171.124/26||US-West||additional island10 resources|
island2 resources. Can be removed after April 30, 2015.
Only required for workloads in AWS EU-Frankfurt and AWS EU-Ireland.
|126.96.36.199/28||Europe||Only required for workloads in AWS EU-West and EU-Central.|
island8 resources. Can be removed after April 30 2015.
Only required for workloads in AWS AP-Tokyo and AWS AP-Sydney
|188.8.131.52/28||Japan||Only required for workloads in AWS AP-Tokyo and AWS AP-Sydney.|
island5 resources. Can be removed after April 30 2015.
Only required for workloads in AWS AP-Singapore.
|184.108.40.206/28||Singapore||Only required for workloads in AWS AP-Singapore.|
RightLink communicates with the RightScale infrastructure using HTTPS (tcp/443) and HTTP (tcp/80). Your firewall should allow instances to make outbound connections to RightScale infrastructure using these protocols. For example:
Good time synchronization is important in networking, and particularly important in the cloud because virtualization environments can introduce clock drift. RightLink uses OS facilities to perform NTP sync, first attempting to use OS defaults and then attempting to synchronize with RightScale-operated NTP servers.
If your base images have functional default NTP settings, or if you wish to skip NTP synchronization, no firewall changes are required. Otherwise, your firewall should allow instances to use RightScale's NTP servers. For example:
See our NTP documentation for more information about NTP settings and defaults.
|NOTE: this step will no longer be necessary once RightScale deploys its next-generation monitoring infrastructure in 2015Q1.|
RightScale optionally utilizes the collectd protocol (udp/3011) to collect monitoring metrics from your instances and raise user-defined alerts. If you wish to use RightScale monitoring, your firewall should allow instances to send UDP packets to RightScale's servers on this port. For example:
Your firewall has been configured for compatibility with RightLink. If your networking environment includes a stateless firewall in addition to a stateful firewall (e.g. AWS VPC Network ACLs) then you should ensure that your stateless firewall is properly configured. You may also wish to boot some test instances to ensure that everything is working well.
To learn more about the firewall functionality of your cloud, refer to the following external links:
© 2006-2014 RightScale, Inc. All rights reserved.
RightScale is a registered trademark of RightScale, Inc. All other products and services may be trademarks or servicemarks of their respective owners.