Network & Firewall Requirements

SDA Gateway Connectivity and Security Requirements

Overview

The SDA Gateway requires outbound-only internet connectivity to communicate with SDA Cloud services. Every SDA service endpoint presents a certificate that chains to the Amazon Root CA 1 certificate authority, so the Gateway host's trusted certificate store must contain that root for TLS validation to succeed. If validation fails, fix the trust store or the egress path; do not work around it by disabling certificate checks.


Security Considerations

  • No Inbound Connections: The Gateway initiates every session outbound. No inbound firewall rules or port-forwarding are required.

  • Port 443 Only: All SDA traffic runs as TLS on TCP 443 (HTTPS, MQTT over WebSocket Secure, and OpenVPN over TCP), which keeps firewall configuration simple and typically aligns with corporate egress policies. Note that "port 443 only" is not the same as "HTTP only": an egress proxy that expects plain HTTPS on 443 must still pass the WSS and OpenVPN sessions listed below.

  • DNS Requirements: DNS resolution must be available for all SDA domains to support:

    • load balancing,

    • service discovery,

    • and failover between SDA Cloud endpoints.

    The addresses behind these names change, so write egress rules against the FQDNs rather than fixed IP addresses.


Tenant-Specific Domain

SDA services are scoped per tenant. Anywhere you see {tenant_id}, replace it with the Tenant ID provided by SDA Support.

Example Tenant ID: 11111111-2222-3333-4444-555555555555

Tenant domain: 11111111-2222-3333-4444-555555555555.eu1.sdaconsole.io

This domain — and the wildcard under it — must be reachable from the Gateway.


Required Domains and Ports

Every entry uses TCP port 443 outbound. Replace {tenant_id} with your Tenant ID.

iot.eu1.sdaconsole.io
  Port:        443
  Protocol:    MQTT over WebSocket Secure (WSS), TLS on TCP
  Description: AWS IoT Broker. Maintains the persistent, secure connection used for message exchange, telemetry, and command/control.

{tenant_id}.eu1.sdaconsole.io and *.{tenant_id}.eu1.sdaconsole.io
  Port:        443
  Protocol:    HTTPS; OpenVPN over TCP (TLS)
  Description: Tenant Connectivity Servers. Used to establish dynamic VPN tunnels on demand. DNS returns a load-balanced list of addresses, so allow these by name, not by IP.

api.eu1.sdaconsole.io
  Port:        443
  Protocol:    HTTPS
  Description: SDA APIs. Gateway authentication, control-plane operations, and Web Console access. Used primarily during onboarding and initial setup.

repository.eu1.sdaconsole.io
  Port:        443
  Protocol:    HTTPS
  Description: Application Repository. Downloads SDA components, Glue updates, agent packages, and security patches. Used during install and periodic update checks.

repository.sdaconsole.io (optional)
  Port:        443
  Protocol:    HTTPS
  Description: Global Repository Mirror. Alternative update source (planned enhancement, not yet required).


Traffic Inspection with SDA Services

Some organizations run TLS interception ("SSL inspection") on egress traffic, for example Zscaler SSL Inspection or Palo Alto Decryption. These products terminate the TLS session at the proxy and re-sign the server certificate with their own CA. Because the Gateway expects every SDA endpoint to present a certificate chained to Amazon Root CA 1, a re-signed certificate fails validation and the connection is dropped. Interception can also break the non-HTTP sessions (MQTT over WSS and OpenVPN over TCP) that share port 443.

To avoid connection failures:

  1. Bypass / No-Inspect SDA Domains: Add the SDA domains above (API, IoT, tenant domain and its wildcard, repository) to the proxy's do-not-inspect list.

  2. Allow MQTT over WebSocket Secure (WSS): SDA IoT messaging uses MQTT over WSS on port 443. Ensure the proxy or firewall permits the WebSocket upgrade and does not idle-time-out the long-lived session.

  3. VPN Tunnels with SSL Overlay: If Gateway traffic is routed through a corporate VPN that inspects traffic, ensure the tunnel carries the Gateway's TLS sessions unmodified (an "SSL overlay"), so that TLS still terminates end to end at SDA Cloud rather than at the VPN concentrator.

If inspection cannot be bypassed, coordinate with the SDA Team on approved certificates and inspection behaviour before deployment.


Firewall Whitelisting & Network Validation Checklist

Use this as a handoff to customer IT / security. Mark each item [x] once it has been validated.

Network Connectivity
  [ ] Outbound internet      Gateway can initiate outbound-only sessions to the internet.
  [ ] Port 443               TCP 443 is open outbound to SDA domains.
  [ ] DNS                    DNS resolves all SDA domains listed above.

Certificate & Encryption
  [ ] Amazon Root CA 1       Root CA is present in the trusted store so TLS validation succeeds.
  [ ] TLS / SSL inspection   Egress inspection does not replace SDA certs, or SDA domains are bypassed.

Traffic Inspection / VPN
  [ ] SSL inspection bypass  SDA domains are excluded from SSL/TLS interception (Zscaler, Palo Alto, etc.).
  [ ] MQTT over WSS          WSS on port 443 is allowed (used by the IoT broker).
  [ ] VPN overlay            If a VPN is used, it allows end-to-end TLS to SDA Cloud.

Tenant Configuration
  [ ] {tenant_id} domain     {tenant_id}.eu1.sdaconsole.io and *.{tenant_id}.eu1.sdaconsole.io are reachable.

Repository Access
  [ ] Updates                repository.eu1.sdaconsole.io is reachable for updates and patches.


Validation Steps (CLI-Friendly)

Run these from the Gateway host (or a host on the same network segment with the same egress path), substituting your Tenant ID.

  1. DNS: each name must resolve; the IoT and tenant names may return several addresses.

    nslookup api.eu1.sdaconsole.io
    nslookup iot.eu1.sdaconsole.io
    nslookup repository.eu1.sdaconsole.io
    nslookup <your-tenant-id>.eu1.sdaconsole.io

  2. HTTPS / Port 443: curl validates the certificate against the system trust store, so this also fails if Amazon Root CA 1 is missing or a proxy has re-signed the certificate. Look for "SSL certificate verify ok" in the verbose output; any HTTP status code returned afterwards shows the TCP and TLS layers work.

    curl -v -o /dev/null https://api.eu1.sdaconsole.io/
    curl -v -o /dev/null https://repository.eu1.sdaconsole.io/

  3. TLS Chain: inspect the chain the server actually presents, with SNI set as the Gateway would set it.

    openssl s_client -connect api.eu1.sdaconsole.io:443 -servername api.eu1.sdaconsole.io -showcerts </dev/null

    In the "Certificate chain" section, the issuer (i:) of the last certificate listed should read "CN = Amazon Root CA 1"; servers normally do not send the root itself. "Verify return code: 0 (ok)" confirms the local trust store accepted the chain. An issuer naming a proxy vendor's CA instead means the session is being intercepted.

  4. Gateway Logs: Check the Gateway's system/service logs for successful MQTT (WSS) and HTTPS sessions. Repeated reconnects to the IoT broker can indicate a proxy or firewall timing out the persistent connection.

  5. Update Test: Trigger a repository sync or agent update to verify download access.
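The DNS, HTTPS and chain checks above, together with the domain list from the "Required Domains and Ports" table, can be combined into one script that runs against every required host and flags an interception proxy by the issuer of the presented chain. The script below is an added example written for this page; it is not part of the SDA Gateway software or of any SDA tool. It assumes a POSIX shell with curl, openssl and getent (or nslookup) installed, reads the Tenant ID from an environment variable named SDA_TENANT_ID (a name chosen for this example), and uses the region "eu1" and the host names from the table above.

```shell
#!/bin/sh
# sda_netcheck.sh: validate egress from an SDA Gateway host to SDA Cloud.
# Added example written for this page; not part of the SDA Gateway software.
# Assumes a POSIX shell with curl, openssl and getent (or nslookup) on PATH.
# Region "eu1" and the host names come from the "Required Domains and Ports"
# table; SDA_TENANT_ID / SDA_REGION are variable names chosen for this script.

SDA_REGION="${SDA_REGION:-eu1}"
SDA_ROOT_CA="Amazon Root CA 1"

# Print the hosts that must be reachable for a tenant, one per line. The
# wildcard *.{tenant_id}.<region>.sdaconsole.io cannot be probed as a name,
# so it is reported separately as an allowlist entry.
sda_domains() {
    tenant="$1"
    printf '%s\n' \
        "api.${SDA_REGION}.sdaconsole.io" \
        "iot.${SDA_REGION}.sdaconsole.io" \
        "repository.${SDA_REGION}.sdaconsole.io" \
        "${tenant}.${SDA_REGION}.sdaconsole.io"
}

# Accept only a UUID-shaped Tenant ID (the format shown above), so a typo
# never reaches DNS, the allowlist or a support ticket.
valid_tenant_id() {
    printf '%s' "$1" | grep -Eq '^[0-9a-fA-F]{8}(-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}$'
}

# Read "openssl s_client" output on stdin and print the issuer (i:) of the
# last certificate in the "Certificate chain" listing. Servers normally omit
# the root itself, so this last issuer is the name that must match the root.
chain_top_issuer() {
    sed -n 's/^ *i:[[:space:]]*//p' | tail -n 1
}

# Exit 0 when the chain on stdin terminates at Amazon Root CA 1, 1 when it
# terminates elsewhere, e.g. at an inspection proxy's own CA.
chain_is_trusted_root() {
    issuer="$(chain_top_issuer)"
    case "$issuer" in
        *"$SDA_ROOT_CA"*) return 0 ;;
        *)                return 1 ;;
    esac
}

# DNS: every name must resolve; several addresses per name are normal because
# the endpoints are load balanced.
check_dns() {
    getent hosts "$1" >/dev/null 2>&1 || nslookup "$1" >/dev/null 2>&1
}

# HTTPS on TCP 443 with certificate validation against the system trust
# store. curl exits non-zero on a handshake or trust failure, while any HTTP
# status (even 403/404) counts as success for this transport-level check.
check_https() {
    curl -s --connect-timeout 5 --max-time 15 -o /dev/null "https://$1/"
}

# TLS chain as presented on the wire, with SNI set. A re-signing proxy shows
# up here as a non-Amazon issuer even if its CA is in the local trust store.
check_tls_chain() {
    chain="$(openssl s_client -connect "$1:443" -servername "$1" -showcerts \
             </dev/null 2>/dev/null)"
    if printf '%s\n' "$chain" | chain_is_trusted_root; then
        return 0
    fi
    echo "  $1: chain ends at '$(printf '%s\n' "$chain" | chain_top_issuer)'" >&2
    return 1
}

# Run all checks for one tenant; exit 0 only if every check passed.
run_checks() {
    tenant="$1"
    valid_tenant_id "$tenant" || { echo "invalid Tenant ID: $tenant" >&2; return 2; }
    rc=0
    for host in $(sda_domains "$tenant"); do
        for check in check_dns check_https check_tls_chain; do
            if "$check" "$host"; then
                printf '%-16s %-55s OK\n' "$check" "$host"
            else
                printf '%-16s %-55s FAIL\n' "$check" "$host"
                rc=1
            fi
        done
    done
    echo "allowlist entry (wildcard, not probed): *.${tenant}.${SDA_REGION}.sdaconsole.io"
    return $rc
}

# Only run when a Tenant ID is supplied, so the functions can also be sourced.
if [ -n "${SDA_TENANT_ID:-}" ]; then
    run_checks "$SDA_TENANT_ID"
else
    echo "usage: SDA_TENANT_ID=<tenant-uuid> sh sda_netcheck.sh" >&2
fi
```

Run it as `SDA_TENANT_ID=11111111-2222-3333-4444-555555555555 sh sda_netcheck.sh`. The three checks separate the failure modes discussed on this page: a check_dns FAIL is a resolver or allowlist problem; a check_https FAIL while check_tls_chain passes points at a local trust store that lacks Amazon Root CA 1; a check_tls_chain FAIL that reports a non-Amazon issuer is the interception case, even when the proxy's CA has been added to the host's trust store and check_https therefore passes.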


Network Topology Diagram

The Architecture / SDA Connectivity Services page outlines the supported network configurations for the SDA Gateway.


Support

If any of the checks above fail, or if SSL inspection cannot be bypassed in your environment, contact:

SDA Support 📧 [email protected]

Include:

  • your Tenant ID,

  • the Gateway version,

  • a copy/paste of your connectivity test outputs (curl / openssl / nslookup),

  • and relevant firewall logs (blocked 443, failed TLS).
