Firewall settings
Our experience after installing numerous gateways, is that there are a couple of things that are good to know and prepare for, before going to the customer site and start installing. First of all, most gateways must be connected to the internet. One problem is that if we are using the customer’s internet they need to open up port 8883 (MQTT) and port 443 (HTTPS) in the firewall (outgoing connections), some customers will require even more security and will need to block outgoing traffic on domain level or even IP address.
Setting up the firewall
When setting up firewall rules for outgoing traffic we strongly recommend to block using domain names instead of IP-addresses. The servers' IP addresses are dynamically allocated and change over time. Therefore, it is not practical to configure your firewall exceptions using IP addresses. The list of IP addresses is long, and they may change from time-to-time. The best way to configure your firewall exceptions is using the wildcard domains.
This explanation is from Azure support: “The IoT Hub IP address can be discovered by using a reverse DNS lookup on the cname (*.azure-devices.net). However, the IP mapped is subject to change without notice. This also doesn’t help discover the geo-paired Hub IP address, that would be needed in case of a failover/disaster recovery“.
Here is an explanation of the domains and ports that need to be added to the firewall rules:
| Domain | Outgoing port | Description |
|---|---|---|
| *.connectitude.com | 443 | Used to download configuration and update gateway software. |
| ctudeiiot-iothub.azure-devices.net | 443 and 8883 | Used to send telemetry to IoT-Hub and to upload blobs. |
| ctudeiiotstorage.blob.core.windows.net | 443 | Used to upload blobs. |
| ctudeiiot.azurecr.io | 443 | Used to update gateway software. |
| * | 123 (UDP) | Used for time synchronization. |
| security.debian.org | 80 and 443 | Used for Debian OS security updates (Gen 2 & 3). |
| deb.debian.org | 80 and 443 | Used for Debian OS security updates (Gen 2 & 3). |
| security.ubuntu.com | 80 and 443 | Used for Ubuntu OS security updates (Evaluation). |
| archive.ubuntu.com | 80 and 443 | Used for Ubuntu OS security updates (Evaluation). |
| download.docker.com | 443 | Used for Docker updates. |
If there is a requirement to block on IP address, the current IP addresses can be downloaded from Azure IP ranges or you can manually look them up with the following commands:
nslookup portal.connectitude.com nslookup ctudeiiot-iothub.azure-devices.net nslookup ctudeiiotstorage.blob.core.windows.net