Endpoints🔗
Information about endpoints that Apheris Compute Gateways communicate with.
The connection to all endpoints is via TLS / HTTPS (TCP port 443).
The exception are connections to NVFlare servers (*.nvflare.<subdomain>.apheris.net)
on the Apheris Compute orchestrator that use mTLS on TCP port 8002.
Note
All Apheris Gateways only require Egress communication, they never allow Ingress in any form!
Orchestrator Endpoints🔗
The following endpoints must be accessible to the Apheris Compute Gateway pods at runtime to ensure proper communication with our Compute Orchestrator.
| Name | URL | Description |
|---|---|---|
| Auth0 | apheris-ai-prod.eu.auth0.com |
Apheris authentication endpoint |
| Backend API | api.<subdomain>.apheris.net |
Apheris backend endpoint (used by computations, CLI and Apheris website) |
| NVFlare | *.nvflare.<subdomain>.apheris.net |
Apheris NVFlare endpoints (used by NVFlare clients) |
| Orchestrator | orchestrator.<subdomain>.apheris.net |
Apheris Orchestrator endpoint (used by the Gateway agent) |
| Quay | quay.io |
Apheris Custom Models |
AWS EKS Compute Gateways🔗
For Gateways deployed with the Apheris EKS reference setup, in addition to the Orchestrator Endpoints above, the following endpoints must be accessible to different components of the EKS cluster and Kubernetes services at various points in time:
| Name | URL | Description |
|---|---|---|
| Cloudwatch | logs.<region>.amazonaws.com |
In case EKS audit logs are enabled |
| EC2 | ec2.<region>.amazonaws.com |
So Kubernetes nodes can join the cluster |
| ECR | api.ecr.<region>.amazonaws.com |
Access to private ECR images |
| Private ECR (EKS specific) | <account>.dkr.ecr.<region>.amazonaws.com |
EKS images (CNI, CoreDNS, EBS, Kube-Proxy) |
| Public ECR | public.ecr.aws |
Karpenter |
| S3 | <bucket>.s3.<region>.amazonaws.com |
Access to S3 objects (data) |
| SSM | ssm.<region>.amazonaws.com |
Required by Karpenter autoscaler |
| STS | sts.<region>.amazonaws.com |
IAM roles assumed by Kubernetes service accounts |
The AWS endpoints are public and should be reachable using a NAT Gateway from private subnets.
However, such AWS endpoints can be reached internally by enabling VPC Endpoints for each of above services. The Apheris reference setup creates VPC Endpoints for S3 and ECR by default.
Gateway Installer🔗
Our Gateway Installer downloads and deploys several components at installation time.
It needs to be able to reach the Orchestrator Endpoints above at runtime and, in addition, the following domains (egress only) at installation time:
| Name | URLs | Description |
|---|---|---|
| AWS ECR | public.ecr.aws |
for Open Policy Agent Gatekeeper |
| AWS S3 | amazonaws.com |
public tutorial datasets |
| Cilium | cilium.io |
Cilium Helm chart |
| DockerHub | cloudfront.net, docker.com, docker.io |
|
| GitHub | github.com, github.io, githubusercontent.com |
|
| Helm | helm.sh |
Helm binary |
| NVFlare | *.nvflare.<subdomain>.apheris.net |
Apheris NVFlare endpoints (used by NVFlare clients) |
| Orchestrator | orchestrator.<subdomain>.apheris.net |
Apheris Orchestrator endpoint (used by the Gateway agent) |
| Quay | quay.io |
Apheris Gateway agent image, Apheris Gateway Helm chart and Cilium images |
| k3s | k3s.io |
K3s installer |
| keybase | keybase.io |
GPG keys for validation |