Advanced Network Sandbox Common Network Patterns
Commonly blocked network traffic while testing
This is a list of common domains that we’ve seen blocked by the Network Sandbox test. We provide this to allow users to know what domains will need to be unblocked ahead of time in their Sandbox testing, as well as to track common EKS sandbox requirements.
The document provides specific domain examples for various services in AWS and Azure like Amazon EKS, Amazon ECR (both private and public), Google Container Registry, Docker Hub, GitHub Container Registry, and others. These domains are categorized based on the service they belong to, and in some cases, additional notes or caveats are provided regarding their use.
In cases where domains have <region>, the customer should ensure that they are only allowing access to requests in the DR environment region. This properly isolates the DR environment in case the primary region is down.
The user assumes responsibility by utilizing these lists to allow outbound access.
| Domain | Usage |
| ec2.<region>.amazonaws.com | ec2 NodeGroup connectivity |
| ec2messages.<region>.amazonaws.com | ec2 NodeGroup connectivity |
| amazonlinux-2-repos-<region>.s3.dualstack.<region>.amazonaws.com | ec2 image host |
| cdn.amazonlinux.com | -- |
| <Unique ID>.gr7.<region>.eks.amazonaws.com | For multiple EKS clusters to communicate with each other |
| sts.<region>.amazonaws.com | For IAM roles for service accounts |
| ssm.<region>.amazonaws.com | For resolving default AMIs |
| ssmmessages.<region>.amazonaws.com | For resolving default AMIs |
| sqs.<region>.amazonaws.com | For accessing SQS if using interruption handling |
| eks.<region>.amazonaws.com | For Karpenter to discover the cluster endpoint |
| elasticloadbalancing.<region>.amazonaws.com | If EKS cluster creates an ELB |
| al2023-repos-<region>-de612dc2.s3.dualstack.<region>.amazonaws.com | Amazon Linux updates and image changes |
| sqsmessages.<region>.amazonaws.com | For accessing SQS if using interruption handling |
Private ECR
| Domain | Usage |
| api.ecr.<region>.amazonaws.com | -- |
| <aws account>.dkr.ecr.<region>.amazonaws.com | -- |
| prod-<region>-starport-layer-bucket.s3.<region>.amazonaws.com | -- |
| <account_prefix>.dkr.ecr.<region>.amazonaws.com | AWS managed add-on images. See: AWS Docs |
| s3.<region>.amazonaws.com | For pulling container images |
Public ECR
| Domain | Usage |
| public.ecr.aws | -- |
| <distribution_id>.cloudfront.net | -- |
| d5l0dvt14r5h8.cloudfront.net | For EKS Anywhere package ECR container images |
| d2glxqk2uabbnd.cloudfront.net |
SSM Session Manager
|
Domain |
| ssmmessages.<region>.amazonaws.com |
| ec2messages.<region>.amazonaws.com |
| ssm.<region>.amazonaws.com |
AWS Shield
|
Domain |
| shield.<region>.amazonaws.com |
Azure
AKS Nodes — Specifically for generic AKS hosting
|
Domain |
Usage |
|
*.hcp.<region>.azmk8s.io |
AKS managed cluster API server endpoint |
|
management.azure.com |
Azure Resource Manager (ARM) API |
|
login.microsoftonline.com |
Azure AD / Entra ID authentication |
|
mcr.microsoft.com |
Microsoft Container Registry (system images) |
|
*.data.mcr.microsoft.com |
MCR data endpoint for image layer pulls |
|
packages.microsoft.com |
Node OS package updates (Azure Linux / Ubuntu) |
|
acs-mirror.azureedge.net |
AKS binary and component downloads |
|
<region>.dp.kubernetesconfiguration.azure.com |
Azure Arc / cluster config service |
|
<region>.monitoring.azure.com |
Azure Monitor for containers |
|
dc.services.visualstudio.com |
Application Insights / diagnostics telemetry |
|
*.blob.core.windows.net |
Azure Blob Storage (node images, logs, state) |
|
ntp.ubuntu.com |
NTP time sync for Linux nodes |
|
<region>.osprequests.azure.com |
OS security updates for AKS node pools |
|
*.servicebus.windows.net |
Event-driven autoscaling (KEDA) if enabled |
Private Azure Container Registry (ACR)
|
Domain |
Usage |
|
<registry>.azurecr.io |
ACR login server (image push / pull) |
|
<registry>.<region>.data.azurecr.io |
ACR data endpoint for image layer transfers |
|
login.microsoftonline.com |
Azure AD authentication for ACR token exchange |
|
management.azure.com |
ARM operations for ACR management |
Microsoft Container Registry (MCR) — Public
|
Domain |
Usage |
|
mcr.microsoft.com |
Microsoft public container registry |
|
*.data.mcr.microsoft.com |
MCR data endpoint for public image layers |
|
<distribution_id>.azureedge.net |
Azure CDN distribution for MCR content |
Azure Bastion / Serial Console
|
Domain |
|
management.azure.com |
|
*.bastion.azure.com |
|
login.microsoftonline.com |
Azure DDoS Protection
|
Domain |
|
management.azure.com |
Generic
Google Container Registry
| gcr.io |
| storage.googleapis.com |
Docker Hub - also see Docker allow-list
| hub.docker.com |
| auth.docker.io |
| <region>-docker.pkg.dev |
| registry-1.docker.io |
| production.cloudflare.docker.com |
Github Container Registry (GHCR) - also see GitHub Meta API
| ghcr.io |
| pkg-containers.githubusercontent.com |
Redhat Quay/CDN
| cdn01.quay.io |
| cdn03.quay.io |
| *.quay.io |
K8s Registry - also see Official Documentation
| registry.k8s.io |
| Access to S3 and Docker may be needed if not already present. |
General
These patterns are not region-specific and may introduce connectivity back to your primary region.
| Domain | Usage |
| .amazonaws.com | Opens all of Amazon, including potentially your primary region. |
| .cloudfront.com | Opens all of Cloudfront (Public ECR) |
| .gcr.io | Google Cloud Registry |
| .quay.io | RH Quay |
| .docker.io | Docker Registry |
| .docker.com | Docker Registry |
| .docker.pkg-dev | Docker |
| .ghcr.io | Github Registry |
| .githubusercontent.com | Github Registry |
| .k8s.io | Kubernetes Registry |
|
.azure.com |
Opens all Azure services, including potentially your primary region. |
|
.azurecr.io |
Azure Container Registry |
|
.azureedge.net |
Azure CDN (AKS components, MCR image layers) |
|
.microsoft.com |
Microsoft services including OS package updates |
|
.microsoftonline.com |
Azure AD / Entra ID authentication |
|
.blob.core.windows.net |
Azure Blob Storage |
|
.servicebus.windows.net |
Azure Service Bus (KEDA / interruption handling) |