Firewall configuration
For the SSM agent, and optionally the Fleet Control Installer tool, to work properly on the target machines, the firewall must allow outbound HTTPS connections on port 443 to the endpoints listed in the following section.
If security restrictions on the machine prevent those connections from being made directly, the appropriate proxy settings should be applied so that the traffic can reach the endpoints through the proxy.
Endpoints to be allowed
Some endpoints contain <placeholders> described in the section below.
| Endpoint | Description |
|---|---|
| fleet-control-prod-host-installer-cli.s3.eu-west-1.amazonaws.com | Host Installer CLI |
| fleet-control-prod-uk-host-installer-cli.s3.eu-west-2.amazonaws.com | Host Installer CLI for UK FleetControl instance |
| fleet-control-prod-us-host-installer-cli.s3.us-east-2.amazonaws.com | Host Installer CLI for US FleetControl instance |
| api.fleetcontrol.nordcloudapp.com | Fleet Control API |
| api.fleetcontrol.uk.nordcloudapp.com | Fleet Control API for UK FleetControl instance |
| api.fleetcontrol.us.nordcloudapp.com | Fleet Control API for US FleetControl instance |
| ssm.<region>.amazonaws.com | SSM agent operation |
| ec2messages.<region>.amazonaws.com | SSM agent operation |
| ssmmessages.<region>.amazonaws.com | SSM agent operation |
| ec2.<region>.amazonaws.com | SSM agent operation |
| kms.<region>.amazonaws.com | Logs encryption |
| s3.amazonaws.com | SSM documents and logs storage |
| s3-<region>.amazonaws.com | Logs storage |
| s3.<region>.amazonaws.com | Logs storage |
| s3.dualstack.<region>.amazonaws.com | Logs storage |
| <logs-bucket>.s3.<region>.amazonaws.com | Logs storage |
| aws-ssm-<region>.s3.<region>.amazonaws.com | SSM documents |
| aws-windows-downloads-<region>.s3.<region>.amazonaws.com | SSM documents |
| amazon-ssm-<region>.s3.<region>.amazonaws.com | SSM documents |
| amazon-ssm-packages-<region>.s3.<region>.amazonaws.com | SSM documents |
| <region>-birdwatcher-prod.s3.<region>.amazonaws.com | SSM documents |
| patch-baseline-snapshot-<region>.s3.<region>.amazonaws.com | SSM documents |
| nordcloud-fleetcontrol-patch-baseline-prod.s3.eu-west-1.amazonaws.com | SSM documents |
| nordcloud-fleetcontrol-patch-baseline-prod-uk.s3.eu-west-2.amazonaws.com | SSM documents for UK FleetControl instance |
| nordcloud-fleetcontrol-patch-baseline-prod-us.s3.us-east-2.amazonaws.com | SSM documents for US FleetControl instance |
How to fill in the placeholders
<region>
In endpoints with the <region> placeholder, the placeholder must be replaced with the AWS region code of every region where the SSM agent will operate. This means that a single endpoint entry from the table above becomes multiple entries, one per region. The list of regions to consider must also include the regions where the EC2 instances themselves are located.
In which regions does the SSM agent operate?
The list of those regions can be found in the customerSettings field of our API.
Execute the following GraphQL query to get them:
```graphql
query getAllCustomerSettings {
  customers {
    id
    name
    customerSettings {
      regions
    }
  }
}
```
Find the customer you are interested in and look for the regions field in the returned JSON.
<logs-bucket>
In endpoints with the <logs-bucket> placeholder, the placeholder must be replaced with the name of the S3 bucket where the SSM agent will store logs.
How to get the logs bucket name?
For now, the only way to get the bucket name is by extracting it from the AWS template generated by our API for the onboarding process. Execute the following GraphQL query to get the template:
```graphql
query getAwsOnboardingTemplate {
  awsOnboardingTemplate
}
```
In the returned YAML template, look for the section that looks like this:
```yaml
# ...
# Access to S3 bucket used for logs storage
- Effect: Allow
  Action:
    - "s3:PutObject"
    # ...
  Resource:
    - "arn:aws:s3:::fleet-control-resources-logsbucket-1q9hi4x7j9s4h8"
# ...
```
In this example the bucket name you are looking for is fleet-control-resources-logsbucket-1q9hi4x7j9s4h8.
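The two placeholder sections above describe a manual procedure; the following added example (not part of the original page or of the Fleet Control tooling) automates it: it pulls the bucket name out of the onboarding template's S3 ARN, expands the <region> and <logs-bucket> placeholders from the table into concrete hostnames, and refuses to emit a host that still contains an unfilled placeholder. The regions list and the template snippet are constructed sample data standing in for the two GraphQL responses.

```python
import re

# Endpoint templates taken from the table above (a subset with placeholders
# plus one fixed host). Hosts without a placeholder pass through unchanged.
ENDPOINT_TEMPLATES = [
    "api.fleetcontrol.nordcloudapp.com",
    "ssm.<region>.amazonaws.com",
    "ssmmessages.<region>.amazonaws.com",
    "<logs-bucket>.s3.<region>.amazonaws.com",
    "aws-ssm-<region>.s3.<region>.amazonaws.com",
]

# Constructed sample: the `regions` field of one customer's customerSettings.
SAMPLE_REGIONS = ["eu-west-1", "eu-north-1"]

# Constructed sample: the relevant statement from the awsOnboardingTemplate YAML.
SAMPLE_TEMPLATE = """
      - Effect: Allow
        Action:
          - "s3:PutObject"
        Resource:
          - "arn:aws:s3:::fleet-control-resources-logsbucket-1q9hi4x7j9s4h8"
"""

# An S3 bucket ARN; the capture stops at the closing quote or a '/*' object suffix.
_BUCKET_ARN = re.compile(r"arn:aws:s3:::([a-z0-9.-]+)")


def logs_bucket_name(template_yaml):
    """Return the logs bucket name found in the onboarding template, or None."""
    m = _BUCKET_ARN.search(template_yaml)
    return m.group(1) if m else None


def expand_endpoints(templates, regions, logs_bucket):
    """Fill <logs-bucket> and <region> (one host per region) in each template."""
    hosts = set()
    for tpl in templates:
        if "<logs-bucket>" in tpl:
            if not logs_bucket:
                raise ValueError("logs bucket name is required for: " + tpl)
            tpl = tpl.replace("<logs-bucket>", logs_bucket)
        variants = [tpl.replace("<region>", r) for r in regions] if "<region>" in tpl else [tpl]
        for host in variants:
            # Never let an unfilled '<...>' end up in a firewall rule.
            if "<" in host or ">" in host:
                raise ValueError("unfilled placeholder in: " + host)
            hosts.add(host)
    return sorted(hosts)
```

Feed the full table and the real `regions` list to `expand_endpoints` to produce the complete allow-list for one customer.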