Unexpected EC2 domain communication

Hi all,

We’ve recently deployed a Pi on Balena to a customer network, and provided them with the firewall rules as per the network requirements page. To the best of my knowledge, this has now been set up; however, we are only seeing ‘Online (Heartbeat only)’ on the GUI for the device, and the network administrator has flagged that the unit is talking to an EC2 address, which I’m not familiar with.

Is there a chance that the network requirements section of your site is out of date, and this is in fact a Balena endpoint?

The address being blocked is:
[screenshot of the blocked address]

Thanks

Hi - can anybody help me with this?

@mpous - we talked about tunnelling the Node-RED dashboard previously, so perhaps you can help me?

Thanks

Perhaps @pdcastro ? I’m stuck for answers so could really use some guidance from the Balena team.

Hi Joe,

The network requirements page advises whitelisting *.balena-cloud.com, which includes several hostnames such as:

api.balena-cloud.com
registry2.balena-cloud.com
s3.balena-cloud.com
tunnel.balena-cloud.com
vpn.balena-cloud.com

and probably more. Each of these hostnames resolves to multiple IPv4 and IPv6 addresses that change over time. The last hostname, vpn, currently includes the IP address of your screenshot (35.169.76.143) among them:

$ host vpn.balena-cloud.com
vpn.balena-cloud.com is an alias for ab62c62b8a0004e8cbc98d804db4adee-ab269b2a66b510a2.elb.us-east-1.amazonaws.com.
ab62c62b8a0004e8cbc98d804db4adee-ab269b2a66b510a2.elb.us-east-1.amazonaws.com has address 35.169.89.252
ab62c62b8a0004e8cbc98d804db4adee-ab269b2a66b510a2.elb.us-east-1.amazonaws.com has address 3.227.28.93
ab62c62b8a0004e8cbc98d804db4adee-ab269b2a66b510a2.elb.us-east-1.amazonaws.com has address 35.169.76.143
ab62c62b8a0004e8cbc98d804db4adee-ab269b2a66b510a2.elb.us-east-1.amazonaws.com has IPv6 address 2600:1f18:6600:7f00:3b29:5e04:b6af:68b7
ab62c62b8a0004e8cbc98d804db4adee-ab269b2a66b510a2.elb.us-east-1.amazonaws.com has IPv6 address 2600:1f18:6600:7f01:b5fc:e785:75fc:2e80
ab62c62b8a0004e8cbc98d804db4adee-ab269b2a66b510a2.elb.us-east-1.amazonaws.com has IPv6 address 2600:1f18:6600:7f02:3ef5:d239:9bb4:6036

Therefore, the EC2 address you referred to is indeed a balena endpoint – the VPN, which would explain the “Online (Heartbeat only)” status on the device web dashboard in case the network’s local firewall is blocking that IP address.

In this regard, the network requirements section is not out of date, but note that the IP addresses associated with each whitelisted hostname change over time.

I understand that some firewalls do not allow setting up whitelisting such as *.balena-cloud.com, in particular not supporting the wildcard configuration. Furthermore, even when the wildcard restriction is worked around by whitelisting a full hostname like vpn.balena-cloud.com, I understand that some firewalls are slow to catch up with IP address changes, blocking access for minutes / hours / days depending on the firewall’s implementation. Unfortunately I am not aware of good solutions to these specific firewall difficulties, other than replacing the firewall, automating the firewall reconfiguration with scripts, or bypassing the firewall with additional proxy / tunnel / VPN services (services that themselves would have to be whitelisted…). In the past, customers have requested that balena offer a definitive list of IP addresses that they could whitelist, but unfortunately that’s not compatible with our auto scaling, infrastructure-as-code backend architecture hosted on AWS, especially in the context of a dwindling availability of public static IPv4 addresses.

Let us know if you have further questions.

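As an added example (not from this thread and not balena's own tooling), a small Python script that does the check a network admin would want here: resolve the hostnames listed in the reply above, report which hostname a flagged IP currently belongs to, and compute the add/drop delta a static allow-list needs between two resolutions. The hostname list and the sample vpn addresses come from the reply; the function names and the sample snapshot are my own.

```python
import ipaddress
import socket
from typing import Callable, Dict, Iterable, List, Set, Tuple

# Hostnames named in the reply above; the *.balena-cloud.com wildcard covers more.
BALENA_HOSTS = ["api.balena-cloud.com", "registry2.balena-cloud.com",
                "s3.balena-cloud.com", "tunnel.balena-cloud.com", "vpn.balena-cloud.com"]

Resolver = Callable[[str], Set[str]]


def resolve_all(hostname: str) -> Set[str]:
    """Live resolver: every IPv4/IPv6 address the hostname currently maps to."""
    return {str(ipaddress.ip_address(i[4][0])) for i in socket.getaddrinfo(hostname, None)}


def snapshot(hosts: Iterable[str], resolver: Resolver = resolve_all) -> Dict[str, Set[str]]:
    """Map each hostname to its current address set; a failed lookup yields an empty set."""
    snap: Dict[str, Set[str]] = {}
    for host in hosts:
        try:
            snap[host] = set(resolver(host))
        except OSError:  # NXDOMAIN, timeout, no network: record nothing for that host
            snap[host] = set()
    return snap


def owners_of(ip: str, snap: Dict[str, Set[str]]) -> Set[str]:
    """Hostnames whose current address set contains the flagged IP (empty = unknown endpoint)."""
    target = str(ipaddress.ip_address(ip))  # normalises IPv6 spelling before comparing
    return {host for host, addrs in snap.items() if target in addrs}


def allowlist_delta(old: Dict[str, Set[str]], new: Dict[str, Set[str]]) -> Tuple[List[str], List[str]]:
    """Addresses a static allow-list must add, and may drop, after re-resolving."""
    old_all = set().union(*old.values())
    new_all = set().union(*new.values())
    return sorted(new_all - old_all), sorted(old_all - new_all)


# Constructed sample: the vpn addresses are the ones shown in the `host` output above.
SAMPLE_SNAPSHOT = {
    "vpn.balena-cloud.com": {"35.169.89.252", "3.227.28.93", "35.169.76.143",
                             "2600:1f18:6600:7f00:3b29:5e04:b6af:68b7",
                             "2600:1f18:6600:7f01:b5fc:e785:75fc:2e80",
                             "2600:1f18:6600:7f02:3ef5:d239:9bb4:6036"},
}

if __name__ == "__main__":
    live = snapshot(BALENA_HOSTS)  # needs network access
    print("flagged IP belongs to:", owners_of("35.169.76.143", live))
    print("allow-list add/drop vs. sample:", allowlist_delta(SAMPLE_SNAPSHOT, live))
```

Run it on a schedule and feed the delta into the firewall's own API to keep a static allow-list in step with the changing addresses, which is the "automating the firewall reconfiguration with scripts" option from the reply.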

Thanks. I think on this occasion, as the customer’s firewall rules are managed centrally (in the US) and I can’t push any changes due to compatibility or security, I’ll have to look for something else. Shame!