Virtru Private Keystore (for Virtru Solutions): Reference - Firewall

To minimize exposure and maximize security for the Virtru Private Keystore (for Virtru Solutions) appliance Virtru will only send traffic to the Virtru Private Keystore from specific IP addresses.

Traffic Requirements

Inbound to the Virtru Private Keystore from Virtru SaaS for normal decrypt operations:

• TCP
  
  • 52.14.8.108
  • 18.216.244.36
  • 13.59.117.136
  • 3.18.99.98
  • 3.131.32.254
  • 18.119.73.143
    NEW IPS!
  • 34.173.130.111
  • 34.168.88.167
• Port
  • Defined by client
  • Default 443

Inbound to the Virtru Private Keystore from Virtru IPs for setup, testing, and health monitoring:

• TCP
• • 3.12.127.107
  • 3.12.127.228
  • 52.15.183.190
• Port
  • Defined by client
  • Default 443

Remote access to the server for SSH (for configuration and setup)

• TCP
  • <Your Company IPs>
• Port
  • Default 22

Port Configuration

All traffic from Virtru to your infrastructure will arrive on port 443. If using a different destination port, apply an internal translation on your edge firewall to direct incoming traffic from port 443 to your specified <defined port> for the VPK server.

To update the port for the VPK container, modify the run.sh script’s -p flag:

• Original: -p 443:9000
• Updated: -p <defined port>:9000

Replace <defined port> with the desired port number.

Example docker run command for the Virtru container:

docker run \
  --name Virtru_CKS \
  --interactive --tty --detach \
  --env-file /var/virtru/cks/env/cks.env \
  -v /var/virtru/cks/keys/:/app/keys \
  -v /var/virtru/cks/ssl/:/app/ssl \
  -p <defined port>:9000 \
  --restart unless-stopped \
  containers.virtru.com/cks:<latestCKSVersion>