Cloud access requirements - BlueCat Edge - Service Point v4.x.x

BlueCat Edge Deployment Guide

The following section lists the CNAME records and endpoints that the Service Point must be able to resolve and connect to in order to communicate with the BlueCat Edge Cloud.

The Service Point must be able to look up and resolve the following CNAME records before it can successfully connect to the BlueCat Edge Cloud:
  • cwlogs-<customer name>.edge.bluec.at
  • cwmetrics-<customer name>.edge.bluec.at
  • kinesis-<customer name>.edge.bluec.at
  • spm-<customer name>.edge.bluec.at

Where <customer name> is the name of your BlueCat Edge Cloud instance. For example, if your BlueCat Edge Cloud instance name is demo, a CNAME record that must be resolvable would be cwlogs-demo.edge.bluec.at.

If your Service Point has direct access to the BlueCat Edge Cloud, the Service Point must be able to resolve and connect to the following endpoints:
Note: These endpoints change periodically; you must add them to the trust list to prevent them from being blocked.
General Service Point cloud access requirements:
  • *.bluec.at – Used to communicate with the BlueCat Edge Cloud API and UI.
  • *.us-west-2.elb.amazonaws.com (for Edge CIs in US regions) or *.eu-central-1.elb.amazonaws.com (for Edge CIs in European regions) – Used to check for changes in the configuration, such as policy and namespace updates.
  • logs.us-west-2.amazonaws.com (for Edge CIs in US regions) or logs.eu-central-1.amazonaws.com (for Edge CIs in European regions) – Used to send container logs and system-level logs for BlueCat to monitor and troubleshoot.
  • monitoring.us-west-2.amazonaws.com (for Edge CIs in US regions) or monitoring.eu-central-1.amazonaws.com (for Edge CIs in European regions) – Used to send various system metrics for BlueCat to monitor and troubleshoot.
  • firehose.us-west-2.amazonaws.com (for Edge CIs in US regions) or firehose.eu-central-1.amazonaws.com (for Edge CIs in European regions) – Used to send all DNS events that flow through the Service Point to the BlueCat Edge Cloud.
  • prod-us-east-1-starport-layer-bucket.s3.us-east-1.amazonaws.com – Used to pull updated Docker images during upgrades.
Additional Service Point v3 cloud access requirements:
  • public.update.core-os.net – Used by the CoreOS of the Service Point to poll for updates.
  • update.release.core-os.net – Used by the CoreOS of the Service Point to poll for updates.
  • *.ecr.us-east-1.amazonaws.com – Used to pull updated Docker images during upgrades.
Additional Service Point v4 cloud access requirements:
  • service-layer.us.fleet.bluec.at (for Edge CIs in US regions) or service-layer.eu.fleet.bluec.at (for Edge CIs in European regions) – Used to communicate with the Fleet management service, and to pull DNS resolver service updates.
  • images.us.fleet.bluec.at (for Edge CIs in US regions) or images.eu.fleet.bluec.at (for Edge CIs in European regions) – Used to pull Service Point v4 hotfix updates.
  • vertex.prod.edge.bluec.at (for Edge CIs in US regions) or vertex.eu.edge.bluec.at (for Edge CIs in European regions) – Used to register devices and update the device certificates.
  • vertex-m.prod.edge.bluec.at (for Edge CIs in US regions) or vertex-m.eu.edge.bluec.at (for Edge CIs in European regions) – Used to register devices and update the device certificates.

If you are using a proxy, the proxy must be able to resolve and connect to the previously mentioned endpoints. Your Service Point must only be able to resolve and connect to your proxy.
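
A preflight check for the requirements above, added here as an example (not BlueCat code): it builds the name list for one instance and region, resolves the CNAME records, and tests resolution plus a TCP connection for the fixed endpoints. The function names, the region keys `us`/`eu` and TCP port 443 are assumptions; this page does not state a port.

```python
import socket
from fnmatch import fnmatch

# region key -> (AWS region, fleet label, vertex label), as used in the list above
REGIONS = {"us": ("us-west-2", "us", "prod"), "eu": ("eu-central-1", "eu", "eu")}

def required_names(customer, region, sp_version=4):
    """Return (cname_records, endpoints) for one Edge instance and region."""
    aws, fleet, vertex = REGIONS[region]
    cnames = [f"{p}-{customer}.edge.bluec.at"
              for p in ("cwlogs", "cwmetrics", "kinesis", "spm")]
    endpoints = ["*.bluec.at", f"*.{aws}.elb.amazonaws.com",
                 f"logs.{aws}.amazonaws.com", f"monitoring.{aws}.amazonaws.com",
                 f"firehose.{aws}.amazonaws.com",
                 "prod-us-east-1-starport-layer-bucket.s3.us-east-1.amazonaws.com"]
    if sp_version == 3:
        endpoints += ["public.update.core-os.net", "update.release.core-os.net",
                      "*.ecr.us-east-1.amazonaws.com"]
    elif sp_version == 4:
        endpoints += [f"service-layer.{fleet}.fleet.bluec.at",
                      f"images.{fleet}.fleet.bluec.at",
                      f"vertex.{vertex}.edge.bluec.at",
                      f"vertex-m.{vertex}.edge.bluec.at"]
    return cnames, endpoints

def is_allowed(hostname, patterns):
    """True if hostname matches a trust-list entry (entries may be wildcards)."""
    return any(fnmatch(hostname.lower(), p) for p in patterns)

def check(name, port=443, timeout=5, connect=True):
    """Resolve name, then optionally open a TCP connection (port is assumed)."""
    try:
        addr = socket.getaddrinfo(name, port, type=socket.SOCK_STREAM)[0][4]
    except socket.gaierror:
        return "dns-fail"
    if not connect:
        return "ok"
    try:
        with socket.create_connection(addr[:2], timeout=timeout):
            return "ok"
    except OSError:
        return "connect-fail"

if __name__ == "__main__":
    cnames, endpoints = required_names("demo", "us")  # "demo" as in the text
    for n in cnames:
        print(f"{check(n, connect=False):13}{n}")
    for n in (e for e in endpoints if "*" not in e):
        print(f"{check(n):13}{n}")
    # Wildcard entries cannot be resolved; they are trust-list patterns only.
    print("patterns:", [e for e in endpoints if "*" in e])
```

Run it from the Service Point's network segment, or from the proxy host when a proxy is in use. `is_allowed` can be pointed at hostnames from firewall or proxy deny logs to find blocked names that the trust list should have covered.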