Firewall requirements for tethered nodes

Administrators must configure the proper firewall settings to enable high-speed transfers using Aspera on Cloud.

For Aspera IP addresses, only a few of those in the listed subnet ranges will be active at any given time. However, you should allow the entire set of ranges below to ensure continuous service in the event of a failover. (To determine the set of active IP addresses, check what api.ibmaspera.com resolves to using a tool such as dig or nslookup.)

This is step 2 in tethering a node.

Before you begin step 2, be sure you have completed step 1: Installing SSL certificates for tethered nodes.


Allowing traffic from your network to AoC

To use AoC APIs, web interfaces, or Aspera Connect clients on your network with Aspera on Cloud, and to connect to the Aspera metering system (ALEE), configure your firewall allowlist (whitelist) as follows:

  • Allow traffic on TCP/443.
  • For Aspera Connect clients and nodes (ATS, user-managed, and so on), also allow traffic on UDP/33001 and TCP/33001.
  • Provide egress access for the following AoC service IP addresses:
    IP Address
    169.46.4.68/31
    169.46.4.70/31
    169.48.106.192/26
    169.48.226.120/31
    169.48.236.50/31
    169.48.249.64/26
    169.60.129.66/31
    169.60.151.232/31
    169.60.197.0/26
    169.61.233.80/29
    169.61.54.112/29

Allowing traffic from AoC to tethered nodes (user-managed transfer servers)

To use your own transfer server as a tethered node with Aspera on Cloud, configure your firewall as follows:

  • Allow traffic on TCP/443.
  • For Aspera Connect clients, also allow traffic on UDP/33001 and TCP/33001.
  • Provide ingress access for the following AoC service IP addresses:
    IP Address
    169.46.4.68/31
    169.46.4.70/31
    169.48.106.192/26
    169.48.226.120/31
    169.48.236.50/31
    169.48.249.64/26
    169.60.129.66/31
    169.60.151.232/31
    169.60.197.0/26
    169.61.233.80/29
    169.61.54.112/29

Allowing traffic using IBMid authentication

If your AoC authentication methods include IBMid, you must allow (allowlist/whitelist) the following URLs:

From (service name): Aspera on Cloud front-end web client
To (service): IBM Cloud
To (FQDN + port = TCP/443):
  • iam.cloud.ibm.com
  • identity-?.*.iam.cloud.ibm.com/identity/authorize

Where:

  • ? = one character
  • * = one region name (no deeper subdomain allowed)

For example:

https://identity-2.us-south.iam.cloud.ibm.com/identity/authorize
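
The wildcard rules above are stricter than a shell-style glob, where `*` also matches dots. The following is an added example, not IBM's code, of a URL check that enforces them; it assumes `?` means one letter or digit, `*` means one DNS label, and that a query string after the path is acceptable. All function names are hypothetical.

```python
import re
from fnmatch import fnmatchcase
from urllib.parse import urlsplit

# Assumption: "?" is one letter or digit and "*" is one DNS label (no dots).
_LABEL = r"[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?"
_IDENTITY_HOST = re.compile(rf"identity-[a-z0-9]\.{_LABEL}\.iam\.cloud\.ibm\.com")
_IAM_HOST = "iam.cloud.ibm.com"
_IDENTITY_PATH = "/identity/authorize"


def naive_glob_match(host: str) -> bool:
    """Shell-style glob, shown for contrast: its '*' also matches dots."""
    return fnmatchcase(host, "identity-?.*.iam.cloud.ibm.com")


def is_allowed_ibmid_url(url: str) -> bool:
    """True if url matches one of the two IBMid entries, HTTPS on TCP/443 only."""
    try:
        parts = urlsplit(url)
        port = parts.port          # raises ValueError on a malformed port
    except ValueError:
        return False
    if parts.scheme != "https" or port not in (None, 443):
        return False
    host = parts.hostname or ""    # lowercased, with userinfo and port stripped
    if host == _IAM_HOST:
        return True
    return bool(_IDENTITY_HOST.fullmatch(host)) and parts.path == _IDENTITY_PATH


if __name__ == "__main__":
    # The first URL is the page's example; the rest are constructed test cases.
    samples = [
        "https://identity-2.us-south.iam.cloud.ibm.com/identity/authorize",
        "https://iam.cloud.ibm.com/",
        "https://identity-2.a.us-south.iam.cloud.ibm.com/identity/authorize",
        "https://identity-22.us-south.iam.cloud.ibm.com/identity/authorize",
        "https://identity-2.us-south.iam.cloud.ibm.com.example.net/identity/authorize",
        "https://identity-2.us-south.iam.cloud.ibm.com:8443/identity/authorize",
        "https://identity-2.us-south.iam.cloud.ibm.com/identity/other",
    ]
    for url in samples:
        print(f"{is_allowed_ibmid_url(url)!s:5}  {url}")
```
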

Next step in tethering a node

You've completed the firewall configuration for your tethered node. For step 3 in tethering the HSTS node to your AoC organization, go to Using an HTTPS proxy for outgoing ALEE and AEJD traffic from your tethered node.