Firewall requirements for ATS and cloud storage

Administrators must configure the proper firewall settings to enable high-speed transfers using Aspera on Cloud.

Note: For Aspera IP addresses, only a few of those in the listed subnet ranges will be active at any given time. However, Aspera recommends that you allow the entire set of ranges below to ensure continuous service in the event of a failover. (To determine the set of active IP addresses, check what api.ibmaspera.com resolves to using a tool such as dig or nslookup.)

Allowing traffic from your network to Aspera on Cloud

To use AoC APIs, AoC web interfaces, or Aspera Connect clients on your network with Aspera on Cloud, and to connect to the Aspera metering system (ALEE), configure (allowlist/whitelist) your firewall as follows:

  • Allow traffic on TCP/443.
  • For Aspera Connect clients and nodes (ATS, user-managed, and so on), also allow traffic on UDP/33001 and TCP/33001.
  • Provide egress access for the following AoC service IP addresses:
    IP Address
    169.46.4.68/31
    169.46.4.70/31
    169.48.106.192/26
    169.48.226.120/31
    169.48.236.50/31
    169.48.249.64/26
    169.60.129.66/31
    169.60.151.232/31
    169.60.197.0/26
    169.61.233.80/29
    169.61.54.112/29
  • Provide egress access to your AoC node IP addresses, which you can find in this table:
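The following Python check is an added example, not part of the original page. It audits an egress rule set against the AoC service ranges listed above and flags resolved addresses (such as those returned by dig for api.ibmaspera.com) that fall outside them. The sample rules and sample resolved addresses are constructed, and the function names are illustrative.

```python
import ipaddress

# AoC service ranges as listed on this page.
AOC_SERVICE_RANGES = [ipaddress.ip_network(c) for c in (
    "169.46.4.68/31", "169.46.4.70/31", "169.48.106.192/26",
    "169.48.226.120/31", "169.48.236.50/31", "169.48.249.64/26",
    "169.60.129.66/31", "169.60.151.232/31", "169.60.197.0/26",
    "169.61.233.80/29", "169.61.54.112/29",
)]

# Constructed egress rule set: one aggregated rule, one rule that is
# too narrow, and one documented range missing entirely.
SAMPLE_EGRESS_RULES = [
    "169.46.4.68/30",        # aggregates the two adjacent /31 ranges
    "169.48.106.192/27",     # too narrow: the page lists a /26
    "169.48.226.120/31", "169.48.236.50/31", "169.48.249.64/26",
    "169.60.129.66/31", "169.60.151.232/31", "169.60.197.0/26",
    "169.61.233.80/29",      # 169.61.54.112/29 is absent
]

# Constructed stand-in for the output of a DNS lookup.
SAMPLE_RESOLVED = ["169.48.249.70", "169.60.197.64"]


def uncovered_ranges(egress_rules):
    """Return documented ranges that no single egress rule fully contains."""
    rules = [ipaddress.ip_network(r) for r in egress_rules]
    return [str(net) for net in AOC_SERVICE_RANGES
            if not any(net.subnet_of(rule) for rule in rules)]


def outside_documented(resolved_ips):
    """Return resolved addresses that fall outside every documented range."""
    return [ip for ip in resolved_ips
            if not any(ipaddress.ip_address(ip) in net
                       for net in AOC_SERVICE_RANGES)]


if __name__ == "__main__":
    print("Ranges not fully allowed:", uncovered_ranges(SAMPLE_EGRESS_RULES))
    print("Resolved outside ranges:", outside_documented(SAMPLE_RESOLVED))
```

A rule that allows only the currently active addresses passes traffic today but shows up here as uncovered ranges, which is the failover gap the note at the top of this page describes.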

Allowing traffic to transfer service nodes connected to cloud storage

You must also allow access for any transfer service nodes that attach your cloud storage to your Aspera on Cloud organization. Transfer service nodes typically use the aspera.io domain.

To retrieve the public IP addresses and ports of the transfer service so that you can allow them in your firewall rules, do the following:

  1. Go to Nodes and Storage > Nodes.
  2. In the list of nodes, scan for nodes NOT listed as Hosted by Aspera = Aspera.
  3. Click the node row and enter the node secret to view details.
  4. In the Node URL field, note the URL. The node URL contains the service provider region.
  5. Use a curl request or your browser to access the following endpoints:
  6. Search for the region you noted in step 4. Note all IP addresses associated with that region, along with the port found in the transfer_setup_url field.
  7. Enter these IP addresses and ports in your firewall allowlist (whitelist) rules.
    From (service name)                                | To (service)        | IP address           | Service port
    Aspera on Cloud API client or front-end web client | ATS transfer server | ATS IP address range | TCP/443
    Aspera Connect clients                             | ATS transfer server | ATS IP address range | UDP/33001, TCP/33001
    Aspera Connect browser                             | ATS transfer server | ATS IP address range | UDP/33001, TCP/33001

Allowing traffic using IBMid authentication

If your AoC authentication methods include IBMid, you must allow (allowlist/whitelist) the following URLs:
From (service name): Aspera on Cloud front-end web client
To (service): IBM Cloud
FQDN (port TCP/443):
  • iam.cloud.ibm.com
  • identity-?.*.iam.cloud.ibm.com/identity/authorize
Where:
  • ? = one character
  • * = one region name (no deeper subdomain allowed)
For example:
https://identity-2.us-south.iam.cloud.ibm.com/identity/authorize
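The following Python matcher is an added example, not part of the original page. It implements the wildcard rules above for a proxy or URL-filter allowlist and shows why a generic glob is too loose: a glob `*` also matches dots, which would admit deeper subdomains. It assumes `?` means one letter or digit and that a region name is a single DNS label; the function names and test URLs are illustrative.

```python
import fnmatch
import re
from urllib.parse import urlsplit

HOST_PATTERN = "identity-?.*.iam.cloud.ibm.com"   # pattern from this page
REQUIRED_PATH = "/identity/authorize"
EXACT_HOST = "iam.cloud.ibm.com"


def compile_host_pattern(pattern):
    """Translate the page's wildcard syntax into a regex for full matching.

    ?  -> exactly one character (assumed: a letter or digit)
    *  -> exactly one DNS label, so it can never span a dot
    """
    parts = []
    for ch in pattern:
        if ch == "?":
            parts.append("[a-z0-9]")
        elif ch == "*":
            parts.append("[a-z0-9](?:[a-z0-9-]*[a-z0-9])?")
        else:
            parts.append(re.escape(ch))
    return re.compile("".join(parts))


HOST_RE = compile_host_pattern(HOST_PATTERN)


def is_allowed(url):
    """Allow only HTTPS on TCP/443 to the hosts and path listed on this page."""
    parts = urlsplit(url)
    if parts.scheme != "https" or parts.port not in (None, 443):
        return False
    host = (parts.hostname or "").lower()
    if host == EXACT_HOST:
        return True
    return HOST_RE.fullmatch(host) is not None and parts.path == REQUIRED_PATH


def naive_glob_allows(host):
    """Generic glob match, shown for contrast: '*' here also matches dots."""
    return fnmatch.fnmatchcase(host, HOST_PATTERN)
```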