How to configure Firewall settings for Cloud Connectors

This guide covers firewall configuration for Cloud Connectors connected via Ethernet, and provides important information about the cloud services used by Cloud Connectors - useful for addressing security and network questions regardless of connection type.

Who is this article for?

IT administrators and network engineers setting up Cloud Connectors in a managed network environment with a firewall.

What do you need?

Firewall configuration

For Cloud Connectors to work properly, HTTPS (TCP 443) must be enabled for both inbound and outbound traffic. DNS and NTP server addresses are obtained from the DHCP server on the local network.

Cloud Connector (2nd Gen)

Applies to Cloud Connector (2nd Gen) only. If no NTP server is advertised on the local network, time{1,2,3,4}.google.com (UDP 123) is used.

Allow the following fully qualified domain names (TCP 443):

  • ccon-manager.prod.disruptive-technologies.com
  • est.prod.disruptive-technologies.com
  • mender.prod.disruptive-technologies.com
  • mender-artifacts.prod.disruptive-technologies.com

Other Cloud Connectors

Applies to Cloud Connector US 4G, Cloud Connector EU 4G, Cloud Connector EU 3G/2G, Cloud Connector EU (Ethernet only), and Cloud Connector US (Ethernet only). If no NTP server is advertised on the local network, {1,2,3,4}.resinio.pool.ntp.org (UDP 123) is used.

Option A — Fully qualified domain names (TCP 443):

  • sds-receiver-grpc.prod.disruptive-technologies.com
  • ccon-manager.prod.disruptive-technologies.com
  • est.prod.disruptive-technologies.com
  • vpn.balena-cloud.com
  • api.balena-cloud.com
  • delta.balena-cloud.com
  • delta-data.balena-cloud.com
  • registry2.balena-cloud.com
  • registry-data.balena-cloud.com
  • registry.hub.docker.com
  • production.cloudflare.docker.com
  • registry.docker.io
  • auth.docker.io

NTP: 0–3.resinio.pool.ntp.org (UDP 123)

Option B — Wildcard support:

  • *.disruptive-technologies.com (TCP 443)
  • *.pool.ntp.org (NTP)
  • *.balena-cloud.com (TCP 443)
  • *.docker.com (TCP 443)
  • *.docker.io (TCP 443)
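To help a firewall team verify that Option A and Option B are interchangeable before deployment, the following added example (not DT's own tooling) transcribes both rule sets from this article into an egress-policy evaluator. It checks a single outbound connection against either set and confirms the wildcard policy permits every explicit FQDN; the NTP hostnames 0–3 follow the list above.

```python
"""Egress allowlist evaluator for a Cloud Connector network segment.
Rules are transcribed from the article: Option A explicit FQDNs on TCP 443
plus the NTP pool on UDP 123, Option B wildcards. Constructed example."""

DT_FQDNS = [
    "sds-receiver-grpc.prod.disruptive-technologies.com",
    "ccon-manager.prod.disruptive-technologies.com",
    "est.prod.disruptive-technologies.com",
    "vpn.balena-cloud.com", "api.balena-cloud.com",
    "delta.balena-cloud.com", "delta-data.balena-cloud.com",
    "registry2.balena-cloud.com", "registry-data.balena-cloud.com",
    "registry.hub.docker.com", "production.cloudflare.docker.com",
    "registry.docker.io", "auth.docker.io",
]
# Rule: (host pattern, protocol, port). A leading "*." matches any name
# one or more labels below the suffix, never the bare suffix itself.
OPTION_A = [(h, "tcp", 443) for h in DT_FQDNS] + [
    (f"{i}.resinio.pool.ntp.org", "udp", 123) for i in range(4)]
OPTION_B = [
    ("*.disruptive-technologies.com", "tcp", 443),
    ("*.pool.ntp.org", "udp", 123),
    ("*.balena-cloud.com", "tcp", 443),
    ("*.docker.com", "tcp", 443),
    ("*.docker.io", "tcp", 443),
]

def host_matches(pattern: str, host: str) -> bool:
    host = host.lower().rstrip(".")
    if pattern.startswith("*."):
        # Keep the dot in the suffix: "notdocker.com" must not match
        # "*.docker.com", and neither must the apex "docker.com".
        return host.endswith(pattern[1:])
    return host == pattern.lower()

def permitted(rules, host: str, proto: str, port: int) -> bool:
    """True if some rule allows this (host, proto, port) egress."""
    return any(host_matches(p, host) and proto == pr and port == po
               for p, pr, po in rules)

def coverage_gaps(explicit, wildcards):
    """Explicit rules the wildcard policy would block (expected: none)."""
    return [r for r in explicit if not permitted(wildcards, *r)]

if __name__ == "__main__":
    print("gaps:", coverage_gaps(OPTION_A, OPTION_B))
    print(permitted(OPTION_B, "api.balena-cloud.com", "tcp", 443))
    print(permitted(OPTION_B, "notdocker.com", "tcp", 443))
```

The 2nd Gen fallback NTP hosts (time{1,2,3,4}.google.com) are intentionally not in either set, so `permitted()` rejects them; that device class has its own list above.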

Layered security

DT keeps Cloud Connectors secure through over-the-air updates that fix vulnerabilities and keep firmware up to date. In addition, we recommend a layered security approach to further reduce network risk.

Zero-trust network

The Cloud Connector does not communicate with any devices or services on the local area network. We recommend installing it in a network segment that is isolated from the internal corporate network, treating it as a guest device with zero trust. Any traffic from the Cloud Connector to internal systems should pass through the same firewall that handles external traffic.

SSH connections

The Cloud Connector (2nd Gen) listens for incoming SSH connections on TCP port 22 (1st Gen uses TCP port 22222). This port does not need to be accessible from an external network.

IPv4, IPv6 & DHCP

The Cloud Connector supports IPv4, IPv6, and DHCP.

MAC address

The MAC address of a Cloud Connector can be found by selecting Show connectivity in the Sensors & Cloud Connectors module in Studio, or through the Ethernet Status Event in the API.