Network Requirements
If your environment uses a restrictive firewall or proxy, you need to allowlist the Portal SaaS domains and their associated IP ranges so that agents and users can connect.
Domains
All communication with Portal SaaS uses HTTPS (port 443).
| Domain | Purpose |
|---|---|
portal.waratek.com | Portal web UI |
agent-api-2.waratek.com | Agent API endpoint |
agent-api-2-2.waratek.com through agent-api-2-10.waratek.com | Additional agent API endpoints used for TLS routing |
Each agent is assigned one of the agent-api-2* subdomains. Because the specific subdomain can vary, all of them should be allowlisted:
agent-api-2.waratek.comagent-api-2-2.waratek.comagent-api-2-3.waratek.comagent-api-2-4.waratek.comagent-api-2-5.waratek.comagent-api-2-6.waratek.comagent-api-2-7.waratek.comagent-api-2-8.waratek.comagent-api-2-9.waratek.comagent-api-2-10.waratek.com
IP Ranges
All Portal SaaS domains are served through AWS CloudFront. Because CloudFront IP ranges are dynamic and change over time, there is no fixed list of IPs to allowlist.
AWS publishes its current IP ranges at:
https://ip-ranges.amazonaws.com/ip-ranges.json
To extract the CloudFront ranges, filter the JSON for entries where "service" is "CLOUDFRONT". The file contains both IPv4 ranges (in the prefixes array, field ip_prefix) and IPv6 ranges (in the ipv6_prefixes array, field ipv6_prefix).
For example, using jq:
curl -s https://ip-ranges.amazonaws.com/ip-ranges.json | jq '.prefixes[] | select(.service == "CLOUDFRONT") | .ip_prefix'
Since these ranges can change, AWS provides an SNS topic you can subscribe to for automatic notifications when the IP ranges are updated. See the AWS IP address ranges documentation for details.