Cloud Connector Installation for Network Environments
This guide covers installing Cloud Connectors on an Ethernet network, including firewall configuration and the cloud services the Cloud Connector must be able to reach.
What if I use a cellular connection or do not have a firewall?
While this guide focuses on Ethernet and firewall setup, it also includes key details about the cloud services used by the Cloud Connector. This information is relevant even in environments using cellular connections or minimal firewall controls and can help address common IT and security-related concerns.
Firewall Configuration
To maintain a secure setup, it’s recommended to control traffic between the Cloud Connector and the Internet using a firewall.
The Cloud Connector initiates all of its cloud communication as outbound HTTPS (TCP 443) connections to the endpoints listed below. The firewall must allow these outbound connections and the return traffic of the sessions they establish; a stateful firewall does this automatically. No rule permitting new inbound connections from the Internet to the Cloud Connector is needed for any of the endpoints listed here.
Cloud Connector (2nd Generation)
For 2nd Gen models, the DNS resolver and NTP server addresses are taken from the local DHCP server (DHCP options), so the firewall must also permit DNS (UDP/TCP 53) from the Cloud Connector to the resolver handed out by DHCP. If the network does not advertise an NTP server, the following external time servers are used over UDP port 123: time1.google.com, time2.google.com, time3.google.com and time4.google.com.
Required FQDNs (Fully Qualified Domain Names)
The following endpoints must be accessible via HTTPS (TCP 443):
• ccon-manager.prod.ncco-cloud.com
• est.prod.ncco-cloud.com
• mender.prod.ncco-cloud.com
• mender-artifacts.prod.ncco-cloud.com
Other Cloud Connector Models
This applies to:
• Cloud Connector US 4G
• Cloud Connector EU 4G
• Cloud Connector EU 3G/2G
• Cloud Connector EU (Ethernet only)
• Cloud Connector US (Ethernet only)
These models also take their DNS resolver and NTP server addresses from the local DHCP server, so DNS (UDP/TCP 53) to that resolver must be permitted. If no NTP server is advertised, they default to 0.resinio.pool.ntp.org, 1.resinio.pool.ntp.org, 2.resinio.pool.ntp.org and 3.resinio.pool.ntp.org (UDP port 123).
Domains to Allowlist for These Models (TCP 443 unless noted otherwise)
• sds-receiver-grpc.prod.ncco-cloud.com
• ccon-manager.prod.ncco-cloud.com
• est.prod.ncco-cloud.com
• vpn.balena-cloud.com
• api.balena-cloud.com
• delta.balena-cloud.com
• delta-data.balena-cloud.com
• registry2.balena-cloud.com
• registry-data.balena-cloud.com
• registry.hub.docker.com
• production.cloudflare.docker.com
• registry.docker.io
• auth.docker.io
• 0.resinio.pool.ntp.org – NTP (UDP 123)
• 1.resinio.pool.ntp.org – NTP (UDP 123)
• 2.resinio.pool.ntp.org – NTP (UDP 123)
• 3.resinio.pool.ntp.org – NTP (UDP 123)
Wildcard Support
If the firewall supports wildcard FQDN rules, the lists above can be expressed as the following entries. Note that wildcards are considerably broader than the explicit lists (for example, *.docker.io and *.pool.ntp.org match far more hosts than the Cloud Connector ever contacts), so prefer the explicit FQDNs where the firewall allows it. In either form, allowlist by name rather than by resolved IP address: this guide lists names only, and the addresses behind them can change.
• *.disruptive-technologies.com (TCP 443)
• *.pool.ntp.org (NTP, UDP 123)
• *.balena-cloud.com (TCP 443)
• *.docker.com (TCP 443)
• *.docker.io (TCP 443)
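A pre-flight check that an installer can run from a host in the Cloud Connector's VLAN before the device itself is connected, to confirm that the firewall rules above actually let the required traffic through. This is an added example written for this guide, not a tool shipped by the vendor: it resolves each FQDN from the 2nd Gen and other-model lists, opens TCP 443 and completes a TLS handshake, and sends an SNTP request to each fallback time server on UDP 123, reporting the server's clock skew. The endpoint names and ports are taken from the guide; the model keys `2nd-gen` and `other` and the pass/fail output format are this example's own choices.

```python
"""Pre-flight firewall check for Cloud Connector endpoints (added example)."""
import socket
import ssl
import struct
import sys
import time

# Endpoint lists copied from the guide, keyed by model family
# (the keys "2nd-gen"/"other" are this script's naming, not the vendor's).
HTTPS_ENDPOINTS = {
    "2nd-gen": [
        "ccon-manager.prod.ncco-cloud.com",
        "est.prod.ncco-cloud.com",
        "mender.prod.ncco-cloud.com",
        "mender-artifacts.prod.ncco-cloud.com",
    ],
    "other": [
        "sds-receiver-grpc.prod.ncco-cloud.com",
        "ccon-manager.prod.ncco-cloud.com",
        "est.prod.ncco-cloud.com",
        "vpn.balena-cloud.com",
        "api.balena-cloud.com",
        "delta.balena-cloud.com",
        "delta-data.balena-cloud.com",
        "registry2.balena-cloud.com",
        "registry-data.balena-cloud.com",
        "registry.hub.docker.com",
        "production.cloudflare.docker.com",
        "registry.docker.io",
        "auth.docker.io",
    ],
}
NTP_FALLBACK = {
    "2nd-gen": [f"time{i}.google.com" for i in (1, 2, 3, 4)],
    "other": [f"{i}.resinio.pool.ntp.org" for i in (0, 1, 2, 3)],
}

NTP_UNIX_OFFSET = 2208988800  # seconds from 1900-01-01 (NTP epoch) to 1970-01-01


def build_ntp_request() -> bytes:
    """48-byte SNTP client request: LI=0, version 4, mode 3 (client)."""
    return bytes([0x23]) + bytes(47)


def parse_ntp_transmit_time(packet: bytes) -> float:
    """Return the server's transmit timestamp (bytes 40-47) as Unix time."""
    if len(packet) < 48:
        raise ValueError("NTP packet too short")
    mode = packet[0] & 0x07
    if mode != 4:  # 4 = server reply; anything else is not a valid answer
        raise ValueError(f"unexpected NTP mode {mode}, want 4 (server)")
    secs, frac = struct.unpack("!II", packet[40:48])
    return secs - NTP_UNIX_OFFSET + frac / 2**32


def check_https(host: str, timeout: float = 5.0) -> str:
    """Resolve (IPv4), connect to TCP 443 and complete a TLS handshake."""
    try:
        addr = socket.gethostbyname(host)
    except socket.gaierror as e:
        return f"FAIL dns ({e})"
    ctx = ssl.create_default_context()  # verifies the server certificate
    try:
        with socket.create_connection((addr, 443), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                return f"ok {addr} {tls.version()}"
    except OSError as e:  # covers timeout, refused, and ssl.SSLError
        return f"FAIL tcp/tls to {addr} ({e})"


def check_ntp(host: str, timeout: float = 3.0) -> str:
    """Send one SNTP request over UDP 123 and report the reply's clock skew."""
    try:
        addr = socket.gethostbyname(host)
    except socket.gaierror as e:
        return f"FAIL dns ({e})"
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        try:
            s.sendto(build_ntp_request(), (addr, 123))
            data, _ = s.recvfrom(512)
            skew = parse_ntp_transmit_time(data) - time.time()
            return f"ok {addr} skew={skew:+.2f}s"
        except (OSError, ValueError) as e:
            return f"FAIL udp/123 to {addr} ({e})"


def run(model: str) -> dict:
    """Check every HTTPS endpoint and fallback NTP server for one model family."""
    results = {h: check_https(h) for h in HTTPS_ENDPOINTS[model]}
    results.update({h: check_ntp(h) for h in NTP_FALLBACK[model]})
    return results


if __name__ == "__main__":
    model = sys.argv[1] if len(sys.argv) > 1 else "2nd-gen"
    res = run(model)
    for host, status in res.items():
        print(f"{status:50} {host}")
    sys.exit(1 if any(s.startswith("FAIL") for s in res.values()) else 0)
```

Run it as `python3 ccon_preflight.py other` from a host on the Cloud Connector VLAN; a `FAIL dns` line means the DHCP-supplied resolver is not reachable or does not resolve the name, while `FAIL tcp/tls` means TCP 443 to that destination is blocked or intercepted (an intercepting proxy that re-signs certificates will also fail here, since the default context verifies the chain). A successful `check_ntp` confirms UDP 123 is open in both directions for the session.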
Security and Network Architecture
Ongoing Security Updates
Cloud Connectors receive regular over-the-air security updates to address vulnerabilities and maintain a secure operating environment.
Layered Security
We recommend using a layered approach to security. Even with automatic updates, additional precautions such as controlled firewall access and network segmentation further enhance protection.
Zero-Trust Network Placement
Apart from the DHCP, DNS and NTP services it obtains from the local network, the Cloud Connector does not initiate communication with devices or services on the local network. We recommend placing it in a separate VLAN or network segment and treating it as a guest device: all of its traffic should pass through the same firewall policies as any other external device, and other internal segments should have no route to it except where you deliberately allow one.
Technical Specifications
• SSH Access: The Cloud Connector (2nd Gen) listens on TCP port 22 for internal diagnostics. This port does not need to be reachable from external networks; do not forward it, and let the segmentation policy described above block access to it from other internal segments as well.
• Network Protocols: Supports IPv4, IPv6, and DHCP.
• MAC Address Identification: The MAC address can be found on the Cloud Connector dashboard in the NCCO Task Manager platform or retrieved through the API via the Ethernet Status Event.