Communication requirements
Traffic and communication requirements of CAST AI.
Network communication requirements
This guide explains the network requirements for Cast AI components to communicate with our services.
Required endpoints
Core services
All Cast AI components must be able to reach these endpoints:
US region
- api.cast.ai:443
- grpc.cast.ai:443 (Pod pinner only)
- api-grpc.cast.ai:443 (Kvisor security agent)
EU region
- api.eu.cast.ai:443
- grpc.eu.cast.ai:443 (Pod pinner only)
- api-grpc.eu.cast.ai:443 (Kvisor security agent)
Supporting services
Cast AI also requires access to these endpoints:
- Container registry: us-docker.pkg.dev/castai-hub:443
- Helm charts:
  - castai.github.io:443
  - objects.githubusercontent.com:443
- Node binaries: storage.googleapis.com/castai-node-components/
- Node logs: storage.googleapis.com/castai-node-logs-sender/
Network configuration
IP allowlisting
If DNS allowlisting is not possible in your network infrastructure (firewall, NAT, Security Group, etc.), you can allowlist these IPs:
104.16.81.56
104.16.82.56
Cast AI components call these IP addresses to deliver information to the Cast AI SaaS.
Proxy configuration
To use Cast AI components behind a proxy, add these environment variables to your deployments:
env:
  - name: HTTP_PROXY
    value: "http://<proxy-address>:<port>"
  - name: HTTPS_PROXY
    value: "https://<proxy-address>:<port>"
  - name: NO_PROXY
    value: "localhost,<pod-cidr>,<svc-cidr>,*.cluster.local,googleapis.com,metadata.google.internal"
Example manifest for the castai-agent deployment on a GKE cluster:
containers:
  - env:
      - name: API_URL
        value: api.cast.ai
      - name: PROVIDER
        value: gke
      - name: MONITOR_METADATA
        value: /agent-metadata/metadata
      - name: PPROF_PORT
        value: "6060"
      - name: HTTP_PROXY
        value: "http://<proxy-address>:<port>"
      - name: HTTPS_PROXY
        value: "https://<proxy-address>:<port>"
      - name: NO_PROXY
        value: "localhost,<pod-cidr>,<svc-cidr>,*.cluster.local,googleapis.com,metadata.google.internal"
    envFrom:
      - secretRef:
          name: castai-agent
    image: us-docker.pkg.dev/castai-hub/library/agent:v0.48.1
Note: Configure NO_PROXY to match your environment to prevent internal Kubernetes traffic from being sent to the external proxy.
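To see which destinations the NO_PROXY value above sends around the proxy, the following added example (not Cast AI's own code) asks Go's net/http for its routing decision on several of the page's endpoints. It assumes the client follows Go's standard proxy environment handling; the proxy host and both CIDRs are constructed placeholders.

```go
package main

import (
	"fmt"
	"net/http"
	"os"
)

// Constructed sample values: the proxy host and both CIDRs are placeholders
// standing in for <proxy-address>:<port>, <pod-cidr> and <svc-cidr>.
const (
	sampleProxy   = "https://proxy.example.internal:3128"
	sampleNoProxy = "localhost,10.0.0.0/14,10.4.0.0/20,*.cluster.local," +
		"googleapis.com,metadata.google.internal"
)

// net/http reads the proxy variables once per process, so set them first.
func init() {
	os.Setenv("HTTPS_PROXY", sampleProxy)
	os.Setenv("NO_PROXY", sampleNoProxy)
}

// egressPath reports "direct" when NO_PROXY exempts the URL, otherwise the
// host:port of the proxy that Go's standard client would use.
func egressPath(rawURL string) (string, error) {
	req, err := http.NewRequest(http.MethodGet, rawURL, nil)
	if err != nil {
		return "", err
	}
	proxy, err := http.ProxyFromEnvironment(req)
	if err != nil {
		return "", err
	}
	if proxy == nil {
		return "direct", nil
	}
	return proxy.Host, nil
}

func main() {
	for _, u := range []string{
		"https://api.cast.ai", "https://grpc.cast.ai",
		"https://storage.googleapis.com/castai-node-components/",
		"https://kubernetes.default.svc.cluster.local",
		"https://10.4.0.1", "https://10.8.0.1",
	} {
		path, err := egressPath(u)
		fmt.Printf("%-55s %s (err=%v)\n", u, path, err)
	}
}
```

With this NO_PROXY value, everything under googleapis.com leaves without passing the proxy, so the firewall has to allow that path directly, while the api and grpc endpoints are reached through the proxy.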
GKE with Istio requirements
When using Istio on GKE, configure your cluster with:
- Port 15017 in firewall_inbound_ports
- add_master_webhook_firewall_rules set to true
Example Terraform configuration:
add_master_webhook_firewall_rules = true
firewall_inbound_ports = ["15017"]