Endpoints
Information about endpoints that Apheris Gateways communicate with.
The connection to all endpoints is via TLS / HTTPS (TCP port 443).
Note: All Apheris Gateways only require egress communication; they never allow ingress in any form!
Orchestrator Endpoints
The following endpoints must be accessible to the Apheris Gateway pods at runtime to ensure proper communication with our Compute Orchestrator.
| Name | URL | Description |
|---|---|---|
| Auth0 | apheris-ai-prod.eu.auth0.com | Apheris authentication endpoint |
| Backend API | api.<subdomain>.apheris.net | Apheris backend endpoint (used by computations, CLI and Apheris website) |
| NVFlare | *.nv.<subdomain>.apheris.net | Apheris NVFlare endpoints (used by NVFlare clients) |
| Orchestrator | orchestrator.<subdomain>.apheris.net | Apheris Orchestrator endpoint (used by the Gateway agent) |
| Quay | quay.io | Apheris Container Registry |
Gateway Installer
Our Gateway Installer downloads and deploys several components at installation time.
It needs to be able to reach the Orchestrator Endpoints above at runtime and, in addition, the following domains (egress only) at installation time:
| Name | URLs | Description |
|---|---|---|
| AWS ECR | public.ecr.aws | Open Policy Agent Gatekeeper |
| AWS S3 | amazonaws.com | Public tutorial datasets |
| Cilium | cilium.io | Cilium Helm chart |
| DockerHub | cloudfront.net, docker.com, docker.io | Docker Hub |
| GitHub | github.com, github.io, githubusercontent.com | GitHub |
| Helm | helm.sh | Helm binary |
| k3s | k3s.io | K3s installer |
AWS EKS Gateways
For Gateways deployed with the Apheris EKS reference setup, in addition to the Orchestrator Endpoints above, the following endpoints must be accessible to different components of the EKS cluster and Kubernetes services at various points in time:
| Name | URL | Description |
|---|---|---|
| Cloudwatch | logs.<region>.amazonaws.com | In case EKS audit logs are enabled |
| EC2 | ec2.<region>.amazonaws.com | So Kubernetes nodes can join the cluster |
| ECR | api.ecr.<region>.amazonaws.com | Access to private ECR images |
| Private ECR (EKS specific) | <account>.dkr.ecr.<region>.amazonaws.com | EKS images (CNI, CoreDNS, EBS, Kube-Proxy) |
| Public ECR | public.ecr.aws | Karpenter |
| S3 | <bucket>.s3.<region>.amazonaws.com | Access to S3 objects (data) |
| SSM | ssm.<region>.amazonaws.com | Required by Karpenter autoscaler |
| STS | sts.<region>.amazonaws.com | IAM roles assumed by Kubernetes service accounts |
The AWS endpoints are public and should be reachable using a NAT Gateway from private subnets.
However, these AWS endpoints can also be reached internally by enabling VPC Endpoints for each of the above services. The Apheris reference setup creates VPC Endpoints for S3 and ECR by default.
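The following script is an added example (not part of the Apheris documentation or installer) that fills in the placeholders from the Orchestrator and EKS tables above and verifies, from inside the Gateway network, that each runtime endpoint is reachable over TLS on port 443 with a certificate the system trusts; the subdomain, region, account and bucket values are constructed placeholders, and the wildcard NVFlare entry is reported as skipped because a wildcard cannot be probed directly.

```python
import socket
import ssl
# Endpoint templates from the tables above; <name> placeholders are filled in by expand_endpoints().
ORCHESTRATOR_ENDPOINTS = [
    "apheris-ai-prod.eu.auth0.com",
    "api.<subdomain>.apheris.net",
    "*.nv.<subdomain>.apheris.net",  # wildcard: cannot be probed directly
    "orchestrator.<subdomain>.apheris.net",
    "quay.io",
]
EKS_ENDPOINTS = [
    "logs.<region>.amazonaws.com",
    "ec2.<region>.amazonaws.com",
    "api.ecr.<region>.amazonaws.com",
    "<account>.dkr.ecr.<region>.amazonaws.com",
    "public.ecr.aws",
    "<bucket>.s3.<region>.amazonaws.com",
    "ssm.<region>.amazonaws.com",
    "sts.<region>.amazonaws.com",
]

def expand_endpoints(templates, **values):
    """Substitute <name> placeholders; a placeholder with no value is kept as-is."""
    hosts = []
    for tmpl in templates:
        for key, val in values.items():
            tmpl = tmpl.replace(f"<{key}>", val)
        hosts.append(tmpl)
    return hosts

def check_tls(host, port=443, timeout=5.0):
    """Open a verified TLS session to host:port and return (host, status). 'ok' means the
    egress path is open and no intercepting proxy presented an untrusted certificate."""
    if host.startswith("*."):
        return host, "skipped (wildcard; probe a concrete NVFlare host instead)"
    ctx = ssl.create_default_context()  # verifies chain and hostname by default
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=host):
                pass  # handshake completed, certificate verified
        return host, "ok"
    except OSError as exc:  # covers DNS, timeout, refused and ssl.SSLError
        return host, f"failed: {exc}"

if __name__ == "__main__":
    # Constructed sample values, not a real deployment.
    hosts = expand_endpoints(ORCHESTRATOR_ENDPOINTS + EKS_ENDPOINTS, subdomain="example",
                             region="eu-central-1", account="123456789012", bucket="my-bucket")
    for host, status in map(check_tls, hosts):
        print(f"{host:55} {status}")
```

Run it from a Gateway node or pod; a "failed" line points at a missing egress rule, DNS problem or TLS-intercepting proxy for that endpoint, and the Gateway Installer domains can be checked the same way by passing them to check_tls.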