Communication requirements
Traffic and communication requirements of Cast AI.
This guide explains the network requirements for Cast AI components to communicate with our services.
Required endpoints
Core services
All Cast AI components must be able to reach these endpoints:
US region
- api.cast.ai:443
- grpc.cast.ai:443 (Pod pinner only)
- kvisor.prod-master.cast.ai:443 (Kvisor security agent)
EU region
- api.eu.cast.ai:443
- grpc.eu.cast.ai:443 (Pod pinner only)
- kvisor.prod-eu.cast.ai:443 (Kvisor security agent)
Supporting services
Cast AI also requires access to these endpoints:
- Container registry: us-docker.pkg.dev/castai-hub:443
- Helm charts: castai.github.io:443, objects.githubusercontent.com:443
- Node binaries: storage.googleapis.com/castai-node-components/
- Node logs: storage.googleapis.com/castai-node-logs-sender/
Port requirements
Webhook ports
Some Cast AI components operate as admission webhooks and require the Kubernetes API server to reach them on specific ports:
- Workload Autoscaler: port 9443. For guidance on troubleshooting Workload Autoscaler connectivity, see Workload Autoscaler Troubleshooting.
For webhook functionality to work properly, these ports must be accessible from the Kubernetes control plane to the Cast AI pods.
Node startup logs upload
During node initialization, Cast AI uploads startup logs to assist with troubleshooting and cluster setup. This process uses a scoped-down, temporary API key with the following characteristics:
- Scope: The API key provides read-only access and is restricted to log ingestion only
- Lifecycle: A unique key is generated per node and is automatically deleted when the node is terminated
- Usage: Used for up to 1 hour after the initialization AddNode operation to send logs to storage.googleapis.com/castai-node-logs-sender/
- Expiration: The API key automatically expires 1 hour after creation (node add operation initiation)
- Security: The API key is not reused across nodes and does not grant access to other API functionalities
The API key appears in EC2 User Data during node startup, but it cannot be used in any other way or for any other purpose.
Network configuration
IP allowlisting
If DNS allowlisting is not possible in your network infrastructure (firewall, NAT, Security Group, etc.), you can allowlist these IPs:
104.16.81.56
104.16.82.56
Cast AI components call these IP addresses to deliver information to the Cast AI SaaS.
Proxy configuration
To use Cast AI components behind a proxy, add these environment variables to your deployments:
env:
  - name: HTTP_PROXY
    value: "http://<proxy-address>:<port>"
  - name: HTTPS_PROXY
    value: "https://<proxy-address>:<port>"
  - name: NO_PROXY
    value: "localhost,<pod-cidr>,<svc-cidr>,*.cluster.local,googleapis.com,metadata.google.internal"

Example manifest for the castai-agent deployment on a GKE cluster:
containers:
  - env:
      - name: API_URL
        value: api.cast.ai
      - name: PROVIDER
        value: gke
      - name: MONITOR_METADATA
        value: /agent-metadata/metadata
      - name: PPROF_PORT
        value: "6060"
      - name: HTTP_PROXY
        value: "http://<proxy-address>:<port>"
      - name: HTTPS_PROXY
        value: "https://<proxy-address>:<port>"
      - name: NO_PROXY
        value: "localhost,<pod-cidr>,<svc-cidr>,*.cluster.local,googleapis.com,metadata.google.internal"
    envFrom:
      - secretRef:
          name: castai-agent
    image: us-docker.pkg.dev/castai-hub/library/agent:v0.48.1
Note: Configure NO_PROXY to match your environment to prevent internal Kubernetes traffic from being sent to the external proxy.
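To check a NO_PROXY value before rolling it out, the following added example (not part of this page or of Cast AI's own tooling) classifies request URLs as "direct" or "via proxy". It assumes the agent applies the NO_PROXY semantics of Go's net/http proxy support (CIDR entries match IP-literal hosts only, a bare domain matches itself and its subdomains, and a leading "*." or "." form matches subdomains only); the pod and service CIDRs filled in for the placeholders are constructed sample values.

```python
import ipaddress
from urllib.parse import urlsplit

# Constructed sample: the NO_PROXY value from this page with the <pod-cidr>
# and <svc-cidr> placeholders filled in for a hypothetical GKE cluster.
NO_PROXY = ("localhost,10.8.0.0/14,10.12.0.0/20,*.cluster.local,"
            "googleapis.com,metadata.google.internal")


def parse_no_proxy(value):
    """Split NO_PROXY into CIDR networks and domain-suffix rules.

    Domain rules follow Go's net/http proxy semantics (an assumption about the
    agent): "example.com" matches the host and all subdomains, while
    ".example.com" and "*.example.com" match subdomains only.
    """
    cidrs, domains = [], []
    for entry in value.split(","):
        entry = entry.strip().lower()
        if not entry:
            continue
        try:  # plain IPs become /32 (or /128) networks
            cidrs.append(ipaddress.ip_network(entry, strict=False))
            continue
        except ValueError:
            pass
        if entry.startswith("*."):
            entry = entry[1:]
        match_exact = not entry.startswith(".")
        suffix = entry if entry.startswith(".") else "." + entry
        domains.append((suffix, match_exact))
    return cidrs, domains


def bypasses_proxy(url, no_proxy=NO_PROXY):
    """True if a request to url goes direct, False if it is sent to the proxy."""
    host = urlsplit(url).hostname  # lower-cased, port and brackets stripped
    if host is None:
        raise ValueError(f"no host in {url!r}")
    cidrs, domains = parse_no_proxy(no_proxy)
    try:
        ip = ipaddress.ip_address(host)
        return any(ip in net for net in cidrs)
    except ValueError:
        pass  # hostname, not an IP literal; DNS is deliberately not consulted
    return any(host.endswith(suffix) or (exact and host == suffix[1:])
               for suffix, exact in domains)
```

Run it against the endpoints from this page and against your in-cluster service names: api.cast.ai should report "via proxy", while storage.googleapis.com, metadata.google.internal and anything under .cluster.local should report "direct".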
GKE with Istio requirements
When using Istio on GKE, configure your cluster with:
- Port 15017 in firewall_inbound_ports
- add_master_webhook_firewall_rules set to true
Example Terraform configuration:
add_master_webhook_firewall_rules = true
firewall_inbound_ports = ["15017"]
