Firewall configuration incorrect

Hi, we’re deploying our devices behind a strictly controlled, firewalled network and the network team had asked us for the ports/hostnames we needed them to open for our Raspberry 3 devices running the latest version of balenaOS (managed via balenaCloud).

We gave them the following configuration (after going through balena network and security docs):

Hostnames: *.balena-cloud.com, *.docker.com, *.docker.io
Ports: UDP 53, UDP 123 and TCP 443
Direction: Unidirectional (from device to internet)

I can confirm that this access has been given. However, the device still doesn’t appear ‘Online’ on our balenaCloud dashboard.

The IT team has also informed us that the configuration we’ve given is not correct since the device is still making requests to other IP addresses and ports (one real IP it was making requests to: 34.237.229.125 being accessed by open VPN).

Can somebody from the balena team please provide an exhaustive list of ports/IP addresses my balenaCloud device will be accessing so I can pass on the same to our client’s network team?

The IP you mention is one of the IP addresses our VPN server resolves to. You may check with dig vpn.balena-cloud.com or nslookup vpn.balena-cloud.com.

There is not any IP list that we can provide, as IP addresses may change eventually, but the hostnames will be the same. We establish connections by hostname in our code.

You are probably facing a problem because of the wildcards. Does your firewall support DNS packet parsing for refreshing its IP/hostname mapping data structures?

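The DNS-parsing behaviour asked about above, as an added example that is not from the original post or from balena: a small Python simulation of an egress firewall that learns IP-to-hostname mappings from the DNS answers it observes and then checks each connection against the wildcard hostname and port allowlist given earlier in the thread. The hostnames and ports come from the thread; the IP addresses, the class and function names are constructed for this example.

```python
# Added example (not balena's code): a firewall that enforces wildcard hostname
# rules by learning IP -> hostname mappings from the DNS answers it observes.
# Rules follow the thread; IPs are constructed TEST-NET values.

ALLOWED_HOSTS = ("*.balena-cloud.com", "*.docker.com", "*.docker.io")
ALLOWED_PORTS = {("udp", 53), ("udp", 123), ("tcp", 443)}

def host_matches(hostname, pattern):
    """'*.balena-cloud.com' matches any subdomain (nested too) but neither the
    bare apex nor a look-alike such as notbalena-cloud.com."""
    hostname, pattern = hostname.lower().rstrip("."), pattern.lower()
    if pattern.startswith("*."):
        suffix = pattern[1:]  # ".balena-cloud.com"
        return hostname.endswith(suffix) and len(hostname) > len(suffix)
    return hostname == pattern

class DnsAwareFirewall:
    """Sees only destination IPs at connect time, so it must remember which
    hostname each IP was resolved from (constructed class)."""

    def __init__(self):
        self.ip_to_host = {}

    def observe_dns_answer(self, hostname, ips):
        # Refreshed from every DNS answer, so wildcard rules stay valid when
        # backend IPs change (the IP in the thread is one of several for vpn.*).
        for ip in ips:
            self.ip_to_host[ip] = hostname

    def decide(self, dst_ip, proto, port):
        if (proto, port) not in ALLOWED_PORTS:
            return "deny", f"{proto}/{port} not in allowed ports"
        host = self.ip_to_host.get(dst_ip)
        if host is None:
            # The thread's symptom: an IP the firewall never tied to a hostname.
            return "deny", f"{dst_ip} not associated with a resolved hostname"
        if any(host_matches(host, p) for p in ALLOWED_HOSTS):
            return "allow", host
        return "deny", f"{host} matches no allowed hostname pattern"

def run_demo():
    """Constructed traffic: VPN connect after its lookup, then a bad port, then
    a connect to an IP whose DNS answer the firewall never saw."""
    fw = DnsAwareFirewall()
    fw.observe_dns_answer("vpn.balena-cloud.com", ["203.0.113.10"])
    return [fw.decide("203.0.113.10", "tcp", 443),
            fw.decide("203.0.113.10", "tcp", 80),
            fw.decide("198.51.100.7", "tcp", 443)]
```

Calling `run_demo()` returns the three verdicts with their reasons; the last one is the case a firewall that matches on IP alone ends up in when it has no DNS-derived mapping for the address.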

Hey @majorz, thank you for the reply!

So I just spoke to the IT team and they informed me that they were having problems because of the wildcard entry. They do not have any issues whitelisting vpn.balena-cloud.com or any other specific hostnames.

Would it be possible to give them a list of hostnames so I can connect to my balenaCloud device from behind the corporate firewall?

We are currently providing only wildcard domain rules as we do not have control over the docker.io and docker.com subdomains. Those are used for upgrading supervisor and the OS and are essential features.

We are discussing this right now and will get back with more information on this soon.

@majorz Thanks, I understand!

Any chance you can provide me with a list of hostnames for *.balena-cloud.com at least?

I really need to at least be able to remotely control my device if not upgrade the OS.

For posting the subdomains here I will need internal confirmation, as I am not sure we would like to lock people out of updates (since others will read this page if they face issues with firewalls).

Alternatively you may set up a proxy. This will automatically resolve the issue you face with a firewall that does not support wildcard domains: https://www.balena.io/docs/reference/OS/network/2.x/#connecting-behind-a-proxy

@majorz Thanks for the clarity.

Please let me know if those subdomains can be shared with me. It’d be really helpful for me since this is a corporate client and we’ve already deployed our devices there to find out now that they have such strict firewall restrictions.

Thanks again.

Just to post an update here. I worked with @dakshshah96 last week over a PM to resolve his setup issues so that he is not blocked by this.

We will be providing a complete list of subdomains in our docs for the firewall settings.

I can confirm that all balenaCloud features work as expected.

Thank you @majorz and balena team!

@majorz because I am facing the same issue with the configuration of my firewall policies and I haven't found the list of the subdomains.
So I would be pleased if you could help me out here as well.

Hello @knaps have a look at https://www.balena.io/docs/reference/OS/network/2.x/#network-requirements for a list of the required subdomains, let us know if you need any additional help in setting this up.

Thanks for the fast reply, the problem is that our firewall can't handle wildcard domains. So the only solution I can find is implementing a proxy server, which would cause additional cost to us.
Do you have another solution?

Hi @knaps

Unfortunately not. This is something we are currently debating internally.

The list of subdomains can and does occasionally change (and is also dynamic, for example the use of UUIDs as part of the domain), so if you’re not able to handle wildcarded domains then I believe the only guaranteed solution at the moment is that of a proxy server.

Best regards,

Heds