Advanced Network Sandbox Common Network Patterns
Commonly blocked network traffic while testing
This is a list of common domains that we’ve seen blocked by the Network Sandbox test. We provide this to allow users to know what domains will need to be unblocked ahead of time in their Sandbox testing, as well as to track common EKS sandbox requirements.
The document provides specific domain examples for various services like Amazon EKS, Amazon ECR (both private and public), Google Container Registry, Docker Hub, GitHub Container Registry, and others. These domains are categorized based on the service they belong to, and in some cases, additional notes or caveats are provided regarding their use.
In cases where domains have <region>, the customer should ensure that they are only allowing access to requests in the DR environment region. This properly isolates the DR environment in case the primary region is down.
The user assumes responsibility by utilizing these lists to allow outbound access.
EKS Nodes - Specifically for generic EKS hosting
| Domain |
Usage |
| ec2.<region>.amazonaws.com |
ec2 NodeGroup connectivity |
| ec2messages.<region>.amazonaws.com |
ec2 NodeGroup connectivity |
| amazonlinux-2-repos-<region>.s3.dualstack.<region>.amazonaws.com |
ec2 image host |
| cdn.amazonlinux.com |
-- |
| <Unique ID>.gr7.<region>.eks.amazonaws.com |
For multiple EKS clusters to communicate with each other |
| sts.<region>.amazonaws.com |
For IAM roles for service accounts |
| ssm.<region>.amazonaws.com |
For resolving default AMIs |
| ssmmessages.<region>.amazonaws.com |
For resolving default AMIs |
| sqs.<region>.amazonaws.com |
For accessing SQS if using interruption handling |
| eks.<region>.amazonaws.com |
For Karpenter to discover the cluster endpoint |
| elasticloadbalancing.<region>.amazonaws.com |
If EKS cluster creates an ELB |
| al2023-repos-<region>-de612dc2.s3.dualstack.<region>.amazonaws.com |
Amazon Linux updates and image changes |
| sqsmessages.<region>.amazonaws.com |
For accessing SQS if using interruption handling |
Private ECR
| Domain |
Usage |
| api.ecr.<region>.amazonaws.com |
-- |
| <aws account>.dkr.ecr.<region>.amazonaws.com |
-- |
| prod-<region>-starport-layer-bucket.s3.<region>.amazonaws.com |
-- |
| <account_prefix>.dkr.ecr.<region>.amazonaws.com |
AWS managed add-on images. See: AWS Docs |
| s3.<region>.amazonaws.com |
For pulling container images |
Public ECR
Google Container Registry
| gcr.io |
| storage.googleapis.com |
| hub.docker.com |
| auth.docker.io |
| <region>-docker.pkg.dev |
| registry-1.docker.io |
| production.cloudflare.docker.com |
Github Container Registry (GHCR) - also see GitHub Meta API
| ghcr.io |
| pkg-containers.githubusercontent.com |
Redhat Quay/CDN
| cdn01.quay.io |
| cdn03.quay.io |
| *.quay.io |
| registry.k8s.io |
| Access to S3 and Docker may be needed if not already present. |
SSM Session Manager
| ssmmessages.<region>.amazonaws.com |
| ec2messages.<region>.amazonaws.com |
| ssm.<region>.amazonaws.com |
AWS Shield
| shield.<region>.amazonaws.com |
General Domains
These patterns are not region-specific and may introduce connectivity back to your primary region.
| Domain |
Usage |
| .amazonaws.com |
Opens all of Amazon, including potentially your primary region. |
| .cloudfront.com |
Opens all of Cloudfront (Public ECR) |
| .gcr.io |
Google Cloud Registry |
| .quay.io |
RH Quay |
| .docker.io |
Docker Registry |
| .docker.com |
Docker Registry |
| .docker.pkg-dev |
Docker |
| .ghcr.io |
Github Registry |
| .githubusercontent.com |
Github Registry |
| .k8s.io |
Kubernetes Registry |
