Firewall Configuration#

The following table lists the network endpoints for Edge Orchestrator and edge nodes. You can use this to configure Edge Orchestrator firewall ingress rules appropriate for your network environment.

ArgoCD Admin UI at argo.{domain}. Intel recommends that you restrict the incoming traffic to a subset of known source IPs because this is an administrator interface.
BIOS Onboarding accesses tinkerbell-nginx.{domain}.
You can access all other services from edge nodes agents, UI, and APIs of Edge Orchestrator.

Network Ingress Endpoints for Edge Orchestrator and Edge Nodes#
Source	Destination	Protocol:Port	Description
Edge Orchestrator UI and API	{domain}	TCP:443	Web UI
Edge Orchestrator UI and API	web-ui.{domain}	TCP:443	Web UI
Edge Orchestrator API	api.{domain}	TCP:443	Tenancy API
Edge Orchestrator UI and API	app-service-proxy.{domain}	TCP:443	Application orchestration
Edge Orchestrator UI and API	gitea.{domain}	TCP:443	Application orchestration
Edge Orchestrator UI and API	vnc.{domain}	TCP:443	Application orchestration
Edge Orchestrator UI and API	keycloak.{domain}	TCP:443	Identity and Access Management
Edge Orchestrator UI and API	observability-admin.{domain}	TCP:443	Observability
Edge Orchestrator UI and API	observability-ui.{domain}	TCP:443	Observability
Edge Orchestrator UI and API	registry-oci.{domain}	TCP:443	Harbor* UI
Edge Orchestrator UI and API	vault.{domain}	TCP:443	Vault* UI
Edge node	cluster-orch-node.{domain}	TCP:443	Cluster orchestration
Edge node	infra-node.{domain}	TCP:443	Edge Infrastructure Manager
Edge node	attest-node.{domain}	TCP:443	Edge Infrastructure Manager
Edge node	onboarding-node.{domain}	TCP:443	Edge Infrastructure Manager
Edge node	onboarding-stream.{domain}	TCP:443	Edge Infrastructure Manager
Edge node	release.{domain}	TCP:443	Release service token
Edge node	metrics-node.{domain}	TCP:443	Observability
Edge node	telemetry-node.{domain}	TCP:443	Observability
Edge node	logs-node.{domain}	TCP:443	Observability
Edge node	tinkerbell-server.{domain}	TCP:443	Onboarding
Edge node	update-node.{domain}	TCP:443	Edge Infrastructure Manager
Edge node	connect-gateway.{domain}	TCP:443	Cluster orchestration
Edge node	fleet.{domain}	TCP:443	Cluster orchestration
Edge node	tinkerbell-nginx.{domain}	TCP:443	BIOS onboarding
Edge Orchestrator admin	argo.{domain}	TCP:443	ArgoCD UI

To install Edge Orchestrator and Edge Node, the following Egress rules are required:

Network Egress for Edge Orchestrator and Edge Nodes#
Source	Destination	Description
Edge Orchestrator	https://docker.io	Container images
Edge Orchestrator	https://ghcr.io	Container images
Edge Orchestrator	https://registry.k8s.io	Container images
Edge Orchestrator	https://quay.io	Container images
Edge Orchestrator	https://cr.fluentbit.io	Container images
Edge Orchestrator	https://k8s.gcr.io	Container images
Edge Orchestrator	https://registry-rs.edgeorchestration.intel.com	Container images
Edge Orchestrator	https://files-rs.edgeorchestration.intel.com	Installation files
Edge Orchestrator		Container images
Edge Orchestrator	https://aws.github.io/	Helm Chart
Edge Orchestrator	https://kubernetes-sigs.github.io/	Helm Chart
Edge Orchestrator	https://charts.jetstack.io	Helm Chart
Edge Orchestrator	https://kubernetes.github.io/	Helm Chart
Edge Orchestrator	https://charts.external-secrets.io	Helm Chart
Edge Orchestrator	https://rancher.github.io/	Helm Chart
Edge Orchestrator	https://helm.goharbor.io	Helm Chart
Edge Orchestrator	https://istio-release.storage.googleapis.com/	Helm Chart
Edge Orchestrator	https://kiali.org/	Helm Chart
Edge Orchestrator	https://kyverno.github.io/	Helm Chart
Edge Orchestrator	https://metallb.github.io/	Helm Chart
Edge Orchestrator	https://prometheus-community.github.io/	Helm Chart
Edge Orchestrator	https://charts.bitnami.com/	Helm Chart
Edge Orchestrator	https://stakater.github.io/	Helm Chart
Edge Orchestrator	https://helm.traefik.io/	Helm Chart
Edge Orchestrator	https://helm.releases.hashicorp.com	Helm Chart
Edge Node	https://*.github.io	Onboarding
Edge Node	https://*.github.com	Onboarding
Edge Node	https://*.githubusercontent.com	Onboarding
Edge Node	https://*.haxx.se	Onboarding
Edge Node	https://*.curl.se	Onboarding
Edge Node	https://*.intel.com	Onboarding
Edge Node	https://*.infra-host.com	Onboarding
Edge Node	https://*.docker.io	Onboarding
Edge Node	https://*.docker.com	Onboarding
Edge Node	https://*.quay.io	Onboarding
Edge Node	https://*.fluentbit.io	Onboarding
Edge Node	https://*.k8s.io	Onboarding
Edge Node	https://*.pkg.dev	Onboarding
Edge Node	https://*.amazonaws.com	Onboarding
Edge Node	https://*.letsencrypt.org	Onboarding
Edge Node	https://*.public.ecr.aws	Onboarding
Edge Node	https://*.cloudfront.net	Onboarding
Edge Node	https://*.api.snapcraft.io	Onboarding
Edge Node	https://*.snapcraftcontent.com	Onboarding
Edge Node	https://*.rke2.io	Onboarding
Edge Node	https://*.archive.ubuntu.com	Onboarding
Edge Node	https://ppa.launchpad.net	Onboarding
Edge Node	https://esm.ubuntu.com	Onboarding
Edge Node	https://ports.ubuntu.com	Onboarding
Edge Node	https://security.ubuntu.com	Onboarding
Edge Node	https://ddebs.ubuntu.com	Onboarding
Edge Node	https://mirrors.ubuntu.com	Onboarding
Edge Node	https://*.archive.canonical.com	Onboarding
Edge Node	https://*.extras.ubuntu.com	Onboarding
Edge Node	https://changelogs.ubuntu.com	Onboarding
Edge Node	https://cloud-images.ubuntu.com	Onboarding
Edge Node	https://*.debian.org	Onboarding
Edge Node	http://cdn.debian.net	Onboarding
Edge Node	http://http.debian.net	Onboarding