Company's Firewall configuration: what resources need to be opened in Firewall for the Nodegrid appliances to connect to ZPE Cloud?

Company's Firewall configuration: what resources need to be opened in Firewall for the Nodegrid appliances to connect to ZPE Cloud?

ZPE Cloud uses some IP addresses and hostnames that may be blocked by the Firewall rules.  This can prevent the Nodegrid appliances from connecting to the Cloud and/or untilizing specific ZPE Cloud fgeatures.  ZPE Cloud utilizes TCP port 443 for communication.

US ZPE Cloud Servers:
Hostname(s)IP AddressUsage
second-tier-ca.zpecloud.com
device-api.zpecloud.com
35.233.194.48
Required to sign the CSR to connect to Remote Access.
Required to Upload/Restore Backups.
Required to upload output from executed profiles.
api.astarte.zpecloud.com34.83.86.148Required for Pairing API - without it, device is not able to authenticate against PubSub service and consequently connect to Cloud.
access.zpecloud.com35.230.32.156Required for Remote Access - without it, device is not able to connect to Remote Access socket.
broker.astarte.zpecloud.com 34.83.67.57Required for Broker connection - without it, device is not able to connect to PubSub service and consequently connect to Cloud.
proxy-access.zpecloud.com
api.zpecloud.com
34.83.37.8
Required for Enrollment.
Required to SSO from Cloud to Nodegrid appliance; also needs to be enabled on the Nodegrid appliance under Security :: Authentication :: SSO.

European ZPE Cloud Servers:
Hostname(s)IP AddressUsage
second-tier-ca.zpecloud.eu
device-api.zpecloud.eu
34.107.16.100
Required to sign the CSR to connect to Remote Access.
Required to Upload/Restore Backups.
Required to upload output from executed profiles.
api.astarte.zpecloud.eu34.107.15.10Required for Pairing API - without it, device is not able to authenticate against PubSub service and consequently connect to Cloud.
access.zpecloud.eu34.107.6.32Required for Remote Access - without it, device is not able to connect to Remote Access socket.
broker.astarte.zpecloud.eu 34.107.54.54Required for Broker connection - without it, device is not able to connect to PubSub service and consequently connect to Cloud.
proxy-access.zpecloud.eu
api.zpecloud.eu
34.83.37.8
Required for Enrollment.
Required to SSO from Cloud to Nodegrid appliance; also needs to be enabled on the Nodegrid appliance under Security :: Authentication :: SSO.


Note: When enrolling a unit, it first connects to zpecloud.com and then is redirected to use the region specific servers.  This means you may need to allow access to both sets of domains and IPs during enrollment.
    • Related Articles

    • Firewall Rules for the Nodegrid Platform

      Version 0.2 (17 May 2018) Overview This guide lists all required and recommended firewall rules, to ensure a proper working of the solution. The list will need to be adjusted based on specific customer requirements. By default will the firewall will ...
    • How to Manually Add a Device in ZPE Cloud

      Log into ZPE Cloud and click on settings.  This will take you directly to the "Enrollment" page.  Make sure to check the box for "Enable Device Enrollment" to enable enrollment.  Here you will need to copy your "Customer Code" and your "Enrollment ...
    • How to Configure Firewall on a Nodegrid

      Version 0.1 (08 May 2018) Overview The Nodegrid platform comes with its own firewall which is based on iptables. The WebUI and the CLI provide an easy way of creating and managing the firewall. By default, the firewall accepts all incoming traffic. ...
    • Creating a New Firewall rule to block an Ip address or a network

      There are six default chains to configure firewall rules. Three for IPv4 and three for IPv6.  These chains are input , output and forward packets. One can make additional user chain if required. For each chain, policy can be created. Configuration ...
    • Automate Firewall Deployment with ZPE Cloud

      With ZPE Cloud one can deploy the firewall on nodegrid devices automatically. One can select the device and script ( firewall configuration ) and it will be deployed on the selected device. Follow these steps, Login in ZPE Cloud and go to Devices ...