Company's Firewall configuration: what resources need to be opened in Firewall for the Nodegrid appliances to connect to ZPE Cloud?

ZPE Cloud uses some IP addresses and hostnames that may be blocked by the Firewall rules.  This can prevent the Nodegrid appliances from connecting to the Cloud and/or utilizing specific ZPE Cloud features.  ZPE Cloud utilizes TCP port 443 for communication.

Important:
  1. We’re excited to announce that ZPE Cloud is expanding its support to include IPv6, alongside our existing IPv4 support. This upgrade will be rolled out in phases:
    1. European Site (zpecloud.eu): Monday, December 9, 2024
    2. North American Site (zpecloud.com): Wednesday, December 11, 2024
    3. See FAQ below for more details.
  2. Customers using ZPE Cloud on the European instance (zpecloud.eu) will also need to enable the IPs for the US server during enrollment. When enrolling a unit, it first connects to zpecloud.com and then is redirected to use the region-specific servers.

US ZPE Cloud Servers:

| Hostname(s) | IPv6 Address | IPv4 Address | Usage |
|---|---|---|---|
| second-tier-ca.zpecloud.com, device-api.zpecloud.com, device-apiv2.zpecloud.com | 2600:1901:0:6091:: | 34.49.235.253 | Required to sign the CSR to connect to Remote Access. Required to Upload/Restore Backups. Required to upload output from executed profiles. |
| api.astarte.zpecloud.com | 2600:1901:0:53ce:: | 34.49.39.37 | Required for Pairing API - without it, device is not able to authenticate against PubSub service and consequently connect to Cloud. |
| access.zpecloud.com | 2600:1901:0:ab8f:: | 34.49.235.61 | Required for Remote Access - without it, device is not able to connect to Remote Access socket. |
| broker.astarte.zpecloud.com | 2600:1901:0:5abb:: | 34.49.26.197 | Required for Broker connection - without it, device is not able to connect to PubSub service and consequently connect to Cloud. |
| www.zpecloud.com, api.zpecloud.com, proxy-access.zpecloud.com, zpecloud.com | 2600:1901:0:910b:: | 34.120.236.72 | Required for Enrollment. Required to SSO from Cloud to Nodegrid appliance; also needs to be enabled on the Nodegrid appliance under Security :: Authentication :: SSO. |
| proxy-forwarder.zpecloud.com | 2600:1901:0:4792:: | 34.36.157.245 | |

European ZPE Cloud Servers:

| Hostname(s) | IPv6 Address | IPv4 Address | Usage |
|---|---|---|---|
| second-tier-ca.zpecloud.eu, device-api.zpecloud.eu, device-apiv2.zpecloud.eu | 2600:1901:0:b0cb:: | 34.128.171.100 | Required to sign the CSR to connect to Remote Access. Required to Upload/Restore Backups. Required to upload output from executed profiles. |
| api.astarte.zpecloud.eu | 2600:1901:0:7123:: | 34.49.228.213 | Required for Pairing API - without it, device is not able to authenticate against PubSub service and consequently connect to Cloud. |
| access.zpecloud.eu | 2600:1901:0:e8af:: | 34.128.152.77 | Required for Remote Access - without it, device is not able to connect to Remote Access socket. |
| broker.astarte.zpecloud.eu | 2600:1901:0:9065:: | 34.36.11.79 | Required for Broker connection - without it, device is not able to connect to PubSub service and consequently connect to Cloud. |
| www.zpecloud.eu, api.zpecloud.eu, proxy-access.zpecloud.eu, zpecloud.eu | 2600:1901:0:ec0d:: | 34.111.34.34 | Required for Enrollment. Required to SSO from Cloud to Nodegrid appliance; also needs to be enabled on the Nodegrid appliance under Security :: Authentication :: SSO. |
| proxy-forwarder.zpecloud.eu | 2600:1901:0:598e:: | 34.49.218.26 | |

Note: As of September 13, 2024, ZPE Cloud no longer uses the following IPs.  They can be removed from any related firewall configurations:
  1. 35.233.194.48, 34.83.86.148, 35.230.32.156, 34.83.67.57, 34.83.37.8, 34.107.16.100, 34.107.15.10, 34.107.6.32, 34.107.54.54, 34.83.37.8
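
One way to audit an existing egress allowlist against the addresses listed above (an added example, not ZPE tooling): it reports required endpoints the allowlist does not cover and retired IPs it still permits. The function name `audit`, the `region`/`ipv6` parameters and the sample allowlist are assumptions made for illustration; one hostname stands in for each table row.

```python
import ipaddress

# (representative hostname, IPv6, IPv4) rows copied from the tables on this page.
US = [
    ("device-api.zpecloud.com", "2600:1901:0:6091::", "34.49.235.253"),
    ("api.astarte.zpecloud.com", "2600:1901:0:53ce::", "34.49.39.37"),
    ("access.zpecloud.com", "2600:1901:0:ab8f::", "34.49.235.61"),
    ("broker.astarte.zpecloud.com", "2600:1901:0:5abb::", "34.49.26.197"),
    ("zpecloud.com", "2600:1901:0:910b::", "34.120.236.72"),
    ("proxy-forwarder.zpecloud.com", "2600:1901:0:4792::", "34.36.157.245"),
]
EU = [
    ("device-api.zpecloud.eu", "2600:1901:0:b0cb::", "34.128.171.100"),
    ("api.astarte.zpecloud.eu", "2600:1901:0:7123::", "34.49.228.213"),
    ("access.zpecloud.eu", "2600:1901:0:e8af::", "34.128.152.77"),
    ("broker.astarte.zpecloud.eu", "2600:1901:0:9065::", "34.36.11.79"),
    ("zpecloud.eu", "2600:1901:0:ec0d::", "34.111.34.34"),
    ("proxy-forwarder.zpecloud.eu", "2600:1901:0:598e::", "34.49.218.26"),
]
# IPs the page says ZPE Cloud stopped using as of September 13, 2024.
RETIRED = ["35.233.194.48", "34.83.86.148", "35.230.32.156", "34.83.67.57",
           "34.83.37.8", "34.107.16.100", "34.107.15.10", "34.107.6.32",
           "34.107.54.54"]

def audit(allowlist, region="us", ipv6=False):
    """Compare allowlist entries (IPs or CIDRs, TCP 443 egress) with the tables."""
    nets = [ipaddress.ip_network(e, strict=False) for e in allowlist]

    def covered(ip):
        addr = ipaddress.ip_address(ip)
        return any(addr.version == n.version and addr in n for n in nets)

    # EU devices enroll through zpecloud.com first, so they need the US rows too.
    rows = US + (EU if region == "eu" else [])
    missing = [(host, ip)
               for host, v6, v4 in rows
               for ip in ([v4, v6] if ipv6 else [v4])
               if not covered(ip)]
    stale = [ip for ip in RETIRED if covered(ip)]
    return missing, stale

# Constructed sample allowlist: the US IPv4 rows plus one retired address.
SAMPLE = [v4 for _, _, v4 in US] + ["34.83.37.8/32"]

if __name__ == "__main__":
    print(audit(SAMPLE, region="eu", ipv6=True))
```

Run it with the allowlist exported from your firewall; an empty `missing` list and an empty `stale` list mean the rules match this page.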

Frequently Asked Questions (FAQ)

  • Can I change my firewall whitelists now?

Yes, you can update your firewall whitelists now. You can add the new IPv6 addresses while keeping the existing IPv4 entries intact. This ensures you're prepared ahead of the full IPv6 rollout.

  • What happens if I don’t update my firewall whitelist?

IPv4 will continue to function as usual, even if you don't update your whitelist. However, if IPv6 infrastructure is in place and a firewall is used, you will need to whitelist the new IPv6 addresses to ensure uninterrupted service.

  • If I don’t use firewall whitelists, do I need to take any action?

While maintaining a firewall is highly recommended for network security, if you don’t currently use a whitelist, no immediate action is required.

  • Are the new IPs currently active?

No, the new IPv6 addresses will become active on December 9, 2024 and December 11, 2024. To avoid any service disruptions, we recommend adding the new IP addresses to your whitelist in advance.

  • Does this change require modification to Nodegrid configuration?

No changes to your Nodegrid configuration are necessary.

  • How to verify if the network connection in Nodegrid has IPv6 support?

You can check if your network connection has IPv6 support by accessing Nodegrid’s WebUI and navigating to Network :: Connections. There, you can see if there is any address in the IPv6 column.

  • How to enable IPv6 support in Nodegrid?

Access Nodegrid’s WebUI and navigate to Network :: Connections. Click on the desired network connection, and then change the “IPv6 mode” for that connection. Please check with your ISP to confirm if your link has IPv6 support.


Should you have any questions or concerns, please don't hesitate to reach out to our support team.
