To ensure seamless communication with Virtru endpoints and Google services, configure the following firewall rules on your server:
CSE Firewall Access Diagram (with CKS) - describes communication flows where a customer-hosted CKS server is involved for encryption key management.
CSE Firewall Access Diagram (without CKS) - details direct communication with Virtru and Google endpoints.
By configuring the firewall rules, you ensure that the CSE operates efficiently with Virtru services, Google APIs, and (if applicable) a customer-hosted CKS server.
Inbound Rules
- Port 443 (Required)
  - Purpose: Accepts traffic from end-user devices accessing Drive.
  - Source: End-user desktops (not Google services).
- Port 22 (Optional)
  - Purpose: Enables SSH access for server management.
Note: Google requires inbound traffic to the CSE server to be open for the above reasons.
Outbound Rules
- Port 443 (Required)
  - Purpose: Enables communication with the following endpoints:
    - Virtru Services:
      - Container image downloads: containers.virtru.com/cse:<tag>
      - ACM endpoints: api.virtru.com/acm, api.virtru.com/accounts
    - Google APIs: googleapis.com
    - Identity Provider (IDP): e.g., accounts.google.com for Google IDP.
    - Optional - Customer-Hosted CKS: e.g., cks.customer.com
All traffic from Virtru to your server will arrive and depart on port 443. By configuring these rules, you ensure the CSE server operates smoothly with required endpoints and services.
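One way to confirm the outbound rules above from the CSE server itself, as an added example that is not part of Virtru's tooling: it probes each listed endpoint on port 443 with curl and reports which hosts fail the TCP connection or TLS handshake. The function names, the `PROBE` override and the `--run` switch are assumptions of this sketch; add your own IdP or CKS host to the list (`cks.customer.com` on the page is a placeholder).

```shell
#!/bin/sh
# Added example: outbound 443 reachability check for the endpoints listed
# in the Outbound Rules. Not Virtru code; names below are illustrative.
ENDPOINTS='containers.virtru.com/cse:<tag>
api.virtru.com/acm
api.virtru.com/accounts
googleapis.com
accounts.google.com'

# Reduce a listed endpoint ("host/path:tag" or a URL) to its bare host name.
endpoint_host() {
    printf '%s\n' "$1" | sed -e 's#^[a-z]*://##' -e 's#[/:].*$##'
}

# Default probe: TCP connect, TLS handshake and certificate validation.
# Any HTTP status counts as reachable; only connection or TLS errors fail,
# which also exposes a proxy that intercepts TLS with an untrusted CA.
probe_https() {
    curl -sS -o /dev/null --connect-timeout 5 --max-time 10 "https://$1:443/"
}

# Probe every unique host in the list given as $1.
# Prints one OK/FAIL line per host and returns the number of failures.
check_endpoints() {
    probe=${PROBE:-probe_https}
    failures=0
    hosts=$(printf '%s\n' "$1" | while read -r ep; do
        if [ -n "$ep" ]; then endpoint_host "$ep"; fi
    done | sort -u)
    for host in $hosts; do
        if "$probe" "$host"; then
            echo "OK    $host:443"
        else
            echo "FAIL  $host:443"
            failures=$((failures + 1))
        fi
    done
    return "$failures"
}

# Run the live check only when asked: sh check_egress.sh --run
if [ "${1:-}" = "--run" ]; then
    check_endpoints "$ENDPOINTS"
    exit $?
fi
```

A non-zero exit status is the count of unreachable hosts, so the script can gate a deployment step or a monitoring check.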