Note: Please go to to access the current RightScale documentation set. Also, feel free to Chat with us!
Home > Guides > Dashboard Users Guide > Settings > Account > Concepts > About Firewalls > Configure a Stateful Firewall for RightLink Compatibility

Configure a Stateful Firewall for RightLink Compatibility


The RightLink management agent makes outbound HTTP(S) connections to the RightScale infrastructure in order to receive configuration instructions. Optional RightScale features such as monitoring and frozen package repositories make outbound connections using other protocols.

When RightLink resides behind a firewall that performs egress filtering, the firewall must be configured to allow this outbound traffic.


This information applies to the following environment:

  • Compute instances that use RightLink v6.0 or later
  • Network firewalls that perform stateful egress filtering, including:
    • AWS VPC Security Groups
    • OpenStack (Neutron) Security Groups
    • Windows Azure Network Security Groups (NSGs)

This information does not apply to:

  • Compute instances that use RightLink v5.x
  • Stateless firewalls:
    • AWS VPC Network ACLs (NACLs)
  • Ingress-only firewalls:
    • AWS Classic Security Groups
    • GCE Firewalls
    • Azure Network ACLs (NACLs)

Screenshots in this document depict the RightScale Network management UI, but the firewall rules and overall procedure can be applied to any egress-filtering firewall through any management interface.


After completing this how-to, you will have configured your network for compatibility with RightScale-managed compute instances. You will be able to launch Servers and ServerArray instances, see audit entries, see instance state changes and use optional features such as monitoring and NTP synchronization, all without exposing your instances to unwanted network traffic.


Note RightScale-Operated Networks

RightScale operates network infrastructure in several geographical regions to provide fault tolerance. Your instances generally communicate with infrastructure in a nearby geographical region, but may be redirected to remote regions during network or cloud outages.

Network/CIDR Location Description US-East us-3 cluster and island1 resources US-West us-4 cluster and island10 resources US-East additional island1 resources US-West additional island10 resources

island2 resources. Can be removed after April 30, 2015.

Only required for workloads in AWS EU-Frankfurt and AWS EU-Ireland.  Europe  Only required for workloads in AWS EU-West and EU-Central.


island8 resources. Can be removed after April 30 2015.  

Only required for workloads in AWS AP-Tokyo and AWS AP-Sydney Japan Only required for workloads in AWS AP-Tokyo and AWS AP-Sydney.


island5 resources. Can be removed after April 30 2015.  

Only required  for workloads in AWS AP-Singapore. Singapore Only required for workloads in AWS AP-Singapore. 

Enable RightLink Communication

RightLink communicates with the RightScale infrastructure using HTTPS (tcp/443) and HTTP (tcp/80). Your firewall should allow instances to make outbound connections to RightScale infrastructure using these protocols. For example:

AWS VPC Security Group with HTTP/HTTPS rules

Optional: Enable Time Synchronization

Good time synchronization is important in networking, and particularly important in the cloud because virtualization environments can introduce clock drift. RightLink uses OS facilities to perform NTP sync, first attempting to use OS defaults and then attempting to synchronize with RightScale-operated NTP servers.

If your base images have functional default NTP settings, or if you wish to skip NTP synchronization, no firewall changes are required. Otherwise, your firewall should allow instances to use RightScale's NTP servers. For example:


See our NTP documentation for more information about NTP settings and defaults.

Optional: Enable RightScale Monitoring

NOTE: this step will no longer be necessary once RightScale deploys its next-generation monitoring infrastructure in 2015Q1.

RightScale optionally utilizes the collectd protocol (udp/3011) to collect monitoring metrics from your instances and raise user-defined alerts. If you wish to use RightScale monitoring, your firewall should allow instances to send UDP packets to RightScale's servers on this port. For example:


What's Next

Your firewall has been configured for compatibility with RightLink. If your networking environment includes a stateless firewall in addition to a stateful firewall (e.g. AWS VPC Network ACLs) then you should ensure that your stateless firewall is properly configured. You may also wish to boot some test instances to ensure that everything is working well.

To learn more about the firewall functionality of your cloud, refer to the following external links:

You must to post a comment.
Last modified
08:59, 25 Nov 2014


This page has no custom tags.


This page has no classifications.



© 2006-2014 RightScale, Inc. All rights reserved.
RightScale is a registered trademark of RightScale, Inc. All other products and services may be trademarks or servicemarks of their respective owners.