Firewall Configuration

When you deploy StreamSets engines to on-premise or cloud computing machines that reside behind a firewall or in a system that limits access to specific IP addresses, allow the required inbound and outbound traffic to each machine.

Inbound Connections

Control Hub does not directly send requests to machines running StreamSets engines. However, you must configure your firewall to allow the following inbound connections to the machines, depending on the engine type and configuration:


Engine Type	Port	Protocol	Usage
Transformer	Transformer port - 19630 by default	TCP	The Apache Spark cluster must be able to access Transformer at this port number to send the status, metrics, and offsets for running pipelines.
Data Collector and Transformer	HTTPS port defined in the engine advanced configuration properties of the deployment	TCP	When using direct engine REST APIs for browser to engine communication, web browsers must be able to reach engines on the configured HTTPS port number. In most cases, you can use the default WebSocket tunneling communication method and do not need to allow an inbound connection to the HTTPS port number. For more information, see Engine Communication.

In addition, if you want to use SSH to connect to machines running StreamSets engines, configure your firewall to allow the following inbound connection to the machines. Control Hub does not require SSH access to the machines. However, you might want to enable access for troubleshooting purposes.


Engine Type	Port	Protocol	Usage
Data Collector and Transformer	22	TCP	Optionally connect to the machine using SSH.

Outbound Connections

StreamSets engines make outbound connections to the following systems. Ensure that your firewall allows outbound connectivity to these systems.

Important: The StreamSets systems are available in several geographic regions operated by different infrastructure providers. Some of the IP addresses listed below are not within the control of StreamSets and might change. As a best practice, allow the provided DNS names so that your firewall is always up to date.


System	DNS and IP Address	Port	Protocol	Usage
StreamSets authentication service	cloud.login.streamsets.com Allow all of the following: 3.133.68.10 3.134.148.19 3.137.15.194	443	TCP, TLS 1.2 or later	User authentication with StreamSets.
StreamSets identity provider	Allow all of the following: Current - identitytoolkit.googleapis.com Future - idp.login.streamsets.com	443	TCP, TLS 1.2 or later	Identity management for username/password and social logins. SAML logins use the StreamSets authentication service.
StreamSets Control Hub	Allow all of the following: na01.hub.streamsets.com - 34.145.124.26 na02.hub.streamsets.com - 35.237.72.69 eu01.hub.streamsets.com - 35.246.207.204 eu02.hub.streamsets.com - 35.195.241.100 ap01.hub.streamsets.com - 34.87.199.210	443	TCP, TLS 1.2 or later	Engine communication with Control Hub.
StreamSets server that hosts engine installation and stage library files	archives.streamsets.com	443	TCP, TLS 1.2	Engine and stage library file downloads.
StreamSets telemetry server	Allow all of the following: telemetry.streamsets.com prod-customer-support-bundles.s3.amazonaws.com	443	HTTPS	Telemetry data collection.
External origin and destination systems	Depends on the system	Depends on the system	Depends on the system	External system connections so that pipeline stages can process your data.