Firewall requirements
Depending on your network, you may have to configure your firewalls to use Aspera on Cloud. This article describes how to allow traffic from your network to Aspera on Cloud and to and from any Aspera High-Speed Transfer Servers (HSTS) and cloud storage you attach to your AoC organization.
Allowing traffic from your network to Aspera on Cloud
To use AoC APIs, AoC web interfaces, or Aspera Connect clients on your network with Aspera on Cloud, and to connect to the Aspera metering system (ALEE), configure and allowlist your firewall as follows:
- For all AoC clients, and for users of the AoC API, allow traffic on TCP/443 to the DNS name api.ibmaspera.com.
- Allow traffic on TCP/443.
- For Aspera Connect clients and nodes (ATS, user-managed, and so on), also allow traffic on UDP/33001 and TCP/33001.
- Provide egress access to your AoC node IP addresses, which you can find in this table:
Allowing traffic from Aspera on Cloud to user-managed transfer servers (tethered nodes)
To use your own transfer server with Aspera on Cloud (as a tethered node), configure your firewall as follows:
- Allow traffic on TCP/443.
- For Aspera Connect clients, also allow traffic on UDP/33001 and TCP/33001.
- Provide ingress access for the following AoC service IP addresses:
IP Address: 169.46.4.68/31, 169.46.4.70/31, 169.48.106.192/26, 169.48.226.120/31, 169.48.236.50/31, 169.48.249.64/26, 169.60.129.66/31, 169.60.151.232/31, 169.60.197.0/26, 169.61.233.80/29, 169.61.54.112/29
- Provide ingress access from your AoC node IP addresses, which you can find in this table:
Allowing traffic to Aspera transfer service (ATS) nodes
You must also allow access for any transfer service nodes. Transfer service nodes typically use the aspera.io domain.
To retrieve the public IP addresses and ports for the transfer service so that you can allow them in your firewall rules, do the following:
1. Go to Nodes and Storage > Nodes.
2. In the list of nodes, scan for nodes NOT listed as Hosted by Aspera = Aspera.
3. Click the node row and enter the node secret to view details.
4. In the Node URL field, note the URL. The node URL contains the service provider region.
5. Use a curl request or your browser to access the following endpoints:
   - IBM Cloud: https://ats.aspera.io/pub/v1/servers/softlayer
   - Amazon S3: https://ats.aspera.io/pub/v1/servers/AWS
   - Microsoft Azure: https://ats.aspera.io/pub/v1/servers/AZURE
   - Google Cloud: https://ats.aspera.io/pub/v1/servers/Google
6. Search for the region you noted in step 4. Note all IP addresses associated with that region, along with the port found in the transfer_setup_url field.
7. Enter these IP addresses and ports in your firewall allowlist rules.
From | To: Service name | To: Service IP address | To: Service port |
---|---|---|---|
Aspera on Cloud API client or front-end web client | ATS transfer server | ATS IP address range | TCP/443 |
Aspera Connect clients | ATS transfer server | ATS IP address range | UDP/33001, TCP/33001 |
Aspera Connect browser | ATS transfer server | ATS IP address range | UDP/33001, TCP/33001 |
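The last two steps of the retrieval procedure in this section, as an added example (not IBM's code): it filters a server-list response by region and turns each address, plus the port in transfer_setup_url and the 33001 ports from the table, into allowlist entries. The response shape is an assumption: only transfer_setup_url is named on this page, while the region and public_ips field names, the hostnames, and the addresses in the sample are constructed.

```python
import ipaddress
import json
from urllib.parse import urlsplit

# Constructed sample shaped like a server-list response. Only the
# transfer_setup_url field is named on the page; "region" and "public_ips"
# are assumed field names, and all hosts and addresses are placeholders.
SAMPLE_RESPONSE = json.dumps([
    {"region": "us-east-1",
     "transfer_setup_url": "https://ats-region-a.example.com:443/setup",
     "public_ips": ["192.0.2.10", "192.0.2.11", "192.0.2.10"]},
    {"region": "eu-west-1",
     "transfer_setup_url": "https://ats-region-b.example.com/setup",
     "public_ips": ["198.51.100.7", "not-an-ip"]},
])

FASP_PORT = 33001  # UDP/33001 and TCP/33001, per the table on this page


def allowlist_for_region(response_text, region):
    """Return sorted (ip, proto, port) egress rules for one region."""
    rules = set()
    for server in json.loads(response_text):
        if server.get("region") != region:
            continue
        url = urlsplit(server["transfer_setup_url"])
        if url.scheme != "https":
            raise ValueError("unexpected scheme: " + server["transfer_setup_url"])
        api_port = url.port or 443  # no explicit port means the HTTPS default
        for raw in server.get("public_ips", []):
            try:
                ip = str(ipaddress.ip_address(raw))
            except ValueError:
                continue  # never turn a malformed entry into a firewall rule
            rules.add((ip, "tcp", api_port))
            rules.add((ip, "tcp", FASP_PORT))
            rules.add((ip, "udp", FASP_PORT))
    return sorted(rules)  # the set removes duplicate addresses


if __name__ == "__main__":
    for ip, proto, port in allowlist_for_region(SAMPLE_RESPONSE, "us-east-1"):
        print(f"allow out {proto} to {ip} port {port}")
```

Review the generated entries before loading them, and re-run the retrieval periodically, because a rule set built from a one-time snapshot goes stale when the provider changes addresses.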
Allowing traffic using IBMid authentication
From | To | |
---|---|---|
Service name | Service FQDN + Port =TCP/443 | |
Aspera on Cloud front-end web client | IBM Cloud |
Where:
For example:
https://identity-2.us-south.iam.cloud.ibm.com/identity/authorize |
Allowing traffic to CloudFront
To ensure seamless access to CloudFront, configure your network to allow traffic to the following domains:
Aspera URLs
URL | Port | Protocol | Usage |
---|---|---|---|
api.ibmaspera.com | 443 | TCP | Aspera on Cloud API |
<your_org_subdomain>.ibmaspera.com | 443 | TCP | Aspera on Cloud Front-end Portal, organization specific |
aspera.pub | 443 | TCP | Short URL service for file sharing |
downloads.ibmaspera.com | 443 | TCP | Provides distributions for IBM Aspera for desktop |
IBM id specific URLs
URL | Port | Protocol | Usage |
---|---|---|---|
login.ibm.com | 443 | TCP | Login with IBM ID |
iam.cloud.ibm.com | 443 | TCP | IBM Cloud Identity and Access Management (IAM) authentication |
identity-1.us-south.iam.cloud.ibm.com | 443 | TCP | IAM authentication in US South region |
identity-2.us-south.iam.cloud.ibm.com | 443 | TCP | IAM authentication redundancy for US South |
identity-3.us-south.iam.cloud.ibm.com | 443 | TCP | IAM authentication redundancy for US South |
identity-1.uk-south.iam.cloud.ibm.com | 443 | TCP | IAM authentication in UK South region |
identity-2.uk-south.iam.cloud.ibm.com | 443 | TCP | IAM authentication redundancy for UK South |
identity-3.uk-south.iam.cloud.ibm.com | 443 | TCP | IAM authentication redundancy for UK South |
identity-1.eu-central.iam.cloud.ibm.com | 443 | TCP | IAM authentication in EU Central region |
identity-2.eu-central.iam.cloud.ibm.com | 443 | TCP | IAM authentication redundancy for EU Central |
identity-3.eu-central.iam.cloud.ibm.com | 443 | TCP | IAM authentication redundancy for EU Central |
identity-1.ap-south.iam.cloud.ibm.com | 443 | TCP | IAM authentication in AP South region |
identity-2.ap-south.iam.cloud.ibm.com | 443 | TCP | IAM authentication redundancy for AP South |
identity-3.ap-south.iam.cloud.ibm.com | 443 | TCP | IAM authentication redundancy for AP South |
identity-1.ap-north.iam.cloud.ibm.com | 443 | TCP | IAM authentication in AP North region |
identity-2.ap-north.iam.cloud.ibm.com | 443 | TCP | IAM authentication redundancy for AP North |
Telemetry (Used by IBM Aspera SRE to monitor the application)
URL | Port | Protocol | Usage |
---|---|---|---|
sentry.asperasoft.com | 443 | TCP | Application exception monitoring |
eum-coral-saas.instana.io | 443 | TCP | Application performance monitoring |
For additional information regarding CloudFront edge server locations and best practices, refer to the official AWS documentation.