Accessing external resources from the Satellite location

In general, the IBM Cloud Framework for Financial Services does not recommend connecting to hosts on the public internet nor accepting connections from the public internet. When it is necessary to do so, you need to use proper facilities, such as load balancers, public gateways, or proxy servers, that usually would be deployed outside of the Satellite location network.

However, deployment of Satellite hosts requires connection to certain external resources to enable the attachment and assignment processes for the hosts as well as ongoing operation of Satellite control plane and workload clusters. These connections need to be properly configured, monitored, and audited.

External resources for control plane hosts

Control plane hosts require the following non-HTTP connectivity:

Red Hat NTP service (unless configured with local or private NTP pool)
Control plane master connections (TCP ports 30000 - 32767)

The connectivity to the following endpoints must also be allowed, but can be potentially facilitated through an HTTP or HTTPS proxy for flow control and auditing:

Satellite Link tunnel server endpoint
IBM Cloud general APIs and Container services
IAM REST APIs
LaunchDarkly service
Object Storage for etcd backup
Attachment / assignment endpoint
Satellite Config and Link APIs
RHEL container registry
IBM Cloud Container Registry
IBM Cloud monitoring and log analysis

For more information, see host networking requirements.

External resources for workload hosts

Workload hosts require the following non-HTTP connectivity:

Red Hat NTP service (unless configured with local or private NTP pool)

The connectivity to the following endpoints must also be allowed, but can be potentially facilitated through an HTTP or HTTPS proxy for flow control and auditing:

IBM Cloud general APIs and Container services
IAM REST APIs
LaunchDarkly service
Attachment / assignment endpoint
Satellite Config and Link APIs
IBM Cloud Container Registry
RHEL container registry
IBM Cloud monitoring and log analysis

For more information, see more host networking requirements

The following IBM Cloud Framework for Financial Services controls are most related to this guidance. However, in addition to following the guidance here, do your own due diligence to ensure you meet the requirements.

Table 1. Related controls in IBM Cloud Framework for Financial Services
Family	Control
Access Control (AC)	AC-20 Use of External Information Systems
Security Assessment and Authorization (CA)	CA-3 System Interconnections
System and Communications Protection (SC)	SC-5 Denial of Service Protection SC-7 Boundary Protection SC-7(4) Boundary Protection \| External Telecommunications Services SC-7 (5) Boundary Protection \| Deny By Default - Allow By Exception SC-7 (10) Boundary Protection \| Prevent Exfiltration

Next steps

Completing operator actions through a bastion host

Accessing external resources from the Satellite location

External resources for control plane hosts

External resources for workload hosts

Related controls in IBM Cloud Framework for Financial Services

Next steps