IBM Cloud Docs
RHCOS enabled locations with reduced firewall in Toronto

Review the following network requirements for outbound connectivity for hosts in a minimum internet access location in the Toronto (ca-tor) region. Because this type of location requires a single network destination instead of multiple destinations, it reduces the number of outbound IP addresses that you must allow from your firewall. For more information, see Creating Red Hat CoreOS enabled Locations with reduced firewall footprint.

You can verify your host setup with the satellite-host-check script. For more information, see Checking your host setup.

The following outbound network requirements are specific to hosts in the Toronto (ca-tor) region.

Allow Link tunnel clients to connect to the Link tunnel server endpoint.
  • Destination IP addresses: 163.74.67.114, 163.75.70.74, 158.85.79.18
  • Destination hostnames: c-01-ws.ca-tor.link.satellite.cloud.ibm.com
  • Protocol and ports: HTTPS 443
Allow access to Red Hat network time protocol (NTP) servers.
  • Destination hostnames: 0.rhel.pool.ntp.org, 1.rhel.pool.ntp.org, 2.rhel.pool.ntp.org, 3.rhel.pool.ntp.org
  • Protocol and ports: NTP over UDP port 123

If you don't want to use Red Hat network time protocol (NTP) servers, you can instead define a custom NTP server for your RHCOS hosts.

Optional: Allow hosts to connect to HPCS for encrypting cluster secrets.
  • Domain: api.ca-tor.hs-crypto.cloud.ibm.com
  • Port: 8000-19999

If you have a preconfigured set of instances, you can find the port that is assigned to your instance on the overview page and allowlist only that port on the domain.

For access to services such as IBM Cloud Log Analysis or IBM Cloud Monitoring, you must also allow outbound access to those services. For more information, see RHCOS enabled locations in Toronto.
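The following added example, which is not part of the IBM documentation or the satellite-host-check script, audits an exported egress allowlist against the Link tunnel and NTP requirements listed above. The rule format (`CIDR proto port[-port]`), the sample rules, and all function names are assumptions made for illustration.

```python
import ipaddress

# Link tunnel server IPs for ca-tor, copied from the list above.
LINK_IPS = ["163.74.67.114", "163.75.70.74", "158.85.79.18"]

# Constructed sample allowlist in a hypothetical "CIDR proto port[-port]" format.
SAMPLE_RULES = """\
# egress allow rules exported from a firewall (constructed)
163.74.67.114/32 tcp 443
163.75.0.0/16 tcp 443
0.0.0.0/0 udp 123
"""

def parse_rules(text):
    """Parse rule lines into (network, proto, low_port, high_port) tuples."""
    rules = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        cidr, proto, ports = line.split()
        low, _, high = ports.partition("-")
        rules.append((ipaddress.ip_network(cidr), proto.lower(), int(low), int(high or low)))
    return rules

def allows(rule, ip, proto, port):
    """True if the rule permits traffic to ip on proto/port."""
    net, rule_proto, low, high = rule
    return rule_proto == proto and low <= port <= high and ipaddress.ip_address(ip) in net

def audit(text):
    """Compare an egress allowlist with the Link and NTP requirements on this page."""
    rules = parse_rules(text)
    missing, wide = [], []
    for ip in LINK_IPS:
        hits = [r for r in rules if allows(r, ip, "tcp", 443)]
        if not hits:
            missing.append(ip)  # tunnel client cannot reach this Link server address
        # A match wider than /32 permits more destinations than the page requires.
        wide += [str(r[0]) for r in hits if r[0].num_addresses > 1]
    # rhel.pool.ntp.org names resolve to changing addresses, so only the port is checked.
    ntp_ok = any(r[1] == "udp" and r[2] <= 123 <= r[3] for r in rules)
    return {"missing_link_ips": missing, "wider_than_needed": wide, "ntp_udp_123": ntp_ok}

if __name__ == "__main__":
    print(audit(SAMPLE_RULES))
```

Because the NTP pool hostnames cannot be pinned to fixed addresses, a location that must restrict UDP 123 by destination needs the custom NTP server option described above.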