Configure your firewall and network security groups to allow outbound connections to these endpoints for Ona to function properly.
Proxy support: Enterprise runners support HTTP proxy configuration. Add .internal, 169.254.0.0/16, app.gitpod.io, and .amazonaws.com to NO_PROXY. See proxy configuration.
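The following is an added example, not Ona's code. It sorts a sample of the endpoints on this page into those that bypass the proxy under the NO_PROXY entries above (and so must be allowed directly by the firewall or security group) and those that traverse the proxy (and so must be on the proxy's allowlist). The matching rules (suffix match for domain entries, CIDR match for IP literals) are an assumption modelled on common client behaviour; CIDR support varies between HTTP clients. The account ID and region are constructed placeholders.

```python
import ipaddress
from urllib.parse import urlsplit

# NO_PROXY entries taken from the proxy note on this page.
NO_PROXY = [".internal", "169.254.0.0/16", "app.gitpod.io", ".amazonaws.com"]

# Sample of endpoints from this page; account ID and region are constructed.
ENDPOINTS = [
    "https://app.gitpod.io",
    "https://app.ona.com",
    "https://vscode.gitpod.io",
    "https://releases.gitpod.io/cli/stable/manifest.json",
    "https://mcr.microsoft.com/devcontainers/base:ubuntu-24.04",
    "https://api.ecr.us-east-1.amazonaws.com",
    "https://123456789012.dkr.ecr.us-east-1.amazonaws.com",
    "https://s3.us-east-1.amazonaws.com",
    "http://169.254.169.254/latest/meta-data/",
]


def bypasses_proxy(url, no_proxy=NO_PROXY):
    """Return True if a request to `url` would skip the proxy (assumed rules)."""
    host = (urlsplit(url).hostname or "").lower()
    try:
        addr = ipaddress.ip_address(host)
    except ValueError:
        addr = None  # host is a DNS name, not an IP literal
    for entry in no_proxy:
        entry = entry.strip().lower()
        if "/" in entry:  # CIDR entry: only IP-literal hosts can match
            if addr is not None and addr in ipaddress.ip_network(entry, strict=False):
                return True
        elif addr is None:  # domain entry: exact host or any subdomain
            bare = entry.lstrip(".")
            if host == bare or host.endswith("." + bare):
                return True
    return False


def split_routes(urls, no_proxy=NO_PROXY):
    """Group hosts by path: 'direct' (firewall rule) or 'proxy' (proxy allowlist)."""
    routes = {"direct": set(), "proxy": set()}
    for url in urls:
        key = "direct" if bypasses_proxy(url, no_proxy) else "proxy"
        routes[key].add(urlsplit(url).hostname)
    return {k: sorted(v) for k, v in routes.items()}


if __name__ == "__main__":
    for route, hosts in split_routes(ENDPOINTS).items():
        print(route, hosts)
```

Hosts in the "proxy" group that are missing from the proxy's own allowlist will fail even when the firewall rules for the direct group are correct.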

Ona services

Management plane

  • https://app.gitpod.io
  • https://app.ona.com

VS Code

Server downloads and extension marketplace:
  • https://update.code.visualstudio.com/api/commits/stable/server-linux-x64-web
  • https://update.code.visualstudio.com/api/commits/stable/server-linux-arm64-web
  • https://update.code.visualstudio.com/commit:*/server-linux-x64/stable
  • https://update.code.visualstudio.com/commit:*/server-linux-arm64/stable
  • https://*.vscode-unpkg.net
  • https://marketplace.visualstudio.com
  • https://*.gallerycdn.vsassets.io
  • https://*.prss.microsoft.com
  • https://*.vscode-gitpod-cdn.com (required for VS Code Web functionality)
  • https://vscode.gitpod.io (required for VS Code Web functionality)

JetBrains

IDE downloads and services:
  • https://www.jetbrains.com
  • https://download.jetbrains.com
  • https://download-cf.jetbrains.com
  • https://download-cdn.jetbrains.com
  • https://data.services.jetbrains.com
  • https://plugins.jetbrains.com
  • https://downloads.marketplace.jetbrains.com
  • https://account.jetbrains.com
See also: JetBrains network requirements

Release artifacts

Updates, CLI binaries, and agent components:
  • https://releases.gitpod.io/ec2/stable/manifest.json
  • https://releases.gitpod.io/ec2/stable/supervisor-amd64.xz
  • https://releases.gitpod.io/ec2/stable/gitpod-ec2-runner.json
  • https://releases.gitpod.io/ec2/stable/gitpod-ec2-runner-enterprise.json
  • https://releases.gitpod.io/ec2/stable/gitpod-ec2-multi-org-runner.json
  • https://releases.gitpod.io/cli/stable/manifest.json
  • https://releases.gitpod.io/cli/stable/gitpod-linux-amd64
  • https://releases.gitpod.io/cli/stable/gitpod-linux-amd64.exe
  • https://releases.gitpod.io/cli/stable/gitpod-linux-amd64.sha256
  • https://releases.gitpod.io/cli/stable/gitpod-linux-arm64
  • https://releases.gitpod.io/cli/stable/gitpod-linux-arm64.sha256
  • https://releases.gitpod.io/vscode/releases/*/vscode-remote.vsix
  • https://releases.gitpod.io/vscode/releases/*/vscode-agent-amd64
  • https://releases.gitpod.io/vscode/releases/*/vscode-agent-arm64
  • https://releases.gitpod.io/jetbrains/releases/*/jetbrains-agent-amd64
  • https://releases.gitpod.io/jetbrains/releases/*/jetbrains-agent-arm64

Container registries

Default Dev Container image:
  • https://mcr.microsoft.com/devcontainers/base:ubuntu-24.04
AWS Private ECR (runner images): Runner images are pulled from private ECR. This requires access to three AWS endpoints (replace <region> with your AWS region):
  • https://api.ecr.<region>.amazonaws.com - ECR API
  • https://<account-id>.dkr.ecr.<region>.amazonaws.com - Docker registry protocol
  • https://s3.<region>.amazonaws.com - Image layer storage
For private network deployments, see VPC Endpoints to configure PrivateLink access to these services.

Your infrastructure

SCM and SSO providers

Configure access to your providers:
  • GitHub, GitLab, Bitbucket URLs
  • SSO provider URLs (Okta, Azure AD, etc.)

Optional services

Prometheus remote write

  • Your metrics endpoint URL (HTTPS 443)

Additional container registries

Common registries:
  • https://index.docker.io
  • https://registry-1.docker.io
  • https://auth.docker.io
  • https://ghcr.io
  • Your private registry URLs (HTTPS 443)

AWS services

Replace <region> with your AWS region and <account-id> with your AWS account ID.

Instance metadata

  • Endpoint: 169.254.169.254
  • Protocol: HTTP (80)

Regional APIs

  • https://ec2.<region>.amazonaws.com
  • https://<account-id>.dkr.ecr.<region>.amazonaws.com
  • https://s3.<region>.amazonaws.com
  • https://ssm.<region>.amazonaws.com
  • https://sts.<region>.amazonaws.com
  • https://dynamodb.<region>.amazonaws.com
  • https://cloudformation.<region>.amazonaws.com
  • https://secretsmanager.<region>.amazonaws.com
  • https://logs.<region>.amazonaws.com
  • https://acm.<region>.amazonaws.com
  • https://ecs.<region>.amazonaws.com
  • https://ecs-agent.<region>.amazonaws.com
  • https://ecs-telemetry.<region>.amazonaws.com
  • https://ssmmessages.<region>.amazonaws.com
  • https://ec2messages.<region>.amazonaws.com
  • https://elasticloadbalancing.<region>.amazonaws.com

AMI requirements

If your AWS Organization restricts AMI access, ensure your account can launch from these AMIs:

Required AMIs

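AMI Name                                    | Owner Account ID | Owner  | Purpose
--------------------------------------------|------------------|--------|-------------------------
bottlerocket-aws-ecs-1-x86_64               | 149721548608     | Amazon | Runner service
gitpod/images/gitpod-next/ec2-runner-ami-*  | 995913728426     | Ona    | Development environments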

Allowlisting by owner account ID

Allow by Owner Account ID rather than specific AMI ID. This ensures automatic access to new versions and security patches. Configure your AWS Organization’s AMI access policies to:
  1. Allow Owner Account IDs from the table above
  2. Include both Amazon (149721548608) and Ona (995913728426) accounts
  3. Test that your deployment account can launch from these AMIs

Test AMI access

# List available AMIs from required accounts (replace us-east-1 with your region)
aws ec2 describe-images --region us-east-1 --owners 149721548608 --filters "Name=name,Values=bottlerocket-aws-ecs-1-*"
aws ec2 describe-images --region us-east-1 --owners 995913728426 --filters "Name=name,Values=gitpod/images/gitpod-next/ec2-runner-ami-*"
If you encounter AMI access issues, contact your AWS administrator to update AMI access policies.

SSH domain aliases

Ona uses aliases like <workspace-id>.gitpod.remote and <workspace-id>.gitpod.environment for SSH connectivity. These are SSH configuration aliases (not internet domains) that map to EC2 instance IP addresses:
  • The Ona CLI automatically updates your SSH config with actual instance IPs
  • The aliases provide clean identifiers instead of complex AWS hostnames like ec2-18-184-202-80.region.compute.amazonaws.com
  • When you connect via SSH or VS Code, your SSH client resolves the alias to the actual IP