How to configure Firewall settings for Cloud Connectors

This guide provides advice on installing Cloud Connectors within a network (Ethernet) with a firewall configuration.

What if I use a cellular connection or do not have a firewall?

In addition to firewall configuration, this guide gives general information about the cloud services the Cloud Connectors use, which may be useful when answering security questions.

Firewall Configuration

For maximum security, place a firewall between the Cloud Connector and the external network (Internet) to control the traffic between them.

Cloud Connector (2nd Gen)

Information related to Cloud Connector (2nd Gen) only.

The DHCP server on the local network is used for DNS and NTP. If no NTP server is advertised on the local network, then time{1,2,3,4}.google.com (UDP 123) is used.

Fully qualified domain names
  • ccon-manager.prod.disruptive-technologies.com (TCP 443)
  • est.prod.disruptive-technologies.com (TCP 443)
  • mender.prod.disruptive-technologies.com (TCP 443)
  • mender-artifacts.prod.disruptive-technologies.com (TCP 443)

Other Cloud Connectors

This is information related to Cloud Connector US 4G, Cloud Connector EU 4G, Cloud Connector EU 3G/2G, Cloud Connector EU (Ethernet only), and Cloud Connector US (Ethernet only).

The DHCP server on the local network is used for DNS and NTP. If no NTP server is advertised on the local network, then {1,2,3,4}.resinio.pool.ntp.org (UDP 123) is used.

Depending on your firewall options, you can allowlist based on wildcards or fully qualified domain names (FQDN).

Fully qualified domain names (wildcard support)
  • sds-receiver-grpc.prod.disruptive-technologies.com (TCP 443)
  • ccon-manager.prod.disruptive-technologies.com (TCP 443)
  • est.prod.disruptive-technologies.com (TCP 443)
  • 0.resinio.pool.ntp.org (NTP)
  • 1.resinio.pool.ntp.org (NTP)
  • 2.resinio.pool.ntp.org (NTP)
  • 3.resinio.pool.ntp.org (NTP)
  • vpn.balena-cloud.com (TCP 443)
  • api.balena-cloud.com (TCP 443)
  • delta.balena-cloud.com (TCP 443)
  • delta-data.balena-cloud.com (TCP 443)
  • registry2.balena-cloud.com (TCP 443)
  • registry-data.balena-cloud.com (TCP 443)
  • registry.hub.docker.com (TCP 443)
  • production.cloudflare.docker.com (TCP 443)
  • registry.docker.io (TCP 443)
  • auth.docker.io (TCP 443)

Layered security

Disruptive Technologies keeps Cloud Connectors secure by fixing security vulnerabilities and keeping them up-to-date through over-the-air updates.

Even with this in place, we advise taking a layered security approach to further reduce the risk for the Cloud Connector and the network it is in.

Zero trust network

The Cloud Connector does not communicate with devices or services on the local area network. We advise installing it in a (virtual) network separated from the internal corporate network and treating it as a guest device that is granted zero trust. Any route from the Cloud Connector to the internal corporate network should go via the same firewall that all external traffic traverses.

SSH connections

Although the Cloud Connector listens for incoming SSH connections on TCP port 22222, this port does not need to be accessible from an external network.
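As an added example (not part of this guide or of Disruptive Technologies' software), the policy described above for a Cloud Connector (2nd Gen) applied to constructed firewall log lines: outbound flows must match the FQDN list, and no inbound flow, SSH on TCP 22222 included, is accepted. The log format, the IP addresses and every hostname not listed on this page are assumptions.

```python
import fnmatch
from dataclasses import dataclass

# Egress allowlist for Cloud Connector (2nd Gen), taken from the page. Patterns are
# fnmatch globs: time[1-4].google.com covers time1..time4. A firewall with wildcard
# support could use "*.prod.disruptive-technologies.com" for the first four names.
ALLOWLIST = [
    ("ccon-manager.prod.disruptive-technologies.com", "tcp", 443),
    ("est.prod.disruptive-technologies.com", "tcp", 443),
    ("mender.prod.disruptive-technologies.com", "tcp", 443),
    ("mender-artifacts.prod.disruptive-technologies.com", "tcp", 443),
    ("time[1-4].google.com", "udp", 123),  # only used when DHCP advertises no NTP
]

@dataclass(frozen=True)
class Flow:
    direction: str  # "out" from the connector segment, "in" towards it
    src: str
    dst: str  # hostname from an FQDN-aware firewall log, or an IP address
    proto: str
    dport: int

def is_allowed(flow: Flow) -> bool:
    """True only for outbound flows matching an allowlist entry. No inbound
    connection is needed, SSH on TCP 22222 included, so all inbound is reported."""
    if flow.direction != "out":
        return False
    return any(
        fnmatch.fnmatchcase(flow.dst, pat) and flow.proto == proto and flow.dport == port
        for pat, proto, port in ALLOWLIST
    )

def parse_log(line: str) -> Flow:
    """Parse one 'key=value' firewall log line (constructed, hypothetical format)."""
    kv = dict(token.split("=", 1) for token in line.split())
    return Flow(kv["direction"], kv["src"], kv["dst"], kv["proto"], int(kv["dport"]))

def audit(lines) -> list:
    """Return every flow that falls outside the policy."""
    return [flow for flow in map(parse_log, lines) if not is_allowed(flow)]

# Constructed sample log: two expected flows, one towards an internal file share
# (the connector should never talk to the LAN) and one external SSH attempt.
SAMPLE_LOG = [
    "direction=out src=10.50.0.12 dst=ccon-manager.prod.disruptive-technologies.com proto=tcp dport=443",
    "direction=out src=10.50.0.12 dst=time2.google.com proto=udp dport=123",
    "direction=out src=10.50.0.12 dst=fileserver.corp.example proto=tcp dport=445",
    "direction=in src=203.0.113.7 dst=10.50.0.12 proto=tcp dport=22222",
]
```

Running `audit(SAMPLE_LOG)` reports the file-share flow and the inbound SSH attempt; the two allowlisted flows pass.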

IPv4, IPv6 & DHCP

The Cloud Connector supports IPv4, IPv6, and DHCP.

MAC address

The MAC address of a device can be found by selecting Show connectivity in the Sensors & Cloud Connectors view in Studio or through the API in the Ethernet Status Event.