Using Resin.io behind a firewall requiring destination IP addresses/ranges

#1

Hi there,
I’ve been required to install a Resin device behind a firewall.
I’ve already read https://docs.resin.io/reference/OS/network/2.x/#network-requirements so I know that TCP ports 80 and 443 have to be open to reach both *.resin.io and *.pubnub.com, but the firewall administrator asked me how to map *.resin.io and *.pubnub.com to specific IP addresses/ranges!
I’ve also asked him to evaluate the use of an HTTP proxy, but…
Any solutions?
Regards,
Danilo


#4

Hey there,
So it is worth noting that recent OS versions record logs through a resin.io endpoint, so depending on how up to date your fleet is you might not need pubnub.
Also note that our domain names are served by Amazon Load Balancer, so the resolution of domain name to IP address can and will change over time. This is true of any domain name, as hosting providers may change, but more generally firewall configurations should not rely on a particular domain being always served on a particular IP.


#5

I’ll try to change my question slightly.
Let’s take Red Hat as an example. They give you the opportunity to whitelist specific IPs/CIDRs of their CDN in your firewall in order to access updates even when it blocks outgoing Internet connections, not only incoming ones (just like it happens in the big automotive company I’m working for). See https://access.redhat.com/articles/1525183.
When talking about Amazon, I just remember https://docs.aws.amazon.com/general/latest/gr/aws-ip-ranges.html.
Again, is there any chance to make a Resin device work even behind a firewall that only allows IP-based rules?

Do you have a link ready at hand on how to not use PubNub? Still googling…
Also, I will google/search for a way to remove the need for pubnub, but
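
The trade-off discussed in this thread, as an added example that is not part of the original posts or Resin's own code: it compares firewall rules pinned to one day's DNS answers against rules built from a provider's published prefix list in the layout of AWS's ip-ranges.json. The hostname snapshots, the prefixes (documentation address space) and the choice of service and region are all constructed assumptions.

```python
import ipaddress
import json

# Constructed excerpt in the layout of AWS's published ip-ranges.json
# (documentation address space, not real AWS prefixes).
IP_RANGES_JSON = """
{"syncToken": "0", "createDate": "1970-01-01-00-00-00",
 "prefixes": [
  {"ip_prefix": "198.51.100.0/25",   "region": "us-east-1", "service": "EC2"},
  {"ip_prefix": "198.51.100.128/25", "region": "us-east-1", "service": "EC2"},
  {"ip_prefix": "198.51.100.0/25",   "region": "us-east-1", "service": "AMAZON"},
  {"ip_prefix": "203.0.113.0/24",    "region": "eu-west-1", "service": "EC2"}
 ]}
"""

# Constructed DNS answers for one hypothetical hostname on three days.
DNS_SNAPSHOTS = {
    "day1": ["198.51.100.10", "198.51.100.77"],
    "day2": ["198.51.100.10", "198.51.100.200"],
    "day3": ["198.51.100.131", "203.0.113.5"],
}

def allowlist_from_ranges(doc, service, region):
    """Collapse the published prefixes for one service/region into CIDR rules."""
    nets = [ipaddress.ip_network(p["ip_prefix"])
            for p in json.loads(doc)["prefixes"]
            if p["service"] == service and p["region"] == region]
    return list(ipaddress.collapse_addresses(nets))

def blocked(snapshots, rules):
    """Return {snapshot: [addresses no rule covers]} for snapshots with gaps."""
    out = {}
    for name, answers in snapshots.items():
        missing = [a for a in answers
                   if not any(ipaddress.ip_address(a) in r for r in rules)]
        if missing:
            out[name] = missing
    return out

# Rules pinned to what the name resolved to on day 1 (one /32 per answer).
pinned = [ipaddress.ip_network(a) for a in DNS_SNAPSHOTS["day1"]]
# Rules derived from the published ranges (service and region are assumptions).
ranged = allowlist_from_ranges(IP_RANGES_JSON, "EC2", "us-east-1")

if __name__ == "__main__":
    print("range rules:", [str(n) for n in ranged])
    print("blocked with pinned rules:", blocked(DNS_SNAPSHOTS, pinned))
    print("blocked with range rules: ", blocked(DNS_SNAPSHOTS, ranged))
```

Pinned rules start dropping traffic as soon as the load balancer's addresses rotate, while range-based rules survive rotation inside the region but open egress to every tenant in that range and still fail if the service answers from another region.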