This topic describes how to configure security group rules for Elastic Compute Service (ECS) instances on which Cloud Assistant Agent is installed to facilitate the management of network permissions on Cloud Assistant Agent.
Background information
To ensure that you can use Cloud Assistant on an ECS instance, the instance must have access to the endpoints or IP addresses that are required to perform specific operations, such as running Cloud Assistant commands. You must configure security group rules to allow outbound access to the endpoints or IP addresses that are described in the following table.
Endpoint or IP address | Description |
https://{region-id}.axt.aliyun.com:443/ | This endpoint is used to access the Cloud Assistant server. |
http://100.100.100.200:80/ | This URL is used to access MetaServer. |
https://aliyun-client-assist-{region-id}.oss-{region-id}-internal.aliyuncs.com:443/ | This endpoint is used to access the server where the Cloud Assistant Agent installation package resides to install or update Cloud Assistant Agent. |
{region-id} specifies the region ID of the instance. For example, if the instance resides in the China (Hangzhou) region, set this parameter to cn-hangzhou.
You can use one of the following methods to configure security group rules for an instance on which Cloud Assistant Agent is installed:
General configurations: In most cases, you can use this method to configure security group rules to allow access to the CIDR blocks and ports of the Cloud Assistant server and the server where the Cloud Assistant Agent installation package resides.
Fine-grained configurations: If you want to manage network permissions in a fine-grained manner, you can use this method to allow access to the specified ports and IP addresses based on the region of the instance on which Cloud Assistant Agent is installed.
General configurations
To simplify the configuration and management of network permissions, you can configure security group rules to allow access to the CIDR blocks and ports of the Cloud Assistant server and the server where the Cloud Assistant Agent installation package resides.
The CIDR block of the Cloud Assistant server is 100.100.0.0/16. The CIDR block of the server where the Cloud Assistant Agent installation package resides is 100.0.0.0/8.
By default, basic security groups allow all outbound access. A basic security group allows all outbound traffic from ECS instances in the security group. By default, advanced security groups deny all outbound access. An advanced security group denies all outbound traffic from ECS instances in the security group. For advanced security groups, configure security group rules to allow outbound access to the URLs, CIDR blocks, or ports that are described in the following table. For more information, see Add a security group rule.
URL, CIDR block, or port | Description |
DNS/UDP port 53 | This port is used to resolve domain names. |
https://<100.100.0.0/16>:443/ | This URL is used to access the Cloud Assistant server. |
https://<100.0.0.0/8>:443/ | This URL is used to access the server where the Cloud Assistant Agent installation package resides to install or update Cloud Assistant Agent. |
Fine-grained configurations
If you want to manage network permissions in a fine-grained manner, allow access to the IP addresses of the Cloud Assistant server and the server where the Cloud Assistant Agent installation package resides in specific regions.
For example, if your instance resides in the China (Hangzhou) region, configure rules in an advanced security group of the instance to allow outbound access to the URLs, IP addresses, or ports that are described in the following table. For more information, see Add a security group rule.
URL, IP address, or port | Description |
DNS/UDP port 53 | This port is used to resolve domain names. |
https://100.100.45.106:443/ | This URL is used to access the Cloud Assistant server in the China (Hangzhou) region. |
https://100.118.28.50:443/ | This URL is used to access the server where the Cloud Assistant Agent installation package resides in the China (Hangzhou) region to install or update Cloud Assistant Agent. |
The following table lists the endpoints and IP addresses that Cloud Assistant must be able to access in each region.
The first row in the Endpoint column of each region indicates the endpoint and IP address of the Cloud Assistant server. The second row indicates the endpoint and IP address of the server where the Cloud Assistant Agent installation package resides.
Region | Region ID | Endpoint | IP address |
China (Qingdao) | cn-qingdao | cn-qingdao.axt.aliyun.com | 100.100.15.4 |
aliyun-client-assist-cn-qingdao.oss-cn-qingdao-internal.aliyuncs.com | 100.115.173.9 | ||
China (Beijing) | cn-beijing | cn-beijing.axt.aliyun.com | 100.100.18.120 |
aliyun-client-assist-cn-beijing.oss-cn-beijing-internal.aliyuncs.com | 100.118.58.9 | ||
China (Zhangjiakou) | cn-zhangjiakou | cn-zhangjiakou.axt.aliyun.com | 100.100.99.23 |
aliyun-client-assist-cn-zhangjiakou.oss-cn-zhangjiakou-internal.aliyuncs.com | 100.118.90.245 | ||
China (Hohhot) | cn-huhehaote | cn-huhehaote.axt.aliyun.com | 100.100.126.8 |
aliyun-client-assist-cn-huhehaote.oss-cn-huhehaote-internal.aliyuncs.com | 100.118.195.21 | ||
China (Ulanqab) | cn-wulanchabu | cn-wulanchabu.axt.aliyun.com | 100.100.0.3 |
aliyun-client-assist-cn-wulanchabu.oss-cn-wulanchabu-internal.aliyuncs.com | 100.118.214.0 | ||
China (Hangzhou) | cn-hangzhou | cn-hangzhou.axt.aliyun.com | 100.100.45.106 |
aliyun-client-assist-cn-hangzhou.oss-cn-hangzhou-internal.aliyuncs.com | 100.118.28.50 | ||
China (Shanghai) | cn-shanghai | cn-shanghai.axt.aliyun.com | 100.100.36.108 |
aliyun-client-assist-cn-shanghai.oss-cn-shanghai-internal.aliyuncs.com | 100.118.102.35 | ||
China (Nanjing - Local Region) | cn-nanjing | cn-nanjing.axt.aliyun.com | 100.100.0.1 |
aliyun-client-assist-cn-nanjing.oss-cn-nanjing-internal.aliyuncs.com | 100.114.142.7 | ||
China (Fuzhou - Local Region) | cn-fuzhou | cn-fuzhou.axt.aliyun.com | 100.100.0.26 |
aliyun-client-assist-cn-fuzhou.oss-cn-fuzhou-internal.aliyuncs.com | 100.114.211.4 | ||
China (Wuhan - Local Region) | cn-wuhan-lr | cn-wuhan-lr.axt.aliyun.com | 100.100.0.8 |
aliyun-client-assist-cn-wuhan-lr.oss-cn-hangzhou-internal.aliyuncs.com | 100.118.28.50 | ||
China (Shenzhen) | cn-shenzhen | cn-shenzhen.axt.aliyun.com | 100.100.0.70 |
aliyun-client-assist-cn-shenzhen.oss-cn-shenzhen-internal.aliyuncs.com | 100.118.78.4 | ||
China (Heyuan) | cn-heyuan | cn-heyuan.axt.aliyun.com | 100.100.0.5 |
aliyun-client-assist-cn-heyuan.oss-cn-heyuan-internal.aliyuncs.com | 100.98.83.0 | ||
China (Guangzhou) | cn-guangzhou | cn-guangzhou.axt.aliyun.com | 100.100.0.4 |
aliyun-client-assist-cn-guangzhou.oss-cn-guangzhou-internal.aliyuncs.com | 100.115.33.49 | ||
China (Chengdu) | cn-chengdu | cn-chengdu.axt.aliyun.com | 100.100.0.42 |
aliyun-client-assist-cn-chengdu.oss-cn-chengdu-internal.aliyuncs.com | 100.115.155.18 | ||
China (Hong Kong) | cn-hongkong | cn-hongkong.axt.aliyun.com | 100.100.35.30 |
aliyun-client-assist-cn-hongkong.oss-cn-hongkong-internal.aliyuncs.com | 100.115.61.10 | ||
Singapore | ap-southeast-1 | ap-southeast-1.axt.aliyun.com | 100.100.30.60 |
aliyun-client-assist-ap-southeast-1.oss-ap-southeast-1-internal.aliyuncs.com | 100.118.219.18 | ||
Australia (Sydney) | ap-southeast-2 | ap-southeast-2.axt.aliyun.com | 100.100.44.12 |
aliyun-client-assist-ap-southeast-2.oss-ap-southeast-2-internal.aliyuncs.com | 100.100.44.1 | ||
Malaysia (Kuala Lumpur) | ap-southeast-3 | ap-southeast-3.axt.aliyun.com | 100.100.127.16 |
aliyun-client-assist-ap-southeast-3.oss-ap-southeast-3-internal.aliyuncs.com | 100.118.165.0 | ||
Indonesia (Jakarta) | ap-southeast-5 | ap-southeast-5.axt.aliyun.com | 100.100.80.165 |
aliyun-client-assist-ap-southeast-5.oss-ap-southeast-5-internal.aliyuncs.com | 100.100.16.5 | ||
Philippines (Manila) | ap-southeast-6 | ap-southeast-6.axt.aliyun.com | 100.100.0.15 |
aliyun-client-assist-ap-southeast-6.oss-ap-southeast-6-internal.aliyuncs.com | 100.115.16.209 | ||
Thailand (Bangkok) | ap-southeast-7 | ap-southeast-7.axt.aliyun.com | 100.100.0.30 |
aliyun-client-assist-ap-southeast-7.oss-ap-southeast-7-internal.aliyuncs.com | 100.98.249.15 | ||
India (Mumbai) | ap-south-1 | ap-south-1.axt.aliyun.com | 100.100.80.108 |
aliyun-client-assist-ap-south-1.oss-ap-south-1-internal.aliyuncs.com | 100.118.211.136 | ||
Japan (Tokyo) | ap-northeast-1 | ap-northeast-1.axt.aliyun.com | 100.100.0.76 |
aliyun-client-assist-ap-northeast-1.oss-ap-northeast-1-internal.aliyuncs.com | 100.100.40.129 | ||
South Korea (Seoul) | ap-northeast-2 | ap-northeast-2.axt.aliyun.com | 100.100.0.23 |
aliyun-client-assist-ap-northeast-2.oss-ap-northeast-2-internal.aliyuncs.com | 10.109.28.16 | ||
US (Silicon Valley) | us-west-1 | us-west-1.axt.aliyun.com | 100.100.29.34 |
aliyun-client-assist-us-west-1.oss-us-west-1-internal.aliyuncs.com | 100.100.29.86 | ||
US (Virginia) | us-east-1 | us-east-1.axt.aliyun.com | 100.100.152.140 |
aliyun-client-assist-us-east-1.oss-us-east-1-internal.aliyuncs.com | 100.115.60.17 | ||
Germany (Frankfurt) | eu-central-1 | eu-central-1.axt.aliyun.com | 100.100.46.12 |
aliyun-client-assist-eu-central-1.oss-eu-central-1-internal.aliyuncs.com | 100.115.154.14 | ||
UK (London) | eu-west-1 | eu-west-1.axt.aliyun.com | 100.100.0.20 |
aliyun-client-assist-eu-west-1.oss-eu-west-1-internal.aliyuncs.com | 100.100.41.198 | ||
UAE (Dubai) | me-east-1 | me-east-1.axt.aliyun.com | 100.100.43.7 |
aliyun-client-assist-me-east-1.oss-me-east-1-internal.aliyuncs.com | 100.100.43.1 | ||
SAU (Riyadh - Partner Region) Important The SAU (Riyadh) region is operated by a partner. | me-central-1 | me-central-1.axt.aliyun.com | 100.100.0.15 |
aliyun-client-assist-me-central-1.oss-me-central-1.aliyuncs.com | 8.213.1.62 | ||
China East 2 Finance | cn-shanghai-finance-1 | cn-shanghai-finance-1.axt.aliyun.com | 100.100.0.46 |
aliyun-client-assist-cn-shanghai-finance-1.oss-cn-shanghai-finance-1-internal.aliyuncs.com | 100.100.36.8 | ||
China North 2 Finance (Preview) | cn-beijing-finance-1 | cn-beijing-finance-1.axt.aliyun.com | 100.100.0.165 |
aliyun-client-assist-cn-beijing-finance-1.oss-cn-beijing-finance-1-internal.aliyuncs.com | 100.112.52.151 | ||
China South 1 Finance | cn-shenzhen-finance-1 | cn-shenzhen-finance-1.axt.aliyun.com | 100.103.0.140 |
aliyun-client-assist-cn-shenzhen-finance-1.oss-cn-shenzhen-finance-1-internal.aliyuncs.com | 100.112.15.71 | ||
China North 2 Ali Gov 1 | cn-north-2-gov-1 | cn-north-2-gov-1.axt.aliyun.com | 100.100.0.67 |
aliyun-client-assist-cn-north-2-gov-1.oss-cn-north-2-gov-1-internal.aliyuncs.com | 100.100.49.4 |