Endpoints🔗
Information about endpoints that Apheris Compute Gateways communicate with.
The connection to all endpoints is via TLS / HTTPS (TCP port 443).
Note
We are currently in the process of migrating towards TCP port 443 for connections to the NVFlare servers on the Apheris Compute Orchestrator.
During this process, connections to NVFlare servers via TCP port 8002 will continue to work.
Note
All Apheris Gateways only require Egress communication, they never allow Ingress in any form!
Orchestrator Endpoints🔗
The following endpoints must be accessible to the Apheris Compute Gateway pods at runtime to ensure proper communication with our Compute Orchestrator.
| Name | URL | Description |
|---|---|---|
| Auth0 | apheris-ai-prod.eu.auth0.com |
Apheris authentication endpoint |
| Backend API | api.<subdomain>.apheris.net |
Apheris backend endpoint (used by computations, CLI and Apheris website) |
| NVFlare | *.nv.<subdomain>.apheris.net |
Apheris NVFlare endpoints (used by NVFlare clients) |
| NVFlare | *.nvflare.<subdomain>.apheris.net |
Apheris NVFlare endpoints - only for existing deployments (used by NVFlare clients) |
| Orchestrator | orchestrator.<subdomain>.apheris.net |
Apheris Orchestrator endpoint (used by the Gateway agent) |
| Quay | quay.io |
Apheris Custom Models |
AWS EKS Compute Gateways🔗
For Gateways deployed with the Apheris EKS reference setup, in addition to the Orchestrator Endpoints above, the following endpoints must be accessible to different components of the EKS cluster and Kubernetes services at various points in time:
| Name | URL | Description |
|---|---|---|
| Cloudwatch | logs.<region>.amazonaws.com |
In case EKS audit logs are enabled |
| EC2 | ec2.<region>.amazonaws.com |
So Kubernetes nodes can join the cluster |
| ECR | api.ecr.<region>.amazonaws.com |
Access to private ECR images |
| Private ECR (EKS specific) | <account>.dkr.ecr.<region>.amazonaws.com |
EKS images (CNI, CoreDNS, EBS, Kube-Proxy) |
| Public ECR | public.ecr.aws |
Karpenter |
| S3 | <bucket>.s3.<region>.amazonaws.com |
Access to S3 objects (data) |
| SSM | ssm.<region>.amazonaws.com |
Required by Karpenter autoscaler |
| STS | sts.<region>.amazonaws.com |
IAM roles assumed by Kubernetes service accounts |
The AWS endpoints are public and should be reachable using a NAT Gateway from private subnets.
However, such AWS endpoints can be reached internally by enabling VPC Endpoints for each of above services. The Apheris reference setup creates VPC Endpoints for S3 and ECR by default.
Gateway Installer🔗
Our Gateway Installer downloads and deploys several components at installation time.
It needs to be able to reach the Orchestrator Endpoints above at runtime and, in addition, the following domains (egress only) at installation time:
| Name | URLs | Description |
|---|---|---|
| AWS ECR | public.ecr.aws |
for Open Policy Agent Gatekeeper |
| AWS S3 | amazonaws.com |
public tutorial datasets |
| Cilium | cilium.io |
Cilium Helm chart |
| DockerHub | cloudfront.net, docker.com, docker.io |
|
| GitHub | github.com, github.io, githubusercontent.com |
|
| Helm | helm.sh |
Helm binary |
| NVFlare | *.nvflare.<subdomain>.apheris.net |
Apheris NVFlare endpoints (used by NVFlare clients) |
| Orchestrator | orchestrator.<subdomain>.apheris.net |
Apheris Orchestrator endpoint (used by the Gateway agent) |
| Quay | quay.io |
Apheris Gateway agent image, Apheris Gateway Helm chart and Cilium images |
| k3s | k3s.io |
K3s installer |
| keybase | keybase.io |
GPG keys for validation |