Firewall configuration for Cloud Connectors (connected via ethernet)

This guide provides advice on installing Cloud Connectors within a network (Ethernet) with a firewall configuration.

Written by Dan Allen
Updated over 3 months ago

What if I use a cellular connection or do not have a firewall?

In addition to firewall configuration, this guide contains general information about the cloud services used by Cloud Connectors (CCON). This information can be relevant for security questions, etc.

Firewall Configuration

For maximum security, you can place a firewall between the Cloud Connector and the external network (Internet) to control the traffic between them.

Cloud Connector (2nd Gen)

Information related to Cloud Connector (2nd Gen) only.

The DHCP server on the local network is used for DNS and NTP. If no NTP server is advertised on the local network, then time{1,2,3,4}.google.com (UDP 123) is used.

Fully qualified domain names

  • ccon-manager.prod.disruptive-technologies.com (TCP 443)

  • est.prod.disruptive-technologies.com (TCP 443)

  • mender.prod.disruptive-technologies.com (TCP 443)

  • mender-artifacts.prod.disruptive-technologies.com (TCP 443)

Other Cloud Connectors

Information related to Cloud Connector US 4G, Cloud Connector EU 4G, Cloud Connector EU 3G/2G, Cloud Connector EU (Ethernet only), and Cloud Connector US (Ethernet only).

The DHCP server on the local network is used for DNS and NTP. If no NTP server is advertised on the local network, then {1,2,3,4}.resinio.pool.ntp.org (UDP 123) is used.

Depending on your firewall options, you can allowlist based on wildcards or fully qualified domain names (FQDN).

Fully qualified domain names

  • sds-receiver-grpc.prod.disruptive-technologies.com (TCP 443)

  • ccon-manager.prod.disruptive-technologies.com (TCP 443)

  • est.prod.disruptive-technologies.com (TCP 443)

  • 0.resinio.pool.ntp.org (NTP)

  • 1.resinio.pool.ntp.org (NTP)

  • 2.resinio.pool.ntp.org (NTP)

  • 3.resinio.pool.ntp.org (NTP)

  • vpn.balena-cloud.com (TCP 443)

  • api.balena-cloud.com (TCP 443)

  • delta.balena-cloud.com (TCP 443)

  • delta-data.balena-cloud.com (TCP 443)

  • registry2.balena-cloud.com (TCP 443)

  • registry-data.balena-cloud.com (TCP 443)

  • registry.hub.docker.com (TCP 443)

  • production.cloudflare.docker.com (TCP 443)

  • registry.docker.io (TCP 443)

  • auth.docker.io (TCP 443)

Wildcard support

  • *.disruptive-technologies.com (TCP 443)

  • *.pool.ntp.org (NTP)

  • *.balena-cloud.com (TCP 443)

  • *.docker.com (TCP 443)

  • *.docker.io (TCP 443)
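The following added example (not Disruptive Technologies code) replays a set of egress flows against both allowlists above for "Other Cloud Connectors", to show what each would block and how much broader the wildcard variant is. The flows are constructed sample data, the hostnames marked hypothetical are not real endpoints, and the wildcard semantics (`*` matches one or more leading labels) are an assumption that should be checked against your firewall's documentation.

```python
from fnmatch import fnmatchcase

# Allowlist for "Other Cloud Connectors", copied from the lists above.
# "(NTP)" entries are written as UDP 123, the port the guide gives for NTP.
FQDN_RULES = (
    [(h + ".prod.disruptive-technologies.com", "tcp", 443)
     for h in ("sds-receiver-grpc", "ccon-manager", "est")]
    + [(f"{n}.resinio.pool.ntp.org", "udp", 123) for n in range(4)]
    + [(h + ".balena-cloud.com", "tcp", 443)
       for h in ("vpn", "api", "delta", "delta-data", "registry2", "registry-data")]
    + [(h, "tcp", 443) for h in ("registry.hub.docker.com",
       "production.cloudflare.docker.com", "registry.docker.io", "auth.docker.io")]
)
WILDCARD_RULES = [
    ("*.disruptive-technologies.com", "tcp", 443),
    ("*.pool.ntp.org", "udp", 123),
    ("*.balena-cloud.com", "tcp", 443),
    ("*.docker.com", "tcp", 443),
    ("*.docker.io", "tcp", 443),
]

def is_allowed(rules, host, proto, port):
    """True if (host, proto, port) matches a rule. Assumption: '*' matches one
    or more leading labels, as fnmatch does; real firewalls may differ."""
    host = host.lower().rstrip(".")
    return any(fnmatchcase(host, pat) and (proto, port) == (p, n)
               for pat, p, n in rules)

def audit(rules, flows):
    """Return the flows that the given rule set would block."""
    return [f for f in flows if not is_allowed(rules, *f)]

# Constructed egress flows, as might be exported from a firewall log.
FLOWS = [
    ("ccon-manager.prod.disruptive-technologies.com", "tcp", 443),  # listed
    ("2.resinio.pool.ntp.org", "udp", 123),                         # listed
    ("example-host.docker.com", "tcp", 443),  # hypothetical, wildcard only
    ("api.balena-cloud.com", "tcp", 80),      # listed host, unlisted port
    ("files.example.net", "tcp", 443),        # hypothetical, unlisted domain
]

if __name__ == "__main__":
    for name, rules in (("FQDN", FQDN_RULES), ("wildcard", WILDCARD_RULES)):
        print(name, "policy blocks:", audit(rules, FLOWS))
```

Under these assumptions the FQDN policy blocks the last three flows, while the wildcard policy also admits the unlisted `docker.com` subdomain, so prefer the FQDN list where the firewall supports it.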

Layered security

Disruptive Technologies keeps Cloud Connectors secure by fixing security vulnerabilities and keeping them up-to-date through over-the-air updates.

Even with this in place, we advise a layered security approach to further reduce the risk for both the Cloud Connector and the network it is installed in.

Zero trust network

The Cloud Connector does not communicate with devices or services in the local area network. We advise installing the Cloud Connector in a (virtual) network separate from the internal corporate network. The device should be treated as a guest device with zero trust. Any route from the Cloud Connector to the internal corporate network should go via the same firewall that external traffic traverses.

SSH connections

Although the Cloud Connector listens for incoming SSH connections on TCP port 22222, this port does not need to be accessible from an external network.

IPv4, IPv6 & DHCP

The Cloud Connector supports IPv4, IPv6 and DHCP.

MAC address

To get the device MAC addresses, contact Support and we can provide them for you.
