White Listing
Faqs
Please contact the security team at security@rafay.co for questions not covered in the documentation.
This section captures details about the SaaS Controller that customers can use to optionally whitelist inbound (emails) and outbound (control channel destinations) in their enterprise's firewalls and proxies.
Emails¶
A 3rd Party service is used for emails sent by the SaaS Controller (i.e. for first time user activation, password resets, notifications etc). To guarantee delivery of emails from the SaaS Controller to users in the customer org, we strongly recommend that customers "whitelist" the IP address used for sending emails in their inbound email security systems.
The dedicated IP address currently used for sending emails from the Controller is "149.72.39.92"
Network Firewall¶
The SaaS Controller has been specially designed so that customers can deploy and manage their clusters in both Internet (public IP) and on-premises (private IP) type environments.
| Deployment Model |
|---|
| Internet Facing, Public IP |
| Non Internet Facing, Private IP |
To onboard an on-premise or cloud-based cluster onto the Controller for ongoing operations and lifecycle management
- A “Kubernetes Operator” is installed on each managed cluster.
- This establishes and maintains a "long-running" outbound TLS based control channel to the Controller (hosted in Amazon Web Services (AWS) for SaaS).
- No Inbound Ports need to be opened on the customer's external firewall for control plane traffic.
Outbound Ports¶
The Kubernetes Management Operator deployed on the customer's cluster uses only "TCP Port 443, Outbound" to communicate with the SaaS Controller.
| Outbound Port | Security | Purpose |
|---|---|---|
| 443/tcp | TLS with Mutual Auth | All Control Plane functionality |
SaaS Controller IP¶
Customers that wish to lock down communication further can optionally whitelist the IP addresses of the SaaS Controller in their firewalls to ensure that outbound connectivity is only allowed to these IPs.
IP Addresses¶
The SaaS Controller is currently deployed in a highly available manner across three availability zones (AZ) on AWS. The three, load balanced IP Addresses for the SaaS Controller are:
| Server | IP Address |
|---|---|
| IP Address 1 | 52.42.211.235 |
| IP Address 2 | 52.10.6.79 |
| IP Address 3 | 35.167.70.143 |
Managed Cluster -> Controller FQDNs¶
The Kubernetes Management Operator components (deployed on managed clusters) will make outbound connections over port 443 to the Controller on the following FQDNs. Add these to your firewall's whitelist if necessary.
| Controller FQDNs |
|---|
| tunnel.rafay-edge.net |
| api.rafay.dev |
| control.rafay.dev |
| fluentd-aggr.rafay-edge.net |
| influxdb01.core.rafay-edge.net |
| debug.core.rafay-edge.net |
| edge.core.rafay-edge.net |
| registry.rafay-edge.net |
| app.rafay.dev |
| console.rafay.dev |
| *.connector.kubeapi-proxy.rafay.dev |
| *.user.kubeapi-proxy.rafay.dev |
| event.core.rafay-edge.net |
| repo.rafay-edge.net |
| *.connector.cdrelay.rafay.dev |
| *.user.cdrelay.rafay.dev |
| *.connector.infrarelay.rafay.dev |
| *.user.infrarelay.rafay.dev |
End User -> Controller FQDNs¶
Add the following to your organization's firewall or proxy whitelist if end users of your Org will be on the corporate network and need to interact with the controller from their laptops/desktops. For example, developers that need to remotely perform Kubectl operations on managed clusters using the zero trust kubectl service.
| Controller FQDNs |
|---|
| *.user.kubeapi-proxy.rafay.dev |
ECR Registry Access¶
Users that use the controller's integration with AWS ECR (managed container registry) will need to white list the following controller IP addresses.
| IP Address |
|---|
| 54.244.183.118 |
| 34.208.240.165 |
The ECR integration allows the users to use the SaaS Controller to "configure, update and validate" access credentials with ECR.
System Registry¶
The System Container Registry (RCR) is available as an option for customers to manage their container images. This is based on Docker Registry v2. It uses OAuth2 for authentication (laptops etc using the RCTL CLI).
Users are automatically redirected to an OAuth service which uses the provided credentials in docker login to authenticate and authorize the request for a resource on the registry. For successful requests, a bearer token is returned, which is used to access a resource on the Container Registry.
Please ensure that the network security policies implemented either in the corporate network OR the endpoint are configured to allow outbound connections from the RCTL CLI to the Controller on the ports listed below.
| Outbound Port | Security | Purpose |
|---|---|---|
| 443/tcp | TLS (https) | Access the Controller Platform via REST APIs |
Please add the following ports if you wish to use the System Container Registry.
| Outbound Port | Security | Purpose |
|---|---|---|
| 5001/tcp | TLS (https) | OAuth Authentication Service for Hosted Container Registry |
| 6000/tcp | TLS (https) | Access to Hosted Container Registry |