What URIs does Turbot need access to via a proxy?

Turbot can run behind a proxy, as long as it can still reach cloud service provider APIs through that outbound internet proxy. To set the proxy configuration in Turbot, rerun the Turbot-Console CloudFormation stack in the Turbot Master AWS account. The following settings must be specified:

ProxyHttp = http://proxy_hostname_or_ip_addr:port
ProxyHttps = http://proxy_hostname_or_ip_addr:port
ProxyNo = 169.254.169.254

Please note that the HTTPS proxy setting typically points at an http://address:port URL to avoid certificate issues. 169.254.169.254 is set to no proxy because it is a static route to reach AWS's internal metadata service.

The web proxy/filter that Turbot connects to must whitelist the following URIs for access to each cloud service:

Amazon Web Services
Note: Must be enabled for the local Turbot master account regardless of the cloud service provider you are using Turbot to manage.
https://*.amazonaws.com
https://signin.aws.amazon.com

Microsoft Azure
https://login.microsoftonline.com
https://login.windows.net
https://management.azure.com
https://graph.windows.net

Google Cloud Platform
https://accounts.google.com
https://*.googleapis.com

Alternatively, you can micro-segment if needed:
https://accounts.google.com
https://www.googleapis.com
https://cloudresourcemanager.googleapis.com
https://logging.googleapis.com
https://servicemanagement.googleapis.com
https://iam.googleapis.com

Turbot periodically runs a health check to determine whether it can reach the internet by sending an HTTPS GET request to google.com. Whitelisting google.com is not required, but doing so will help reduce health check errors in the logs and improve troubleshooting.
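
When translating the list above into proxy filter rules, the wildcard entries need to match on a label boundary so that look-alike hostnames are not admitted. The sketch below is an added example, not Turbot's or any proxy vendor's code; the function names `host_matches` and `classify` are hypothetical, and it can be used to sanity-check how a rule set should treat a given outbound URL.

```python
from urllib.parse import urlsplit

# Allowlist entries copied from the article (GCP in its wildcard form).
ALLOWLIST = [
    "https://*.amazonaws.com",
    "https://signin.aws.amazon.com",
    "https://login.microsoftonline.com",
    "https://login.windows.net",
    "https://management.azure.com",
    "https://graph.windows.net",
    "https://accounts.google.com",
    "https://*.googleapis.com",
]
NO_PROXY = {"169.254.169.254"}  # ProxyNo value from the article


def host_matches(pattern_host, host):
    """Match a host against an exact name or a leading '*.' wildcard."""
    if pattern_host.startswith("*."):
        # Keep the leading dot so the match falls on a label boundary:
        # 'evilamazonaws.com' and the bare 'amazonaws.com' both fail.
        suffix = pattern_host[1:]
        return host.endswith(suffix) and len(host) > len(suffix)
    return host == pattern_host


def classify(url):
    """Return 'direct', 'allow' or 'deny' for an outbound request URL."""
    parts = urlsplit(url)
    # .hostname is lowercased and excludes userinfo and port;
    # strip a trailing root dot so 'host.' and 'host' compare equal.
    host = (parts.hostname or "").rstrip(".")
    if host in NO_PROXY:
        return "direct"  # metadata service is reached without the proxy
    for entry in ALLOWLIST:
        rule = urlsplit(entry)
        if parts.scheme == rule.scheme and host_matches(rule.hostname, host):
            return "allow"
    return "deny"
```

With this rule set, the google.com health check is classified as `deny`, which matches the article's note that it is optional and will otherwise show up as health check errors.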
