Commonly blocked network traffic while testing
This is a list of common domains that we’ve seen blocked by the Network Sandbox test. We provide this to allow users to know what domains will need to be unblocked ahead of time in their Sandbox testing, as well as to track common EKS sandbox requirements.
The document provides specific domain examples for various services like Amazon EKS, Amazon ECR (both private and public), Google Container Registry, Docker Hub, GitHub Container Registry, and others. These domains are categorized based on the service they belong to, and in some cases, additional notes or caveats are provided regarding their use.
In cases where domains have <region>, the customer should ensure that they are only allowing access to requests in the DR environment region. This properly isolates the DR environment in case the primary region is down.
The user assumes responsibility by utilizing this list to allow generic access to any domains.
EKS Nodes - Specifically for generic EKS hosting
| Domain | Usage |
| ec2.<region>.amazonaws.com | ec2 NodeGroup connectivity |
| ec2messages.<region>.amazonaws.com | ec2 NodeGroup connectivity |
| amazonlinux-2-repos-<region>.s3.dualstack.<region>.amazonaws.com | ec2 image host |
| cdn.amazonlinux.com | |
| <Unique ID>.gr7.<region>.eks.amazonaws.com | For multiple EKS clusters to communicate with each other |
| sts.<region>.amazonaws.com | For IAM roles for service accounts |
| ssm.<region>.amazonaws.com | For resolving default AMIs |
| ssmmessages.<region>.amazonaws.com | For resolving default AMIs |
| sqs.<region>.amazonaws.com | For accessing SQS if using interruption handling |
| eks.<region>.amazonaws.com | For Karpenter to discover the cluster endpoint |
| elasticloadbalancing.<region>.amazonaws.com | If EKS cluster creates an ELB |
| al2023-repos-<region>-de612dc2.s3.dualstack.<region>.amazonaws.com | Amazon Linux updates and image changes |
| Possible others | |
| sqsmessages.<region>.amazonaws.com | For accessing SQS if using interruption handling |
Private ECR
| Domain | Usage |
| api.ecr.<region>.amazonaws.com | |
| <aws account>.dkr.ecr.<region>.amazonaws.com | |
| prod-<region>-starport-layer-bucket.s3.<region>.amazonaws.com | |
| <account_prefix>.dkr.ecr.<region>.amazonaws.com | AWS managed add-on images. See: AWS Docs |
| s3.<region>.amazonaws.com | For pulling container images |
Public ECR
| public.ecr.aws |
| <distribution_id>.cloudfront.net |
| User may not want to open up to all of Cloudfront, so can specify just these (from here) |
| d5l0dvt14r5h8.cloudfront.net |
| d2glxqk2uabbnd.cloudfront.net |
Google Container Registry
| gcr.io |
| storage.googleapis.com |
Docker Hub - also see Docker allow-list
| hub.docker.com |
| auth.docker.io |
| <region>-docker.pkg.dev |
| registry-1.docker.io |
| production.cloudflare.docker.com |
Github Container Registry (GHCR) - also see GitHub Meta API
| ghcr.io |
| pkg-containers.githubusercontent.com |
Redhat Quay/CDN
| cdn01.quay.io |
| cdn03.quay.io |
| *.quay.io |
K8s Registry - also see Official Documentation
| registry.k8s.io |
| Access to S3 and Docker may be needed if not already present. |
SSM Session Manager
| ssmmessages.<region>.amazonaws.com |
| ec2messages.<region>.amazonaws.com |
| ssm.<region>.amazonaws.com |
AWS Shield (note: this is for all workload, not just Shield advanced)
| shield.<region>.amazonaws.com |
Unique seen
| oci.external-secrets.io | external secrets operator |
Generics - Security Warning
| Domain | Usage |
| .amazonaws.com | opens all of amazon, including potentially your primary region. |
| .cloudfront.com | opens all of cloudfront (Public ECR) |
| .gcr.io | google cloud registry |
| .quay.io | RH Quay |
| .docker.io | Docker Registry |
| .docker.com | Docker Registry |
| .docker.pkg-dev | Docker |
| .ghcr.io | Github Registry |
| .githubusercontent.com | Github Registry |
| .k8s.io | Kubernetes Registry |