Allowlisting FQDNs rather than IP addresses
To ensure continuous connectivity to Venafi Cloud services, it is crucial to allowlist domain names instead of specific IP addresses. Venafi Cloud services leverage AWS cloud-first best practices, resulting in endpoints that maintain a static fully qualified domain name (FQDN) while having dynamically assigned IP addresses. These IP addresses are rotated by AWS and can change frequently.
Why allowlisting domains is important
Allowlisting specific IP addresses for Venafi Cloud services is not reliable because IP assignment in the cloud is dynamic. The addresses returned by an nslookup command for a Venafi Cloud domain are only a snapshot of what the name resolves to at that moment; if you put those addresses into a firewall rule, the connection will eventually fail when AWS rotates them.
Instead, allowlist the FQDNs. A rule that matches on the domain name stays effective even as the underlying IP addresses change, which gives you continuous and reliable access to Venafi Cloud services. Note that most firewalls implement FQDN rules by resolving the name themselves and refreshing the result as DNS TTLs expire; for the rule to cover the same addresses your clients connect to, the firewall should use the same DNS resolvers as those clients.
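The following script is an added example, not Venafi's own code, that shows the failure mode described above and the check a practitioner can run against an existing firewall: it compares the IP addresses frozen into a static rule with what the FQDN resolves to now, and contrasts a static IP rule with an FQDN rule that resolves at evaluation time. The hostname and the two DNS snapshots are constructed placeholders (documentation address ranges), not real Venafi records; substitute the FQDNs from the Venafi allowlisting topics when running it live.

```python
"""Audit a static IP allowlist against what an FQDN currently resolves to.

Added example, not Venafi code. `cloud.example.invalid` is a placeholder
assumption; replace it with a real Venafi Cloud FQDN for a live check.
"""
import socket
from dataclasses import dataclass, field
from typing import Callable


@dataclass
class AllowlistAudit:
    fqdn: str
    stale: set[str] = field(default_factory=set)        # allowlisted, no longer resolved
    uncovered: set[str] = field(default_factory=set)    # resolved now, but not allowlisted
    still_valid: set[str] = field(default_factory=set)  # allowlisted and still resolved

    @property
    def will_fail(self) -> bool:
        # DNS can hand a client any currently resolved address; traffic to an
        # uncovered one is dropped by the firewall, so connections will fail.
        return bool(self.uncovered)


def resolve_now(fqdn: str) -> set[str]:
    """Live lookup of every A/AAAA record, roughly what `nslookup <fqdn>` shows today."""
    infos = socket.getaddrinfo(fqdn, 443, proto=socket.IPPROTO_TCP)
    return {info[4][0] for info in infos}


def audit_allowlist(fqdn: str, allowlisted_ips: set[str], resolved_ips: set[str]) -> AllowlistAudit:
    """Compare the IPs captured in a firewall rule with what DNS answers right now."""
    return AllowlistAudit(
        fqdn=fqdn,
        stale=allowlisted_ips - resolved_ips,
        uncovered=resolved_ips - allowlisted_ips,
        still_valid=allowlisted_ips & resolved_ips,
    )


def static_rule_allows(allowlisted_ips: set[str], dest_ip: str) -> bool:
    """A rule written from a one-time nslookup: matches only the captured addresses."""
    return dest_ip in allowlisted_ips


def fqdn_rule_allows(fqdn: str, dest_ip: str,
                     resolver: Callable[[str], set[str]] = resolve_now) -> bool:
    """An FQDN rule: the firewall resolves the name at evaluation time, so it follows rotation."""
    return dest_ip in resolver(fqdn)


# Constructed snapshots standing in for two nslookup runs some days apart (not real records).
SNAPSHOT_DAY0 = {"203.0.113.10", "203.0.113.11"}   # what nslookup showed when the rule was written
SNAPSHOT_DAYN = {"203.0.113.11", "198.51.100.7"}   # what DNS answers after AWS rotated one address

PLACEHOLDER_FQDN = "cloud.example.invalid"  # assumption: stand-in for a real Venafi Cloud FQDN


def demo() -> AllowlistAudit:
    """Audit a rule built from the day-0 snapshot against the day-N answers."""
    return audit_allowlist(PLACEHOLDER_FQDN, SNAPSHOT_DAY0, SNAPSHOT_DAYN)


if __name__ == "__main__":
    import sys
    if len(sys.argv) > 2:
        # Usage: python audit.py <fqdn> <ip> [<ip> ...]  -- live check of a real rule
        audit = audit_allowlist(sys.argv[1], set(sys.argv[2:]), resolve_now(sys.argv[1]))
    else:
        audit = demo()
    print(f"{audit.fqdn}: stale={sorted(audit.stale)} uncovered={sorted(audit.uncovered)} "
          f"still_valid={sorted(audit.still_valid)} will_fail={audit.will_fail}")
```

Run with no arguments to see the constructed scenario (one address rotated out, one rotated in, so the static rule is already failing); pass a real FQDN followed by the IPs in your current rule to audit it live. The audit only tells you the rule is stale today; because the firewall cannot know when the next rotation happens, the fix is to replace the IP entries with an FQDN rule rather than to refresh the list.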
VSatellite domains to allowlist
For a complete list of domains to allowlist, refer to the following topics:
WARNING!
Allowlisting IP addresses instead of domains for cloud services hosted in this manner will eventually result in a connection failure. It is not a question of if but when the failure occurs.
For any questions or further assistance, please contact Venafi Support.