Installation Requirements
The following URLs and their associated ports are required for the installation of CloudSoda. For the best user experience, we recommend allowing access to all the URLs and ports listed in this document.
Important: These are URL-based endpoints that reside behind load balancers whose IPs may change. Firewall rules must be configured by URL/FQDN, not by IP address. Using static IPs will result in inconsistent or failed behavior. CloudSoda does not support the use of proxies when accessing these resources.
Container Image Pulling
- Description: CloudSoda application assets and dependencies are pulled from Google Artifact Registry.
- Ports: TCP 80, 443
-
URLs:
- us-west1-docker.pkg.dev
Control Plane
- Description: Enables CloudSoda to push software to the on-premises server and maintain control plane operations. Port 3080 is required for Teleport-based control plane communication. For more details please see Appendix A.
- Ports: TCP 80, 443, 3080
-
URLs:
- cloudsoda.teleport.sh
- charts.releases.teleport.dev
Install Scripts
- Description: Installation scripts that bootstrap the CloudSoda platform. Once installation is complete, these URLs are no longer required.
- Ports: TCP 443
-
URLs:
- soda-public.s3.us-west-2.amazonaws.com
- cloudsodainitscripts-usw2-p-1.s3.amazonaws.com
- cannery.cloudsoda.io
Upgrade Requirements
The following URLs are required for CloudSoda upgrades. There is some overlap with the installation requirements, but these are broken out here in case CloudSoda must be restricted from the internet post-installation.
CloudSoda typically releases new software every six weeks. To upgrade successfully, you must reopen these ports at upgrade time (or, preferably, leave them open permanently to avoid maintenance overhead).
Container Image Pulling
- Description: Retrieves updated CloudSoda application images from Google Artifact Registry.
- Ports: TCP 80, 443
-
URLs:
- us-west1-docker.pkg.dev
Control Plane
- Description: Required for CloudSoda to push new software to the on-premises server during upgrades. Port 3080 is required for Teleport-based control plane communication.
- Ports: TCP 80, 443, 3080
-
URLs:
- cloudsoda.teleport.sh
Optional Managed CloudSoda Services
The following services are optional and not required for installing or upgrading CloudSoda. However, enabling them provides the full functionality of the platform. Each service can be enabled individually — you may choose the ones that best fit your environment and leave others closed if not needed.
Important: Unlike installation and upgrade requirements (which can be temporary), the ports and URLs for optional services must remain open at all times if you want to use them.
DNS & Certificate Management (Highly Recommended)
- Description: CloudSoda can automatically manage DNS records and SSL/TLS certificate rotations. If you are using a cloudsoda.io domain, these URLs must remain open. If you prefer to manage DNS and certificates yourself, see the self-managed guide.
- Ports: UDP 53, TCP 443
-
URLs:
- route53.amazonaws.com
- acme-v02.api.letsencrypt.org/directory
Location & Price Book Service (Highly Recommended)
- Description: Validates cloud bucket regions and retrieves CloudSoda price books. Required if you want access to cloud price book data.
- Port: TCP 50051
-
URLs:
- compass.cloudsoda.io
- books.cloudsoda.io
SMTP Notifications (Recommended)
- Description: Enables CloudSoda to send email alerts and notifications via its managed SMTP service. If you run your own SMTP service or do not require email notifications, this is not needed.
- Port: TCP 465
-
URLs:
- email-smtp.us-west-2.amazonaws.com
Datadog Monitoring (Recommended)
- Description: Allows Datadog Agents to send logs and custom metrics to the Datadog US1 site and synchronize time. This integration improves observability and assists CloudSoda support with troubleshooting.
- Ports: TCP 443, UDP 123
-
URLs:
- agent-http-intake.logs.datadoghq.com
- api.datadoghq.com
- app.datadoghq.com
Exception Monitoring (Recommended)
- Description: Enables applications to report exceptions, errors, and stack traces to Rollbar’s API for real-time monitoring and alerting. This helps CloudSoda support identify and resolve software issues in your environment.
- Port: TCP 443
-
URLs:
- api.rollbar.com
Appendix A: Security Details
A.1 Teleport Control Plane Security
Overview
CloudSoda uses Teleport to establish a secure, zero-trust control plane for software deployment and cluster management. Teleport is deployed as a pod within your Kubernetes environment and operates on the principle of cryptographic identity with no standing privileges. This secure control plane ensures the CloudSoda ops team can rapidly deploy critical security fixes, software patches, and new features while maintaining zero-trust security principles.
Deployment Architecture
- In-Cluster Deployment: Teleport runs as a pod within your Kubernetes cluster
-
Network Communication: Uses port 3080 for secure control plane communication with
cloudsoda.teleport.sh - Zero Standing Access: No persistent credentials or access tokens are stored in your environment
A.2 Authentication and Authorization
Initial Authentication
- Bootstrap Process: During helm chart installation, the application receives a randomly generated key with a 2-day expiration
- Automatic Renewal: After successful initial negotiation, the system continuously re-authenticates and refreshes/rotates keys ephemerally
- No Static Credentials: All authentication tokens are short-lived and automatically rotated
Machine Identity for CI/CD
- Machine ID Integration: CI/CD pipelines use Teleport's Machine ID for automated deployments
- Ephemeral Credentials: Short-lived, automatically rotated identities are issued to CI workloads
- No Persistent Access: CI runners retain no persistent access once jobs complete
- GitLab Integration: All installs and upgrades are handled through GitLab CI pipelines with machine identity tokens
Human Access Controls
- Multi-Factor Authentication: Access to both GitLab and Teleport requires Okta-gated MFA authentication
- Principle of Least Privilege: Once authenticated, access is scoped to minimum required permissions
- Session Expiration: Access sessions last only hours before requiring re-authentication and key refresh
- Approval Workflow: CloudSoda ops team members must request permission to access customer clusters, which requires approval from another ops team member
A.3 Access Controls and Scope
Who Has Access
- Limited Access: Only CloudSoda operations team members have access to the CI pipeline and Teleport
- Automated Operations: All deployments and upgrades are handled through automated CI/CD processes
Access Scope and Limitations
- Application-Specific: Access is limited to CloudSoda application components only
- No Infrastructure Access: The system does not provide general infrastructure or cluster administrative access
- Troubleshooting Only: Human access to customer clusters is restricted to troubleshooting application-specific issues
- Time-Limited Sessions: All access sessions have automatic expiration
Zero-Trust Principles
- No Network Trust: Access is based on cryptographic identity verification, not network location
- Continuous Verification: Identity and permissions are continuously validated throughout sessions
- Encrypted Communication: All control plane communications use encrypted channels
A.4 Security Considerations and Risk Mitigation
Compliance and Auditing
- SOC 2 Compliance: Teleport maintains SOC 2 compliance for security controls
- Complete Audit Trail: All requests and access to customer clusters are logged and audited by Teleport
- Session Recording: Access sessions can be recorded for security and compliance purposes
Rogue Actor Mitigation
- Approval Requirements: Any human access to customer environments requires approval from another team member
- Time-Limited Access: All access automatically expires, limiting exposure window
- Audit Logging: All actions are logged and can be reviewed for unauthorized activity
- No Persistent Credentials: Ephemeral credentials prevent long-term compromise
- Principle of Least Privilege: Access is scoped to only what's necessary for the specific task
Credential Security
- No Static Secrets: System eliminates risks associated with static credentials
- Automatic Rotation: All authentication keys are automatically rotated
- Certificate-Based Auth: Uses certificate-based authentication instead of passwords
- Encrypted Storage: All credentials and certificates are encrypted in transit and at rest
Network Security
- Minimal Attack Surface: Only requires outbound connections on specified ports
- No Inbound Access: No inbound connections required to customer infrastructure
- Firewall Friendly: Works through standard firewall configurations without special rules
A.5 Operational Security
Monitoring and Alerting
- Real-time Monitoring: Access attempts and sessions are monitored in real-time
- Anomaly Detection: Unusual access patterns trigger alerts
- Integration Ready: Can integrate with customer SIEM and monitoring systems
Incident Response
- Immediate Revocation: Access can be immediately revoked if suspicious activity is detected
- Forensic Capabilities: Complete audit logs support incident investigation
- Rapid Response: CloudSoda security team can respond quickly to security incidents
Updates and Maintenance
- Automatic Security Updates: Teleport components receive automatic security updates
- Vulnerability Management: Regular security assessments and vulnerability patching
- Security Hardening: Default configurations follow security best practices
Comments
0 comments
Please sign in to leave a comment.