seqeralabs · gavinelder · Apr 22, 2025 · May 6, 2025 · May 21, 2025 · May 21, 2025
diff --git a/platform-cloud/cloud-sidebar.json b/platform-cloud/cloud-sidebar.json
@@ -82,7 +82,8 @@
             "label": "Advanced options",
             "items":[
               "enterprise/advanced-topics/manual-aws-batch-setup",
-              "enterprise/advanced-topics/manual-azure-batch-setup"
+              "enterprise/advanced-topics/manual-azure-batch-setup",
+              "enterprise/advanced-topics/firewall-configuration"
             ]
           }
           ]

diff --git a/platform-cloud/docs/enterprise/advanced-topics/firewall-configuration.md b/platform-cloud/docs/enterprise/advanced-topics/firewall-configuration.md
@@ -0,0 +1,71 @@
+---
+title: "Firewall configuration"
+description: Configure your firewall to allow Seqera Cloud access
+date: "12 Apr 2023"
+tags: [firewall, configuration]
+---
+
+Seqera Platform Cloud ([cloud.seqera.io](https://cloud.seqera.io)) may need to connect to resources within your network, e.g., your storage server. To do so, your firewall must be configured to allow certain IPs to reach your resources.
+
+A dynamic list of IPs is kept up-to-date at https://meta.seqera.io.
-A dynamic list of IPs is kept up-to-date at https://meta.seqera.io.
+A dynamic list of IPs is kept up-to-date at https://meta.seqera.io/v3.
-A dynamic list of IPs is kept up-to-date at https://meta.seqera.io.
+A dynamic list of IPs is kept up-to-date at https://meta.seqera.io/v3.
+
+This endpoint returns a JSON object that can be parsed to dynamically adapt your firewall, e.g., in Python with the `requests` package:
+
+```python
+$ python3
+>>> import requests
+>>> requests.get("https://meta.seqera.io").json()
+{
+  "egress": [
+    "18.169.21.18/32",
+    "18.135.7.45/32",
+    "18.171.4.252/32"
+  ],
+  "ingress": [
+    "35.179.197.5/32",
+    "3.11.38.17/32",
+    "18.175.79.222/32"
+  ]
+}
-$ python3
->>> import requests
->>> requests.get("https://meta.seqera.io").json()
-{
-  "egress": [
-    "18.169.21.18/32",
-    "18.135.7.45/32",
-    "18.171.4.252/32"
-  ],
-  "ingress": [
-    "35.179.197.5/32",
-    "3.11.38.17/32",
-    "18.175.79.222/32"
-  ]
-}
+$ python3
+>>> import requests
+>>> requests.get("https://meta.seqera.io").json()
-$ python3
->>> import requests
->>> requests.get("https://meta.seqera.io").json()
-{
-  "egress": [
-    "18.169.21.18/32",
-    "18.135.7.45/32",
-    "18.171.4.252/32"
-  ],
-  "ingress": [
-    "35.179.197.5/32",
-    "3.11.38.17/32",
-    "18.175.79.222/32"
-  ]
-}
+$ python3
+>>> import requests
+>>> requests.get("https://meta.seqera.io").json()
+```
+
+### DNS allowlist
+
+In order for you to access resources such as Fusion tarballs, `nf-xpack` files, Wave cloud containers and other services provided by Seqera, you'll need to add `*.seqera.io.cdn.cloudflare.net` to the allowlist in your network firewall. If DNS wildcards aren't supported by your firewall, you can use the following:
+
+- `cloud.seqera.io`
+- `api.cloud.seqera.io`
+- `user-data.cloud.seqera.io`
+- `tower.nf`
+- `api.tower.nf`
+- `connect.cloud.seqera.io` and its subdomains `*.connect.cloud.seqera.io`
+- `hub.seqera.io`
+- `intern.seqera.io`
+- `wave.seqera.io`
+- `community.wave.seqera.io`
+- `cerbero.seqera.io`
+- `public.cr.seqera.io`
+- `auth.cr.seqera.io`
+- `cr.seqera.io`
+- `licenses.seqera.io`
+- `api.multiqc.info`
+- `fusionfs.seqera.io`
+- `nf-xpack.seqera.io`
+- `community-cr-prod.seqera.io`
+- `fusionfs.seqera.io`
+- `nf-xpack.seqera.io`
+- `public-cr-prod.seqera.io`
+- `wave-cache-prod-cloudflare.seqera.io`
+- `fusionfs.seqera.io.cdn.cloudflare.net`
+- `nf-xpack.seqera.io.cdn.cloudflare.net`
+- `community-cr-prod.seqera.io.cdn.cloudflare.net`
+- `fusionfs.seqera.io.cdn.cloudflare.net`
+- `nf-xpack.seqera.io.cdn.cloudflare.net`
+- `public-cr-prod.seqera.io.cdn.cloudflare.net`
+- `wave-cache-prod-cloudflare.seqera.io.cdn.cloudflare.net`
+
+If you choose to filter by specific DNS records, please note that new services may be added in the future.
+
+:::note
+If your allowlist is based on IP addresses, allow all of the following IP addresses: https://www.cloudflare.com/ips/.
+:::
diff --git a/...m-enterprise_versioned_docs/version-25.1/enterprise/configuration/networking.md b/...m-enterprise_versioned_docs/version-25.1/enterprise/configuration/networking.md
@@ -5,6 +5,37 @@ date: "21 Apr 2023"
 tags: [networking, configuration]
 ---
 
+To self-host your installation of Seqera Platform Enterprise, a number of inbound and outbound connections must be allowed within and external to your environment. This page details the ingress and egress networking considerations required for your Seqera Enterprise deployment. 
-To self-host your installation of Seqera Platform Enterprise, a number of inbound and outbound connections must be allowed within and external to your environment. This page details the ingress and egress networking considerations required for your Seqera Enterprise deployment. 
+To self-host your installation of Seqera Platform Enterprise, a number of inbound and outbound connections must be allowed on your firewall. This page details the ingress and egress networking considerations required for your Seqera Enterprise deployment. 
-To self-host your installation of Seqera Platform Enterprise, a number of inbound and outbound connections must be allowed within and external to your environment. This page details the ingress and egress networking considerations required for your Seqera Enterprise deployment. 
+To self-host your installation of Seqera Platform Enterprise, a number of inbound and outbound connections must be allowed on your firewall. This page details the ingress and egress networking considerations required for your Seqera Enterprise deployment. 
+
+## Firewall configuration
+
+Your Seqera Enterprise must be allowed to communicate with licences.seqera.io on port 443. The IP addresses for this service are:
+- 35.179.197.5/32
+- 18.175.79.222/32
+- 3.11.38.17/32
+
+### Fusion and other Enterprise plugins
+
+[Fusion file system](../../supported_software/fusion/overview.md) and other Seqera Enterprise plugins have built-in licence checking built-in. As such, you must also allow network traffic from the your Seqera compute environment executing Nextflow jobs. 
-[Fusion file system](../../supported_software/fusion/overview.md) and other Seqera Enterprise plugins have built-in licence checking built-in. As such, you must also allow network traffic from the your Seqera compute environment executing Nextflow jobs. 
+[Fusion file system](../../supported_software/fusion/overview.md) and other Seqera Enterprise plugins have built-in license checking. As such, you must also allow network traffic from your Seqera compute environment executing Nextflow jobs. 
-[Fusion file system](../../supported_software/fusion/overview.md) and other Seqera Enterprise plugins have built-in licence checking built-in. As such, you must also allow network traffic from the your Seqera compute environment executing Nextflow jobs. 
+[Fusion file system](../../supported_software/fusion/overview.md) and other Seqera Enterprise plugins have built-in license checking. As such, you must also allow network traffic from your Seqera compute environment executing Nextflow jobs. 
+
+### Studios
+
+See [Studios deployment](../studios.md) for details on the Seqera-hosted URLs, and internal subdomains of your Platform instance host domain, that must be allowed for ingress and egress traffic. 
-See [Studios deployment](../studios.md) for details on the Seqera-hosted URLs, and internal subdomains of your Platform instance host domain, that must be allowed for ingress and egress traffic. 
+See [Studios deployment](../studios.md) for details on the Seqera-hosted URLs and internal subdomains of your Platform instance host domain, which must be allowed for ingress and egress traffic. 
-See [Studios deployment](../studios.md) for details on the Seqera-hosted URLs, and internal subdomains of your Platform instance host domain, that must be allowed for ingress and egress traffic. 
+See [Studios deployment](../studios.md) for details on the Seqera-hosted URLs and internal subdomains of your Platform instance host domain, which must be allowed for ingress and egress traffic. 
+
+### Wave
+
+To use Seqera Cloud-hosted [Wave](https://docs.seqera.io/wave) with the Mirror or Freeze functionality, which requires Wave to store built containers within your container registry, you must to ensure that the wave-build VPC is allowed to push to your container registry. For most cloud providers, this requires additional configuration to lock down, but is generally allowed by default.
-To use Seqera Cloud-hosted [Wave](https://docs.seqera.io/wave) with the Mirror or Freeze functionality, which requires Wave to store built containers within your container registry, you must to ensure that the wave-build VPC is allowed to push to your container registry. For most cloud providers, this requires additional configuration to lock down, but is generally allowed by default.
+To use Seqera Cloud-hosted [Wave](https://docs.seqera.io/wave) with the Mirror or Freeze functionality, which requires Wave to store built containers within your container registry, you must ensure that the wave-build VPC is allowed to push to your container registry. For most cloud providers, this is generally permitted by default; you may contact your network administrators to verify whether additional firewall rules have been defined.
-To use Seqera Cloud-hosted [Wave](https://docs.seqera.io/wave) with the Mirror or Freeze functionality, which requires Wave to store built containers within your container registry, you must to ensure that the wave-build VPC is allowed to push to your container registry. For most cloud providers, this requires additional configuration to lock down, but is generally allowed by default.
+To use Seqera Cloud-hosted [Wave](https://docs.seqera.io/wave) with the Mirror or Freeze functionality, which requires Wave to store built containers within your container registry, you must ensure that the wave-build VPC is allowed to push to your container registry. For most cloud providers, this is generally permitted by default; you may contact your network administrators to verify whether additional firewall rules have been defined.
+
+Ensure your Enterprise instance can communicate with the following Seqera-hosted Wave service IP addresses on port 443:
+
+- 18.135.7.45/32
+- 18.169.21.18/32
+- 18.171.4.252/32
+
+### Restricting outbound traffic
+
+To restrict outbound traffic from your Enterprise installation, you must allow access to Seqera assets hosted on Cloudflare, Nextflow assets hosted on Github artifacts, and any code hosting solutions or third party dependancies you require, such as Github, Gitlab, or Artifactory.
-To restrict outbound traffic from your Enterprise installation, you must allow access to Seqera assets hosted on Cloudflare, Nextflow assets hosted on Github artifacts, and any code hosting solutions or third party dependancies you require, such as Github, Gitlab, or Artifactory.
+To restrict outbound traffic from your Enterprise installation, you must allow access to Seqera assets hosted on Cloudflare, Nextflow assets hosted on GitHub artifacts, and any code hosting solutions or third-party dependencies you require, such as GitHub, GitLab, or Artifactory.
-To restrict outbound traffic from your Enterprise installation, you must allow access to Seqera assets hosted on Cloudflare, Nextflow assets hosted on Github artifacts, and any code hosting solutions or third party dependancies you require, such as Github, Gitlab, or Artifactory.
+To restrict outbound traffic from your Enterprise installation, you must allow access to Seqera assets hosted on Cloudflare, Nextflow assets hosted on GitHub artifacts, and any code hosting solutions or third-party dependencies you require, such as GitHub, GitLab, or Artifactory.
+
 ## HTTP proxy environment variables
 
 :::caution