Area: Deployment Issues
Sub-Area: Network Security & Firewall Configuration
Issue
Organizations with strict outbound network controls need to know which domains, ports, and IP ranges to allowlist in order to connect to DataHub Cloud. This information is typically required by network security teams before onboarding or when troubleshooting connectivity blocks. The requirements vary depending on which ingestion method is used — UI Ingestion, Remote Executor, or CLI Ingestion — and optionally whether AWS PrivateLink is configured.
You Might Be Asking
- What domains do I need to allowlist to access DataHub Cloud?
- What ports does DataHub Cloud use?
- Does DataHub Cloud publish static CIDR blocks or egress IP ranges?
- What are the network requirements for the Remote Executor?
- Can I use AWS PrivateLink to avoid public internet traffic to DataHub Cloud?
Solution
The network requirements for DataHub Cloud depend on which ingestion method your organization uses. Review each option below and apply the configuration that matches your deployment pattern.
-
All Access Modes — Minimum Requirement
Regardless of ingestion method, all DataHub Cloud services are accessed over HTTPS. Allowlist the following domain on port 443:
Domain: *.acryl.io Port: 443 (HTTPS/TLS, outbound)This covers your DataHub Cloud instance UI, GMS API, and related Acryl-hosted endpoints.
-
Option A: Remote Executor (Recommended for Strict Security Environments)
The Remote Executor runs inside your own network and makes only outbound HTTPS connections — no inbound ports need to be opened on your firewall. This is the recommended pattern for organizations with strict network security requirements because it eliminates the need to obtain Acryl's egress IP ranges.
Allowlist the following endpoints, all on port 443 outbound:
# DataHub Cloud GMS API https://<your-instance>.acryl.io/* # AWS SQS (task dispatch for the Remote Executor) https://sqs.*.amazonaws.com/* # Helm chart repository (for Kubernetes deployments) https://executor-helm.acryl.io # Remote Executor container image registry # (AWS ECR or docker.datahub.com — confirm with your Acryl contact) 795586375822.dkr.ecr.us-west-2.amazonaws.com # Python connector dependencies # (PyPI or your internal package mirror) https://pypi.orgSummary for this mode:
Port required: 443 (outbound only) Inbound ports: None required Acryl CIDR blocks: Not required -
Option B: UI Ingestion
In UI Ingestion mode, Acryl's infrastructure reaches into your environment to connect to your data sources. This means your firewall or data source security groups must allow inbound connections from Acryl's egress IP addresses.
Important: Acryl's egress IP ranges (NAT gateway IPs) are deployment-specific and are not published publicly. You must request these directly from DataHub Support or your Acryl customer success contact, specifying that you need "DataHub Cloud egress IP ranges for UI Ingestion."
Action: Contact DataHub Support to request egress IP ranges specific to your DataHub Cloud deployment region. -
Option C: CLI Ingestion
When running the DataHub CLI from your own infrastructure (e.g., Airflow, cron jobs, CI/CD pipelines, or a VM), the network requirements are the same as the Remote Executor — only outbound port 443 to
*.acryl.iois needed. No special CIDR blocks from Acryl are required.Domain: *.acryl.io Port: 443 (HTTPS/TLS, outbound) -
Option D: AWS PrivateLink (Optional — Fully Private Connectivity)
If your organization requires a fully private network connection between your AWS VPC and DataHub Cloud with no traffic over the public internet, DataHub Cloud supports AWS PrivateLink. Setup requires coordination with your Acryl integrations contact and involves the following steps:
- Configure a VPC Security Group with ports 80 and 443 (TCP) open with the appropriate inbound CIDR source.
- Provide your AWS account ARN to your Acryl integrations contact.
- Acryl creates a VPC Endpoint Service on their side.
- You create a VPC Endpoint in your AWS account pointing to the Acryl-provided service.
# VPC Security Group inbound rules required for PrivateLink Port 80 (TCP) — inbound, from appropriate CIDR source Port 443 (TCP) — inbound, from appropriate CIDR source -
Inbound IP Allowlisting for DataHub Cloud UI/API Access
If your organization wants to restrict which IP addresses can access your DataHub Cloud instance (e.g., limit access to your corporate VPN or office IP ranges), this is configured at the load balancer level by Acryl — not by you directly. Submit your organization's allowed IP ranges to DataHub Support and they will configure the allowlist for your environment.
Note: Acryl does not recommend allowlisting load balancer IPs on your end, as these addresses can change over time.
Additional Notes
DataHub Cloud is a fully managed service — Acryl manages all underlying infrastructure, networking, and security configuration. Customers do not directly manage CIDR blocks, ports, or firewall rules on the DataHub Cloud side. Egress IP ranges for UI Ingestion are not published publicly and must be requested per deployment; if avoiding this requirement is important for your security posture, the Remote Executor pattern is strongly recommended. AWS PrivateLink is an established, supported option for organizations that require fully private connectivity and should be scoped with your Acryl integrations contact during onboarding.
Related Documentation
- DataHub Cloud Overview
- Setting Up the Remote Ingestion Executor
- AWS PrivateLink Setup for DataHub Cloud
- Ingestion Security Comparison
Tags: network, allowlist, firewall, CIDR, port-443, acryl.io, remote-executor, privatelink, ingestion, deployment