Company's Firewall configuration: what resources need to be opened in Firewall for the Nodegrid appliances to connect to ZPE Cloud?

Company's Firewall configuration: what resources need to be opened in Firewall for the Nodegrid appliances to connect to ZPE Cloud?

ZPE Cloud uses some IP addresses and hostnames that may be blocked by the Firewall rules.  This can prevent the Nodegrid appliances from connecting to the Cloud and/or untilizing specific ZPE Cloud fgeatures.  ZPE Cloud utilizes TCP port 443 for communication.

US ZPE Cloud Servers:
Hostname(s)IP AddressUsage
second-tier-ca.zpecloud.com
device-api.zpecloud.com
device-apiv2.zpecloud.com

35.233.194.48
Required to sign the CSR to connect to Remote Access.
Required to Upload/Restore Backups.
Required to upload output from executed profiles.
api.astarte.zpecloud.com34.83.86.148Required for Pairing API - without it, device is not able to authenticate against PubSub service and consequently connect to Cloud.
access.zpecloud.com35.230.32.156Required for Remote Access - without it, device is not able to connect to Remote Access socket.
broker.astarte.zpecloud.com 34.83.67.57Required for Broker connection - without it, device is not able to connect to PubSub service and consequently connect to Cloud.
proxy-access.zpecloud.com
api.zpecloud.com
34.83.37.8
Required for Enrollment.
Required to SSO from Cloud to Nodegrid appliance; also needs to be enabled on the Nodegrid appliance under Security :: Authentication :: SSO.

European ZPE Cloud Servers:
Hostname(s)IP AddressUsage
second-tier-ca.zpecloud.eu
device-api.zpecloud.eu
device-apiv2.zpecloud.eu
34.107.16.100
Required to sign the CSR to connect to Remote Access.
Required to Upload/Restore Backups.
Required to upload output from executed profiles.
api.astarte.zpecloud.eu34.107.15.10Required for Pairing API - without it, device is not able to authenticate against PubSub service and consequently connect to Cloud.
access.zpecloud.eu34.107.6.32Required for Remote Access - without it, device is not able to connect to Remote Access socket.
broker.astarte.zpecloud.eu 34.107.54.54Required for Broker connection - without it, device is not able to connect to PubSub service and consequently connect to Cloud.
proxy-access.zpecloud.eu
api.zpecloud.eu
34.83.37.8
Required for Enrollment.
Required to SSO from Cloud to Nodegrid appliance; also needs to be enabled on the Nodegrid appliance under Security :: Authentication :: SSO.


Note: When enrolling a unit, it first connects to zpecloud.com and then is redirected to use the region specific servers.  This means you may need to allow access to both sets of domains and IPs during enrollment.

    • Related Articles

    • Firewall Rules for the Nodegrid Platform

      Version 0.2 (17 May 2018) Overview This guide lists all required and recommended firewall rules, to ensure a proper working of the solution. The list will need to be adjusted based on specific customer requirements. By default will the firewall will ...

    • Guide: Add Devices to a Company in ZPE Cloud

      Overview There are different methods to associate Nodegrid appliances with a specific ZPE Cloud company: Claim ID, Transfer Key or Customer Code and Enrollment Key. Requirements: The Nodegrid appliance needs to be on v4.2.13 or newer. If upgrade is ...

    • How to Configure Firewall on a Nodegrid

      Version 0.1 (08 May 2018) Overview The Nodegrid platform comes with its own firewall which is based on iptables. The WebUI and the CLI provide an easy way of creating and managing the firewall. By default, the firewall accepts all incoming traffic. ...

    • Troubleshoot: ZPE Cloud scheduled Backup failures

      Verify the affected system's time is set correctly If there is a significant time difference between ZPE Cloud and the target system, the backup will not upload properly causing the job to fail. Check the system's time from the GUI: System :: Date ...

    • Creating a New Firewall rule to block an Ip address or a network

      There are six default chains to configure firewall rules. Three for IPv4 and three for IPv6.  These chains are input , output and forward packets. One can make additional user chain if required. For each chain, policy can be created. Configuration ...