Network Configuration Requirements

Nutanix Xi Frame DaaS requires Frame Platform to be able to communicate with the workload (Sandbox, Production, and Utility Server) VMs. Additionally, for Frame-managed workloads on Nutanix AHV clusters, Frame Platform must be able to communicate with Prism Element and Prism Central.

The following document describes each deployment model on public cloud infrastructure and Nutanix AHV cluster infrastructure and the associated network requirements.

Note

As of November 5, 2020, users are now redirected to https://console.nutanix.com/ after authentication. Customers who whitelist external FQDNs are advised to add console.nutanix.com and *.console.nutanix.com to their firewall and proxy server whitelists.

Attention

As of August 2, 2020, customers who wish to deploy Cloud Connector Appliance 3.0 GA for Frame-managed workloads on Nutanix AHV must ensure their firewalls and proxy servers will allow new FQDNs. Refer to the CCA 3.0 GA section for further details.

Attention

In order for customers to download Frame agent updates from Nutanix’s Content Delivery Network (CDN), prod-sup-5683567dcbd60804cb34.s3.us-east-1.amazonaws.com will be replaced by downloads.console.nutanix.com in the near future. Refer to the appropriate section below for further details.

Deployment Models

There are five primary deployment models (3 for public cloud and 2 for Nutanix AHV clusters):

  1. Public Cloud (Default): All workload VMs (Sandbox, Production, and Utility Server VMs) have public IP addresses and are directly accessed by users.

  2. Public Cloud with Private Networking: All workload VMs only have private IP addresses. Users must access the workload VMs through a private network.

  3. Public Cloud with Private Networking and SGA: All workload VMs have private IP addresses. However, users can access the workload VMs through a Streaming Gateway Appliance (SGA) from the Internet.

  4. AHV using Private Networking without SGA: All workload VMs only have private IP addresses. Users must access the workload VMs through a private network.

  5. AHV using Private Networking with SGA: All workload VMs have private IP addresses. However, users can access the workload VMs through a Streaming Gateway Appliance (SGA) from the Internet.

Public Cloud

Public Cloud (Default)

With the default public cloud deployment model, users access virtualized applications/desktops from the Internet. These virtualized applications/desktops communicate directly to the Internet for publicly-accessible resources. If users must access network resources on-premises or in a private network, a private network connection (e.g., VPN, direct connection, SD-WAN) with the appropriate routing must be implemented.

| Source to Destination | Source IP Address | Destination FQDN(s) | Protocol: Port |
|---|---|---|---|
| ▴ Frame Platform to Workload VMs | 18.214.119.1/32, 18.232.236.200/32, 35.173.64.151/32 | Public IP address | tcp/443 (HTTPS); tcp/8112 (HTTPS) |
| ▴ Workload VMs to Frame Platform | Public IP address | gateway-external-api-prod.frame.nutanix.com; img.frame.nutanix.com; prod-kds-5683567dcbd60804cb34.s3.us-east-1.amazonaws.com; prod-sup-5683567dcbd60804cb34.s3.us-east-1.amazonaws.com; downloads.console.nutanix.com; logs-01.loggly.com (for event logging) | tcp/443 (HTTPS); tcp/443 (HTTPS); tcp/443 (HTTPS); tcp/443 (HTTPS); tcp/443 (HTTPS); tcp/6514 (TLS) |
| ▴ End user to Frame Platform | Public IP address | console.nutanix.com; img.console.nutanix.com | All tcp/443 (HTTPS) |
| ▴ End user to Workload VM | Public IP address | *.nutanixframe.com or *.nutanix-frame.com resolving to public IP address | tcp/443 (HTTPS, Secure WebSocket) |

Note

The table above includes all protocols/ports needed for Frame-managed workloads on AWS, Azure, or GCP. Items with the ▴ symbol identify communication paths that traverse the public-private network boundary.

[Figure: Default Frame Account on Public Cloud Topology]

Public Cloud with Private Networking

Private Networking requires users to access virtualized applications/desktops from within the organization’s network. Virtualized applications/desktops must communicate to the Internet through the organization’s network. With Private Networking, there is no direct Internet access to/from workload VMs.

| Source to Destination | Source IP Address | Destination FQDN(s) | Protocol: Port |
|---|---|---|---|
| ▴ Workload Cloud Connector Appliance (WCCA) to Frame Platform | Public IP address (NAT from private IP address), as seen by Frame Platform | frame.nutanix.com; cpanel-backend-prod.frame.nutanix.com; gateway-external-api-prod.frame.nutanix.com; ccc-bridge-external-prod.frame.nutanix.com; ccc-prod.frame.nutanix.com | tcp/443 (HTTPS); tcp/443 (HTTPS); tcp/443 (HTTPS); tcp/443 (HTTPS, Secure WebSocket) |
| WCCA to Workload VMs (Sandbox VM, Production VMs) | Private IP address within VPC/VNET | Private IP addresses within VPC/VNET | tcp/8112 (HTTPS) |
| ▴ Workload VMs to Frame Platform | Public IP address (NAT from private IP address), from perspective of Frame Platform | gateway-external-api-prod.frame.nutanix.com; img.console.nutanix.com; prod-kds-5683567dcbd60804cb34.s3.us-east-1.amazonaws.com; prod-sup-5683567dcbd60804cb34.s3.us-east-1.amazonaws.com; downloads.console.nutanix.com; logs-01.loggly.com (for event logging) | tcp/443 (HTTPS); tcp/443 (HTTPS); tcp/443 (HTTPS); tcp/443 (HTTPS); tcp/443 (HTTPS); tcp/6514 (TLS) |
| ▴ End user to Frame Platform | Public IP address (NAT from private IP address if end user in private network), from perspective of Frame Platform | console.nutanix.com; img.console.nutanix.com; logs-01.loggly.com (for event logging) | tcp/443 (HTTPS); tcp/443 (HTTPS); tcp/6514 (TLS) |
| End user to Workload VM | Private IP address | *.nutanixframe.com or *.nutanix-frame.com resolving to private IP address within VPC/VNET | tcp/443 (HTTPS, Secure WebSocket) |

Note

Items with the ▴ symbol identify communication paths that traverse the public-private network boundary.

[Figure: Frame Account on Public Cloud with Private Networking Topology]

Public Cloud with Private Networking and SGA

Private Networking with SGA enables users to access virtualized applications/desktops from the Internet using a single public IP address. Virtualized applications/desktops must communicate to the Internet through the organization’s network. With Private Networking and SGA, there is no direct Internet access to/from workload VMs.

| Source to Destination | Source IP Address | Destination FQDN(s) | Protocol: Port |
|---|---|---|---|
| ▴ Workload Cloud Connector Appliance (WCCA) to Frame Platform | Public IP address (NAT from private IP address), as seen by Frame Platform | frame.nutanix.com; cpanel-backend-prod.frame.nutanix.com; gateway-external-api-prod.frame.nutanix.com; ccc-bridge-external-prod.frame.nutanix.com; ccc-prod.frame.nutanix.com | tcp/443 (HTTPS); tcp/443 (HTTPS); tcp/443 (HTTPS); tcp/443 (HTTPS); tcp/443 (HTTPS, Secure WebSocket) |
| WCCA to Workload VMs (Sandbox VM, Production VMs) | Private IP address within VPC/VNET | Private IP addresses within VPC/VNET | tcp/8112 (HTTPS) |
| ▴ Workload VMs to Frame Platform | Public IP address (NAT from private IP address), from perspective of Frame Platform | gateway-external-api-prod.frame.nutanix.com; img.console.nutanix.com; prod-kds-5683567dcbd60804cb34.s3.us-east-1.amazonaws.com; prod-sup-5683567dcbd60804cb34.s3.us-east-1.amazonaws.com; downloads.console.nutanix.com; logs-01.loggly.com (for event logging) | tcp/443 (HTTPS); tcp/443 (HTTPS); tcp/443 (HTTPS); tcp/443 (HTTPS); tcp/443 (HTTPS); tcp/6514 (TLS) |
| ▴ End user to Frame Platform | Public IP address (NAT from private IP address if end user in private network), from perspective of Frame Platform | console.nutanix.com; img.console.nutanix.com; logs-01.loggly.com (for event logging) | tcp/443 (HTTPS); tcp/443 (HTTPS); tcp/6514 (TLS) |
| ▴ End user to SGA | Public IP address | Customer-defined SGA FQDN | tcp/443 (HTTPS, Secure WebSocket) |
| SGA to Workload VM | Private IP address | Private IP address within VPC/VNET | tcp/443 (HTTPS, Secure WebSocket) |

Note

Items with the ▴ symbol identify communication paths that traverse the public-private network boundary.

[Figure: Frame Account on Public Cloud with Private Networking and SGA Topology]

Frame on AHV

AHV using Private Networking without SGA

Private Networking requires users to access virtualized applications/desktops from within the organization’s network. Virtualized applications/desktops must communicate to the Internet through the organization’s network. With Private Networking, there is no direct Internet access to/from workload VMs.

CCA 3.0 GA

| Source to Destination | Source IP Address | Destination FQDN(s) | Protocol: Port |
|---|---|---|---|
| ▴ Cloud Connector Appliance (CCA) to Frame Platform and Workload Cloud Connector Appliance (WCCA) to Frame Platform | Public IP address (NAT from private IP address), as seen by Frame Platform | console.nutanix.com; cpanel-backend.console.nutanix.com; gateway-external-api.console.nutanix.com; cch.console.nutanix.com | tcp/443 (HTTPS); tcp/443 (HTTPS); tcp/443 (HTTPS); tcp/443 (HTTPS, Secure WebSocket) |
| ▴ Prism Central to Frame Platform | Private IP address | downloads.frame.nutanix.com | tcp/443 (HTTPS) |
| WCCA to Workload VMs (Sandbox VM, Production VMs) | Private IP address within VLAN | Private IP addresses within VLAN | tcp/8112 (HTTPS) |
| CCA to Prism Central | Private IP address or static private IP address | Prism Central IP address | tcp/443 (HTTPS); tcp/9440 (HTTPS) |
| CCA to Prism Element (on node where profile and personal disks are used) | Private IP address | Prism Element IP address | tcp/443 (HTTPS); tcp/9440 (HTTPS) |
| ▴ Workload VMs to Frame Platform | Public IP address (NAT from private IP address), from perspective of Frame Platform | gateway-external-api.console.nutanix.com; img.frame.nutanix.com; img.console.nutanix.com; prod-kds-5683567dcbd60804cb34.s3.us-east-1.amazonaws.com; prod-sup-5683567dcbd60804cb34.s3.us-east-1.amazonaws.com; downloads.console.nutanix.com; logs-01.loggly.com (for event logging) | tcp/443 (HTTPS); tcp/443 (HTTPS); tcp/443 (HTTPS); tcp/443 (HTTPS); tcp/443 (HTTPS); tcp/6514 (TLS) |
| ▴ End user to Frame Platform | Public IP address (NAT from private IP address if end user in private network), from perspective of Frame Platform | console.nutanix.com; img.console.nutanix.com; login.console.nutanix.com; logs-01.loggly.com (for event logging) | tcp/443 (HTTPS); tcp/443 (HTTPS); tcp/443 (HTTPS); tcp/6514 (TLS) |
| ▴ Streaming Gateway Appliance (SGA) to Frame Platform | Public IP address (NAT from private IP address), as seen by Frame Platform | cpanel-backend.console.nutanix.com; gateway-external-api.console.nutanix.com | tcp/443 (HTTPS); tcp/443 (HTTPS) |
| End user to Workload VM | Private IP address | *.nutanixframe.com or *.nutanix-frame.com resolving to private IP address within VLAN | tcp/443 (HTTPS, Secure WebSocket) |
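An added example (not part of the Nutanix documentation) that audits a firewall or proxy allowlist against the CCA 3.0 GA destinations in the table above. The "host:port" rule format, the sample allowlist and the wildcard semantics ("*." covers subdomains but not the bare domain) are assumptions; under them, the bare console.nutanix.com entry from the November 5, 2020 note needs its own rule.

```python
# Added example (not Nutanix code). REQUIRED copies two rows of the CCA 3.0 GA
# table above; ports follow table order, logs-01.loggly.com being tcp/6514.
REQUIRED = {
    "CCA/WCCA": [
        ("console.nutanix.com", 443),
        ("cpanel-backend.console.nutanix.com", 443),
        ("gateway-external-api.console.nutanix.com", 443),
        ("cch.console.nutanix.com", 443),
    ],
    "Workload VM": [
        ("gateway-external-api.console.nutanix.com", 443),
        ("img.frame.nutanix.com", 443),
        ("img.console.nutanix.com", 443),
        ("prod-kds-5683567dcbd60804cb34.s3.us-east-1.amazonaws.com", 443),
        ("prod-sup-5683567dcbd60804cb34.s3.us-east-1.amazonaws.com", 443),
        ("downloads.console.nutanix.com", 443),
        ("logs-01.loggly.com", 6514),
    ],
}
# Constructed sample allowlist in a hypothetical "host:port" rule format.
SAMPLE_ALLOWLIST = """\
*.console.nutanix.com:443
img.frame.nutanix.com:443
prod-kds-5683567dcbd60804cb34.s3.us-east-1.amazonaws.com:443
prod-sup-5683567dcbd60804cb34.s3.us-east-1.amazonaws.com:443
logs-01.loggly.com:443   # constructed mistake: the table lists tcp/6514
""".splitlines()


def parse_rules(lines):
    """Turn 'host:port' lines into (host, port) tuples, ignoring # comments."""
    rules = []
    for line in lines:
        line = line.split("#", 1)[0].strip()
        if line:
            host, _, port = line.rpartition(":")
            rules.append((host.lower(), int(port)))
    return rules


def rule_matches(rule_host, host):
    """Assumed semantics: '*.' covers subdomains only, never the bare domain."""
    host = host.lower().rstrip(".")
    if rule_host.startswith("*."):
        # Keep the leading dot so 'evilconsole.nutanix.com' cannot match.
        return host.endswith(rule_host[1:])
    return host == rule_host


def audit(rules, required=REQUIRED):
    """Return {source: [(fqdn, port), ...]} for destinations no rule covers."""
    missing = {}
    for source, dests in required.items():
        gaps = [(h, p) for h, p in dests
                if not any(rp == p and rule_matches(rh, h) for rh, rp in rules)]
        if gaps:
            missing[source] = gaps
    return missing


if __name__ == "__main__":
    print(audit(parse_rules(SAMPLE_ALLOWLIST)))
```

On the sample input the audit reports console.nutanix.com tcp/443 as uncovered for CCA/WCCA and logs-01.loggly.com tcp/6514 as uncovered for workload VMs.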

CCA 2.X GA and CCA 3.0 Release Candidates

| Source to Destination | Source IP Address | Destination FQDN(s) | Protocol: Port |
|---|---|---|---|
| ▴ Cloud Connector Appliance (CCA) to Frame Platform and Workload Cloud Connector Appliance (WCCA) to Frame Platform | Public IP address (NAT from private IP address), as seen by Frame Platform | frame.nutanix.com; cpanel-backend-prod.frame.nutanix.com; gateway-external-api-prod.frame.nutanix.com; ccc-prod.frame.nutanix.com; ccc-bridge-external-prod.frame.nutanix.com (for CCA 2.X); cch.frame.nutanix.com (for CCA 3.0 RC) | tcp/443 (HTTPS); tcp/443 (HTTPS); tcp/443 (HTTPS); tcp/443 (HTTPS); tcp/443 (HTTPS, Secure WebSocket); tcp/443 (HTTPS, Secure WebSocket) |
| Prism Central to Frame Platform | Private IP address | prod-cca-5683567dcbd60804cb34.s3.amazonaws.com | tcp/443 (HTTPS) |
| WCCA to Workload VMs (Sandbox VM, Production VMs) | Private IP address within VLAN | Private IP addresses within VLAN | tcp/8112 (HTTPS) |
| CCA to Prism Central | Private IP address or static private IP address | Prism Central IP address | tcp/443 (HTTPS); tcp/9440 (HTTPS) |
| CCA to Prism Element (on node where profile and personal disks are used) | Private IP address | Prism Element IP address | tcp/443 (HTTPS); tcp/9440 (HTTPS) |
| ▴ Workload VMs to Frame Platform | Public IP address (NAT from private IP address), from perspective of Frame Platform | gateway-external-api-prod.frame.nutanix.com; img.frame.nutanix.com; prod-kds-5683567dcbd60804cb34.s3.us-east-1.amazonaws.com; prod-sup-5683567dcbd60804cb34.s3.us-east-1.amazonaws.com; downloads.console.nutanix.com; logs-01.loggly.com (for event logging) | tcp/443 (HTTPS); tcp/443 (HTTPS); tcp/443 (HTTPS); tcp/443 (HTTPS); tcp/443 (HTTPS); tcp/6514 (TLS) |
| ▴ End user to Frame Platform | Public IP address (NAT from private IP address if end user in private network), from perspective of Frame Platform | frame.nutanix.com; img.frame.nutanix.com; cpanel-backend-prod.frame.nutanix.com; prod-cpa-5683567dcbd60804cb34.s3.us-east-1.amazonaws.com; terminal-prod.frame.nutanix.com; login.frame.nutanix.com (for Frame IdP, if used); logs-01.loggly.com (for event logging) | tcp/443 (HTTPS); tcp/443 (HTTPS); tcp/443 (HTTPS); tcp/443 (HTTPS); tcp/443 (HTTPS); tcp/443 (HTTPS); tcp/6514 (TLS) |
| End user to Workload VM | Private IP address | *.nutanixframe.com or *.nutanix-frame.com resolving to private IP address within VLAN | tcp/443 (HTTPS, Secure WebSocket) |

Note

Items with the ▴ symbol identify communication paths that traverse the public-private network boundary.

[Figure: Frame Account on AHV without SGA Networking Topology]

AHV using Private Networking with SGA

Private Networking with SGA enables users to access virtualized applications/desktops from the Internet using a single public IP address. Virtualized applications/desktops must communicate to the Internet through the organization’s network. With Private Networking and SGA, there is no direct Internet access to/from workload VMs.

CCA 3.0 GA

| Source to Destination | Source IP Address | Destination FQDN(s) | Protocol: Port |
|---|---|---|---|
| ▴ Cloud Connector Appliance (CCA) to Frame Platform and Workload Cloud Connector Appliance (WCCA) to Frame Platform | Public IP address (NAT from private IP address), as seen by Frame Platform | console.nutanix.com; cpanel-backend.console.nutanix.com; gateway-external-api.console.nutanix.com; cch.console.nutanix.com | tcp/443 (HTTPS); tcp/443 (HTTPS); tcp/443 (HTTPS); tcp/443 (HTTPS, Secure WebSocket) |
| ▴ Prism Central to Frame Platform | Private IP address | downloads.frame.nutanix.com | tcp/443 (HTTPS) |
| WCCA to Workload VMs (Sandbox VM, Production VMs) | Private IP address within VLAN | Private IP addresses within VLAN | tcp/8112 (HTTPS) |
| CCA to Prism Central | Private IP address or static private IP address | Prism Central IP address | tcp/443 (HTTPS); tcp/9440 (HTTPS) |
| CCA to Prism Element (on node where profile and personal disks are used) | Private IP address | Prism Element IP address | tcp/443 (HTTPS); tcp/9440 (HTTPS) |
| ▴ Workload VMs to Frame Platform | Public IP address (NAT from private IP address), from perspective of Frame Platform | gateway-external-api.console.nutanix.com; img.frame.nutanix.com; img.console.nutanix.com; prod-kds-5683567dcbd60804cb34.s3.us-east-1.amazonaws.com; prod-sup-5683567dcbd60804cb34.s3.us-east-1.amazonaws.com; downloads.console.nutanix.com; logs-01.loggly.com (for event logging) | tcp/443 (HTTPS); tcp/443 (HTTPS); tcp/443 (HTTPS); tcp/443 (HTTPS); tcp/443 (HTTPS); tcp/443 (HTTPS); tcp/6514 (TLS) |
| ▴ End user to Frame Platform | Public IP address (NAT from private IP address if end user in private network), from perspective of Frame Platform | console.nutanix.com; img.console.nutanix.com; login.console.nutanix.com; logs-01.loggly.com (for event logging) | tcp/443 (HTTPS); tcp/443 (HTTPS); tcp/443 (HTTPS); tcp/6514 (TLS) |
| ▴ Streaming Gateway Appliance (SGA) to Frame Platform | Public IP address (NAT from private IP address), as seen by Frame Platform | cpanel-backend.console.nutanix.com; gateway-external-api.console.nutanix.com | tcp/443 (HTTPS); tcp/443 (HTTPS) |
| ▴ End user to SGA | Public IP address | Customer-defined SGA FQDN | tcp/443 (HTTPS, Secure WebSocket) |
| SGA to Workload VM | Private IP address | Dynamic private IP addresses within VPC/VNET | tcp/443 (HTTPS, Secure WebSocket) |

CCA 2.X GA and CCA 3.0 Release Candidates

| Source to Destination | Source IP Address | Destination FQDN(s) | Protocol: Port |
|---|---|---|---|
| ▴ Cloud Connector Appliance (CCA) to Frame Platform and Workload Cloud Connector Appliance (WCCA) to Frame Platform | Public IP address (NAT from private IP address), as seen by Frame Platform | frame.nutanix.com; cpanel-backend-prod.frame.nutanix.com; gateway-external-api-prod.frame.nutanix.com; ccc-prod.frame.nutanix.com; ccc-bridge-external-prod.frame.nutanix.com (for CCA 2.X); cch.frame.nutanix.com (for CCA 3.0 RC) | tcp/443 (HTTPS); tcp/443 (HTTPS); tcp/443 (HTTPS); tcp/443 (HTTPS); tcp/443 (HTTPS, Secure WebSocket); tcp/443 (HTTPS, Secure WebSocket) |
| Prism Central to Frame Platform | Private IP address | prod-cca-5683567dcbd60804cb34.s3.amazonaws.com | tcp/443 (HTTPS) |
| WCCA to Workload VMs (Sandbox VM, Production VMs) | Private IP address within VLAN | Private IP addresses within VLAN | tcp/8112 (HTTPS) |
| CCA to Prism Central | Private IP address or static private IP address | Prism Central IP address | tcp/443 (HTTPS); tcp/9440 (HTTPS) |
| CCA to Prism Element (on node where profile and personal disks are used) | Private IP address | Prism Element IP address | tcp/443 (HTTPS); tcp/9440 (HTTPS) |
| ▴ Workload VMs to Frame Platform | Public IP address (NAT from private IP address), from perspective of Frame Platform | gateway-external-api-prod.frame.nutanix.com; img.frame.nutanix.com; prod-kds-5683567dcbd60804cb34.s3.us-east-1.amazonaws.com; prod-sup-5683567dcbd60804cb34.s3.us-east-1.amazonaws.com; downloads.console.nutanix.com; logs-01.loggly.com (for event logging) | tcp/443 (HTTPS); tcp/443 (HTTPS); tcp/443 (HTTPS); tcp/443 (HTTPS); tcp/443 (HTTPS); tcp/6514 (TLS) |
| ▴ End user to Frame Platform | Public IP address (NAT from private IP address if end user in private network), from perspective of Frame Platform | frame.nutanix.com; img.frame.nutanix.com; cpanel-backend-prod.frame.nutanix.com; prod-cpa-5683567dcbd60804cb34.s3.us-east-1.amazonaws.com; terminal-prod.frame.nutanix.com; login.frame.nutanix.com (for Frame IdP, if used); logs-01.loggly.com (for event logging) | tcp/443 (HTTPS); tcp/443 (HTTPS); tcp/443 (HTTPS); tcp/443 (HTTPS); tcp/443 (HTTPS); tcp/443 (HTTPS); tcp/6514 (TLS) |
| ▴ End user to SGA | Public IP address | Customer-defined SGA FQDN | tcp/443 (HTTPS, Secure WebSocket) |
| SGA to Workload VM | Private IP address | Private IP address within VPC/VNET | tcp/443 (HTTPS, Secure WebSocket) |

Note

Items with the ▴ symbol identify communication paths that traverse the public-private network boundary.

[Figure: Frame Account on AHV with SGA Networking Topology]