docs: Restructure Enterprise networking. #556
We need to update the IP addresses listed in the documentation. I'm also wondering if it makes sense to include them there at all. Additionally, we should add a list of the services that sit behind those IPs for better clarity. At the moment, the documentation focuses only on the Enterprise offering, but there are scenarios where Cloud customers also need access to this information, so we may want to expand the scope accordingly. On a related note, we've recently updated meta.seqera.io to display both ingress and egress IPs, which should make it easier to surface and maintain this information. I updated this PR to show the correct IPs, which should look like below.
bebosudo left a comment
Seqera Cloud requires no inbound connectivity to their environment.
I'm not sure that's correct; take the case of customers who are using the Wave service with mirror and/or freeze functionalities: they'd need to allowlist our egress IPs in order for Wave to store images in their container registry of choice, or for Fusion to call home, etc.
Files reviewed:
platform-enterprise_versioned_docs/version-25.1/enterprise/configuration/networking.md
platform-cloud/docs/enterprise/advanced-topics/firewall-configuration.md
Force-pushed from 53eb7a2 to e54de3c.
bebosudo left a comment
This isn't a complete review, but I'll continue the discussion on Slack.
| title: "Networking" | ||
| description: Seqera configuration options for networking | ||
| date: "21 Apr 2023" | ||
| date: "27 Jan 2026" |
| date: "27 Jan 2026" | |
| date: "2026-01-27" |
|
|
||
| ## Introduction | ||
|
|
||
| Seqera hosts Platform services on AWS infrastructure. For the most up-to-date list of IP addresses used by Seqera-hosted services, see the `ingress` and `egress` sections at [https://meta.seqera.io/v3](https://meta.seqera.io/v3). |
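Review bot: the sentence points readers to the `ingress` and `egress` sections at https://meta.seqera.io/v3 as the source of truth but gives no guidance on keeping allowlists in sync with it; since these addresses change (the PR description itself says the addresses currently listed in the docs are out of date), add a line telling readers to re-pull both sections on a schedule and compare them against their firewall rules rather than copying the values once.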
| Seqera hosts Platform services on AWS infrastructure. For the most up-to-date list of IP addresses used by Seqera-hosted services, see the `ingress` and `egress` sections at [https://meta.seqera.io/v3](https://meta.seqera.io/v3). | |
| Seqera-hosted services use dedicated IP addresses. To view the complete and up-to-date list of these IPs, consult the `ingress` and `egress` sections at https://meta.seqera.io/v3. |
|
|
||
| Seqera hosts Platform services on AWS infrastructure. For the most up-to-date list of IP addresses used by Seqera-hosted services, see the `ingress` and `egress` sections at [https://meta.seqera.io/v3](https://meta.seqera.io/v3). | ||
|
|
||
| Seqera services such as Wave and plugin distribution use Cloudflare as a CDN for content delivery and caching. If you use these services and your firewall requires IP-based allowlists, you must allow Cloudflare IP addresses in addition to Seqera-specific IPs. For the complete list of Cloudflare IP addresses, see [https://www.cloudflare.com/ips-v4/](https://www.cloudflare.com/ips-v4/). |
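Review bot: allowing every range at https://www.cloudflare.com/ips-v4/ admits egress to any Cloudflare-fronted host, not only Seqera's, so the sentence should present this as the coarse option and point to hostname-based filtering through the HTTP proxy (the "HTTP proxy environment variables" section below) as the tighter control for firewalls that can do it; for deployments with IPv6 egress, https://www.cloudflare.com/ips-v6/ should be referenced alongside the IPv4 list.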
| Seqera services such as Wave and plugin distribution use Cloudflare as a CDN for content delivery and caching. If you use these services and your firewall requires IP-based allowlists, you must allow Cloudflare IP addresses in addition to Seqera-specific IPs. For the complete list of Cloudflare IP addresses, see [https://www.cloudflare.com/ips-v4/](https://www.cloudflare.com/ips-v4/). | |
| Seqera services, such as Wave, container registries, Nextflow plugin distribution, and others, use Cloudflare as a CDN for content delivery and caching. If you use these services and your firewall requires IP-based allowlists, you must allow all Cloudflare IP addresses in addition to IP addresses for Seqera services. For the complete list of Cloudflare IP addresses, see https://www.cloudflare.com/ips-v4/. |
|
|
||
| ## HTTP proxy environment variables | ||
|
|
||
| :::caution |
The example below with the proxy variables export-ed doesn't make much sense, since customers will need to set those variables in the Docker Compose file or on the k8s pods, but using export may confuse users into thinking they need to set those values in a shell.
| :::note | ||
| The following list is non-exhaustive and covers core networking connectivity requirements for operating Seqera Platform. Compute environment networking requirements will vary depending on pipeline configuration and specific dependencies for your use case. | ||
| ::: | ||
|
|
| :::note | |
| The following list is non-exhaustive and covers core networking connectivity requirements for operating Seqera Platform. Compute environment networking requirements will vary depending on pipeline configuration and specific dependencies for your use case. | |
| ::: |
Let's move this from a note to be the introductory sentence of the "networking requirements" section.
|
|
||
| #### Source code hosting providers | ||
|
|
||
| The Platform must access source code hosting providers to pull pipeline definitions and validate credentials (e.g., GitHub, GitLab, Bitbucket, Gitea). Consult your source code hosting provider's documentation for specific networking requirements and IP allowlists. |
| The Platform must access source code hosting providers to pull pipeline definitions and validate credentials (e.g., GitHub, GitLab, Bitbucket, Gitea). Consult your source code hosting provider's documentation for specific networking requirements and IP allowlists. | |
| Platform must be allowed to access source code hosting providers to pull your pipeline definitions (e.g., GitHub, GitLab, Bitbucket, Gitea). Consult your source code hosting provider's documentation for specific networking requirements and IP allowlists. |
The "validating credentials" part sounds implicit to me.
|
|
||
| #### Container registries | ||
|
|
||
| The Platform must access container registries to validate credentials and pull container metadata (e.g., Docker Hub, Quay.io, AWS ECR, Azure ACR, Google GCR, or private registries). Consult your container registry provider's documentation for specific networking requirements and IP allowlists. |
| The Platform must access container registries to validate credentials and pull container metadata (e.g., Docker Hub, Quay.io, AWS ECR, Azure ACR, Google GCR, or private registries). Consult your container registry provider's documentation for specific networking requirements and IP allowlists. | |
| Platform must access container registries to pull container metadata and images (e.g., Docker Hub, Quay.io, AWS ECR, Azure ACR, Google GCR, or private registries), depending on which images are used in your pipelines. Consult your container registry provider's documentation for specific networking requirements and IP allowlists. |
| - `private.cr.seqera.io` | ||
| - `community.cr.seqera.io` | ||
| - `auth.cr.seqera.io` | ||
| - `cr.seqera.io` |
| - `cr.seqera.io` |
I don't think cr.seqera.io is needed for Wave?
| - `wave.seqera.io` | ||
| - `public.cr.seqera.io` | ||
| - `private.cr.seqera.io` | ||
| - `community.cr.seqera.io` | ||
| - `auth.cr.seqera.io` |
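Review bot: none of the hosts in this list has a stated purpose, so a reader cannot tell which ones apply to their deployment and will allowlist all of them; give each host (or each pair, if they are grouped as the later suggestion describes) a one-line purpose, and any host added later, such as `cerbero.seqera.io` in the suggestion below, should arrive with the same explanation.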
| - `wave.seqera.io` | |
| - `public.cr.seqera.io` | |
| - `private.cr.seqera.io` | |
| - `community.cr.seqera.io` | |
| - `auth.cr.seqera.io` | |
| - `wave.seqera.io` | |
| - `public.cr.seqera.io` | |
| - `auth.cr.seqera.io` | |
| - `community.cr.seqera.io` | |
| - `cerbero.seqera.io` | |
| - `private.cr.seqera.io` |
Reordered by pairs and added cerbero.
| #### Seqera AI (optional) | ||
|
|
||
| Required if using Seqera AI features. | ||
|
|
||
| - `ai.seqera.io` | ||
|
|
| #### Seqera AI (optional) | |
| Required if using Seqera AI features. | |
| - `ai.seqera.io` | |
| #### Seqera AI (optional) | |
| Required if using [Seqera AI](https://seqera.io/ask-ai/chat-v2). | |
| - `intern.seqera.io` | |
| #### Seqera containers (optional) | |
| Required if using [Seqera Containers](https://seqera.io/containers/). | |
| - `hub.seqera.io` | |
ai.seqera.io is just a redirect to seqera.io/ask-ai/chat.
| #### Seqera AI (optional) | |
| Required if using Seqera AI features. | |
| - `ai.seqera.io` |
intern and hub aren't used by Platform; they are accessed by users via their browsers, so they should probably get removed.
Currently the network configuration requirements for Cloud are within the Enterprise section; as such, these have been moved to the Cloud under enterprise/advanced-topics/firewall-configuration.md. The original content can be viewed at https://docs.seqera.io/platform-enterprise/25.1/enterprise/advanced-topics/firewall-configuration
Further to that, for Enterprise customers self-hosting their own installation:
licences.seqera.io on port 443. The IP addresses for this are the ones defined as ingress at https://meta.seqera.io
Enterprise Plugins & Fusion
Seqera Enterprise plugins & Fusion have licence checking built in; as such, it's not sufficient to only allow outbound traffic to port 443 from the Seqera Enterprise installation, they will also have to allow network traffic from the Compute Environment executing the Nextflow jobs.
Wave
If the customer is using Seqera Cloud hosted Wave and they're using the Mirror or Freeze functionality, which requires Wave to store built containers within their container registry, then they will have to ensure that the wave-build VPC is allowed to push to their container registry. For most cloud providers this requires additional configuration to lock down, as such it's not normally a problem.
These would be the IP addresses on port 443 defined as egress at https://meta.seqera.io
If the customer would like to restrict outbound traffic from their installation, they would be responsible for ensuring they allow access to Seqera assets hosted on Cloudflare, along with Nextflow assets hosted on GitHub artifacts, along with any code hosting solutions or third-party dependencies they're using such as GitHub / GitLab / Artifactory.
Structure.
I have tried to follow the following structure for the networking requirements.
The main item I am trying to do with the docs is inform the customer of our networking needs and how their pipeline and external services used create different networking requirements, slightly outside of the scope of our documentation as it's non-exhaustive, and they should take into consideration their intended usage patterns.
In short, customers only need Licence manager access & cloud info as an optional service; all other items can be hosted inside their internal network and are not required for Platform to function.
There is a feature of Studios which needs to talk to Wave; however, this is not released fully and is being re-worked by the team.
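The PR description says self-hosted installs must allow outbound traffic to the addresses published as `ingress` at meta.seqera.io, and that those addresses change. The drift check below is an added example (not code from this PR or from Seqera's docs): it assumes the meta endpoint returns JSON with top-level `ingress` and `egress` lists of CIDR strings (that layout is an assumption), and all addresses and firewall rules in it are constructed samples.

```python
import ipaddress
import json

# Constructed stand-in for the body fetched from https://meta.seqera.io/v3 (layout ASSUMED).
# ingress: addresses Seqera-hosted services accept connections on, i.e. your outbound
#          destinations (licences.seqera.io:443 for self-hosted Enterprise);
# egress:  addresses those services connect from, i.e. your inbound sources (Wave pushing
#          mirrored/frozen images into your registry).
SAMPLE_META_JSON = json.dumps({
    "ingress": ["192.0.2.0/28", "198.51.100.16/30", "198.51.100.64/28"],
    "egress": ["203.0.113.0/26", "203.0.113.64/27"],
})

# Constructed sample of an operator's current outbound allow rules: (destination CIDR, port).
SAMPLE_OUTBOUND_RULES = [
    ("192.0.2.0/24", 443),      # covers the published /28 but is wider than needed
    ("198.51.100.16/30", 443),  # exact match with a published range
    ("203.0.113.128/25", 443),  # overlaps nothing published: stale rule
    ("198.51.100.16/30", 80),   # wrong port, ignored by a port-443 check
]


def parse_ranges(meta_json, section):
    """Return the CIDR networks listed under `section` ("ingress" or "egress")."""
    return [ipaddress.ip_network(c, strict=True) for c in json.loads(meta_json)[section]]


def _covers(rule, net):
    # subnet_of() raises on mixed IPv4/IPv6, so compare versions first.
    return rule.version == net.version and net.subnet_of(rule)


def check_allowlist(rules, published, port=443):
    """Compare allow rules on `port` with the published ranges; returns (missing, stale, overbroad).
    missing:   published ranges no rule covers (this traffic is blocked today);
    stale:     rules overlapping no published range (candidates for removal);
    overbroad: rules wider than the published range they cover (tighten them)."""
    allowed = [ipaddress.ip_network(dst) for dst, p in rules if p == port]
    missing = [str(n) for n in published if not any(_covers(r, n) for r in allowed)]
    stale = [str(r) for r in allowed
             if not any(r.version == n.version and r.overlaps(n) for n in published)]
    overbroad = [str(r) for r in allowed if any(_covers(r, n) and r != n for n in published)]
    return missing, stale, overbroad


def outbound_drift(meta_json=SAMPLE_META_JSON, rules=SAMPLE_OUTBOUND_RULES):
    """A self-hosted Platform must reach Seqera's *ingress* ranges, so outbound rules are checked against them."""
    return check_allowlist(rules, parse_ranges(meta_json, "ingress"))
```

The same `check_allowlist` run with the `egress` section against inbound rules on the registry side covers the Wave mirror/freeze case described above.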