Help us improve your experience.

Let us know what you think.

Do you have time for a two-minute survey?

 
 

Configure Ports

Ports Configuration lists the ports that should be enabled to allow your device to connect with Juniper Data Center Assurance.

Table 1: Ports Configuration

Direction

Service Type

Portal

Port Number

Description

Outbound

DC Assurance Admin Portal

dc.ai.juniper.net

TCP 443

Opens the DC Assurance GUI.

Outbound

Apstra Edge to Juniper Cloud Connectivity

ep-term.ai.juniper.net

TCP 443

Establishes a connection from the Apstra Edge to a cloud termination service for secure communication with cloud infrastructure.

Outbound

Apstra Edge to Amazon S3 Buckets

  • usw2-ai-prod-dc-payloads.s3.us-west-2.amazonaws.com

  • usw2-ai-prod-apstra-edge-repo.s3.us-west-2.amazonaws.com

TCP 443

Apstra Edge interacts with Amazon S3 buckets to:

  • download edge binaries during remote upgrade from JCloud.

  • upload telemetry data.

See Configure Firewall to Access AWS S3 Buckets below for more information.

Outbound

Apstra Edge to Apstra Controller

IP address of the Apstra instance

TCP 443

Performs configurations and retrieves data such as blueprints and anomalies from the Apstra controller.

Inbound

Apstra Anomalies Stream Receivers to Apstra Edge

localhost

TCP 9595

Receives pushed anomalies data from Apstra stream receivers.

Inbound

Apstra Metrics Stream Receivers to Apstra Edge

localhost

TCP 9797

Receives pushed metrics data from Apstra stream receivers.

Inbound

Local Admin Server to Apstra Edge

  • localhost

  • 0.0.0.0

TCP 8081

Used for internal health checks, metrics, and REST API access.

Outbound

Apstra Edge to Flow Server

FlowServer OpenSearch endpoint

TCP 9200

Queries OpenSearch for flow and analytics data.

Outbound

Apstra Edge to Flow Server

Metrics endpoint

TCP 8080

Retrieves metrics exposed by the Controller.

Outbound

 Apstra Edge to vCenter Server API

vCenter Server API

TCP 443

vSphere API (SOAP/SDK) is used by VMware SDK clients to authenticate, and query inventory vCenter.

Outbound

 Apstra Edge to Slurm

IP address of the Slurm REST API Server instance

TCP 6820

Queries the Slurm REST API server periodically to fetch workload/job information.

Configure Firewall to Access AWS S3 Buckets

Configure FQDN-Based Firewall Rules (Recommended)

Follow this approach if your firewall supports FQDN / DNS-based rules.

AWS S3 uses dynamic IP addresses, and the FQDN rules automatically track IP address changes. This allows you to restrict access to specific buckets only and does not require ongoing IP maintenance.

What to allow—Outbound HTTPS (TCP 443) from the Edge Service to the specific S3 bucket hostnames in the following format: bucket-name.s3.region.amazonaws.com

Configure IP-Based Firewall Rules

If your firewall does not support FQDN-based rules, you may allow access using AWS-published IP ranges.

AWS S3 IP ranges are not static and may change at any time. Therefore, you must keep your firewall rules up to date to avoid service disruption. The Edge Service must also be able to resolve AWS endpoints via DNS. You must ensure that outbound access to your DNS resolver(s) is permitted.

What to allow—Outbound HTTPS (TCP 443) from the Edge Service to the destination IP ranges corresponding to the S3 AWS service and the AWS region(s) used by the service.

For the complete list of AWS regions and IP address ranges, see https://ip-ranges.amazonaws.com/ip-ranges.json.

Note:

To refine your search for the relevant region and IP ranges from the complete list, filter for entries with:

  • "service":"S3"

  • "region":"applicable-region"