Map the following service ports to the Service Set VRRP IP addresses listed in IP address relationship between the cluster's direct interfaces and external access.
ExtremeCloud IQ on-premises installations require access to ExtremeCloud IQ core services. Make sure the firewall configuration allows for access to ExtremeCloud IQ core services.
The following tables list outbound ports for use when the firewall configuration requires rules that enable outbound traffic.
This is required for ExtremeCloud applications to run properly on ExtremeCloud Edge RDC.
Domain Name | IPv4 Addresses | Protocol | Port |
---|---|---|---|
redirector.aerohive.com | 54.172.0.252 | TCP | 80 |
redirector.aerohive.com | 54.172.0.252 | HTTPS | 443 |
redirector.aerohive.com | 54.172.0.252 | UDP | 12222 |
hac.extremecloudiq.com | 34.253.190.192 ~ 34.253.190.255 | HTTPS | 443 |
hmupdates-ng.aerohive.com | 54.86.95.132 | HTTPS | 443 |
extremecloudiq.com | 34.253.190.192 ~ 34.253.190.255 | HTTPS | 443 |
extremecloudiq.com | 18.194.95.0 ~ 18.194.95.15 | HTTPS | 443 |
extremecloudiq.com | 3.234.248.0 ~ 3.234.248.31 | HTTPS | 443 |
extremecloudiq.com | 44.234.22.92 ~ 44.234.22.95 | HTTPS | 443 |
mx.extremecloudiq.com | 34.202.197.56/57 | TCP | 587 |
stun.extremecloudiq.com | 3.234.248.28 - 29 | UDP | 12222 |
api.ip2location.com | Dynamic IP range | HTTPS | 443 |
gcr.io | Dynamic IP range | HTTPS | 443 |
Amazon S3 | Dynamic IP range | HTTPS | 443 |
NTP Service | <Any NTP Server IP> | UDP/TCP | 123 |
extremeportal.force.com | Dynamic IP range | HTTPS | 443 |
prod.extreme.sentinelcloud.com | Dynamic IP range | HTTPS | 443 |
cloud-status.extremecloudiq.com | 18.67.39.6 | HTTPS | 443 |
cloud-cdn2.extremecloudiq.com | Dynamic IP range | HTTPS | 443 |
rest.nexmo.com | Dynamic IP range | HTTPS | 443 |
This is required for the CloudOps team to handle service deployment and day-to-day operations, and to maintain the service SLA.
Service | IPv4 Addresses | Protocol | Port |
---|---|---|---|
SSH | 3.64.95.0/29 | TCP | 22 |
UCP Remote Access | 134.141.117.45, 134.141.4.8 | HTTPS | 5825 |
Note
Both inbound accesses are needed only on demand: for the initial deployment, firmware upgrade, or issue troubleshooting.

Domain Name | IPv4 Addresses | Protocol | Port |
---|---|---|---|
lc-eu.extremecloudiq.com | 3.64.95.0/29 | HTTPS | 443 |
Note
The Rancher connection is required for day-to-day service operation. It creates a tunnel to the Kubernetes cluster for CloudOps remote access and management.

For NAT deployments where you deploy your cluster with private addressing, you must provide the CloudOps team with direct admin access to the cluster nodes in your internal network. Use the mappings in the following table to map inbound ports on the public side of the NAT router to specific cluster nodes and ports in your private network.
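Note
Make sure to let the CloudOps team know which IP address you are using for inbound connections. We recommend using the first public IP address, although you can use another address, including a public IP address that is dedicated to this connection type.

Service | Source IP | Inbound IP (public NAT) | Inbound Port (public NAT) | Forward to UCP Node | On Port | Protocol |
---|---|---|---|---|---|---|
SSH | 3.64.95.0/29, 216.123.81.194 | Your public IP address | 20001 | Node 1 | 22 | TCP |
SSH | 3.64.95.0/29, 216.123.81.194 | Your public IP address | 20002 | Node 2 | 22 | TCP |
SSH | 3.64.95.0/29, 216.123.81.194 | Your public IP address | 20003 | Node 3 | 22 | TCP |
SSH | 3.64.95.0/29, 216.123.81.194 | Your public IP address | 20004 | Node 4 | 22 | TCP |
SSH | 3.64.95.0/29, 216.123.81.194 | Your public IP address | 20005 | Node 5 | 22 | TCP |
SSH | 3.64.95.0/29, 216.123.81.194 | Your public IP address | 20006 | Node 6 | 22 | TCP |
UCP Remote Access | 134.141.117.45, 134.141.4.8, 216.123.81.194 | Your public IP address | 20501 | Node 1 | 5825 | HTTPS |
UCP Remote Access | 134.141.117.45, 134.141.4.8, 216.123.81.194 | Your public IP address | 20502 | Node 2 | 5825 | HTTPS |
UCP Remote Access | 134.141.117.45, 134.141.4.8, 216.123.81.194 | Your public IP address | 20503 | Node 3 | 5825 | HTTPS |
UCP Remote Access | 134.141.117.45, 134.141.4.8, 216.123.81.194 | Your public IP address | 20504 | Node 4 | 5825 | HTTPS |
UCP Remote Access | 134.141.117.45, 134.141.4.8, 216.123.81.194 | Your public IP address | 20505 | Node 5 | 5825 | HTTPS |
UCP Remote Access | 134.141.117.45, 134.141.4.8, 216.123.81.194 | Your public IP address | 20506 | Node 6 | 5825 | HTTPS |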
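
The NAT mappings in the table above, turned into source-restricted forwarding rules. This is an added example, not part of the Extreme documentation. It assumes an iptables-based NAT router, a public address of 203.0.113.10, and node addresses 10.0.0.11 to 10.0.0.16 (all constructed placeholders; substitute your own).

```python
import ipaddress

# Values from the NAT mapping table on this page (HTTPS on 5825 runs over TCP).
SERVICES = {
    "SSH": {"sources": ["3.64.95.0/29", "216.123.81.194"],
            "base_port": 20000, "node_port": 22},
    "UCP Remote Access": {"sources": ["134.141.117.45", "134.141.4.8", "216.123.81.194"],
                          "base_port": 20500, "node_port": 5825},
}

# Constructed placeholders (assumptions): replace with your own addressing.
PUBLIC_IP = "203.0.113.10"
NODE_IPS = {n: f"10.0.0.{10 + n}" for n in range(1, 7)}  # Node 1..6

def build_mappings(public_ip=PUBLIC_IP, node_ips=NODE_IPS):
    """Return one mapping per (service, node): public port -> node:port."""
    ipaddress.ip_address(public_ip)  # raises ValueError on a malformed address
    rows = []
    for name, svc in SERVICES.items():
        nets = [ipaddress.ip_network(s) for s in svc["sources"]]
        for node, ip in sorted(node_ips.items()):
            ipaddress.ip_address(ip)
            rows.append({"service": name, "sources": nets,
                         "public_port": svc["base_port"] + node,
                         "node_ip": ip, "node_port": svc["node_port"]})
    return rows

def iptables_rules(rows, public_ip=PUBLIC_IP):
    """Emit DNAT + FORWARD rules scoped to the listed source addresses only."""
    out = []
    for r in rows:
        for net in r["sources"]:
            out.append(f"iptables -t nat -A PREROUTING -p tcp -s {net} -d {public_ip} "
                       f"--dport {r['public_port']} -j DNAT "
                       f"--to-destination {r['node_ip']}:{r['node_port']}")
            out.append(f"iptables -A FORWARD -p tcp -s {net} -d {r['node_ip']} "
                       f"--dport {r['node_port']} -j ACCEPT")
    return out

def lookup(rows, src_ip, public_port):
    """Return (node_ip, node_port) if src_ip may use public_port, else None."""
    src = ipaddress.ip_address(src_ip)
    for r in rows:
        if r["public_port"] == public_port and any(src in n for n in r["sources"]):
            return r["node_ip"], r["node_port"]
    return None

if __name__ == "__main__":
    print("\n".join(iptables_rules(build_mappings())))
```

Because every rule carries an explicit `-s` match, a connection from any address outside the listed sources never reaches a node, which `lookup` lets you confirm before applying the rules.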
The Extreme QA team will run production sanity verification after the release upgrade to make sure all of the services are still working properly.
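Service | IPv4 Address | Protocol | Port |
---|---|---|---|
GDC Web Service | 208.185.247.165/32 (San Jose), 216.123.81.194/32 (Thornhill), 14.143.116.18/32 (Bangalore) | HTTPS | 443 |
RDC Web Service | 208.185.247.165/32 (San Jose), 216.123.81.194/32 (Thornhill), 14.143.116.18/32 (Bangalore) | HTTPS | 443 |
CAPWAP Service | 208.185.247.165/32 (San Jose), 216.123.81.194/32 (Thornhill), 14.143.116.18/32 (Bangalore) | TCP | 80 |
CAPWAP Service | 208.185.247.165/32 (San Jose), 216.123.81.194/32 (Thornhill), 14.143.116.18/32 (Bangalore) | UDP | 12222 |
Radsecproxy | 208.185.247.165/32 (San Jose), 216.123.81.194/32 (Thornhill), 14.143.116.18/32 (Bangalore) | TCP | 2083 |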