Connect a Firewalled Private Cloud to RightScale
Overview
The RightLink management agent makes outbound HTTP(S) connections to the RightScale infrastructure in order to receive configuration instructions. Optional RightScale features such as monitoring and frozen package repositories make outbound connections using other protocols.
When RightLink resides behind a firewall that performs egress filtering, the firewall must be configured to allow this outbound traffic.
Prerequisites
This information applies to the following environment:
- Private clouds whose API endpoint resides behind a firewall
- RightScale management requests sent to private cloud APIs
This information does not apply to:
- Compute instances that run inside private clouds
Please review the firewall rules you will need to set up in order to enable communication between the RightScale platform and private clouds, end-users, and design asset repositories located inside the firewall as specified in Firewall Configuration Ruleset.
Goal
After completing this how-to, you will have configured your network firewall to allow API requests to your private cloud. You will be able to register your cloud with the RightScale platform, add your cloud to one or more RightScale accounts, and use our UI or API to make cloud-management requests.
Procedure
Note RightScale-Operated Networks
RightScale operates network infrastructure in several geographical regions to provide fault tolerance. Your instances generally communicate with infrastructure in a nearby geographical region, but may be redirected to remote regions during network or cloud outages.
| Network/CIDR | Location | Description |
| 54.225.248.128/27 | US-East | us-3 cluster and island1 resources |
| 54.244.88.96/27 | US-West | us-4 cluster and island10 resources |
| 54.86.63.128/26 | US-East | additional island1 resources |
| 54.187.254.128/26 | US-West | additional island10 resources |
|
54.217.243.218/32 54.217.243.226/32 | Europe | island2 resources. Can be removed after April 30, 2015. Only required for workloads in AWS EU-Frankfurt and AWS EU-Ireland. |
| 54.246.247.16/28 | Europe | Only required for workloads in AWS EU-West and EU-Central. |
| 54.248.220.136/32 54.248.220.137/32 | Japan | island8 resources. Can be removed after April 30 2015. Only required for workloads in AWS AP-Tokyo and AWS AP-Sydney |
| 54.248.220.128/28 | Japan | Only required for workloads in AWS AP-Tokyo and AWS AP-Sydney. |
| 54.251.98.164/32 54.251.106.120/32 | Singapore | island5 resources. Can be removed after April 30 2015. Only required for workloads in AWS AP-Singapore. |
| 54.255.255.208/28 | Singapore | Only required for workloads in AWS AP-Singapore. |
Enable Cloud API Requests
Your private cloud's API is normally exposed as an HTTPS endpoint on port tcp/443 though the protocol and port can change depending on how you have configured the cloud. RightScale must be able to make API requests to this endpoint from each RightScale-operated network range.
Assuming that your cloud is listening on port 443, you will need to create the following ingress rules:
| Source Network/CIDR | Ports | Purpose |
| 54.225.248.128/27 | configurable (usually tcp/443) | Receive API requests from us-3 |
| 54.244.88.96/27 | configurable (usually tcp/443) | Receive API requests from us-4 |
| 54.86.63.128/26 | configurable (usually tcp/443) | Receive API requests from us-3 |
| 54.187.254.128/26 | configurable (usually tcp/443) | Receive API requests from us-4 |
| 54.246.247.16/28 | configurable (usually tcp/443) | Reserved for expansion |
| 54.255.255.208/28 | configurable (usually tcp/443) | Reserved for expansion |
| NOTE: No Ingress required for VMware vSphere Clouds or AWS VPC |
What's Next
Your firewall has been configured to allow RightScale to make API requests. You can now connect it to RightScale and add it to one or more accounts.
- © Copyright 2015 RightScale Technical Support