
Firewall settings

Our experience from installing numerous gateways is that there are a couple of things that are good to know and prepare for before going to the customer site to start installing. First of all, most gateways must be connected to the internet. If the gateway uses the customer's internet connection, the customer needs to open port 8883 (MQTT) and port 443 (HTTPS) in the firewall for outgoing connections; some customers require even more security and will want to restrict outgoing traffic at the domain level or even by IP address.

Setting up the firewall

When setting up firewall rules for outgoing traffic we strongly recommend filtering on domain names instead of IP addresses: the servers' IP addresses are dynamically allocated and change over time. Some Azure services, such as Azure IoT Hub and Azure Container Registry, require you to allow several IP addresses; see the links below.

Here is an explanation of the domains and ports that need to be added to the firewall rules:

| Domain | Outgoing port | Description |
|---|---|---|
| *.connectitude.com [1] | 443 | Used to download configuration and update gateway software. |
| ctudeiiot-iothub.azure-devices.net [2] | 443 and 8883 | Used to send telemetry to IoT Hub and to upload blobs. |
| ctudeiiotstorage.blob.core.windows.net | 443 | Used to upload blobs. |
| ctudeiiot.azurecr.io [3] | 443 | Used to update gateway software. |
| * | 123 (UDP) | Used for time synchronization. |
| security.debian.org | 80 and 443 | Used for Debian OS security updates (Gen 2 & 3). |
| deb.debian.org | 80 and 443 | Used for Debian OS security updates (Gen 2 & 3). |
| security.ubuntu.com | 80 and 443 | Used for Ubuntu OS security updates (Evaluation). |
| archive.ubuntu.com | 80 and 443 | Used for Ubuntu OS security updates (Evaluation). |
| download.docker.com | 443 | Used for Docker updates. |

  1. Currently: portal.connectitude.com, remote.connectitude.com, packages.connectitude.com 

  2. Configure rules to access an Azure IoT Hub behind a firewall 

  3. Configure rules to access an Azure container registry behind a firewall
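The table above can be turned into an egress allowlist that you check observed gateway connections against before going on site, so that anything the customer's firewall would have to block shows up in advance. The script below is an added example written for this page, not Connectitude's own tooling: the rules are copied from the table, the sample connection list is constructed for the demonstration, and the hosts in it that are not in the table (pool.ntp.org, the look-alike suffix) are placeholders. Note how `*.connectitude.com` is matched only on a label boundary, so neither the bare apex domain nor a longer look-alike suffix is allowed, and how the wildcard `*` entry applies to any host but only on 123/UDP.

```python
"""Egress allowlist check built from the firewall table in the documentation.

Added example, not Connectitude's own code. The rules mirror the table; the
sample connections below are constructed for the demonstration.
"""
import socket
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    domain: str    # exact host, "*.suffix" for hosts below suffix, or "*" for any host
    ports: tuple   # allowed destination ports
    proto: str     # "tcp" or "udp"
    purpose: str   # description from the table


# Outgoing rules from the table above.
EGRESS_ALLOWLIST = (
    Rule("*.connectitude.com", (443,), "tcp", "configuration download, gateway software updates"),
    Rule("ctudeiiot-iothub.azure-devices.net", (443, 8883), "tcp", "telemetry to IoT Hub, blob upload"),
    Rule("ctudeiiotstorage.blob.core.windows.net", (443,), "tcp", "blob upload"),
    Rule("ctudeiiot.azurecr.io", (443,), "tcp", "gateway software updates"),
    Rule("*", (123,), "udp", "time synchronization"),
    Rule("security.debian.org", (80, 443), "tcp", "Debian OS security updates (Gen 2 & 3)"),
    Rule("deb.debian.org", (80, 443), "tcp", "Debian OS security updates (Gen 2 & 3)"),
    Rule("security.ubuntu.com", (80, 443), "tcp", "Ubuntu OS security updates (Evaluation)"),
    Rule("archive.ubuntu.com", (80, 443), "tcp", "Ubuntu OS security updates (Evaluation)"),
    Rule("download.docker.com", (443,), "tcp", "Docker updates"),
)


def _normalise(host: str) -> str:
    # DNS names are case-insensitive and may carry a trailing dot.
    return host.strip().rstrip(".").lower()


def domain_matches(pattern: str, host: str) -> bool:
    """Match a host against a rule domain.

    "*" matches any host. "*.example.com" matches hosts below example.com on a
    label boundary, so neither "example.com" itself nor "example.com.other"
    match. Anything else is an exact, case-insensitive comparison.
    """
    host, pattern = _normalise(host), _normalise(pattern)
    if pattern == "*":
        return True
    if pattern.startswith("*."):
        return host.endswith(pattern[1:])  # pattern[1:] is ".example.com"
    return host == pattern


def is_allowed(host: str, port: int, proto: str = "tcp"):
    """Return (allowed, matching_rule_or_None) for one outbound connection."""
    proto = proto.lower()
    for rule in EGRESS_ALLOWLIST:
        if rule.proto == proto and port in rule.ports and domain_matches(rule.domain, host):
            return True, rule
    return False, None


def audit(connections):
    """Return the (host, port, proto) tuples the allowlist would block.

    Feed it connections taken from a gateway's connection log to find out
    what the customer's firewall must allow beyond the documented rules.
    """
    return [c for c in connections if not is_allowed(*c)[0]]


def probe_tcp(host: str, port: int, timeout: float = 5.0) -> bool:
    """On-site check: can the gateway actually open a TCP connection?
    Needs network access, so it is not part of the offline demonstration."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


# Constructed sample of what a gateway might try to reach during commissioning.
SAMPLE_CONNECTIONS = [
    ("portal.connectitude.com", 443, "tcp"),
    ("connectitude.com", 443, "tcp"),                  # bare apex: not covered by *.connectitude.com
    ("portal.connectitude.com.example", 443, "tcp"),   # placeholder look-alike suffix
    ("ctudeiiot-iothub.azure-devices.net", 8883, "tcp"),
    ("ctudeiiot-iothub.azure-devices.net", 22, "tcp"), # port the table does not list
    ("pool.ntp.org", 123, "udp"),                      # sample NTP host: any host on 123/UDP
    ("pool.ntp.org", 123, "tcp"),                      # table lists UDP only
    ("deb.debian.org", 80, "tcp"),
]

if __name__ == "__main__":
    for conn in SAMPLE_CONNECTIONS:
        allowed, rule = is_allowed(*conn)
        verdict = "ALLOW" if allowed else "DENY "
        print(f"{verdict} {conn[0]}:{conn[1]}/{conn[2]}" + (f"  ({rule.purpose})" if rule else ""))
```

Running the script prints a verdict per sample connection; `audit()` gives the same information as a list you can hand to the customer's network team. Replace `SAMPLE_CONNECTIONS` with entries from the gateway's own connection log, and use `probe_tcp()` on site to confirm that the documented TCP endpoints are reachable once the rules are in place.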