Endpoints
Information about endpoints that Apheris Compute Gateways communicate with.
Note
The connection to all endpoints is via HTTPS (TCP port 443).
The exception is connections to NVFlare servers (*.nvflare.
Orchestrator endpoints
The following endpoints must be accessible to the Apheris Compute Gateway pods at runtime to ensure proper communication with our Compute Orchestrator.
Name | URL | Description |
---|---|---|
Auth0 | <env>.eu.auth0.com | Apheris authentication endpoint |
Backend API | api.<subdomain>.apheris.net | Apheris backend endpoint (used by computations, CLI and Apheris website) |
NVFlare | *.nvflare.<subdomain>.apheris.net | Apheris NVFlare endpoints (used by NVFlare clients) |
Orchestrator | orchestrator.<subdomain>.apheris.net | Apheris Orchestrator endpoint (used by the Gateway agent) |
Quay | quay.io | Apheris Custom Models |
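The following added example (not Apheris code) audits destinations seen in an egress proxy log against the Orchestrator endpoints table, using anchored matching so that lookalike hosts are not accepted. The function names, the sample values `example` and `acme`, the sample hosts, and the reading of `*` as one or more DNS labels are assumptions made for illustration.

```python
import re

# Host patterns copied from the Orchestrator endpoints table.
ORCHESTRATOR_PATTERNS = [
    "<env>.eu.auth0.com",
    "api.<subdomain>.apheris.net",
    "*.nvflare.<subdomain>.apheris.net",
    "orchestrator.<subdomain>.apheris.net",
    "quay.io",
]

def compile_allowlist(patterns, values):
    """Fill the <placeholders> and turn each pattern into a regex for fullmatch()."""
    label = r"[a-z0-9](?:[a-z0-9-]*[a-z0-9])?"
    compiled = []
    for pattern in patterns:
        for name, value in values.items():
            pattern = pattern.replace(f"<{name}>", value)
        if "<" in pattern:
            raise ValueError(f"unfilled placeholder in {pattern!r}")
        # Assumption: "*" stands for one or more DNS labels.
        body = re.escape(pattern.lower()).replace(r"\*", rf"{label}(?:\.{label})*")
        compiled.append(re.compile(body))
    return compiled

def normalize(host):
    """Lower-case and drop the root dot so 'Quay.IO.' equals 'quay.io'."""
    return host.strip().lower().rstrip(".")

def unexpected_hosts(observed, allowlist):
    """Return observed destinations that match no allowlisted pattern."""
    return [h for h in observed
            if not any(rx.fullmatch(normalize(h)) for rx in allowlist)]

# Constructed sample data: made-up tenant values and proxy-log destinations.
SAMPLE_VALUES = {"env": "example", "subdomain": "acme"}
SAMPLE_HOSTS = [
    "orchestrator.acme.apheris.net",
    "site-1.nvflare.acme.apheris.net",
    "Quay.IO.",
    "api.acme.apheris.net.lookalike.test",  # allowlisted name used as a prefix
    "notquay.io",                           # allowlisted name used as a suffix
]

if __name__ == "__main__":
    allow = compile_allowlist(ORCHESTRATOR_PATTERNS, SAMPLE_VALUES)
    for host in unexpected_hosts(SAMPLE_HOSTS, allow):
        print("not on allowlist:", host)
```

A substring or `endswith` comparison would accept both flagged hosts, which is why the patterns are matched with `fullmatch`.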
AWS EKS Compute Gateways
For the Gateways deployed in an AWS environment, the following endpoints must be accessible to different components of the EKS cluster and Kubernetes services.
The AWS endpoints are public and should be reachable from private subnets through a NAT Gateway. Alternatively, these AWS endpoints can be reached internally by enabling VPC Endpoints for each of the above services. The Apheris reference setup creates VPC Endpoints for S3 and ECR by default.
Name | URL | Description |
---|---|---|
Auth0 | <env>.eu.auth0.com | Apheris authentication endpoint |
Backend API | api.<subdomain>.apheris.net | Apheris backend endpoint (used by computations, CLI and Apheris website) |
Cloudwatch | logs.<region>.amazonaws.com | In case EKS audit logs are enabled |
EC2 | ec2.<region>.amazonaws.com | So Kubernetes nodes can join the cluster |
ECR | api.ecr.<region>.amazonaws.com | Access to private ECR images |
NVFlare | *.nvflare.<subdomain>.apheris.net | Apheris NVFlare endpoints (used by NVFlare clients) |
Orchestrator | orchestrator.<subdomain>.apheris.net | Apheris Orchestrator endpoint (used by the Gateway agent) |
Private ECR (EKS specific) | <account>.dkr.ecr.<region>.amazonaws.com | EKS images (CNI, CoreDNS, EBS, Kube-Proxy) |
Public ECR | public.ecr.aws | Karpenter |
Quay | quay.io | Apheris Custom Models |
S3 | <bucket>.s3.<region>.amazonaws.com | Access to S3 objects (data) |
SSM | ssm.<region>.amazonaws.com | Required by Karpenter autoscaler |
STS | sts.<region>.amazonaws.com | IAM roles assumed by Kubernetes service accounts |
Gateway Installer
Our Gateway Installer downloads and deploys several components and needs to be able to reach the following domains (egress only):
Name | URLs | Description |
---|---|---|
AWS ECR | public.ecr.aws | for Open Policy Agent Gatekeeper |
AWS S3 | amazonaws.com | public tutorial datasets |
Auth0 | <env>.eu.auth0.com | Apheris authentication endpoint |
Cilium | cilium.io | Cilium Helm chart |
DockerHub | cloudfront.net, docker.com, docker.io | |
GitHub | github.com, github.io, githubusercontent.com | |
Helm | helm.sh | Helm binary |
NVFlare | *.nvflare.<subdomain>.apheris.net | Apheris NVFlare endpoints (used by NVFlare clients) |
Orchestrator | orchestrator.<subdomain>.apheris.net | Apheris Orchestrator endpoint (used by the Gateway agent) |
Quay | quay.io | Apheris Gateway agent image, Apheris Gateway Helm chart and Cilium images |
k3s | k3s.io | K3s installer |
keybase | keybase.io | GPG keys for validation |