Endpoints
Here you will find information about communication endpoints related to Apheris 3.0 Compute Gateways.
AWS API endpoints
For the Gateways deployed in an AWS environment, the following endpoints must be accessible to different components of the EKS cluster and Kubernetes services.
Name | URL | Description |
---|---|---|
CloudWatch | https://logs.<region>.amazonaws.com/ | In case EKS audit logs are enabled |
EC2 | https://ec2.<region>.amazonaws.com/ | So Kubernetes nodes can join the cluster |
ECR | https://api.ecr.<region>.amazonaws.com/ | Access to private ECR images |
S3 | https://<bucket>.s3.<region>.amazonaws.com/ | Access to S3 objects (data) |
SSM | https://ssm.<region>.amazonaws.com/ | Required by Karpenter autoscaler |
STS | https://sts.<region>.amazonaws.com/ | IAM roles assumed by Kubernetes service accounts |
The endpoints above are public and should be reachable through the NAT Gateway from the private subnets. Alternatively, they can be reached internally by enabling VPC Endpoints for each of the above services. The Apheris reference setup creates VPC Endpoints for S3 and ECR by default.
Container registries endpoints
The table below displays the container registries that host images utilized within the platform.
Name | URL | Description |
---|---|---|
Private ECR (EKS specific) | https://<account>.dkr.ecr.<region>.amazonaws.com/ | EKS images (CNI, CoreDNS, EBS, Kube-Proxy) |
Public ECR | https://public.ecr.aws/ | Karpenter |
Quay | https://quay.io/ | Apheris Gateway agent, Apheris Gateway Helm chart, Apheris custom models, Cilium |
Orchestrator endpoints
The following endpoints must be accessible to the Apheris Compute Gateway pods to ensure proper communication with our Orchestrator.
Name | URL | Description |
---|---|---|
Auth0 | https://<env>.eu.auth0.com | Apheris authentication endpoint |
Backend API | https://api.<subdomain>.apheris.net | Apheris backend endpoint (used by computations, CLI and Apheris website) |
NVFlare | https://*.nvflare.<subdomain>.apheris.net | Apheris NVFlare endpoints (used by NVFlare clients) |
Orchestrator | https://orchestrator.<subdomain>.apheris.net | Apheris Orchestrator endpoint (used by the Gateway agent) |
S3 (optional) | https:// | Required when using datasets hosted on S3 |
Gateway Installer
Our Gateway Installer downloads and deploys several components and needs to be able to reach the following domains (egress only):
amazonaws.com (public tutorial dataset)
apheris.net (orchestrator)
auth0.com (authentication)
cilium.io (Cilium Helm chart)
cloudfront.net (Docker Hub)
docker.com (Docker Hub)
docker.io (Docker Hub)
github.com (GitHub-hosted files)
github.io (GitHub-hosted files)
githubusercontent.com (GitHub-hosted files)
helm.sh (Helm binary)
k3s.io (K3s installer)
keybase.io (GPG keys)
public.ecr.aws (Gatekeeper)
quay.io (Apheris and Cilium images)
All endpoints are reachable on port 443, except for those related to the Apheris orchestrator domain (apheris.net), which listen on both port 443 and port 8002.
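When the Gateway Installer list and the port rule above are turned into a firewall or proxy allowlist, domain matching has to happen on a label boundary and port 8002 has to stay scoped to apheris.net. The following is an added example, not Apheris code, that audits observed egress against the documented set; the function names and the sample connections (including the `example` subdomain) are assumptions constructed for illustration.

```python
# Domain suffixes copied from the Gateway Installer list on this page.
INSTALLER_DOMAINS = (
    "amazonaws.com", "apheris.net", "auth0.com", "cilium.io", "cloudfront.net",
    "docker.com", "docker.io", "github.com", "github.io", "githubusercontent.com",
    "helm.sh", "k3s.io", "keybase.io", "public.ecr.aws", "quay.io",
)
DEFAULT_PORTS = {443}
# Per the page, only the apheris.net endpoints also listen on 8002.
EXTRA_PORTS = {"apheris.net": {8002}}


def matched_domain(host):
    """Return the listed domain that host equals or is a subdomain of."""
    host = host.strip().rstrip(".").lower()
    for domain in INSTALLER_DOMAINS:
        # Compare on a label boundary: "notapheris.net" must not match.
        if host == domain or host.endswith("." + domain):
            return domain
    return None


def is_allowed(host, port):
    """True if host:port falls inside the documented egress set."""
    domain = matched_domain(host)
    ports = DEFAULT_PORTS | EXTRA_PORTS.get(domain, set())
    return domain is not None and port in ports


def audit(connections):
    """Split (host, port) pairs into documented and unexpected egress."""
    allowed, unexpected = [], []
    for host, port in connections:
        (allowed if is_allowed(host, port) else unexpected).append((host, port))
    return allowed, unexpected


# Constructed sample of observed egress; "example" is a placeholder subdomain.
SAMPLE = [
    ("orchestrator.example.apheris.net", 8002),
    ("quay.io", 443),
    ("K3S.io.", 443),                 # case and trailing dot are normalised
    ("quay.io", 8002),                # 8002 is documented for apheris.net only
    ("notapheris.net", 443),          # shares a suffix, different domain
    ("github.com.example.org", 443),  # listed name used as a prefix
]

if __name__ == "__main__":
    for host, port in audit(SAMPLE)[1]:
        print(f"unexpected egress: {host}:{port}")
```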