VSHN Infrastructure - IP Addresses and Firewall Rules
This page describes the various services VSHN provides and which IP addresses are in use.
Default Firewall Rules
Incoming
By default, all incoming connections are dropped.
Depending on the service provided on the VM, the corresponding ports need to be opened.
| Source | Port | Protocol | Description | Explanation |
|---|---|---|---|---|
| * | - | ICMP | Ping | At least ICMP Echo Request to monitor reachability |
| * | 22 | TCP | SSH | Remote Management |
| * | 80 | TCP | HTTP | Webservice unsecured (HTTP) |
| * | 443 | TCP | HTTPS | Webservice secured (HTTPS) |
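The default incoming policy from the table above, written as an nftables ruleset. This is an added example, not VSHN's own configuration. The table name `vshn_example`, the set names, and the loopback, connection-tracking and ICMPv6 neighbor-discovery rules are assumptions added so that a host stays reachable under a drop policy; the addresses in the sets are the Jumphost and Office entries from the "Important VSHN IP addresses" table on this page.

```nftables
#!/usr/sbin/nft -f
# Added example: table and set names are hypothetical.

# Create-then-delete so the file can be reloaded without duplicating rules.
table inet vshn_example
delete table inet vshn_example

table inet vshn_example {
    # Management sources from the "Important VSHN IP addresses" table.
    # The Office address is listed in addition to the Jumphost, never alone.
    set vshn_mgmt4 {
        type ipv4_addr
        flags interval
        elements = { 5.102.151.165, 212.51.145.245 }
    }
    set vshn_mgmt6 {
        type ipv6_addr
        flags interval
        elements = { 2a06:c00::380d, 2a02:168:4607:100::/64 }
    }

    chain input {
        # "By default, all incoming connections are dropped."
        type filter hook input priority 0; policy drop;

        # Assumption: replies to outgoing traffic and loopback stay allowed.
        ct state established,related accept
        ct state invalid drop
        iif "lo" accept

        # Ping: at least ICMP Echo Request for reachability monitoring.
        icmp type echo-request accept
        # Assumption: IPv6 also needs neighbor discovery under a drop policy.
        icmpv6 type { echo-request, nd-neighbor-solicit, nd-neighbor-advert, nd-router-advert } accept

        # SSH remote management, source "*" as in the table.
        tcp dport 22 accept
        # Tighter variant (assumption, replaces the line above):
        # ip saddr @vshn_mgmt4 tcp dport 22 accept
        # ip6 saddr @vshn_mgmt6 tcp dport 22 accept

        # HTTP and HTTPS, only where the VM provides a web service.
        tcp dport { 80, 443 } accept
    }
}
```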
Outgoing
| Port | Protocol | Description | Destination (minimum) | IPv4 | IPv6 | Explanation |
|---|---|---|---|---|---|---|
| 22 | TCP | SSH | | | | Git and SSH management |
| 25 | TCP | SMTP | or local mail relay | | | |
| 80 | TCP | HTTP | | | | Required during initial server setup. Ubuntu repositories are not available via HTTPS, and apt-key doesn’t support HTTPS. Workaround for package repositories: use https for the puppetlabs repository (works) and use https with a mirror that supports it instead of the Ubuntu repos, for example 'https://ftp.uni-mainz.de/ubuntu'. Workaround for key servers: export all keys on another server, copy them via scp and import them. |
| 123 | UDP | NTP | or local NTP server | | | Time synchronization |
| 443 | TCP | HTTPS | | | | Package repositories, Docker Registry |
| 4971/4972/4973 | TCP | BURP | or local Backup server | | | Backup Server (BURP) |
| 8140 | TCP | Puppet | | | | Puppet Configuration Management Server |
| 5665 | TCP | Icinga2 API | | | | Icinga2 API for client > (satellite >) master connection |
| 443 | TCP | HTTPS | | | | Alerting |
Additional requirements for RHEL systems
| Port | Protocol | Description | Destination (minimum) | IPv4 | IPv6 | Explanation |
|---|---|---|---|---|---|---|
| 443 | TCP | HTTPS | | | | required for RHEL subscription management. |
| 443 | TCP | HTTPS | | | | Required for downloading the RPM GPG key for the Puppet RPM packages. |
Additional requirements for OpenShift systems
For OpenShift 4 the base requirements are documented in the official OpenShift documentation.
| Port | Protocol | Description | Destination (minimum) | IPv4 | IPv6 | Explanation |
|---|---|---|---|---|---|---|
| 443 | TCP | HTTPS | | | | required to pull container images for OpenShift components (control plane, infrastructure, …) and images for builds, example base images and s2i builder images. |
| 443 | TCP | HTTPS | GitHub: | | | Fetching container images etc. from GitHub |
| 443 | TCP | HTTPS | | | | Project Syn management API |
| 443 | TCP | HTTPS | | | | Project Syn Vault instance |
| 443 | TCP | HTTPS | id.vshn.net | 185.98.123.195 | | required for OIDC authentication |
| 443 | TCP | HTTPS | | | | OpenShift integration in customer portal |
| 53 | UDP | DNS | acme-dns-ns.vshn.net | 185.72.21.82 | | required if the OpenShift API and default wildcard certificates should be issued by Let’s Encrypt |
| 443 | TCP | HTTPS | acme-dns-api.vshn.net | 185.98.123.232 | | required if the OpenShift API and default wildcard certificates should be issued by Let’s Encrypt |
| 443 | TCP | HTTPS | | | | required for issuing Let’s Encrypt certificates |
| 443 | TCP | HTTPS | metrics-receive.appuio.net | 185.98.123.232 | | Central metrics storage for OpenShift 4 SLO and billing metrics |
| 443 | TCP | HTTPS | | | | required for pulling crossplane provider images |
Additional requirements for Rancher RKE2 systems
For Rancher RKE2, the base requirements are documented in the official RKE2 documentation.
| Port | Protocol | Description | Destination (minimum) | IPv4 | IPv6 | Explanation |
|---|---|---|---|---|---|---|
| 443 | TCP | HTTPS | | | | required to pull docker images for both RKE2 Components (Control Plane, Node, …) and images for workloads. |
| 443 | TCP | HTTPS | | | | VSHN Rancher management service |
| 443 | TCP | HTTPS | | | | required to download RKE2 Go binary |
| 443 | TCP | HTTPS | | 185.98.123.232 | | Project Syn management API |
| 443 | TCP | HTTPS | | 185.98.123.232 | | Project Syn Vault instance |
| 443 | TCP | HTTPS | | | | Service used to configure node upgrade maintenance windows |
Important VSHN IP addresses
| Name | Hostnames | IPv4 | IPv6 | Note |
|---|---|---|---|---|
| VSHN Office | n/a | 212.51.145.245 | 2a02:168:4607:100::/64 | Don’t use this as the only IP in ACLs, use as addition to a Jumphost IP. |
| VSHN Jumphost | management2.corp.vshn.net | 5.102.151.165 | 2a06:c00::380d | |
| VSHN Customer Portal | control.vshn.net | | | |