Communication requirements

Traffic and communication requirements of Cast AI.

This guide explains the network requirements for Cast AI components to communicate with our services.

Required endpoints

Core services

All Cast AI components must be able to reach these endpoints:

US region

  • api.cast.ai:443
  • grpc.cast.ai:443 (Pod pinner only)
  • kvisor.prod-master.cast.ai:443 (Kvisor security agent)

EU region

  • api.eu.cast.ai:443
  • grpc.eu.cast.ai:443 (Pod pinner only)
  • kvisor.prod-eu.cast.ai:443 (Kvisor security agent)

Supporting services

Cast AI also requires access to these endpoints:

  • Container registry: us-docker.pkg.dev/castai-hub:443
  • Helm charts:
    • castai.github.io:443
    • objects.githubusercontent.com:443
  • Node binaries: storage.googleapis.com/castai-node-components/
  • Node logs: storage.googleapis.com/castai-node-logs-sender/

Port requirements

Webhook ports

Some Cast AI components operate as admission webhooks and require the Kubernetes API server to reach them on specific ports:

These ports must be accessible from the Kubernetes control plane to the Cast AI pods for webhook functionality to work properly.

Network configuration

IP allowlisting

If DNS allowlisting is not possible in your network infrastructure (firewall, NAT, Security Group, etc.), you can allowlist these IPs:

104.16.81.56
104.16.82.56

Cast AI components call these IP addresses to deliver information to the Cast AI SaaS.

Proxy configuration

To use Cast AI components behind a proxy, add these environment variables to your deployments:

env:
- name: HTTP_PROXY
  value: "http://<proxy-address>:<port>"
- name: HTTPS_PROXY
  value: "https://<proxy-address>:<port>"
- name: NO_PROXY
  value: "localhost,<pod-cidr>,<svc-cidr>,*.cluster.local,googleapis.com,metadata.google.internal"

Example manifest for the castai-agent deployment on a GKE cluster:

containers:
- env:
  - name: API_URL
    value: api.cast.ai
  - name: PROVIDER
    value: gke
  - name: MONITOR_METADATA
    value: /agent-metadata/metadata
  - name: PPROF_PORT
    value: "6060"
  - name: HTTP_PROXY
    value: "http://<proxy-address>:<port>"
  - name: HTTPS_PROXY
    value: "https://<proxy-address>:<port>"
  - name: NO_PROXY
    value: "localhost,<pod-cidr>,<svc-cidr>,*.cluster.local,googleapis.com,metadata.google.internal"
  envFrom:
  - secretRef:
      name: castai-agent
  image: us-docker.pkg.dev/castai-hub/library/agent:v0.48.1

Note: Configure NO_PROXY to match your environment to prevent internal Kubernetes traffic from being sent to the external proxy.
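The following is an added example, not Cast AI's own code. It checks which destinations a NO_PROXY value like the one above sends through the proxy, using Go's standard http.ProxyFromEnvironment. It assumes the components follow Go's standard environment proxy handling; the proxy address, the pod and service CIDRs, and the names Route, proxyURL and noProxy are constructed for illustration.

```go
package main

import (
	"fmt"
	"net/http"
	"os"
)

// Constructed sample values: substitute your proxy and cluster CIDRs.
const (
	proxyURL = "http://proxy.example.internal:3128"
	noProxy  = "localhost,10.0.0.0/14,10.4.0.0/20,*.cluster.local,googleapis.com,metadata.google.internal"
)

// The environment is read once per process, so set it before the first lookup.
func init() {
	os.Setenv("HTTP_PROXY", proxyURL)
	os.Setenv("HTTPS_PROXY", proxyURL)
	os.Setenv("NO_PROXY", noProxy)
}

// Route reports "direct" or "proxy" for rawURL under the environment settings.
func Route(rawURL string) (string, error) {
	req, err := http.NewRequest(http.MethodGet, rawURL, nil)
	if err != nil {
		return "", err
	}
	u, err := http.ProxyFromEnvironment(req)
	if err != nil {
		return "", err
	}
	if u == nil {
		return "direct", nil
	}
	return "proxy", nil
}

func main() {
	for _, target := range []string{
		"https://api.cast.ai",                                    // proxy
		"https://storage.googleapis.com/castai-node-components/", // direct: matches googleapis.com
		"https://10.4.0.1",                                       // direct: inside the service CIDR
		"https://kubernetes.default.svc.cluster.local",           // direct: matches *.cluster.local
		"https://kubernetes.default.svc",                         // proxy: short name matches no entry
	} {
		route, err := Route(target)
		fmt.Println(target, "->", route, err)
	}
}
```

With googleapis.com in NO_PROXY, the storage.googleapis.com endpoints listed under Supporting services bypass the proxy, so nodes need direct egress to them.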

GKE with Istio requirements

When using Istio on GKE, configure your cluster with:

  • Port 15017 in firewall_inbound_ports
  • add_master_webhook_firewall_rules set to true

Example Terraform configuration:

add_master_webhook_firewall_rules = true
firewall_inbound_ports            = ["15017"]