
Problem: My network contains security policies that prevent agents from reaching the SeaLights platform

This is normally caused by firewall rules or other network security configurations that block access to the SeaLights API.

In order to verify this is the case, try running a cURL command to your dashboard URL:

curl -vI https://<YourCustomDNSName>.sealights.co

If you need a generic endpoint, you can use the following command:

curl -vI https://csdemo.sealights.co

If you are using a proxy, add the relevant parameter:

curl -vI https://<YourCustomDNSName>.sealights.co --proxy http://myproxy.mycompany.int

An HTTP/2 200 status code should be returned. If you receive this code, you can access the SeaLights API and there is no need for this document.

If the command fails, it is important to understand why. The detailed output (produced by the -vI flags) can point you in the right direction.

The cURL commands above are written for native Linux. On Windows, run the check from a PowerShell prompt, where curl is an alias for the native Invoke-WebRequest cmdlet. For example:

Invoke-WebRequest -Uri https://<YourCustomDNSName>.sealights.co | Select-Object -ExpandProperty BaseResponse

Solution

If a firewall is present, it needs to allow network traffic to reach the SeaLights platform. Depending on your organization's policy, you can use one of the following solutions.

Allow outbound traffic to SeaLights' domain

The firewall should allow outbound connections on port 443 (TLS v1.2) to our domain https://*.sealights.co.
For a more restrictive rule, you can open the connections to your custom domain only (https://<YourCustomDNSName>.sealights.co).

Allow outbound traffic to SeaLights' Range of IP Addresses

As SeaLights' networking is managed in AWS, the full list of subnets that can point to our platform can be found in the ip-ranges.json file supplied by AWS.

Follow the steps below to determine which IP addresses need to be added to your exceptions list:

  1. Download the provided ip-ranges.json file from AWS.

  2. From the file, extract the entries related to CloudFront (using jq):

    cat ip-ranges.json | jq '.prefixes[] | select(.service=="CLOUDFRONT")'

  3. Add the subnets output from the previous stage to your firewall exception list for outbound connections on port 443 (TLS v1.2).
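
The three steps above as one script. This is an added example, not SeaLights or AWS code. It goes beyond the jq filter by also reading the file's ipv6_prefixes list, merging adjacent subnets, and comparing the result with rules already deployed. The sample data, function names and the "deployed" list are constructed for illustration.

```python
import ipaddress
import json

# Constructed sample in the layout of AWS's ip-ranges.json. The subnets are
# documentation ranges (RFC 5737 / RFC 3849), not real CloudFront addresses.
SAMPLE = json.loads("""
{
  "syncToken": "0000000000",
  "createDate": "2000-01-01-00-00-00",
  "prefixes": [
    {"ip_prefix": "198.51.100.0/25",   "region": "GLOBAL",    "service": "CLOUDFRONT"},
    {"ip_prefix": "198.51.100.128/25", "region": "GLOBAL",    "service": "CLOUDFRONT"},
    {"ip_prefix": "198.51.100.0/25",   "region": "GLOBAL",    "service": "AMAZON"},
    {"ip_prefix": "203.0.113.0/24",    "region": "us-east-1", "service": "EC2"}
  ],
  "ipv6_prefixes": [
    {"ipv6_prefix": "2001:db8:1000::/36", "region": "GLOBAL",    "service": "CLOUDFRONT"},
    {"ipv6_prefix": "2001:db8:f000::/36", "region": "us-east-1", "service": "S3"}
  ]
}
""")


def service_subnets(doc, service="CLOUDFRONT"):
    """Return merged IPv4 and IPv6 CIDR strings published for one service."""
    v4 = [ipaddress.ip_network(p["ip_prefix"])
          for p in doc.get("prefixes", []) if p["service"] == service]
    v6 = [ipaddress.ip_network(p["ipv6_prefix"])
          for p in doc.get("ipv6_prefixes", []) if p["service"] == service]
    # collapse_addresses() rejects mixed IP versions, so merge each family alone.
    merged = list(ipaddress.collapse_addresses(v4)) + list(ipaddress.collapse_addresses(v6))
    return [str(net) for net in merged]


def rule_changes(published, deployed):
    """Compare the published list with rules already on the firewall."""
    to_add = sorted(set(published) - set(deployed))
    to_remove = sorted(set(deployed) - set(published))
    return to_add, to_remove


if __name__ == "__main__":
    subnets = service_subnets(SAMPLE)
    print("\n".join(subnets))
    # Hypothetical rule set left over from an earlier run.
    print(rule_changes(subnets, ["198.51.100.0/24", "192.0.2.0/24"]))
```

To run it against the real file, replace SAMPLE with json.load() on the ip-ranges.json downloaded in step 1.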
