VSHN Infrastructure - IP Addresses and Firewall Rules

This page describes the various services VSHN provides and which IP addresses are in use.

Default Firewall Rules

Incoming

By default, all incoming connections are dropped.

Depending on the service provided by the VM, the corresponding ports need to be opened.

| Source | Port | Protocol | Description | Explanation |
|--------|------|----------|-------------|-------------|
| * | - | ICMP | Ping | At least ICMP Echo Request, to monitor reachability |
| * | 22 | TCP | SSH | Remote management |
| * | 80 | TCP | HTTP | Web service, unencrypted (HTTP) |
| * | 443 | TCP | HTTPS | Web service, TLS-secured (HTTPS) |

Additional requirements for OpenShift systems

| Source | Port | Protocol | Description | Explanation |
|--------|------|----------|-------------|-------------|
| 185.98.123.195 (APPUiO cloudscale.ch - LPG 2) | 443 | TCP | HTTPS | Integration into control.vshn.net |

Outgoing

| Port | Protocol | Description | Destination (minimum) | IPv4 | IPv6 | Explanation |
|------|----------|-------------|-----------------------|------|------|-------------|
| 22 | TCP | SSH | git.vshn.net, management2.corp.vshn.net, GitHub | | | Git and SSH management |
| 25 | TCP | SMTP | * or local mail relay | | | Mail |
| 80 | TCP | HTTP | Ubuntu package repositories, Puppetlabs package repositories, key servers | | | Required during initial server setup. Ubuntu repositories are not available via HTTPS, and apt-key doesn't support HTTPS; see the workarounds below the table. |
| 123 | UDP | NTP | * or local NTP server | | | Time synchronization |
| 443 | TCP | HTTPS | cache1.vshn.net, cache2.vshn.net, registry.vshn.net, Docker Hub, Red Hat Docker Registry | 5.102.151.77, 159.100.242.228, 5.102.151.92, unknown, unknown | 2a06:c00::3b22, 2a04:c43:e00:13f0:500:1:0:1, 2a06:c00::3554, unknown, unknown | Package repositories, Docker registry |
| 4971, 4972, 4973 | TCP | BURP | backup*.rma.cloudscale.vshn.net, backup*.lpg.cloudscale.vshn.net, or local backup server | 185.72.23.224/27, 185.72.21.0/27 | 2a05:3d80:8000::/48, 2a05:3d81:8000::/48 | Backup server (BURP) |
| 8140 | TCP | Puppet | master.puppet.vshn.net | 5.102.151.83, 5.102.151.36 | 2a06:c00::3bc5, 2a06:c00::3df5 | Puppet configuration management server |
| 5665 | TCP | Icinga2 API | master.monitoring.vshn.net, master2.prod.monitoring.vshn.net | 45.81.71.100, 5.102.145.243 | 2a06:c00::575a, 2a06:c01:1:1102::243 | Icinga2 API for the client > (satellite >) master connection |
| 443 | TCP | HTTPS | api.opsgenie.com | ip-ranges.atlassian.com | ip-ranges.atlassian.com | Alerting |

Workaround for package repositories

Use HTTPS for the Puppetlabs repository (this works) and, instead of the Ubuntu repositories, use HTTPS with a mirror that supports it, for example 'https://ftp.uni-mainz.de/ubuntu'.

Workaround for key servers

Export all keys on another server, copy them over via scp and import them.
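The two tables above describe a default-deny policy: incoming traffic is dropped except for the listed services, and outgoing traffic is allowlisted per destination, with some destinations given only as hostnames or as "unknown". The following Python script is an added example (not a VSHN tool, and not code from this page) that turns a hand-typed subset of those table rows into an nftables ruleset and reports the destinations that cannot become address-based rules. The rule entries and all function names are constructed for this example; the IPs are copied from the tables above.

```python
"""Generate an nftables allowlist from firewall-rule tables like the ones on this page.

Constructed example: the entries below are a small, hand-typed subset of the
page's tables; the helper names are my own and not a VSHN tool.
"""
import ipaddress

# Constructed subset of the "Incoming" defaults: (protocol, port, description)
INCOMING_DEFAULTS = [
    ("icmp", None, "ICMP echo request for reachability monitoring"),
    ("tcp", 22, "SSH remote management"),
    ("tcp", 80, "HTTP"),
    ("tcp", 443, "HTTPS"),
]

# Constructed subset of the "Outgoing" table: (ports, protocol, description, destinations)
OUTGOING = [
    ((8140,), "tcp", "Puppet",
     ["5.102.151.83", "5.102.151.36", "2a06:c00::3bc5", "2a06:c00::3df5"]),
    ((4971, 4972, 4973), "tcp", "BURP backup",
     ["185.72.23.224/27", "185.72.21.0/27", "2a05:3d80:8000::/48", "2a05:3d81:8000::/48"]),
    ((443,), "tcp", "Docker Hub", ["unknown"]),   # IP not listed on the page
    ((22,), "tcp", "Git", ["git.vshn.net"]),      # hostname only
]


def classify_destination(dest):
    """Return (family, network) for an IP or CIDR; (None, dest) for 'unknown' or hostnames.

    strict=False lets a host address such as 5.102.151.83 become a /32 network.
    """
    try:
        net = ipaddress.ip_network(dest, strict=False)
    except ValueError:
        return None, dest
    return ("ip" if net.version == 4 else "ip6"), net


def port_set(ports):
    """Render a single port, or an nftables anonymous set for several ports."""
    if len(ports) == 1:
        return str(ports[0])
    return "{ " + ", ".join(str(p) for p in ports) + " }"


def incoming_rules(entries):
    """Rules for a default-deny input chain: only the listed services are opened."""
    rules = ["ct state established,related accept", "iif lo accept"]
    for proto, port, desc in entries:
        if proto == "icmp":
            # Accept both ICMP and ICMPv6 echo requests so dual-stack monitoring works.
            rules.append(f'icmp type echo-request accept comment "{desc}"')
            rules.append(f'icmpv6 type echo-request accept comment "{desc}"')
        else:
            rules.append(f'{proto} dport {port} accept comment "{desc}"')
    return rules


def outgoing_rules(entries):
    """Egress allowlist keyed by destination address.

    Returns (rules, unresolved): destinations given as a hostname or as
    'unknown' cannot become an address-based rule and are reported instead
    of being silently skipped.
    """
    rules, unresolved = [], []
    for ports, proto, desc, dests in entries:
        for dest in dests:
            family, net = classify_destination(dest)
            if family is None:
                unresolved.append((desc, dest))
                continue
            rules.append(f'{family} daddr {net} {proto} dport {port_set(ports)} accept comment "{desc}"')
    return rules, unresolved


def render_ruleset(inbound, outbound):
    """Assemble a complete nft ruleset text with drop policies on both chains."""
    lines = ["table inet vshn_baseline {",
             "  chain input {",
             "    type filter hook input priority 0; policy drop;"]
    lines += ["    " + r for r in inbound]
    lines += ["  }",
              "  chain output {",
              "    type filter hook output priority 0; policy drop;",
              "    ct state established,related accept",
              "    oif lo accept"]
    lines += ["    " + r for r in outbound]
    lines += ["  }", "}"]
    return "\n".join(lines)


if __name__ == "__main__":
    out_rules, gaps = outgoing_rules(OUTGOING)
    print(render_ruleset(incoming_rules(INCOMING_DEFAULTS), out_rules))
    for desc, dest in gaps:
        print(f"# unresolved destination for {desc}: {dest} (needs a resolved set or a proxy)")
```

The constructed subset deliberately omits the DNS and NTP rows from the table above, so the generated output chain would block name resolution if loaded as-is; in practice the full table (or a local resolver and NTP server) belongs in the egress list. Destinations reported as unresolved are the rows to revisit before enforcing egress filtering: a registry that only publishes hostnames needs either a periodically refreshed address set or an egress proxy rather than a static daddr rule.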

Additional requirements for RHEL systems

| Port | Protocol | Description | Destination (minimum) | IPv4 | IPv6 | Explanation |
|------|----------|-------------|-----------------------|------|------|-------------|
| 443 | TCP | HTTPS | subscription.rhsm.redhat.com | | | Required for RHEL subscription management |
| 443 | TCP | HTTPS | yum.puppetlabs.com | | | Required for downloading the RPM GPG key for the Puppet RPM packages |

Additional requirements for OpenShift systems

For OpenShift 4 the base requirements are documented in the official OpenShift documentation.

| Port | Protocol | Description | Destination (minimum) | IPv4 | IPv6 | Explanation |
|------|----------|-------------|-----------------------|------|------|-------------|
| 443 | TCP | HTTPS | index.docker.io, registry.redhat.io, registry.access.redhat.com, quay.io, cdn.quay.io, cdn01.quay.io, cdn02.quay.io, cdn03.quay.io, registry.k8s.io, gcr.io | | | Required to pull container images for OpenShift components (control plane, infrastructure, …) and images for builds, for example base images and S2I builder images |
| 443 | TCP | HTTPS | GitHub: ghcr.io, github.com | GitHub help | GitHub help | Fetching container images etc. from GitHub |
| 443 | TCP | HTTPS | | 185.98.123.232 | | Project Syn management API |
| 443 | TCP | HTTPS | | 185.98.123.232 | | Project Syn Vault instance |
| 443 | TCP | HTTPS | id.vshn.net | 185.98.123.195 | | Required for OIDC authentication |
| 443 | TCP | HTTPS | | 5.102.151.2, 5.102.151.3 | | OpenShift integration in the customer portal |
| 53 | UDP | DNS | acme-dns-ns.vshn.net | 185.72.21.82 | | Required if the OpenShift API and default wildcard certificates should be issued by Let's Encrypt |
| 443 | TCP | HTTPS | acme-dns-api.vshn.net | 185.98.123.232 | | Required if the OpenShift API and default wildcard certificates should be issued by Let's Encrypt |
| 443 | TCP | HTTPS | acme-v02.api.letsencrypt.org, acme-staging-v02.api.letsencrypt.org | | | Required for issuing Let's Encrypt certificates |
| 443 | TCP | HTTPS | metrics-receive.appuio.net | 185.98.123.232 | | Central metrics storage for OpenShift 4 SLO and billing metrics |
| 443 | TCP | HTTPS | xpkg.upbound.io | | | Required for pulling Crossplane provider images |

Additional requirements for Rancher RKE2 systems

For Rancher RKE2, the base requirements are documented in the official RKE2 documentation.

| Port | Protocol | Description | Destination (minimum) | IPv4 | IPv6 | Explanation |
|------|----------|-------------|-----------------------|------|------|-------------|
| 443 | TCP | HTTPS | | | | Required to pull container images for both RKE2 components (control plane, node, …) and images for workloads |
| 443 | TCP | HTTPS | | 5.102.151.94 | | VSHN Rancher management service |
| 443 | TCP | HTTPS | | | | Required to download the RKE2 Go binary |
| 443 | TCP | HTTPS | api.syn.vshn.net | 185.98.123.232 | | Project Syn management API |
| 443 | TCP | HTTPS | vault-prod.syn.vshn.net | 185.98.123.232 | | Project Syn Vault instance |
| 443 | TCP | HTTPS | | 185.98.123.232 | | Service used to configure node upgrade maintenance windows |

Important VSHN IP addresses

| Name | Hostnames | IPv4 | IPv6 | Notes |
|------|-----------|------|------|-------|
| VSHN Office | n/a | 212.51.145.245 | 2a02:168:4607:100::/64 | Don't use this as the only IP in ACLs; use it in addition to a jumphost IP. |
| VSHN Jumphost | management2.corp.vshn.net | 5.102.151.165 | 2a06:c00::380d | |
| VSHN Customer Portal | control.vshn.net | 5.102.151.2, 5.102.151.3 | | |