This guide provides advice on how to install Cloud Connectors within a network (Ethernet) that has a firewall configuration.
What if I use a cellular connection or do not have a firewall?
This information only applies if you connect your Cloud Connector to the cloud service using Ethernet and a firewall is controlling the traffic.
For maximum security, you can have a firewall to control traffic between the Cloud Connector and the external network (Internet).
Depending on the options in your firewall, you can whitelist based on wildcards or by using fully qualified domain names (FQDNs); the wildcard entries are listed first below, followed by the FQDNs they cover. Additionally, DNS (TCP/UDP port 53) and NTP (UDP port 123) need to be whitelisted.
- *.disruptive-technologies.com (443)
- *.pool.ntp.org (NTP)
- *.balena-cloud.com (443)
- *.docker.com (443)
- *.docker.io (443)
- sds-receiver-grpc.prod.disruptive-technologies.com (443)
- ccon-manager.prod.disruptive-technologies.com (443)
- 0.resinio.pool.ntp.org (NTP)
- 1.resinio.pool.ntp.org (NTP)
- 2.resinio.pool.ntp.org (NTP)
- 3.resinio.pool.ntp.org (NTP)
- vpn.balena-cloud.com (443)
- api.balena-cloud.com (443)
- delta.balena-cloud.com (443)
- delta-data.balena-cloud.com (443)
- registry2.balena-cloud.com (443)
- registry-data.balena-cloud.com (443)
- registry.hub.docker.com (443)
- production.cloudflare.docker.com (443)
- registry.docker.io (443)
- auth.docker.io (443)
Disruptive Technologies has the ambition to keep Cloud Connectors secure by fixing security vulnerabilities and keeping them up to date through over-the-air updates.
Even with this in place, we advise a layered security approach to further reduce the risk for both the Cloud Connector and the network it is installed in.
Zero trust network
The Cloud Connector does not communicate with devices or services in the local area network, and we advise installing the Cloud Connector in a (virtual) network separate from the internal corporate network. The device should be treated as a guest device that is given zero trust. The route from the Cloud Connector to the internal corporate network should go via the same firewall that any external traffic would traverse.
Although the Cloud Connector listens for incoming SSH connections on TCP port 22222, this port does not need to be accessible from an external network.
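The following script is an added example, not Disruptive Technologies' code, that models the allowlist above and the segmentation advice in this section as an egress policy check. It applies the wildcard entries (with DNS and NTP) to constructed flow-log lines from a Cloud Connector segment and reports every flow the firewall should block, including a flow toward an internal corporate address and a host that merely contains an allowed name as a substring. It also verifies that every FQDN on this page is covered by one of the wildcard entries. The log-line format, the resolver assumption (port 53 to any host, since the page names no resolver) and all addresses are constructed for the example.

```python
"""Egress allowlist check for a Cloud Connector network segment.

Added example; not part of the Disruptive Technologies documentation.
Models the wildcard allowlist from this page and applies it to
constructed flow records, denying anything that does not match.
"""

# Wildcard entries copied from the page: (pattern, protocol, port).
# NTP is UDP/123 as stated on the page.
ALLOWLIST = [
    ("*.disruptive-technologies.com", "tcp", 443),
    ("*.balena-cloud.com", "tcp", 443),
    ("*.docker.com", "tcp", 443),
    ("*.docker.io", "tcp", 443),
    ("*.pool.ntp.org", "udp", 123),
]

# Assumption: the page names no resolver, so DNS on port 53 is accepted
# to any destination. Restrict this to your site's resolvers in practice.
DNS_PORTS = {("tcp", 53), ("udp", 53)}

# The fully qualified names listed on the page, used to confirm that the
# wildcard set covers them.
PAGE_FQDNS = [
    "sds-receiver-grpc.prod.disruptive-technologies.com",
    "ccon-manager.prod.disruptive-technologies.com",
    "0.resinio.pool.ntp.org", "1.resinio.pool.ntp.org",
    "2.resinio.pool.ntp.org", "3.resinio.pool.ntp.org",
    "vpn.balena-cloud.com", "api.balena-cloud.com",
    "delta.balena-cloud.com", "delta-data.balena-cloud.com",
    "registry2.balena-cloud.com", "registry-data.balena-cloud.com",
    "registry.hub.docker.com", "production.cloudflare.docker.com",
    "registry.docker.io", "auth.docker.io",
]

# Constructed flow-log lines (hypothetical key=value format). 192.0.2.10 is
# the connector; 10.20.30.40 stands in for an internal corporate host.
SAMPLE_FLOWS = """\
2024-05-01T10:00:01Z src=192.0.2.10 proto=tcp dst=api.balena-cloud.com dport=443
2024-05-01T10:00:02Z src=192.0.2.10 proto=udp dst=1.resinio.pool.ntp.org dport=123
2024-05-01T10:00:03Z src=192.0.2.10 proto=udp dst=10.0.0.53 dport=53
2024-05-01T10:00:04Z src=192.0.2.10 proto=tcp dst=ccon-manager.prod.disruptive-technologies.com dport=443
2024-05-01T10:00:05Z src=192.0.2.10 proto=tcp dst=evil.docker.io.example.net dport=443
2024-05-01T10:00:06Z src=192.0.2.10 proto=tcp dst=10.20.30.40 dport=445
2024-05-01T10:00:07Z src=192.0.2.10 proto=tcp dst=api.balena-cloud.com dport=80
"""


def _norm(host):
    """Lower-case and drop a trailing dot so 'API.balena-cloud.com.' compares equal."""
    return host.rstrip(".").lower()


def host_matches(pattern, host):
    """Match a host against a firewall-style FQDN pattern.

    '*.X' matches any name that ends in '.X' with at least one label in
    front of it; it does not match bare 'X'. Matching on the label suffix,
    not on a substring, is what keeps 'docker.io.example.net' out.
    """
    pattern, host = _norm(pattern), _norm(host)
    if pattern.startswith("*."):
        suffix = pattern[1:]  # e.g. ".balena-cloud.com"
        return host.endswith(suffix) and len(host) > len(suffix)
    return host == pattern


def is_allowed(proto, host, port):
    """True if the (protocol, destination, port) tuple is on the allowlist."""
    proto = proto.lower()
    if (proto, port) in DNS_PORTS:
        return True
    return any(proto == p and port == pt and host_matches(pat, host)
               for pat, p, pt in ALLOWLIST)


def uncovered_fqdns(fqdns):
    """Return the FQDNs that no wildcard entry covers (expected: none)."""
    return [f for f in fqdns
            if not any(host_matches(pat, f) for pat, _, _ in ALLOWLIST)]


def parse_flow(line):
    """Turn one constructed log line into (proto, dst, dport)."""
    fields = dict(tok.split("=", 1) for tok in line.split()[1:])
    return fields["proto"], fields["dst"], int(fields["dport"])


def review(lines):
    """Return the (proto, dst, dport) tuples the allowlist would block."""
    flows = [parse_flow(ln) for ln in lines if ln.strip()]
    return [f for f in flows if not is_allowed(*f)]


if __name__ == "__main__":
    print("FQDNs not covered by wildcards:", uncovered_fqdns(PAGE_FQDNS))
    for proto, dst, dport in review(SAMPLE_FLOWS.splitlines()):
        print(f"BLOCK {proto} {dst}:{dport}")
```

Run the script against an export of your own flow logs by replacing SAMPLE_FLOWS with the export; the three reported flows in the sample (a look-alike hostname, a connection into the corporate range, and a correct host on the wrong port) are the kinds of entries worth alerting on from the connector's segment.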
IPv6 & DHCP
The Cloud Connector supports IPv6 and DHCP.