
Firewall Configuration Ruleset

Overview

These are the rules firewall administrators should add in order to enable communication between the RightScale platform and private clouds, end-users and design asset repositories located inside the firewall.

This list is designed for ease of use; it consists of a small number of network ranges in which all of our infrastructure is hosted, and not every address in every range requires traffic on every port.

IMPORTANT: RightScale does not support DNS name-based firewall configurations.

RightScale-Owned IP Networks

RightScale operates network infrastructure in several geographical regions to provide fault tolerance. Your instances generally communicate with infrastructure in a nearby geographical region, but may be redirected to remote regions during network or cloud outages.

Network/CIDR      | Location  | Description
54.225.248.128/27 | US-East   | us-3 cluster and island1 resources
54.244.88.96/27   | US-West   | us-4 cluster and island10 resources
54.86.63.128/26   | US-East   | additional island1 resources
54.187.254.128/26 | US-West   | additional island10 resources
54.246.247.16/28  | Europe    | Only required for workloads in AWS EU-West and EU-Central.
54.248.220.128/28 | Japan     | Only required for workloads in AWS AP-Tokyo and AWS AP-Sydney.
54.255.255.208/28 | Singapore | Only required for workloads in AWS AP-Singapore and AWS AP-Sydney.

All-Inclusive Firewall Rules

For each network operated by RightScale, your firewall will need to allow traffic to (and occasionally from) that network on several network ports.

NOTE: This material applies only to RightLink 6.0 and above (i.e. Multi Cloud Images v14.0 and above); older versions of RightLink require additional network connectivity and are not supported for use with firewalls.

Egress Rules

To enable all RightScale use cases (end-user access to the UI and API, RightLink system management, monitoring, alerting) you should add the following egress rules to your firewall.

Destination Network/CIDR | Ports                              | Location  | Purpose
54.225.248.128/27        | tcp/80, tcp/443, udp/123, udp/3011 | US-East   | Communicate with us-3 and island1. Required for workloads globally.
54.244.88.96/27          | tcp/80, tcp/443, udp/123, udp/3011 | US-West   | Communicate with us-4 and island10. Required for workloads globally.
54.86.63.128/26          | tcp/80, tcp/443, udp/123, udp/3011 | US-East   | Communicate with island1. Required for workloads globally.
54.187.254.128/26        | tcp/80, tcp/443, udp/123, udp/3011 | US-West   | Communicate with island10. Required for workloads globally.
54.246.247.16/28         | tcp/80, tcp/443, udp/123, udp/3011 | Europe    | Communicate with island2. Only required for workloads in AWS EU-Frankfurt and AWS EU-Ireland.
54.255.255.208/28        | tcp/80, tcp/443, udp/123, udp/3011 | Singapore | Communicate with island5. Only required for workloads in AWS AP-Singapore.
54.248.220.128/28        | tcp/80, tcp/443, udp/123, udp/3011 | Japan     | Communicate with island8. Only required for workloads in AWS AP-Tokyo and AWS AP-Sydney.
0.0.0.0/0                | udp/3011                           | All       | Send monitoring data to RightScale. The requirement for this address block will be deprecated by May 15, 2015, when all UDP monitoring traffic is directed into the CIDR blocks above. Required for workloads globally.

Ingress Rules (for Private Clouds)

Source Network/CIDR | Ports                          | Purpose
54.225.248.128/27   | configurable (usually tcp/443) | Receive API requests from us-3
54.244.88.96/27     | configurable (usually tcp/443) | Receive API requests from us-4
54.86.63.128/26     | configurable (usually tcp/443) | Receive API requests from us-3
54.187.254.128/26   | configurable (usually tcp/443) | Receive API requests from us-4
54.246.247.16/28    | configurable (usually tcp/443) | Reserved for expansion
54.255.255.208/28   | configurable (usually tcp/443) | Reserved for expansion

NOTE: No ingress is required for VMware vSphere clouds or AWS VPC.

Internally-Hosted Design Asset Repositories

If you design your own Chef ServerTemplates and host a cookbook repository behind a firewall, you will need to ensure that RightScale can reach your repository. The port and protocol details vary with the kind of repository (Git or Subversion) and, in the case of Git, with your chosen transport (git+ssh, https, or the git binary protocol).

The origin IP for all RightScale Git or Subversion clients will fall into one of the published IP ranges above.

Ingress Rules (for Design Asset Repositories)

Source Network/CIDR | Ports                                    | Purpose
54.225.248.128/27   | configurable (usually tcp/22 or tcp/443) | Receive SCM repository requests from us-3
54.244.88.96/27     | configurable (usually tcp/22 or tcp/443) | Receive SCM repository requests from us-4
54.86.63.128/26     | configurable (usually tcp/22 or tcp/443) | Receive SCM repository requests from us-3
54.187.254.128/26   | configurable (usually tcp/22 or tcp/443) | Receive SCM repository requests from us-4
54.246.247.16/28    | configurable (usually tcp/22 or tcp/443) | Reserved for expansion
54.255.255.208/28   | configurable (usually tcp/22 or tcp/443) | Reserved for expansion

End-User Access to RightScale Web Application

You should configure your firewall to allow outbound HTTPS connections to the following networks. If you use an HTTP proxy, you should also allow access to the web site names (hostnames) listed in this table.

Egress Rules (for UI and API Access)

Destination Network/CIDR | Ports   | Purpose
54.225.248.128/27        | tcp/443 | Send UI and API requests to us-3.rightscale.com
54.244.88.96/27          | tcp/443 | Send UI and API requests to us-4.rightscale.com
54.86.63.128/26          | tcp/443 | Send UI and API requests to us-3.rightscale.com
54.187.254.128/26        | tcp/443 | Send UI and API requests to us-4.rightscale.com
54.246.247.16/28         | tcp/443 | Send UI and API requests to us-4.rightscale.com
54.255.255.208/28        | tcp/443 | Send UI and API requests to us-4.rightscale.com

Network Protocols and Ports

When considering the rules above, you may elect not to open some ports if you have no need for the RightScale feature associated with that port. This table explains how we use each port, to help you make that decision.

Port                | Required when...                                         | Associated Feature (Egress)                                                                                  | Associated Feature (Ingress)                                          | Notes
tcp/80 (http)       | always                                                   | Allow instances to install OS packages from RightScale mirrors.                                              | n/a                                                                   | Includes "freeze to latest"; see Frozen Repositories.
tcp/443 (https)     | always                                                   | Allow end-users to access the RightScale dashboard and API. Allow instances to communicate with RightNet.    | Allow RightScale to make API requests to a firewalled private cloud.  | RightScale Cloud Appliance for vSphere does not require network ingress.
udp/123 (NTP)       | launching instances that do not have local NTP configured | Allow instances to synchronize the system clock on boot.                                                    | n/a                                                                   | Instance time must be well synchronized for RightLink to function; do not block unless you provide your own NTP servers.
udp/3011 (collectd) | using RightScale monitoring or alerting                  | Allow instances to send monitoring data to RightScale.                                                       | n/a                                                                   |
tcp/22 (git+ssh)    | using Chef-based ServerTemplates                         |                                                                                                              | Allow RightScale to retrieve Chef cookbooks for use with ServerTemplates. | Not required for public Git hosting (GitHub, BitBucket, etc.).
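The egress rules table and the port table above describe a policy that is easy to get wrong by hand (a range opened for the wrong region, or a feature port left open that nothing uses). The following helper is an added example, not RightScale's own tooling: it transcribes both tables as data, derives the minimal egress allow-list for a given set of workload regions (using the page's own region labels) and enabled features (the feature names "ntp" and "monitoring" are assumed names), renders it as iptables commands, and checks whether an address seen in an outbound-connection log belongs to a published RightScale range.

```python
import ipaddress

# Egress rules table transcribed from this page. A regions value of None means
# the range is required for workloads globally; otherwise it lists the regions
# (page labels) whose workloads need it. The 0.0.0.0/0 row is deliberately
# omitted: the page states it is being deprecated in favour of these blocks.
EGRESS_RANGES = [
    ("54.225.248.128/27", "US-East", None),
    ("54.244.88.96/27", "US-West", None),
    ("54.86.63.128/26", "US-East", None),
    ("54.187.254.128/26", "US-West", None),
    ("54.246.247.16/28", "Europe", {"EU-Frankfurt", "EU-Ireland"}),
    ("54.255.255.208/28", "Singapore", {"AP-Singapore"}),
    ("54.248.220.128/28", "Japan", {"AP-Tokyo", "AP-Sydney"}),
]

# Port table from this page: (proto, port, feature). "always" ports are opened
# unconditionally; the others only when the named feature is actually in use.
PORTS = [
    ("tcp", 80, "always"),        # OS package mirrors / frozen repositories
    ("tcp", 443, "always"),       # dashboard, API and RightNet
    ("udp", 123, "ntp"),          # clock sync on boot, unless local NTP exists
    ("udp", 3011, "monitoring"),  # collectd monitoring and alerting data
]


def egress_rules(workload_regions, features):
    """Return the minimal list of (cidr, proto, port) egress tuples for
    workloads in the given regions with the given features enabled."""
    rules = []
    for cidr, _location, regions in EGRESS_RANGES:
        if regions is not None and regions.isdisjoint(workload_regions):
            continue  # regional range not needed by any of our workloads
        for proto, port, feature in PORTS:
            if feature == "always" or feature in features:
                rules.append((cidr, proto, port))
    return rules


def render_iptables(rules, chain="OUTPUT"):
    """Render rules as iptables ACCEPT commands. This is an allow-list only;
    the policy's default DROP/REJECT for other traffic is assumed to exist."""
    return [f"iptables -A {chain} -p {proto} -d {cidr} --dport {port} -j ACCEPT"
            for cidr, proto, port in rules]


def is_rightscale_address(ip):
    """True if ip lies in a published RightScale range; handy for triaging a
    blocked or unexpected outbound connection against this page's list."""
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(cidr) for cidr, _, _ in EGRESS_RANGES)
```

Because the page does not support DNS name-based rules, the generated commands use the CIDR blocks directly; re-run the helper whenever the published table changes.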
Last modified
12:24, 3 Apr 2015


© 2006-2014 RightScale, Inc. All rights reserved.
RightScale is a registered trademark of RightScale, Inc. All other products and services may be trademarks or servicemarks of their respective owners.