Communication requirements

Traffic and communication requirements of CAST AI.

Network communication requirements

This guide explains the network requirements for Cast AI components to communicate with our services.

Required endpoints

Core services

All Cast AI components must be able to reach these endpoints:

US region

  • api.cast.ai:443
  • grpc.cast.ai:443 (Pod pinner only)
  • api-grpc.cast.ai:443 (Kvisor security agent)

EU region

  • api.eu.cast.ai:443
  • grpc.eu.cast.ai:443 (Pod pinner only)
  • api-grpc.eu.cast.ai:443 (Kvisor security agent)

Supporting services

Cast AI also requires access to these endpoints:

  • Container registry: us-docker.pkg.dev/castai-hub:443
  • Helm charts:
    • castai.github.io:443
    • objects.githubusercontent.com:443
  • Node binaries: storage.googleapis.com/castai-node-components/
  • Node logs: storage.googleapis.com/castai-node-logs-sender/

Network configuration

IP allowlisting

If DNS allowlisting is not possible in your network infrastructure (firewall, NAT, Security Group, etc.), you can allowlist these IPs:

104.16.81.56
104.16.82.56

Cast AI components call these IP addresses to deliver information to the Cast AI SaaS.

Proxy configuration

To use Cast AI components behind a proxy, add these environment variables to your deployments:

env:
- name: HTTP_PROXY
  value: "http://<proxy-address>:<port>"
- name: HTTPS_PROXY
  value: "https://<proxy-address>:<port>"
- name: NO_PROXY
  value: "localhost,<pod-cidr>,<svc-cidr>,*.cluster.local,googleapis.com,metadata.google.internal"

Example manifest for the castai-agent deployment on a GKE cluster:

containers:
- env:
  - name: API_URL
    value: api.cast.ai
  - name: PROVIDER
    value: gke
  - name: MONITOR_METADATA
    value: /agent-metadata/metadata
  - name: PPROF_PORT
    value: "6060"
  - name: HTTP_PROXY
    value: "http://<proxy-address>:<port>"
  - name: HTTPS_PROXY
    value: "https://<proxy-address>:<port>"
  - name: NO_PROXY
    value: "localhost,<pod-cidr>,<svc-cidr>,*.cluster.local,googleapis.com,metadata.google.internal"
  envFrom:
  - secretRef:
      name: castai-agent
  image: us-docker.pkg.dev/castai-hub/library/agent:v0.48.1

📘

Note

Configure NO_PROXY to match your environment to prevent internal Kubernetes traffic from being sent to the external proxy.

GKE with Istio requirements

When using Istio on GKE, configure your cluster with:

  • Port 15017 in firewall_inbound_ports
  • add_master_webhook_firewall_rules set to true

Example Terraform configuration:

add_master_webhook_firewall_rules = true
firewall_inbound_ports            = ["15017"]