Firewall requirements

Depending on your network, you may have to configure your firewalls to use Aspera on Cloud. This article describes how to allow traffic from your network to Aspera on Cloud and to and from any Aspera High-Speed Transfer Servers (HSTS) and cloud storage you attach to your AoC organization.

Note: For Aspera IP addresses, only a few of those in the listed subnet ranges will be active at any given time. However, Aspera recommends that you allow the entire set of ranges below to ensure continuous service in the event of a failover. (To determine the set of active IP addresses, check what api.ibmaspera.com resolves to using a tool such as dig or nslookup.)

Allowing traffic from your network to Aspera on Cloud

To use AoC APIs, AoC web interfaces, or Aspera Connect clients on your network with Aspera on Cloud, and to connect to the Aspera metering system (ALEE), configure your firewall allowlist as follows:

  • For all AoC clients, and for users of the AoC API, allow traffic on TCP/443 to the DNS name api.ibmaspera.com.
  • Allow traffic on TCP/443.
  • For Aspera Connect clients and nodes (ATS, user-managed, and so on), also allow traffic on UDP/33001 and TCP/33001.
  • Provide egress access to your AoC node IP addresses, which you can find in this table:
    FQDN IP Address
    files-prod-es-dal01.asperafiles.com 169.53.25.37
    files-prod-es-dal02.asperafiles.com 169.45.159.172
    files-prod-es-dal03.asperafiles.com 169.45.181.114
    files-prod-es-dal05.asperafiles.com 169.45.181.108
    files-prod-es-dal06.asperafiles.com 169.45.181.119
    files-prod-es-dal07.asperafiles.com 169.53.25.46
    files-prod-es-dal08.asperafiles.com 169.44.93.173
    files-prod-es-dal09.asperafiles.com 169.55.209.8
    files-prod-es-dal10.asperafiles.com 169.45.159.167
    files-prod-es-dal11.asperafiles.com 169.53.25.50
    files-prod-es-dal12.asperafiles.com 169.53.25.51
    files-prod-es-dal13.asperafiles.com 169.55.209.13
    files-prod-es-dal14.asperafiles.com 169.55.209.16
    files-prod-es-dal15.asperafiles.com 169.55.209.21
    files-prod-es-dal16.asperafiles.com 169.55.209.25
    files-prod-es-dal17.asperafiles.com 169.55.209.4
    files-prod-es-dal18.asperafiles.com 169.55.209.56
    files-prod-es-dal19.asperafiles.com 169.60.197.23
    files-prod-es-dal20.asperafiles.com 169.55.209.57
    files-prod-es-dal21.asperafiles.com 169.55.209.37
    files-prod-es-dal22.asperafiles.com 169.44.93.164
    files-prod-es-fra-01.asperafiles.com 169.50.13.181
    files-prod-es-mel-01.asperafiles.com 168.1.93.152
    files-prod-es-syd-01.asperafiles.com 168.1.53.156
    files-prod-es-tor01.asperafiles.com 169.55.132.59
    files-prod-es-tor02.asperafiles.com 169.55.132.61
    files-prod-es-tor03.asperafiles.com 169.55.132.52
    files-prod-es-tor05.asperafiles.com 169.55.209.29
    files-prod-es-tor06.asperafiles.com 158.85.65.52
    files-prod-es-tor07.asperafiles.com 169.55.209.22
    files-prod-es-tor08.asperafiles.com 169.55.209.19
    files-prod-es-tor09.asperafiles.com 169.55.132.58
    files-prod-es-tor10.asperafiles.com 169.55.209.23
    files-prod-es-tor11.asperafiles.com 169.55.132.53
    files-prod-es-tor12.asperafiles.com 169.55.132.56
    files-prod-es-tor13.asperafiles.com 169.55.132.60
    files-prod-es-tor14.asperafiles.com 169.55.132.54
    files-prod-es-tor15.asperafiles.com 169.55.132.57
    files-prod-es-tor16.asperafiles.com 169.55.132.55
    files-prod-es-tor17.asperafiles.com 169.55.169.244
    files-prod-es-tor18.asperafiles.com 158.85.65.41
    files-prod-es-tor19.asperafiles.com 158.85.65.47
    files-prod-es-tor20.asperafiles.com 158.85.65.57
    files-prod-es-tor21.asperafiles.com 158.85.65.43
    files-prod-es-tor22.asperafiles.com 169.55.169.228
    files-prod-es-tor23.asperafiles.com 158.85.65.59
    files-prod-es-tor24.asperafiles.com 169.55.169.237
    files-prod-es-tor25.asperafiles.com 158.85.65.36
    files-prod-es-tor26.asperafiles.com 158.85.65.61
    files-prod-es-tor27.asperafiles.com 169.55.169.231
    files-prod-es-tor28.asperafiles.com 158.85.65.37
    files-prod-es-tor29.asperafiles.com 158.85.65.40
    files-prod-es-tor30.asperafiles.com 158.85.65.48

Allowing traffic from Aspera on Cloud to user-managed transfer servers (tethered nodes)

To use your own transfer server with Aspera on Cloud (as a tethered node), configure your firewall as follows:

  • Allow traffic on TCP/443.
  • For Aspera Connect clients, also allow traffic on UDP/33001 and TCP/33001.
  • Provide ingress access for the following AoC service IP addresses:
    IP Address
    169.46.4.68/31
    169.46.4.70/31
    169.48.106.192/26
    169.48.226.120/31
    169.48.236.50/31
    169.48.249.64/26
    169.60.129.66/31
    169.60.151.232/31
    169.60.197.0/26
    169.61.233.80/29
    169.61.54.112/29
  • Provide ingress access from your AoC node IP addresses, which you can find in this table:
    FQDN IP Address
    files-prod-es-ams01.asperafiles.com 159.8.39.228
    files-prod-es-ams02.asperafiles.com 159.8.39.237
    files-prod-es-dal01.asperafiles.com 169.53.25.37
    files-prod-es-dal02.asperafiles.com 169.45.159.172
    files-prod-es-dal03.asperafiles.com 169.45.181.114
    files-prod-es-dal04.asperafiles.com 169.45.181.104
    files-prod-es-dal05.asperafiles.com 169.45.181.108
    files-prod-es-dal06.asperafiles.com 169.45.181.119
    files-prod-es-dal07.asperafiles.com 169.53.25.46
    files-prod-es-dal08.asperafiles.com 169.44.93.173
    files-prod-es-dal09.asperafiles.com 169.55.209.8
    files-prod-es-dal10.asperafiles.com 169.45.159.167
    files-prod-es-dal11.asperafiles.com 169.53.25.50
    files-prod-es-dal12.asperafiles.com 169.53.25.51
    files-prod-es-dal13.asperafiles.com 169.55.209.13
    files-prod-es-dal14.asperafiles.com 169.55.209.16
    files-prod-es-dal15.asperafiles.com 169.55.209.21
    files-prod-es-dal16.asperafiles.com 169.55.209.25
    files-prod-es-dal17.asperafiles.com 169.55.209.4
    files-prod-es-dal18.asperafiles.com 169.55.209.56
    files-prod-es-dal19.asperafiles.com 169.60.197.23
    files-prod-es-dal20.asperafiles.com 169.55.209.57
    files-prod-es-dal21.asperafiles.com 169.55.209.37
    files-prod-es-dal22.asperafiles.com 169.44.93.164
    files-prod-es-fra-01.asperafiles.com 169.50.13.181
    files-prod-es-mel-01.asperafiles.com 168.1.93.152
    files-prod-es-syd-01.asperafiles.com 168.1.53.156
    files-prod-es-tok-01.asperafiles.com 161.202.227.93
    files-prod-es-tor01.asperafiles.com 169.55.132.59
    files-prod-es-tor02.asperafiles.com 169.55.132.61
    files-prod-es-tor03.asperafiles.com 169.55.132.52
    files-prod-es-tor04.asperafiles.com 169.55.169.253
    files-prod-es-tor05.asperafiles.com 169.55.209.29
    files-prod-es-tor06.asperafiles.com 158.85.65.52
    files-prod-es-tor07.asperafiles.com 169.55.209.22
    files-prod-es-tor08.asperafiles.com 169.55.209.19
    files-prod-es-tor09.asperafiles.com 169.55.132.58
    files-prod-es-tor10.asperafiles.com 169.55.209.23
    files-prod-es-tor11.asperafiles.com 169.55.132.53
    files-prod-es-tor12.asperafiles.com 169.55.132.56
    files-prod-es-tor13.asperafiles.com 169.55.132.60
    files-prod-es-tor14.asperafiles.com 169.55.132.54
    files-prod-es-tor15.asperafiles.com 169.55.132.57
    files-prod-es-tor16.asperafiles.com 169.55.132.55
    files-prod-es-tor17.asperafiles.com 169.55.169.244
    files-prod-es-tor18.asperafiles.com 158.85.65.41
    files-prod-es-tor19.asperafiles.com 158.85.65.47
    files-prod-es-tor20.asperafiles.com 158.85.65.57
    files-prod-es-tor21.asperafiles.com 158.85.65.43
    files-prod-es-tor22.asperafiles.com 169.55.169.228
    files-prod-es-tor23.asperafiles.com 158.85.65.59
    files-prod-es-tor24.asperafiles.com 169.55.169.237
    files-prod-es-tor25.asperafiles.com 158.85.65.36
    files-prod-es-tor26.asperafiles.com 158.85.65.61
    files-prod-es-tor27.asperafiles.com 169.55.169.231
    files-prod-es-tor28.asperafiles.com 158.85.65.37
    files-prod-es-tor29.asperafiles.com 158.85.65.40
    files-prod-es-tor30.asperafiles.com 158.85.65.48
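
An added example (not part of the IBM documentation): a Python check that audits connection records against the ingress ranges and ports listed in this section. The log line format, the sample records and the three-row AOC_NODE_IPS subset are constructed for illustration; load the full node table in practice.

```python
import ipaddress

# AoC service ranges copied from the ingress list above.
AOC_SERVICE_RANGES = [
    "169.46.4.68/31", "169.46.4.70/31", "169.48.106.192/26",
    "169.48.226.120/31", "169.48.236.50/31", "169.48.249.64/26",
    "169.60.129.66/31", "169.60.151.232/31", "169.60.197.0/26",
    "169.61.233.80/29", "169.61.54.112/29",
]
# Three rows from the node table above (subset for illustration only).
AOC_NODE_IPS = ["159.8.39.228", "169.53.25.37", "158.85.65.48"]
# Protocol/port pairs this section asks you to open.
ALLOWED_PORTS = {("tcp", 443), ("tcp", 33001), ("udp", 33001)}

def build_allowlist(ranges, hosts):
    """Parse CIDRs strictly (host bits must be zero) and merge adjacent blocks."""
    nets = [ipaddress.ip_network(r, strict=True) for r in ranges]
    nets += [ipaddress.ip_network(h + "/32") for h in hosts]
    return list(ipaddress.collapse_addresses(nets))

def audit(log_lines, allowlist):
    """Return (line, reason) for records an over-broad rule would let through."""
    findings = []
    for line in log_lines:
        proto, src, port = line.split()
        ip = ipaddress.ip_address(src)
        if (proto.lower(), int(port)) not in ALLOWED_PORTS:
            findings.append((line, "port not in documented set"))
        elif not any(ip in net for net in allowlist):
            findings.append((line, "source outside documented AoC ranges"))
    return findings

# Constructed records in the form "<proto> <source ip> <destination port>".
SAMPLE_LOG = [
    "tcp 169.46.4.69 443",      # inside 169.46.4.68/31
    "tcp 169.46.4.72 443",      # just past 169.46.4.70/31
    "udp 169.60.197.63 33001",  # last address of 169.60.197.0/26
    "tcp 169.60.197.64 443",    # first address after that /26
    "tcp 158.85.65.48 22",      # listed node, undocumented port
    "tcp 203.0.113.10 33001",   # unrelated source (documentation range)
]

if __name__ == "__main__":
    for line, reason in audit(SAMPLE_LOG, build_allowlist(AOC_SERVICE_RANGES, AOC_NODE_IPS)):
        print(f"{line}: {reason}")
```

The two adjacent /31 ranges merge into a single /30, so a rule set generated from the collapsed list is shorter without admitting any extra address.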

Allowing traffic to Aspera transfer service (ATS) nodes

You must also allow access for any transfer service nodes. Transfer service nodes typically use the aspera.io domain.

To retrieve the transfer service's public IP addresses and ports so that you can allow them in your firewall rules, do the following:

  1. Go to Nodes and Storage > Nodes.
  2. In the list of nodes, scan for nodes NOT listed as Hosted by Aspera = Aspera.
  3. Click the node row and enter the node secret to view details.
  4. In the Node URL field, note the URL. The node URL contains the service provider region.
  5. Use a curl request or your browser to access the following endpoints:
  6. Search for the region you noted in step 4. Note all IP addresses associated with that region, along with the port found in the transfer_setup_url field.
  7. Enter these IP addresses and ports in your firewall allowlist rules.

From (service name) | To (service) | IP address | Service port
Aspera on Cloud API client or front-end web client | ATS transfer server | ATS IP address range | TCP/443
Aspera Connect clients | ATS transfer server | ATS IP address range | UDP/33001, TCP/33001
Aspera Connect browser | ATS transfer server | ATS IP address range | UDP/33001, TCP/33001

Allowing traffic using IBMid authentication

If your AoC authentication methods include IBMid, you must allowlist the following URLs:

From (service name): Aspera on Cloud front-end web client
To (service): IBM Cloud
FQDN (port TCP/443):
  • iam.cloud.ibm.com
  • identity-?.*.iam.cloud.ibm.com/identity/authorize

Where:
  • ? = one character
  • * = one region name (no deeper subdomain allowed)

For example:
https://identity-2.us-south.iam.cloud.ibm.com/identity/authorize
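
An added example (not part of the IBM documentation): one way to turn the ? and * notation above into an anchored match for a proxy or egress filter, so that the wildcard cannot be satisfied by a deeper subdomain or a look-alike suffix. The function names are hypothetical, and the character sets chosen for ? and * (lowercase hostname label characters) are an assumption.

```python
import re
from urllib.parse import urlsplit

def wildcard_host_to_regex(pattern):
    """Translate the page's '?' / '*' host notation into a regex for fullmatch()."""
    out = []
    for ch in pattern:
        if ch == "?":
            out.append("[a-z0-9]")      # exactly one character (assumed set)
        elif ch == "*":
            out.append("[a-z0-9-]+")    # one label: dots are excluded
        else:
            out.append(re.escape(ch))   # literal, so '.' matches only '.'
    return re.compile("".join(out))

IDENTITY_HOST = wildcard_host_to_regex("identity-?.*.iam.cloud.ibm.com")
IDENTITY_PATH = "/identity/authorize"
EXACT_HOSTS = {"iam.cloud.ibm.com"}

def is_allowed(url):
    """True only for https URLs on port 443 that match the documented entries."""
    parts = urlsplit(url)
    try:
        port = parts.port
    except ValueError:                  # malformed or out-of-range port
        return False
    if parts.scheme != "https" or port not in (None, 443):
        return False
    host = (parts.hostname or "").rstrip(".")   # hostname is already lowercased
    if host in EXACT_HOSTS:
        return True
    return bool(IDENTITY_HOST.fullmatch(host)) and parts.path == IDENTITY_PATH

if __name__ == "__main__":
    for candidate in (
        "https://identity-2.us-south.iam.cloud.ibm.com/identity/authorize",
        "https://identity-2.a.us-south.iam.cloud.ibm.com/identity/authorize",
        "https://identity-2.us-south.iam.cloud.ibm.com.example.net/identity/authorize",
    ):
        print(candidate, is_allowed(candidate))
```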

Allowing traffic to CloudFront

To ensure seamless access to CloudFront, configure your network to allow traffic to the following domains:

Aspera URLs

URL Port Protocol Usage
api.ibmaspera.com 443 TCP Aspera on Cloud API
<your_org_subdomain>.ibmaspera.com 443 TCP Aspera on Cloud Front-end Portal, organization specific
aspera.pub 443 TCP Short URL service for file sharing
downloads.ibmaspera.com 443 TCP Provides distributions for IBM Aspera for desktop

IBMid-specific URLs

URL Port Protocol Usage
login.ibm.com 443 TCP Login with IBMid
iam.cloud.ibm.com 443 TCP IBM Cloud Identity and Access Management (IAM) authentication
identity-1.us-south.iam.cloud.ibm.com 443 TCP IAM authentication in US South region
identity-2.us-south.iam.cloud.ibm.com 443 TCP IAM authentication redundancy for US South
identity-3.us-south.iam.cloud.ibm.com 443 TCP IAM authentication redundancy for US South
identity-1.uk-south.iam.cloud.ibm.com 443 TCP IAM authentication in UK South region
identity-2.uk-south.iam.cloud.ibm.com 443 TCP IAM authentication redundancy for UK South
identity-3.uk-south.iam.cloud.ibm.com 443 TCP IAM authentication redundancy for UK South
identity-1.eu-central.iam.cloud.ibm.com 443 TCP IAM authentication in EU Central region
identity-2.eu-central.iam.cloud.ibm.com 443 TCP IAM authentication redundancy for EU Central
identity-3.eu-central.iam.cloud.ibm.com 443 TCP IAM authentication redundancy for EU Central
identity-1.ap-south.iam.cloud.ibm.com 443 TCP IAM authentication in AP South region
identity-2.ap-south.iam.cloud.ibm.com 443 TCP IAM authentication redundancy for AP South
identity-3.ap-south.iam.cloud.ibm.com 443 TCP IAM authentication redundancy for AP South
identity-1.ap-north.iam.cloud.ibm.com 443 TCP IAM authentication in AP North region
identity-2.ap-north.iam.cloud.ibm.com 443 TCP IAM authentication redundancy for AP North

Telemetry (Used by IBM Aspera SRE to monitor the application)

URL Port Protocol Usage
sentry.asperasoft.com 443 TCP Application exception monitoring
eum-coral-saas.instana.io 443 TCP Application performance monitoring

For additional information regarding CloudFront edge server locations and best practices, refer to the official AWS documentation.