The management and monitoring tools we use require network access between your servers and ours. This page details the network access requirements.
Both the server names and the IP addresses for our servers are provided in the following tables. If you manage a firewall in your network, please use the server names in the firewall rules where possible, so that we can migrate services from one IP address to another without requiring any changes to your firewall.
Connectivity Options
Ideally, we would have direct connectivity between your servers and ours as detailed below. However, we recognise that this may not always be possible; for example, you may have multiple servers behind one public IP address, making it difficult for us to directly connect to each of your servers.
Under those circumstances, we require:
- direct ssh access as detailed below to one of your servers (the “gateway server”), and
- ssh access from the gateway server to your remaining servers, and
- outbound connections from each of your servers to ours as detailed below (“Outbound connections to our servers”), including OpenVPN access
Inbound Connections To Your Server
We need access to the following ports:
- ICMP
- TCP port 22 (SSH remote management)
- TCP ports 5665 and 5666 (remote monitoring)
We can connect to your server over either IPv4 or IPv6 (only one is required, but we recommend both). For IPv6, we need access to the above ports from:
- 2001:678:32c:57a0::/60 (Primary privileged range)
- 2a00:1098:86:93::1/128 (thames.tiger-computing.co.uk)
- 2a03:ee40:718::/64 (Secondary privileged subnet)
- 2a05:d01c:23c:e00::/56 (AWS privileged subnet)
For IPv4, we need access to the above ports from:
- 3.9.136.217/32 (icinga1.aws.tiger-computing.co.uk)
- 3.9.137.146/32 (icinga2.aws.tiger-computing.co.uk)
- 83.97.16.80/29 (Primary privileged range)
- 93.93.131.119 (thames.tiger-computing.co.uk)
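One way to express the inbound requirements above as source-restricted nftables rules, using the addresses from the two lists. This is an added example, not configuration supplied by the page; the table name `filter` and the set and chain names are assumptions, and it expects your existing input chain to jump to `tiger_inbound` before its final drop or reject.

```nftables
# Added example (constructed). Table, set and chain names are assumptions.
table inet filter {
    # IPv4 sources listed under "Inbound Connections To Your Server"
    set tiger_v4 {
        type ipv4_addr
        flags interval
        elements = { 3.9.136.217, 3.9.137.146,
                     83.97.16.80/29, 93.93.131.119 }
    }

    # IPv6 sources listed under "Inbound Connections To Your Server"
    set tiger_v6 {
        type ipv6_addr
        flags interval
        elements = { 2001:678:32c:57a0::/60, 2a00:1098:86:93::1,
                     2a03:ee40:718::/64, 2a05:d01c:23c:e00::/56 }
    }

    # Regular chain (no hook): reach it with "jump tiger_inbound" from
    # your input chain. Every rule is scoped by source address, so the
    # management ports are opened to the listed ranges only, not to all.
    chain tiger_inbound {
        # ICMP
        ip  saddr @tiger_v4 meta l4proto icmp      accept
        ip6 saddr @tiger_v6 meta l4proto ipv6-icmp accept

        # SSH remote management (22), remote monitoring (5665, 5666)
        ip  saddr @tiger_v4 tcp dport { 22, 5665, 5666 } accept
        ip6 saddr @tiger_v6 tcp dport { 22, 5665, 5666 } accept
    }
}
```

Traffic that matches none of these rules returns to the calling chain, so the rules do not change how connections from other sources are handled.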
Outbound Connections To Our Servers
OpenVPN Access
Protocol | Destination Port | Destination | IPv4 Address | IPv6 Address |
---|---|---|---|---|
UDP | 1194 | tame.tiger-computing.co.uk | 83.97.16.82 | 2a03:ee40:718::1 |
UDP | 1194 | thames.tiger-computing.co.uk | 93.93.131.119 | 2a00:1098:86:93::1 |
This is only required if direct inbound access is not possible. An IPsec tunnel may be configured instead, if needed.
Monitoring Servers
Protocol | Destination Port | Destination | IPv4 Address | IPv6 Address |
---|---|---|---|---|
TCP | 5665 | icinga1.aws.tiger-computing.co.uk | 3.9.136.217 | 2a05:d01c:23c:e00::/56 |
TCP | 5665 | icinga2.aws.tiger-computing.co.uk | 3.9.137.146 | 2a05:d01c:23c:e00::/56 |
Configuration Management Server
Protocol | Destination Port | Destination | IPv4 Address | IPv6 Address |
---|---|---|---|---|
TCP | 443 | puppet.tiger-computing.co.uk | 83.97.16.90/32 | 2001:678:32c:f500::/128 |
Access via HTTP proxy is possible if required.
Software Distribution Servers
Protocol | Destination Port | Destination | IPv4 Address | IPv6 Address |
---|---|---|---|---|
TCP | 80 | Any | 0.0.0.0/0 | ::/0 |
TCP | 443 | Any | 0.0.0.0/0 | ::/0 |
Access via HTTP proxy is possible.
Network Time Servers
Protocol | Destination Port | Destination | IPv4 Address | IPv6 Address |
---|---|---|---|---|
UDP | 123 | Any | 0.0.0.0/0 | ::/0 |
Internal NTP servers provided by your organisation may be used instead.
Outbound Email Access
At a minimum, your servers need to be able to send email to the following addresses:
- security@tiger-computing.co.uk
Usually, the servers will send their own email directly, but it is possible to use any specified SMTP relay, or dedicated aliases that relay to those two addresses if that is preferred.