The RightLink management agent makes outbound HTTPS connections to the RightScale infrastructure in order to receive configuration instructions. Optional RightScale features such as monitoring and frozen package repositories make outbound connections using other protocols.
When RightLink resides behind a stateless firewall that performs egress filtering, the firewall must be configured to allow outbound and inbound packets associated with these protocols.
This information applies to the following environment:
This information does not apply to:
Screenshots in this document depict the AWS Console UI, but the firewall rules and overall procedure can be applied to any stateless firewall through any management interface.
After completing this how-to, you will have configured your firewall for compatibility with RightScale-managed compute instances. You will be able to launch Servers and ServerArray instances, see audit entries, see instance state changes and use optional features such as monitoring and NTP synchronization, all without exposing your instances to unwanted network traffic.
RightScale operates network infrastructure in several geographical regions to provide fault tolerance. Your instances generally communicate with infrastructure in a nearby geographical region, but may be redirected to remote regions during network or cloud outages.
| CIDR | Region | Purpose |
|---|---|---|
| 22.214.171.124/27 | US-East | us-3 cluster and island1 resources |
| 126.96.36.199/27 | US-West | us-4 cluster and island10 resources |
| 188.8.131.52/26 | US-East | additional island1 resources |
| 184.108.40.206/26 | US-West | additional island10 resources |
| | Europe | island2 resources. Only required for workloads in AWS EU-Frankfurt and AWS EU-Ireland. Can be removed after April 30, 2015. |
| 220.127.116.11/28 | Europe | Only required for workloads in AWS EU-West and EU-Central. |
| | Japan | island8 resources. Only required for workloads in AWS AP-Tokyo and AWS AP-Sydney. Can be removed after April 30, 2015. |
| 18.104.22.168/28 | Japan | Only required for workloads in AWS AP-Tokyo and AWS AP-Sydney. |
| | Singapore | island5 resources. Only required for workloads in AWS AP-Singapore. Can be removed after April 30, 2015. |
| 22.214.171.124/28 | Singapore | Only required for workloads in AWS AP-Singapore. |
RightLink communicates with the RightScale infrastructure using HTTPS (tcp/443) and HTTP (tcp/80). Your firewall should allow outbound (request) packets from your instances to the RightScale ranges on these ports, and inbound (response) packets from those ranges back to your instances' ephemeral ports.

NOTE: The instance chooses the ephemeral source port of each connection, so the destination port of the response packets cannot be predicted, and AWS Network ACL rules cannot match on source port. A stateless rule therefore has to admit the entire ephemeral range (1024-65535 covers the defaults of every common OS) from the RightScale ranges; keep it restricted to those source ranges. Consider using a stateful firewall or security group to enforce additional constraints on inbound traffic.
Example configuration for an AWS VPC Network ACL that allows only RightLink traffic:
Good time synchronization is important in networking, and particularly important in the cloud because virtualization environments can introduce clock drift. RightLink versions prior to 6.3 used OS facilities to synchronize time via NTP (udp/123), first trying the OS's own NTP settings and then contacting RightScale-operated NTP servers, because accurate system time was required for RightLink startup. Starting with RightLink 6.3 this requirement was dropped: RightLink itself no longer depends on correct system time. Accurate clocks still matter for TLS certificate validity checks and for correlating logs and audit entries, so keep NTP working even where RightLink does not demand it.
If your base images already carry NTP settings that work in your network environment, or if you wish to skip NTP synchronization, no firewall changes are required. Otherwise, your firewall should allow instances to reach RightScale's NTP servers: outbound udp/123, plus the reply direction, which a stateless filter must open explicitly. The reply arrives on whatever source port the client used; ntpd sends its queries from udp/123, whereas chrony uses an ephemeral source port by default, so allow inbound UDP from the RightScale ranges to both udp/123 and the ephemeral range. See our NTP documentation for more information.
RightScale can optionally use the collectd protocol (udp/3011) to collect monitoring metrics from your instances and raise user-defined alerts. If you wish to use RightScale monitoring, your firewall should allow instances to send UDP packets to RightScale's servers on this port. This traffic is one-way, so no inbound rule is needed for it.

NOTE: rules for monitoring data (udp/3011) will no longer be necessary once RightScale deploys its next-generation monitoring infrastructure in 2015Q1.
Example configuration for an AWS VPC Network ACL that allows RightLink, time-synchronization and monitoring traffic:
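The following Python is an added example, not code from the RightScale page or its tooling. It builds both rule sets captioned above, the RightLink-only Network ACL and the one that also admits time-synchronization and monitoring traffic, renders the matching `aws ec2 create-network-acl-entry` calls, and evaluates sample packets the way a stateless filter does, which makes the need for a separate ingress rule for replies visible. The CIDRs are RFC 5737 placeholders standing in for the ranges in the table, `acl-EXAMPLE` is a placeholder NACL id, and the 20-rules-per-direction figure is assumed to be the unchanged default AWS quota.

```python
"""Stateless (AWS VPC Network ACL style) rule set for RightLink traffic.

Added example, not RightScale's own tooling. The CIDRs below are RFC 5737
placeholders (constructed) standing in for the RightScale ranges in the table.
"""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Constructed placeholders: substitute the RightScale ranges for your regions.
RIGHTSCALE_CIDRS = ["203.0.113.0/27", "198.51.100.0/26"]

# Replies land on the instance's ephemeral port, which a stateless filter cannot
# predict, so the whole high range is opened, restricted to the RightScale ranges.
EPHEMERAL: Tuple[int, int] = (1024, 65535)

# Default AWS quota for Network ACL rules, counted per direction (assumed unchanged).
NACL_RULE_QUOTA = 20


@dataclass(frozen=True)
class NaclEntry:
    rule_number: int
    egress: bool        # True: instance -> RightScale; False: reply direction
    protocol: str       # "tcp" or "udp"
    cidr: str           # peer network: destination for egress, source for ingress
    port_from: int      # destination port range on the receiving side
    port_to: int
    action: str = "allow"

    def to_cli(self, acl_id: str) -> str:
        """Equivalent AWS CLI call; acl_id is supplied by the caller."""
        direction = "--egress" if self.egress else "--ingress"
        return (f"aws ec2 create-network-acl-entry --network-acl-id {acl_id} "
                f"--rule-number {self.rule_number} --protocol {self.protocol} "
                f"--rule-action {self.action} {direction} --cidr-block {self.cidr} "
                f"--port-range From={self.port_from},To={self.port_to}")


def rightlink_entries(cidrs: List[str], ntp: bool = False,
                      monitoring: bool = False, step: int = 10) -> List[NaclEntry]:
    """Rules for RightLink (tcp/443, tcp/80), optionally NTP (udp/123) and collectd
    monitoring (udp/3011). Egress and ingress are numbered independently, as AWS
    NACLs do; anything not matched falls through to the implicit '*' deny."""
    entries: List[NaclEntry] = []
    next_number: Dict[bool, int] = {True: 100, False: 100}

    def add(egress: bool, proto: str, cidr: str, pfrom: int, pto: int) -> None:
        entries.append(NaclEntry(next_number[egress], egress, proto, cidr, pfrom, pto))
        next_number[egress] += step

    for cidr in cidrs:
        add(True, "tcp", cidr, 443, 443)         # HTTPS request to RightScale
        add(True, "tcp", cidr, 80, 80)           # HTTP request to RightScale
        add(False, "tcp", cidr, *EPHEMERAL)      # TCP replies to ephemeral ports
        if ntp:
            add(True, "udp", cidr, 123, 123)     # NTP query
            add(False, "udp", cidr, 123, 123)    # reply to an ntpd-style client (source port 123)
            add(False, "udp", cidr, *EPHEMERAL)  # reply to a chrony-style client (ephemeral source port)
        if monitoring:
            add(True, "udp", cidr, 3011, 3011)   # collectd is one-way: no reply rule needed
    return entries


def direction_counts(entries: List[NaclEntry]) -> Tuple[int, int]:
    """(egress, ingress) rule counts, to compare against the per-direction quota."""
    egress = sum(1 for e in entries if e.egress)
    return egress, len(entries) - egress


def fits_quota(entries: List[NaclEntry], limit: int = NACL_RULE_QUOTA) -> bool:
    """True if neither direction exceeds the NACL rule quota."""
    return max(direction_counts(entries)) <= limit


def evaluate(entries: List[NaclEntry], egress: bool, protocol: str,
             peer_ip: str, dst_port: int) -> str:
    """First-match-by-rule-number evaluation of a single packet, as a NACL does.
    peer_ip is the RightScale end of the flow; dst_port is the port the packet
    is addressed to. Returns 'allow' or 'deny'."""
    ip = ipaddress.ip_address(peer_ip)
    for e in sorted((x for x in entries if x.egress == egress), key=lambda x: x.rule_number):
        if (e.protocol == protocol and ip in ipaddress.ip_network(e.cidr)
                and e.port_from <= dst_port <= e.port_to):
            return e.action
    return "deny"  # the trailing '*' rule


if __name__ == "__main__":
    minimal = rightlink_entries(RIGHTSCALE_CIDRS)                          # RightLink only
    full = rightlink_entries(RIGHTSCALE_CIDRS, ntp=True, monitoring=True)  # + NTP + monitoring
    for r in full:
        print(r.to_cli("acl-EXAMPLE"))  # placeholder NACL id
    print("fits default quota:", fits_quota(full))
    # The HTTPS request goes out, and its SYN-ACK comes back to ephemeral port 49152...
    print(evaluate(full, True, "tcp", "203.0.113.5", 443),
          evaluate(full, False, "tcp", "203.0.113.5", 49152))
    # ...but with egress rules alone the handshake never completes on a stateless filter.
    print(evaluate([r for r in full if r.egress], False, "tcp", "203.0.113.5", 49152))
```

Each regional range costs three to four egress rules and up to three ingress rules, so listing every range in the table with NTP enabled exceeds the default per-direction quota; include only the ranges the table marks as required for your workload's region, or request a quota increase, and re-run the quota check before applying the rules.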
Your firewall has been configured for compatibility with RightLink. If your networking environment layers a stateful firewall on top of the stateless one (e.g. AWS VPC Security Groups in addition to Network ACLs), make sure the stateful layer also permits this traffic; a packet must be allowed by both to pass. Boot a test instance and confirm that it reaches the operational state and that its audit entries and state changes appear in the RightScale dashboard before rolling the rules out more widely.
To learn more about the firewall functionality of your cloud, refer to the following external links:
© 2006-2014 RightScale, Inc. All rights reserved.
RightScale is a registered trademark of RightScale, Inc. All other products and services may be trademarks or servicemarks of their respective owners.