Firewall configuration without wildcards

Hello,

We have an installation where the IT department refuses to allow wildcards in their firewall. The Network requirements document states that they need to grant access to *.balena-cloud.com. We need a list of actual hostnames for them. Is that possible?

Also, at some point there was a requirement to allow access to *.pubnub.com. Is that still necessary? What is it used for? If it is necessary, we would also need specific hostnames.

Thanks.

Hello, access to pubnub is no longer necessary. For maximum compatibility and uptime of customers’ devices, we don’t officially publish the hostnames used, since they can get added/removed based on internal requirements/priorities. However, you could try limiting the list devices can connect to:

api.
delta.
delta-data.
registry2.
registry-data.
vpn.

Thank you @ab77. The CNAMEs should be fine. To be precise, are those hostnames above in the .balena-cloud.com domain, and use port 443?

Also, I assume that access to dockerhub.com is not needed, since the images are pulled from the Balena registry. Is this correct?

Yes, that sounds right. No need to whitelist dockerhub.

For anyone else reading this later - you should only do this if it's not an option. The correct way is still to follow our network requirements and allow the wildcard *.balena-cloud.com.

Balena might change the way our backend works in the future, where we might require access to another domain. This can potentially interfere with normal operation of your devices.