Cloud access requirements - BlueCat Edge - Service Point v4.x.x

BlueCat Edge Deployment Guide


This section lists the CNAME records and endpoints that the Service Point must be able to resolve and connect to in order to communicate with the BlueCat Edge Cloud.

Depending on the region that your Edge CI is deployed in and the services that you use, you might need only a subset of these cloud access requirements. You can view the information about the AWS region that your Edge CI is deployed in, and the cloud access requirements for your environment by clicking in the top-right bar. The Cloud endpoints page opens.

Click to copy the cloud access endpoint requirements to your clipboard.

Cloud access endpoint descriptions

The Service Point must be able to look up and resolve the following CNAME records before it can successfully connect to the BlueCat Edge Cloud:

  • cwlogs-<customer name>.edge.bluec.at (Service Point v3 only)
  • cwmetrics-<customer name>.edge.bluec.at (Service Point v3 only)
  • kinesis-<customer name>.edge.bluec.at
  • spm-<customer name>.edge.bluec.at (Service Point v3 only)
    Note: The spm-<customer name>.edge.bluec.at CNAME record is also required for Service Point v4 running DNS Resolver Service v3.10.0 and earlier.

Where <customer name> is the name of your BlueCat Edge Cloud instance. For example, if your BlueCat Edge Cloud instance name is demo, a CNAME record that must be resolvable would be cwlogs-demo.edge.bluec.at.

If your Service Point has direct access to the BlueCat Edge Cloud, the Service Point must be able to resolve and connect to the following endpoints:
Note: These endpoints change periodically. You must add them to the trust list to prevent them from being blocked.
General Service Point cloud access requirements:
  • *.bluec.at – Used to communicate with the BlueCat Edge Cloud API and UI.
  • *.us-west-2.elb.amazonaws.com (for Edge CIs in US regions) or *.eu-central-1.elb.amazonaws.com (for Edge CIs in European regions) – Used to check for changes in the configuration, such as policy and namespace updates.
  • firehose.us-west-2.amazonaws.com (for Edge CIs in US regions) or firehose.eu-central-1.amazonaws.com (for Edge CIs in European regions) – Used to send all DNS events that flow through the Service Point to the BlueCat Edge Cloud.
Additional Service Point v3 cloud access requirements:
  • logs.us-west-2.amazonaws.com (for Edge CIs in US regions) or logs.eu-central-1.amazonaws.com (for Edge CIs in European regions) – Used to send container logs and system-level logs for BlueCat to monitor and troubleshoot.
  • monitoring.us-west-2.amazonaws.com (for Edge CIs in US regions) or monitoring.eu-central-1.amazonaws.com (for Edge CIs in European regions) – Used to send various system metrics for BlueCat to monitor and troubleshoot.
  • public.update.core-os.net – Used by the CoreOS of the Service Point to poll for updates.
  • update.release.core-os.net – Used by the CoreOS of the Service Point to poll for updates.
  • *.ecr.us-east-1.amazonaws.com – Used to pull updated docker images during upgrades.
  • prod-us-east-1-starport-layer-bucket.s3.us-east-1.amazonaws.com – Used to pull updated docker images during upgrades.
Additional Service Point v4 cloud access requirements:
  • <customer name>-m.edge.bluec.at – Used to communicate with the CI to retrieve DNS resolver service settings. (For Service Points with DNS Resolver Service v3.11.1 only)
  • service-layer.us.fleet.bluec.at (for Edge CIs in US regions) or service-layer.eu.fleet.bluec.at (for Edge CIs in European regions) – Used to communicate with the Fleet management service, and to pull DNS resolver service updates.
  • images.us.fleet.bluec.at (for Edge CIs in US regions) or images.eu.fleet.bluec.at (for Edge CIs in European regions) – Used to pull Service Point v4 hotfix updates.
  • vertex.prod.edge.bluec.at (for Edge CIs in US regions) or vertex.eu.edge.bluec.at (for Edge CIs in European regions) – Used to register devices and update the device certificates.
  • vertex-m.prod.edge.bluec.at (for Edge CIs in US regions) or vertex-m.eu.edge.bluec.at (for Edge CIs in European regions) – Used to register devices and update the device certificates.

If you are using a proxy, the proxy must be able to resolve and connect to the previously mentioned endpoints. The Service Point itself then only needs to be able to resolve and connect to your proxy.
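
The lists above can be turned into a pre-deployment check, run from a host on the Service Point's network segment (or from the proxy, when one is used). This is an added example, not BlueCat tooling: the function names, the `resolver` parameter and TCP port 443 are assumptions, since this page does not state ports.

```python
import socket

AWS_REGION = {"us": "us-west-2", "eu": "eu-central-1"}  # regions named on the page

def required_endpoints(customer, region, sp_version, resolver="3.11.1"):
    """Return (cnames, hosts, wildcards) from the page's lists for one deployment."""
    aws = AWS_REGION[region]
    rv = tuple(int(p) for p in resolver.split("."))  # DNS Resolver Service version
    cnames = [f"kinesis-{customer}.edge.bluec.at"]
    hosts = [f"firehose.{aws}.amazonaws.com"]
    wildcards = ["*.bluec.at", f"*.{aws}.elb.amazonaws.com"]  # allow-list only
    if sp_version == 3:
        cnames += [f"{p}-{customer}.edge.bluec.at" for p in ("cwlogs", "cwmetrics", "spm")]
        hosts += [f"logs.{aws}.amazonaws.com", f"monitoring.{aws}.amazonaws.com",
                  "public.update.core-os.net", "update.release.core-os.net",
                  "prod-us-east-1-starport-layer-bucket.s3.us-east-1.amazonaws.com"]
        wildcards.append("*.ecr.us-east-1.amazonaws.com")
    elif sp_version == 4:
        if rv <= (3, 10, 0):   # spm CNAME: DNS Resolver Service v3.10.0 and earlier
            cnames.append(f"spm-{customer}.edge.bluec.at")
        if rv == (3, 11, 1):   # <customer name>-m: DNS Resolver Service v3.11.1 only
            hosts.append(f"{customer}-m.edge.bluec.at")
        vertex = "prod" if region == "us" else "eu"
        hosts += [f"service-layer.{region}.fleet.bluec.at", f"images.{region}.fleet.bluec.at",
                  f"vertex.{vertex}.edge.bluec.at", f"vertex-m.{vertex}.edge.bluec.at"]
    else:
        raise ValueError("sp_version must be 3 or 4")
    return cnames, hosts, wildcards

def check(host, port=443, connect=True, timeout=5.0):
    """Return 'ok', 'dns-fail' or 'connect-fail'. Port 443 is an assumption."""
    try:
        socket.getaddrinfo(host, port, type=socket.SOCK_STREAM)
    except socket.gaierror:
        return "dns-fail"
    if connect:
        try:
            socket.create_connection((host, port), timeout=timeout).close()
        except OSError:
            return "connect-fail"
    return "ok"

if __name__ == "__main__":
    # "demo" is the instance name used in the page's own example.
    cnames, hosts, wildcards = required_endpoints("demo", "us", 4, "3.11.1")
    for name in cnames + hosts:
        # CNAME records are only resolved; endpoints are also connected to.
        print(f"{check(name, connect=name not in cnames):13} {name}")
    print("allow-list patterns (cannot be probed):", ", ".join(wildcards))
```

Wildcard entries are returned separately because they cannot be probed directly; they belong in the firewall or proxy trust list.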