Port Information for Firewalls

Map the following service ports to the Service Set VRRP IP addresses listed in IP address relationship between the cluster's direct interfaces and external access.

ExtremeCloud IQ on-premises installations require access to ExtremeCloud IQ core services. Make sure the firewall configuration allows for access to ExtremeCloud IQ core services.

The following tables list outbound ports for use when the firewall configuration requires rules that enable outbound traffic.

Basic Access for ExtremeCloud Services

This is required for ExtremeCloud applications to run properly on ExtremeCloud Edge RDC.

Table 1. Firewall Configuration Details (Outbound Traffic)
| Domain Name | IPv4 Addresses | Protocol | Port |
|---|---|---|---|
| hac.extremecloudiq.com | 34.253.190.192 ~ 34.253.190.255 | HTTPS | 443 |
| <rdc>-inlets.extremecloudiq.com | Dynamic IP range | TCP | 8090 |
| hmupdates-ng.aerohive.com | 54.86.95.132 | HTTPS | 443 |
| extremecloudiq.com | 34.253.190.192 ~ 34.253.190.255; 18.194.95.0 ~ 18.194.95.15; 3.234.248.0 ~ 3.234.248.31; 44.234.22.92 ~ 44.234.22.95 | HTTPS | 443 |
| mx.extremecloudiq.com | 34.202.197.56/57 | TCP | 587 |
| stun.extremecloudiq.com | 3.234.248.28 - 29 | UDP | 12222 |
| api.ip2location.com | Dynamic IP range | HTTPS | 443 |
| docker.io | Dynamic IP range | HTTPS | 443 |
| gcr.io | Dynamic IP range | HTTPS | 443 |
| maven.org | Dynamic IP range | HTTPS | 443 |
| Amazon S3 | Dynamic IP range | HTTPS | 443 |
| NTP Service | <Any NTP Server IP> | UDP/TCP | 123 |
| extremeportal.force.com | Dynamic IP range | HTTPS | 443 |
| prod.extreme.sentinelcloud.com | Dynamic IP range | HTTPS | 443 |
| cloud-status.extremecloudiq.com | 18.67.39.6 | HTTPS | 443 |
| cloud-cdn2.extremecloudiq.com | Dynamic IP range | HTTPS | 443 |
| rest.nexmo.com | Dynamic IP range | HTTPS | 443 |

Access

Table 2. Outbound Traffic
| Domain Name | IPv4 Addresses | Protocol | Port |
|---|---|---|---|
| lc-eu.extremecloudiq.com | 3.64.95.0/29 | HTTPS | 443 |

Note

The Rancher connection is required for day-to-day service operation. (It creates a tunnel to the Kubernetes cluster for CloudOps remote access/management.)

For NAT deployments where you deploy your cluster with private addressing, you must provide the CloudOps team with direct admin access to the cluster nodes in your internal network. Use the mappings in the following table to map inbound ports on the public side of the NAT router to specific cluster nodes and ports in your private network.

Note

Make sure to let the CloudOps team know which IP address you are using for inbound connections. As a best practice, use the first public IP address, although you can use another address, including a public IP address that is dedicated to this connection type.
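
Table 3. Inbound Traffic Port Mapping (when using NAT)

Source IP: Restricted IP list

Extreme Bastion servers:
  • Raleigh Bastion Host 134.141.117.45/32
  • Salem Bastion Host 134.141.4.8/32
  • San Jose: 208.185.247.165
  • Thornhill: 216.123.81.194
  • Bangalore AMR: 14.143.116.18
  • Bangalore Bagmane: 121.244.44.28
  • Bangalore Ecospace: 115.110.157.126
  • LC-EU: 3.64.95.7

| Service | Source IP | Inbound IP (public NAT) | Inbound Port (public NAT) | Forward to UCP Node | On Port | Protocol |
|---|---|---|---|---|---|---|
| SSH | Restricted IP list | Your public IP address | 20001 | Node 1 | 22 | TCP |
| SSH | Restricted IP list | Your public IP address | 20002 | Node 2 | 22 | TCP |
| SSH | Restricted IP list | Your public IP address | 20003 | Node 3 | 22 | TCP |
| SSH | Restricted IP list | Your public IP address | 20004 | Node 4 | 22 | TCP |
| SSH | Restricted IP list | Your public IP address | 20005 | Node 5 | 22 | TCP |
| SSH | Restricted IP list | Your public IP address | 20006 | Node 6 | 22 | TCP |
| UCP Remote Access | Restricted IP list | Your public IP address | 20501 | Node 1 | 5825 | HTTPS |
| UCP Remote Access | Restricted IP list | Your public IP address | 20502 | Node 2 | 5825 | HTTPS |
| UCP Remote Access | Restricted IP list | Your public IP address | 20503 | Node 3 | 5825 | HTTPS |
| UCP Remote Access | Restricted IP list | Your public IP address | 20504 | Node 4 | 5825 | HTTPS |
| UCP Remote Access | Restricted IP list | Your public IP address | 20505 | Node 5 | 5825 | HTTPS |
| UCP Remote Access | Restricted IP list | Your public IP address | 20506 | Node 6 | 5825 | HTTPS |
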

Note

For SSH or UCP Remote access, inbound access is needed only on-demand for the initial deployment, software upgrade, or issue troubleshooting. For <rdc>-inlets, inbound access is needed on an ongoing basis.
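
The following is an added example, not part of the original page or of Extreme's tooling: a Python audit that compares a NAT rule export against the Table 3 port scheme and flags admin-port forwards that accept sources outside the restricted IP list or point at the wrong node port. The rule dictionary format, the `NODES` private addresses, and the `RULES` entries are constructed assumptions.

```python
import ipaddress

# Restricted IP list and port scheme copied from Table 3.
BASTIONS = [ipaddress.ip_network(n) for n in (
    "134.141.117.45/32", "134.141.4.8/32", "208.185.247.165", "216.123.81.194",
    "14.143.116.18", "121.244.44.28", "115.110.157.126", "3.64.95.7")]
SERVICES = {"SSH": (20000, 22), "UCP Remote Access": (20500, 5825)}

# Constructed sample data: private node addresses and a firewall rule export.
NODES = [f"10.0.0.{10 + i}" for i in range(1, 7)]
RULES = [
    {"source": "134.141.117.45/32", "public_port": 20001, "to_ip": "10.0.0.11", "to_port": 22},
    {"source": "0.0.0.0/0", "public_port": 20002, "to_ip": "10.0.0.12", "to_port": 22},
    {"source": "3.64.95.7", "public_port": 20503, "to_ip": "10.0.0.13", "to_port": 22},
    {"source": "0.0.0.0/0", "public_port": 443, "to_ip": "10.0.0.11", "to_port": 443},
]


def expected_forwards(nodes):
    """Public NAT port -> (service, node IP, node port), per Table 3."""
    return {base + i: (service, ip, node_port)
            for service, (base, node_port) in SERVICES.items()
            for i, ip in enumerate(nodes, start=1)}


def audit(rules, nodes):
    """Flag admin-port rules that are broader than, or differ from, Table 3.

    Absent rules are not findings: the page says SSH and UCP access is on-demand.
    """
    want, findings = expected_forwards(nodes), []
    for r in rules:
        port = r["public_port"]
        if port not in want:
            continue  # not a Table 3 admin port
        src = ipaddress.ip_network(r["source"], strict=False)
        if not any(b.version == src.version and src.subnet_of(b) for b in BASTIONS):
            findings.append((port, f"source {src} is outside the restricted IP list"))
        _, ip, node_port = want[port]
        if (r["to_ip"], r["to_port"]) != (ip, node_port):
            findings.append((port, f"forwards to {r['to_ip']}:{r['to_port']}, "
                                   f"expected {ip}:{node_port}"))
    return findings


if __name__ == "__main__":
    for port, problem in audit(RULES, NODES):
        print(f"public port {port}: {problem}")
```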

Access for Production Sanity Verification

The Extreme QA team will run production sanity verification after the release upgrade to make sure all of the services are still working properly. The following table shows the connection info they'll use, including the public-facing IPs from which they'll connect (column 1) and the destination port mappings to access the cluster (column 5).

Table 4. Inbound Traffic

Source IPs: Restricted IP list

Extreme Bastion servers:
  • Raleigh Bastion Host 134.141.117.45/32
  • Salem Bastion Host 134.141.4.8/32
  • San Jose: 208.185.247.165
  • Thornhill: 216.123.81.194
  • Bangalore AMR: 14.143.116.18
  • Bangalore Bagmane: 121.244.44.28
  • Bangalore Ecospace: 115.110.157.126
  • LC-EU: 3.64.95.7

| Source IPs | Protocol | IP Port | Description | Destination Port Mapping |
|---|---|---|---|---|
| Restricted IP list | HTTPS (TCP) | 443 | GDC Web Service; RDC Web Service | IP1:443 → VRRP1:443; IP4:443 → VRRP4:443 |
| Restricted IP list | TCP | 80 | CAPWAP Services | IP1:80 → VRRP1:80; IP2:80 → VRRP2:80; IP3:80 → VRRP3:80; IP4:80 → VRRP4:80 |
| Restricted IP list | UDP | 12222 | CAPWAP Services | IP1:12222 → VRRP1:12222; IP2:12222 → VRRP2:12222; IP3:12222 → VRRP3:12222; IP4:12222 → VRRP4:12222 |
| Restricted IP list | TCP | 2083 | RADSEC Proxy | IP1:2083 → VRRP1:2083 |