# Firewall Requirements

This document provides the information of the domain-names and protocol/ports that are used\
by Cloudbrink components. For a seamless rollout and functionality of Cloudbrink, these firewall\
requirements should be taken care by the customers.

### BrinkAgent

BrinkAgent communicates with Brink SaaS (control plane) and with Brink FAST Edges (datapath) and requires\
below firewall settings.

| Source              | Destination      | Protocols | Ports | Domain-Names                                                                                              |
| ------------------- | ---------------- | --------- | ----- | --------------------------------------------------------------------------------------------------------- |
| BrinkAgent Endpoint | Brink SaaS       | TLS       | 443   | <p>admin.cloudbrink.com<br>wren.cloudbrink.com<br>wrenrobin.cloudbrink.com<br>releases.cloudbrink.com</p> |
| BrinkAgent Endpoint | Brink Fast Edges | UDP       | 9993  | -NA                                                                                                       |

**Note-1:** BrinkAgent is supported on Windows, Mac, Ubuntu, Chromebook, iOS and Andriod\
**Note-2:** If any other solutions on the endpoint that performs TLS inspection (ex: SWG, Proxy) are deployed,\
then Cloudbrink traffic must be added to the exception list of these solutions.

### Brink Connector

Brink Connector is deployed inside the customer’s premises (physical or cloud datacenters) to provide end-to-end secure access to private applications. Brink Connector uses Software Defined-Perimeter compliant\
connectivity model where only outbound connections are used to communicate with BrinkSaaS (control\
place) and Brink FAST Edges (datapath).

| Source          | Destination      | Protocols | Ports      | Domain-Names                                                                      |
| --------------- | ---------------- | --------- | ---------- | --------------------------------------------------------------------------------- |
| Brink Connector | Brink SaaS       | TLS       | 443        | <p>wren.cloudbrink.com<br>wrenrobin.cloudbrink.com<br>releases.cloudbrink.com</p> |
| Brink Connector | Brink SaaS       | TCP       | 9090       | -NA                                                                               |
| Brink Connector | Brink FAST Edges | UDP       | 9993, 9994 | -NA                                                                               |
| Brink Connector | Public DNS       | DNS       | 53         | -NA                                                                               |

**Note:** If BrinkConnector is deployed behind a NAT device on the datacenter, the BrinkConnector\
instance internal IP address must be used during the ISO file generation step. The NAT IP address\
must not be used as BrinkConnector IP during the ISO file generation step.


---

# Agent Instructions: Querying This Documentation

If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question.

Perform an HTTP GET request on the current page URL with the `ask` query parameter:

```
GET https://docs.cloudbrink.com/configuration/firewall-requirements.md?ask=<question>
```

The question should be specific, self-contained, and written in natural language.
The response will contain a direct answer to the question and relevant excerpts and sources from the documentation.

Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.