Skip to main content

About

Orka Cluster was designed with minimal internet access to increase security, however, users must set up some restricted internet access. This document lists the required URLs that must be enabled to use Orka Cluster. These are rulesets tested on a Cisco virtual Firepower appliance, running the Firepower Threat Defense operating system. These rulesets permit the minimum amount of traffic required for Orka functionality. NOTE
  • Orka Cluster customers must manage these URLs to support Orka Cluster functionality.
  • This only applies to customers who have security requirements that filter URLs - either from the MacStadium side or through tunneling traffic to another firewall.
  • Traffic: Client-Side vs LAN-Side Rulesets.

Overview

The ruleset are divided into two sections:
  • Client-Side Traffic
The client-side traffic is any traffic whose destination is the ORKA API controller, the ORKA physical hosts, the ORKA virtual machines, and the single sign-on (SSO).
  • URL LAN-Side Traffic
The LAN-side traffic is any traffic originating from the ORKA network that exist behind the firewall. Note
  • The document assumes that the Orka network is on 10.221.188.x.

Rulesets

Client-Side Ruleset

SourceDestinationProtocol and Port #ApplicationsURLsDescriptions
Permit ClientPublic DNS serverDNSDNS Resolution
Permit ClientPublic DNS serverDNS over HTTPSDNS Resolution
Permit ClientHTTP
HTTPShttp://idp.macstadium.com
sso.macstadium.comSingle sign-on requirement
Permit ClientAPI Controllers
10.221.188.19
10.221.188.20HTTP
TCP 6443.19 requires TCP/6443 - Ku. LB
.20 requires HTTP - ORKA API
Permit Client10.221.188.22HTTPSTraefik - a reverse proxy
Use case: if customer is using HTTPS to access ORKA
Permit Client10.221.188.31 through 10.221.189.254TCP 5900-5912
TCP 5999-6011
TCP 8822-8834Reserved ports for interacting with created VMs
Permit Client10.221.188.0/23ICMP
SSHAsk/Requirement for ORKA Support during troubleshooting sessions
Deny ClientANYA catch all deny rule if traffic doesn’t match the above

LAN-Side Ruleset

SourceDestinationProtocol and Port #ApplicationsURLsDescriptions
Permit Orka NetworkANYNTPClient and Administration requirement for DNS and NTP services
Permit Orka NetworkANYDNSClient and Administration requirement for DNS and NTP services
Permit Orka NetworkANYDNS over HTTPSClient and Administration requirement for DNS and NTP services
Permit Orka Network207.254.1.172
207.254.72.172
208.83.0.22
199.19.85.74TCP 2049NFS needed for Remote ISO shares. Set per market; where client download ISO files from MacStadium:
ATL - 207.254.1.172,
LSV - 207.254.72.172,
DUB - 208.83.0.22,
SJC - 199.19.85.74
Permit Orka NetworkHTTPmirror.math.princeton.eduFCOS Linux Internal Packages: for the environment during the provisioning process; where dependencies are pulled - administration purposes; not client usage
Permit Orka NetworkHTTPShooks.slack.comAction Runner (typically 10.221.188.10) to update Slack - administration purposes; not needed for client use
Permit Orka NetworkHTTPSus-west2-docker.pkg.devNeeded for Administrative purpose; in case POD needs to repull image; for client; if they are deploying Intel VMs then this rule is needed.
Permit Orka NetworkHTTPS
Web Applications
SSL Clientproduction.cloudflare.docker.comRequirement for Docker certificates
Permit Orka NetworkHTTPShub.docker.comAdministration rule requirement: Requirement for Docker Container Images
Permit Orka Networkk8s.gcr.ioAdministration rule reuirement; Requirement for K8S Container Images
Permit Orka NetworkTCP 10259
TCP 2379
TCP 2380
TCP 6443registry.k8s.ioAdministration traffic; client use not necessary: review rules
Permit Orka NetworkHTTPSpkgs.k8s.ioAdministration Stacks requirement
Permit Orka NetworkHTTPSk8s.iocatch-all for the URL
Permit Orka NetworkHTTP
HTTPSget.helm.shAdministration Requirement for K8 Stack
Permit Orka NetworkHTTPSprojectcalico.orgAdministration Requirement for K8 Stack
Permit Orka NetworkHTTPSupdates.cdn-apple.comClient and Administration requirement - especially based on VMs OS
Permit Orka NetworkHTTPSconfiguration.apple.comClient and Administration requirement - especially based on VMs OS
Permit Orka NetworkHTTPSadc.apple.comClient and Administration requirement - especially based on VMs OS
Permit Orka NetworkHTTPSswscan.apple.comClient and Administration requirement - especially based on VMs OS
Permit Orka NetworkHTTPSapple.comCatchall for any other apple site that appeared as blocked during the earlier POC session
Permit Orka NetworkHTTPSformulae.brew.shClient and Administration requirement - dependency for MacOs package manager
Permit Orka NetworkAmazon Web ServicesAdministration Requirement for ORKA Stack
Permit Orka NetworkHTTPSmimir.nap.macstadium.comAdministration Requirement for monitoring Stack
Permit Orka NetworkHTTPSgrafana.orka.devAdministration Requirement for monitoring Stack
Permit Orka NetworkHTTPSdns-challenge-validator.orka.devClient and Administration Requirement for Certificate Validation
Permit Orka NetworkHTTPSloki.orka.devAdministration Requirement for monitoring Stack
Permit Orka NetworkHTTPSorka.devCatch-all for the URL
Permit Orka NetworkHTTPSpypi.orgAdministration Requirement for Docker Authentication
Permit Orka NetworkHTTPSpypi.orgAdministration Requirement for Docker Authentication
Permit Orka NetworkHTTPSauth.docker.ioAdministration Requirement for Container images
Permit Orka NetworkHTTPScharts.jetstack.ioAdministration Requirement for Container images
Permit Orka NetworkHTTPSfedoraproject.orgAdministration Requirement for Container images
Permit Orka NetworkHTTPSedge.kernel.orgAdministration Requirement for Container images
Permit Orka NetworkHTTPSfiles.pythonhosted.orgAdministration Requirement for python dependencies
Permit Orka NetworkHTTPSgchr.ioAdministration Requirement for Container and Client images
Permit Orka NetworkGithubClient and Admin Requirement for OCI
Permit Orka NetworkHTTPSquay.ioAdministration Requirement for Container and Client images
Permit Orka NetworkHTTPSpackages.cloud.google.comAdministration Requirement for Container images
Deny Orka NetworkANYA catch all deny rule if traffic doesn’t match the above