Note: Please go to to access the current RightScale documentation set. Also, feel free to Chat with us!
Home > Guides > Dashboard Users Guide > Settings > Account > Concepts > About Firewalls > Connect a Firewalled Private Cloud to RightScale

Connect a Firewalled Private Cloud to RightScale


The RightLink management agent makes outbound HTTP(S) connections to the RightScale infrastructure in order to receive configuration instructions. Optional RightScale features such as monitoring and frozen package repositories make outbound connections using other protocols.

When RightLink resides behind a firewall that performs egress filtering, the firewall must be configured to allow this outbound traffic.


This information applies to the following environment:

  • Private clouds whose API endpoint resides behind a firewall
  • RightScale management requests sent to private cloud APIs

This information does not apply to:

  • Compute instances that run inside private clouds

Please review the firewall rules you will need to set up in order to enable communication between the RightScale platform and private clouds, end-users, and design asset repositories located inside the firewall as specified in Firewall Configuration Ruleset.


After completing this how-to, you will have configured your network firewall to allow API requests to your private cloud. You will be able to register your cloud with the RightScale platform, add your cloud to one or more RightScale accounts, and use our UI or API to make cloud-management requests.


Note RightScale-Operated Networks

RightScale operates network infrastructure in several geographical regions to provide fault tolerance. Your instances generally communicate with infrastructure in a nearby geographical region, but may be redirected to remote regions during network or cloud outages.

Network/CIDR Location Description US-East us-3 cluster and island1 resources US-West us-4 cluster and island10 resources US-East additional island1 resources US-West additional island10 resources

island2 resources. Can be removed after April 30, 2015.

Only required for workloads in AWS EU-Frankfurt and AWS EU-Ireland.  Europe  Only required for workloads in AWS EU-West and EU-Central.


island8 resources. Can be removed after April 30 2015.  

Only required for workloads in AWS AP-Tokyo and AWS AP-Sydney Japan Only required for workloads in AWS AP-Tokyo and AWS AP-Sydney.


island5 resources. Can be removed after April 30 2015.  

Only required  for workloads in AWS AP-Singapore. Singapore Only required for workloads in AWS AP-Singapore. 

Enable Cloud API Requests

Your private cloud's API is normally exposed as an HTTPS endpoint on port tcp/443 though the protocol and port can change depending on how you have configured the cloud. RightScale must be able to make API requests to this endpoint from each RightScale-operated network range.

Assuming that your cloud is listening on port 443, you will need to create the following ingress rules:

Source Network/CIDR Ports Purpose configurable (usually tcp/443) Receive API requests from us-3 configurable (usually tcp/443) Receive API requests from us-4 configurable (usually tcp/443) Receive API requests from us-3 configurable (usually tcp/443) Receive API requests from us-4 configurable (usually tcp/443) Reserved for expansion configurable (usually tcp/443) Reserved for expansion


NOTE: No Ingress required for VMware vSphere Clouds or AWS VPC

What's Next

Your firewall has been configured to allow RightScale to make API requests. You can now connect it to RightScale and add it to one or more accounts.

You must to post a comment.
Last modified
10:26, 19 Dec 2014


This page has no custom tags.


This page has no classifications.



© 2006-2014 RightScale, Inc. All rights reserved.
RightScale is a registered trademark of RightScale, Inc. All other products and services may be trademarks or servicemarks of their respective owners.