Cloud Assistant Agent connects to several Alibaba Cloud endpoints to receive commands, access instance metadata, and download agent updates. In advanced security groups—where all outbound traffic is denied by default—you must add outbound rules to allow these connections. Basic security groups allow all outbound traffic by default and require no additional rules.
Connectivity principles
All required connections follow these rules:
All connections are outbound. Cloud Assistant Agent initiates connections to the cloud; no inbound rules are needed.
Cloud Assistant server and OSS connections use TCP/port 443.
Domain name resolution requires UDP/port 53.
Required endpoints
Cloud Assistant Agent requires access to the following endpoints:
| Endpoint | Port | Purpose | When required |
|---|---|---|---|
| https://{region-id}.axt.aliyun.com | 443 | Cloud Assistant server — receives and dispatches commands | Always |
| http://100.100.100.200 | 80 | MetaServer — provides instance metadata | Always |
| https://aliyun-client-assist-{region-id}.oss-{region-id}-internal.aliyuncs.com | 443 | Object Storage Service (OSS) — stores the Cloud Assistant Agent installation package | Installation and updates only |
Replace {region-id} with the region ID of your ECS instance. For example, use cn-hangzhou for the China (Hangzhou) region.
Choose a configuration approach
| Approach | How it works | Use when |
|---|---|---|
| General | Allow outbound access to CIDR blocks that cover all Cloud Assistant endpoints | You want a simple, low-maintenance configuration |
| Fine-grained | Allow outbound access to specific IP addresses per region | You need strict, per-region network controls |
General configuration
Allow outbound access to the following URLs and ports. This covers Cloud Assistant endpoints across all regions.
| URL or port | Purpose |
|---|---|
| DNS/UDP port 53 | Domain name resolution |
| https://100.100.0.0/16 port 443 | Cloud Assistant server (CIDR block: 100.100.0.0/16) |
| https://100.0.0.0/8 port 443 | Cloud Assistant Agent installation package server (CIDR block: 100.0.0.0/8) |
For steps to add a rule, see Add a security group rule.

Fine-grained configuration
Allow outbound access to the specific IP addresses for each region where your instances run.
Example: China (Hangzhou)
| URL or port | Purpose |
|---|---|
| DNS/UDP port 53 | Domain name resolution |
| https://100.100.45.106 port 443 | Cloud Assistant server in China (Hangzhou) |
| https://100.118.28.50 port 443 | Cloud Assistant Agent installation package server in China (Hangzhou) |
For steps to add a rule, see Add a security group rule.
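The following added example (not Alibaba Cloud code) audits an outbound allowlist against the flows in the Required endpoints table and returns the flows that no explicit allow rule covers, including the case of a region with more than one server address. Assumptions: the rule tuples are a hypothetical simplified export of egress rules, the DNS destination `0.0.0.0/0` is chosen for illustration because the page names no resolver address, and `all` with `-1/-1` is read as any protocol on any port.

```python
import ipaddress

METASERVER = "100.100.100.200"  # from the page's Required endpoints table

def required_flows(server_ips, oss_ip=None):
    """Flows the agent needs, as (label, protocol, port, destination)."""
    flows = [("DNS", "udp", 53, None),  # page names no resolver address
             ("MetaServer", "tcp", 80, METASERVER)]
    flows += [(f"Cloud Assistant server {ip}", "tcp", 443, ip) for ip in server_ips]
    if oss_ip:  # needed for installation and updates only
        flows.append((f"OSS package server {oss_ip}", "tcp", 443, oss_ip))
    return flows

def rule_allows(rule, proto, port, dest):
    """rule is (protocol, 'low/high' port range, destination CIDR)."""
    r_proto, r_ports, r_cidr = rule
    low, high = (int(p) for p in r_ports.split("/"))
    if r_proto not in (proto, "all"):
        return False
    if (low, high) != (-1, -1) and not low <= port <= high:
        return False
    if dest is None:  # destination unknown: protocol and port match is enough
        return True
    return ipaddress.ip_address(dest) in ipaddress.ip_network(r_cidr)

def missing_flows(rules, flows):
    """Labels of required flows that no allow rule in `rules` covers."""
    return [label for label, proto, port, dest in flows
            if not any(rule_allows(r, proto, port, dest) for r in rules)]

# Constructed rule sets. Addresses come from the page; 0.0.0.0/0 for DNS is assumed.
HANGZHOU_RULES = [
    ("udp", "53/53", "0.0.0.0/0"),
    ("tcp", "443/443", "100.100.45.106/32"),
    ("tcp", "443/443", "100.118.28.50/32"),
]
QINGDAO_RULES = [
    ("udp", "53/53", "0.0.0.0/0"),
    ("tcp", "80/80", "100.100.100.200/32"),
    ("tcp", "443/443", "100.100.15.4/32"),  # second Qingdao address left out
]

if __name__ == "__main__":
    print(missing_flows(HANGZHOU_RULES, required_flows(["100.100.45.106"], "100.118.28.50")))
    print(missing_flows(QINGDAO_RULES, required_flows(["100.100.15.4", "100.100.183.1"])))
```

A flow reported as missing has no explicit allow rule in the input; the page does not say whether any destination is exempt from security group filtering.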

Cloud Assistant server endpoints by region
Use the following table to find the endpoint and IP address for each region.
For installation package server endpoints and IP address ranges, refer to the Internal endpoint for access over VPCs and VIP range columns in Access OSS using bucket domain names.
| Region | Region ID | Endpoint | IP address |
|---|---|---|---|
| China (Qingdao) | cn-qingdao | cn-qingdao.axt.aliyun.com | 100.100.15.4, 100.100.183.1 |
| China (Beijing) | cn-beijing | cn-beijing.axt.aliyun.com | 100.100.18.120 |
| China (Zhangjiakou) | cn-zhangjiakou | cn-zhangjiakou.axt.aliyun.com | 100.100.99.23, 100.100.202.194 |
| China (Hohhot) | cn-huhehaote | cn-huhehaote.axt.aliyun.com | 100.100.126.8, 100.100.59.86 |
| China (Ulanqab) | cn-wulanchabu | cn-wulanchabu.axt.aliyun.com | 100.100.0.3 |
| China (Hangzhou) | cn-hangzhou | cn-hangzhou.axt.aliyun.com | 100.100.45.106 |
| China (Shanghai) | cn-shanghai | cn-shanghai.axt.aliyun.com | 100.100.36.108, 100.100.159.7 |
| China (Nanjing - Local Region) | cn-nanjing | cn-nanjing.axt.aliyun.com | 100.100.0.1 |
| China (Fuzhou - Local Region) | cn-fuzhou | cn-fuzhou.axt.aliyun.com | 100.100.0.26 |
| China (Wuhan - Local Region) | cn-wuhan-lr | cn-wuhan-lr.axt.aliyun.com | 100.100.0.8 |
| China (Shenzhen) | cn-shenzhen | cn-shenzhen.axt.aliyun.com | 100.100.0.70 |
| China (Heyuan) | cn-heyuan | cn-heyuan.axt.aliyun.com | 100.100.0.5 |
| China (Guangzhou) | cn-guangzhou | cn-guangzhou.axt.aliyun.com | 100.100.0.4 |
| China (Chengdu) | cn-chengdu | cn-chengdu.axt.aliyun.com | 100.100.0.42 |
| China (Hong Kong) | cn-hongkong | cn-hongkong.axt.aliyun.com | 100.100.35.30, 100.100.98.28 |
| Singapore | ap-southeast-1 | ap-southeast-1.axt.aliyun.com | 100.100.30.60, 100.100.169.197 |
| Malaysia (Kuala Lumpur) | ap-southeast-3 | ap-southeast-3.axt.aliyun.com | 100.100.127.16, 100.100.62.2 |
| Indonesia (Jakarta) | ap-southeast-5 | ap-southeast-5.axt.aliyun.com | 100.100.80.165, 100.100.132.30 |
| Philippines (Manila) | ap-southeast-6 | ap-southeast-6.axt.aliyun.com | 100.100.0.15 |
| Thailand (Bangkok) | ap-southeast-7 | ap-southeast-7.axt.aliyun.com | 100.100.0.30 |
| Japan (Tokyo) | ap-northeast-1 | ap-northeast-1.axt.aliyun.com | 100.100.0.76 |
| South Korea (Seoul) | ap-northeast-2 | ap-northeast-2.axt.aliyun.com | 100.100.0.23 |
| US (Silicon Valley) | us-west-1 | us-west-1.axt.aliyun.com | 100.100.29.34, 100.100.1.3 |
| US (Virginia) | us-east-1 | us-east-1.axt.aliyun.com | 100.100.152.140, 100.100.147.87 |
| Germany (Frankfurt) | eu-central-1 | eu-central-1.axt.aliyun.com | 100.100.46.12, 100.100.53.26 |
| UK (London) | eu-west-1 | eu-west-1.axt.aliyun.com | 100.100.0.20 |
| UAE (Dubai) | me-east-1 | me-east-1.axt.aliyun.com | 100.100.43.7 |
| SAU (Riyadh - Partner Region) — operated by a partner | me-central-1 | me-central-1.axt.aliyun.com | 100.100.0.15 |
| China East 2 Finance | cn-shanghai-finance-1 | cn-shanghai-finance-1.axt.aliyun.com | 100.100.0.46 |
| China North 2 Finance (Preview) | cn-beijing-finance-1 | cn-beijing-finance-1.axt.aliyun.com | 100.100.0.165 |
| China South 1 Finance | cn-shenzhen-finance-1 | cn-shenzhen-finance-1.axt.aliyun.com | 100.103.0.140 |
| China North 2 Ali Gov 1 | cn-north-2-gov-1 | cn-north-2-gov-1.axt.aliyun.com | 100.100.0.67 |