This guide provides advice on installing Cloud Connectors within a network (Ethernet) with a firewall configuration.
What if I use a cellular connection or do not have a firewall?
In addition to firewall configuration, there is general information about the Cloud Connectors' cloud services. This information can be relevant for security questions, etc.
You can have a firewall to control traffic between the Cloud Connector and the external network (Internet) for maximum security.
Depending on your firewall options, you can allowlist based on wildcards or by using the fully qualified domain names (FQDN). Additionally, DNS (TCP/UDP port 53) and NTP (UDP port 123) need to be allowlisted.
Wildcard entries (port in parentheses):
- *.disruptive-technologies.com (443)
- *.pool.ntp.org (NTP)
- *.balena-cloud.com (443)
- *.docker.com (443)
- *.docker.io (443)
Fully qualified domain names, if your firewall does not support wildcards:
- sds-receiver-grpc.prod.disruptive-technologies.com (443)
- ccon-manager.prod.disruptive-technologies.com (443)
- est.prod.disruptive-technologies.com (443)
- 0.resinio.pool.ntp.org (NTP)
- 1.resinio.pool.ntp.org (NTP)
- 2.resinio.pool.ntp.org (NTP)
- 3.resinio.pool.ntp.org (NTP)
- vpn.balena-cloud.com (443)
- api.balena-cloud.com (443)
- delta.balena-cloud.com (443)
- delta-data.balena-cloud.com (443)
- registry2.balena-cloud.com (443)
- registry-data.balena-cloud.com (443)
- registry.hub.docker.com (443)
- production.cloudflare.docker.com (443)
- registry.docker.io (443)
- auth.docker.io (443)
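As an added example (not code from Disruptive Technologies), a small Python checker that audits egress flow records from the Cloud Connector's network segment against the entries above. It uses the wildcard form, since every FQDN listed falls under one of the wildcards; the key=value log format, the sample records and the rule that DNS may go to any destination are assumptions.

```python
from typing import NamedTuple
# Wildcard entries from this page: HTTPS (TCP/443) and the NTP pools (UDP/123).
ALLOWLIST = [
    ("*.disruptive-technologies.com", "tcp", 443),
    ("*.balena-cloud.com", "tcp", 443),
    ("*.docker.com", "tcp", 443),
    ("*.docker.io", "tcp", 443),
    ("*.pool.ntp.org", "udp", 123),
]
# DNS (TCP/UDP 53) is permitted to any destination in this checker; a real policy
# should restrict it to the resolver's address (assumption, not stated on the page).
DNS_PORTS = {("tcp", 53), ("udp", 53)}

class Flow(NamedTuple):
    host: str
    proto: str
    port: int

def host_matches(pattern: str, host: str) -> bool:
    """'*.example.com' matches any subdomain depth, not the apex or 'evilexample.com'."""
    host, pattern = host.lower().rstrip("."), pattern.lower()
    if pattern.startswith("*."):
        suffix = pattern[1:]  # ".example.com": the leading dot blocks lookalike names
        return host.endswith(suffix) and len(host) > len(suffix)
    return host == pattern

def is_allowed(flow: Flow) -> bool:
    """True if the flow matches an allowlist entry on host, protocol and port."""
    if (flow.proto, flow.port) in DNS_PORTS:
        return True
    return any(host_matches(p, flow.host) and (flow.proto, flow.port) == (pr, po)
               for p, pr, po in ALLOWLIST)

def parse_flow(line: str) -> Flow:
    """Parse a key=value record such as 'proto=tcp dst=host dport=443'."""
    kv = dict(tok.split("=", 1) for tok in line.split() if "=" in tok)
    return Flow(kv["dst"], kv["proto"].lower(), int(kv["dport"]))

def audit(lines) -> list:
    """Return the flows that the documented allowlist does not permit."""
    return [f for f in map(parse_flow, lines) if not is_allowed(f)]
# Constructed sample records (not real traffic) in a simple key=value format.
SAMPLE_LOG = [
    "proto=tcp dst=sds-receiver-grpc.prod.disruptive-technologies.com dport=443",
    "proto=udp dst=0.resinio.pool.ntp.org dport=123",
    "proto=udp dst=10.0.0.53 dport=53",
    "proto=tcp dst=registry.hub.docker.com dport=80",  # allowed host, wrong port
    "proto=tcp dst=evil-disruptive-technologies.com dport=443",  # lookalike name
    "proto=tcp dst=disruptive-technologies.com dport=443",  # apex, not covered by *.
]
```

Running `audit(SAMPLE_LOG)` flags the last three records; the same matcher can validate a proxy or FQDN-aware firewall policy before it is deployed.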
Disruptive Technologies has the ambition to keep Cloud Connectors secure by fixing security vulnerabilities and keeping them up-to-date through over-the-air updates.
Even with this in place, we advise a layered security approach to further reduce the risk for both the Cloud Connector and the network it is installed in.
Zero trust network
The Cloud Connector does not communicate with devices or services in the local area network. We advise installing the Cloud Connector in a (virtual) network separate from the internal corporate network. The device should be treated as a guest device that is granted zero trust. The Cloud Connector's route to the internal corporate network should go via the same firewall that any external traffic traverses.
Although the Cloud Connector listens for incoming SSH connections on TCP port 22222, this port does not need to be accessible from an external network.
IPv6 & DHCP
The Cloud Connector supports IPv6 and DHCP.
The MAC address for a device is found by selecting it in the Sensors & Cloud Connectors view in Studio or through the API in the Ethernet Status Event.