VSHN Infrastructure - IP Addresses and Firewall Rules

This page describes the various services VSHN provides and which IP addresses are in use.

Default Firewall Rules

Incoming

By default, all incoming connections are dropped.

Depending on the provided service on the VM the corresponding ports need to be opened.

Source Port Protocol Description Explanation

*

-

ICMP

Ping

At least ICMP Echo Request to monitor reachability

*

22

TCP

SSH

Remote Management

*

80

TCP

HTTP

Webservice unsecured (HTTP)

*

443

TCP

HTTPS

Webservice secured (HTTPS)

Outgoing

Port Protocol Description Destination (minimum) IPv4 IPv6 Explanation

22

TCP

SSH

  • git.vshn.net

  • management1.corp.vshn.net

  • Github

Git and SSH management

25

TCP

SMTP

  • *

or local mail relay

Mail

80

TCP

HTTP

  • Ubuntu package repositories

  • Puppetlabs package repositories

  • Key servers

Required during initial server setup. Ubuntu repositories not available via HTTPS. apt-key doesn’t support HTTPS.

Workaround for package repositories

Use https for the puppetlabs repository (works) and use https with a mirror that supports it instead of the Ubuntu repos, for example 'https://ftp.uni-mainz.de/ubuntu'.

Workaround for key servers

Export all keys on another server, copy via scp and import.

123

UDP

NTP

  • *

or local NTP server

Time synchronization

443

TCP

HTTPS

  • cache1.vshn.net

  • cache2.vshn.net

  • registry.vshn.net

  • Docker Hub

  • Red Hat Docker Registry

  • 5.102.151.77

  • 159.100.242.228

  • 5.102.151.92

  • unknown

  • unknown

  • 2a06:c00::3b22

  • -

  • 2a06:c00::3554

  • unknown

  • unknown

Package repositories, Docker Registry

4971/4972

TCP

BURP

  • backup*.rma.cloudscale.vshn.net

  • backup*.lpg.cloudscale.vshn.net

or local Backup server

  • 185.72.23.224/27

  • 185.72.21.0/27

  • 2a05:3d80:8000::/48

  • 2a05:3d81:8000::/48

Backup Server (BURP)

8140

TCP

Puppet

  • master.puppet.vshn.net

  • 5.102.151.83

  • 5.102.151.36

  • 2a06:c00::3bc5

  • 2a06:c00::3df5

Puppet Configuration Management Server

11371

TCP

HKP

  • keyserver.ubuntu.com

  • 162.213.33.8

  • 162.213.33.9

GPG Key Exchange to add repositories

5665

TCP

Icinga2 API

  • master.monitoring.vshn.net

  • master2.prod.monitoring.vshn.net

  • 45.81.71.100

  • 5.102.145.243

  • 2a06:c00::575a

  • 2a06:c01:1:1102::243

Icinga2 API for client > (satellite >) master connection

Additional requirements for RHEL systems

Port Protocol Description Destination (minimum) IPv4 IPv6 Explanation

443

TCP

HTTPS

subscription.rhsm.redhat.com

required for RHEL subscription management.

443

TCP

HTTPS

yum.puppetlabs.com

Required for downloading the RPM GPG key for the Puppet RPM packages.

Additional requirements for OpenShift systems

For OpenShift 4 the base requirements are documented in the official OpenShift documentation.

Port Protocol Description Destination (minimum) IPv4 IPv6 Explanation

443

TCP

HTTPS

required to pull docker images for both OpenShift Components (Master, Node, …​) and images for builds, for example base images and s2i builder images.

443

TCP

HTTPS

GitHub

Github help

Github help

Fetching Ansible roles etc. from GitHub

443

TCP

HTTPS

  • 5.102.146.128

  • 5.102.146.162

  • 5.102.146.185

Project Syn management API

443

TCP

HTTPS

  • 5.102.146.128

  • 5.102.146.162

  • 5.102.146.185

Project Syn Vault instance

636

TCP

LDAP

ldap.vshn.net

5.102.151.183

2a06:c00::346c

required for authentication

443

TCP

HTTPS

  • 5.102.151.2

  • 5.102.151.3

OpenShift integration in customer portal

Important VSHN IP addresses

Name Hostnames IPv4 IPv6

VSHN Office

n/a

212.51.145.245

2a02:168:4607:100::/64

Don’t use this as the only IP in ACLs, use as addition to a Jumphost IP.

VSHN Jumphost

management1.corp.vshn.net

5.102.151.165

2a06:c00::380d

VSHN Customer Portal

control.vshn.net

  • 5.102.151.2

  • 5.102.151.3