> ## Documentation Index
> Fetch the complete documentation index at: https://ona.com/docs/llms.txt
> Use this file to discover all available pages before exploring further.

# AWS access requirements

Ona's AWS runner needs outbound access to the endpoints below. Allow them in your firewall, security groups and any egress proxy; all are HTTPS on TCP 443 unless another port is stated.

<Note>
  **Proxy support**: Enterprise runners support HTTP proxy configuration. Add `.internal`, `169.254.0.0/16`, `app.gitpod.io`, and `.amazonaws.com` to NO\_PROXY. See [proxy configuration](/ona/runners/aws/setup#proxy-configuration-optional).
</Note>
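To verify the allowlist before rolling the runner out, the following script is an added example (not Ona's tooling): it parses the entries on this page, decides per host whether the NO_PROXY list from the note above sends traffic direct or through the proxy, and opens a direct TLS connection to each concrete endpoint. The matching rules it applies (leading-dot suffix, parent domain, CIDR for IP literals) are the common curl/Go conventions and are an assumption: confirm how your own proxy client treats NO_PROXY, since CIDR support in particular varies between tools. The endpoint list is a constructed subset of the lists on this page.

```python
"""Egress pre-flight for the allowlist on this page: an offline NO_PROXY
matcher plus a direct TLS probe. Added example, not Ona's own tooling."""
import ipaddress
import socket
import ssl
from urllib.parse import urlsplit

# NO_PROXY entries from the proxy note on this page.
NO_PROXY = [".internal", "169.254.0.0/16", "app.gitpod.io", ".amazonaws.com"]

# Constructed subset of the required endpoints listed on this page.
# Wildcard entries need a suffix rule on the firewall and are not probed.
ENDPOINTS = [
    "https://app.gitpod.io",
    "https://app.ona.com",
    "https://update.code.visualstudio.com/api/commits/stable/server-linux-x64-web",
    "https://*.vscode-unpkg.net",
    "https://mcr.microsoft.com/devcontainers/base:2.0.4-noble",
]


def parse_endpoint(url):
    """Return (host, port, is_wildcard) for one allowlist entry."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    port = parts.port or (443 if parts.scheme == "https" else 80)
    return host, port, host.startswith("*.")


def bypasses_proxy(host, no_proxy=NO_PROXY):
    """Decide whether `host` goes direct (True) or through the proxy (False).

    Matching rules (assumed, curl/Go-style; check your own client):
      - an entry starting with '.' matches that domain and any subdomain
      - a bare domain matches exactly or as a parent domain
      - a CIDR entry matches literal IP hosts inside the range
    """
    host = host.lower().rstrip(".")
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        ip = None
    for entry in no_proxy:
        entry = entry.strip().lower()
        if "/" in entry:  # CIDR: only meaningful for literal IP hosts
            if ip is not None and ip in ipaddress.ip_network(entry, strict=False):
                return True
        elif ip is not None:
            if host == entry:
                return True
        elif entry.startswith("."):
            if host == entry[1:] or host.endswith(entry):
                return True
        elif host == entry or host.endswith("." + entry):
            return True
    return False


def probe_tls(host, port, timeout=5.0):
    """Open a direct TCP+TLS connection and return the negotiated TLS version.
    Raises OSError (timeout, refusal, TLS failure) when egress is blocked."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.version()


def check_allowlist(endpoints=ENDPOINTS, no_proxy=NO_PROXY):
    """Probe every non-wildcard endpoint directly and report the expected route.
    Hosts marked 'via proxy' must additionally be tested through the proxy
    itself (for example `curl -x http://proxy:3128 <url>`; proxy address is
    a placeholder)."""
    results = {}
    for url in endpoints:
        host, port, wildcard = parse_endpoint(url)
        if wildcard:
            results[url] = "wildcard: add a suffix rule, not probed"
            continue
        route = "direct" if bypasses_proxy(host, no_proxy) else "via proxy"
        try:
            results[url] = f"ok {probe_tls(host, port)} ({route})"
        except OSError as exc:
            results[url] = f"BLOCKED: {exc} ({route})"
    return results


if __name__ == "__main__":
    for url, status in check_allowlist().items():
        print(f"{status:45} {url}")
```

Run it from the subnet the runner will use. A `BLOCKED` line on a host marked `via proxy` may only mean that direct egress is closed there, which is expected in a proxied deployment; retest those hosts through the proxy before changing firewall rules.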

## Ona services

### Management plane

* `https://app.gitpod.io`
* `https://app.ona.com`

## VS Code

Server downloads and extension marketplace:

* `https://update.code.visualstudio.com/api/commits/stable/server-linux-x64-web`
* `https://update.code.visualstudio.com/api/commits/stable/server-linux-arm64-web`
* `https://update.code.visualstudio.com/commit:*/server-linux-x64/stable`
* `https://update.code.visualstudio.com/commit:*/server-linux-arm64/stable`
* `https://*.vscode-unpkg.net`
* `https://marketplace.visualstudio.com`
* `https://*.gallerycdn.vsassets.io`
* `https://*.prss.microsoft.com`
* `https://*.vscode-gitpod-cdn.com` (required for VS Code Web functionality)
* `https://vscode.gitpod.io` (required for VS Code Web functionality)

## JetBrains

IDE downloads and services:

* `https://www.jetbrains.com`
* `https://download.jetbrains.com`
* `https://download-cf.jetbrains.com`
* `https://download-cdn.jetbrains.com`
* `https://data.services.jetbrains.com`
* `https://plugins.jetbrains.com`
* `https://downloads.marketplace.jetbrains.com`
* `https://account.jetbrains.com`

See also: [JetBrains network requirements](/ona/editors/jetbrains#network-access-requirements)

## Release artifacts

Updates, CLI binaries, and agent components are served from `app.gitpod.io/releases/*` (the same domain as the management plane, so no additional hostname is needed):

* `https://app.gitpod.io/releases/ec2/stable/manifest.json`
* `https://app.gitpod.io/releases/ec2/stable/supervisor-amd64.xz`
* `https://app.gitpod.io/releases/ec2/stable/gitpod-ec2-runner.json`
* `https://app.gitpod.io/releases/ec2/stable/gitpod-ec2-runner-enterprise.json`
* `https://app.gitpod.io/releases/ec2/stable/gitpod-ec2-multi-org-runner.json`
* `https://app.gitpod.io/releases/cli/stable/manifest.json`
* `https://app.gitpod.io/releases/cli/stable/gitpod-linux-amd64`
* `https://app.gitpod.io/releases/cli/stable/gitpod-linux-amd64.exe`
* `https://app.gitpod.io/releases/cli/stable/gitpod-linux-amd64.sha256`
* `https://app.gitpod.io/releases/cli/stable/gitpod-linux-arm64`
* `https://app.gitpod.io/releases/cli/stable/gitpod-linux-arm64.sha256`
* `https://app.gitpod.io/releases/vscode/releases/*/vscode-remote.vsix`
* `https://app.gitpod.io/releases/vscode/releases/*/vscode-agent-amd64`
* `https://app.gitpod.io/releases/vscode/releases/*/vscode-agent-arm64`
* `https://app.gitpod.io/releases/jetbrains/releases/*/jetbrains-agent-amd64`
* `https://app.gitpod.io/releases/jetbrains/releases/*/jetbrains-agent-arm64`

## Container registries

**Default Dev Container image:**

* `https://mcr.microsoft.com/devcontainers/base:2.0.4-noble`

**AWS Private ECR (runner images):**

Runner images are pulled from private ECR. This requires access to three AWS endpoints (replace `<region>` with your AWS region):

* `https://api.ecr.<region>.amazonaws.com` - ECR API
* `https://<account-id>.dkr.ecr.<region>.amazonaws.com` - Docker registry protocol
* `https://s3.<region>.amazonaws.com` - Image layer storage

For private network deployments, see [Networking](/ona/runners/aws/networking#vpc-endpoints-reference) to configure PrivateLink access to these services.

## Your infrastructure

### Runner proxy domain

The runner must be able to reach its own configured domain over HTTPS. It periodically verifies DNS resolution and TLS connectivity by requesting `https://<your-runner-domain>/_health`. Blocking this egress causes the runner to report degraded status.

* `https://<your-runner-domain>` (the domain you configured during setup)

### SCM and SSO providers

Configure access to your providers:

* GitHub, GitLab, Bitbucket URLs
* SSO provider URLs (Okta, Azure AD, etc.)

## Optional services

### Prometheus remote write

* Your metrics endpoint URL (HTTPS 443)

### Additional container registries

**Common registries:**

* `https://index.docker.io`
* `https://registry-1.docker.io`
* `https://auth.docker.io`
* `https://ghcr.io`
* Your private registry URLs (HTTPS 443)

## AWS services

Replace `<region>` with your AWS region and `<account-id>` with your AWS account ID.

### Instance metadata

* **Endpoint**: `169.254.169.254`
* **Protocol**: HTTP (80)
* **Proxy**: link-local and must not be routed through the HTTP proxy; the `169.254.0.0/16` entry in `NO_PROXY` from the note above covers it

### Regional APIs

* `https://ec2.<region>.amazonaws.com`
* `https://<account-id>.dkr.ecr.<region>.amazonaws.com`
* `https://s3.<region>.amazonaws.com`
* `https://ssm.<region>.amazonaws.com`
* `https://sts.<region>.amazonaws.com`
* `https://dynamodb.<region>.amazonaws.com`
* `https://cloudformation.<region>.amazonaws.com`
* `https://secretsmanager.<region>.amazonaws.com`
* `https://logs.<region>.amazonaws.com`
* `https://acm.<region>.amazonaws.com`
* `https://ecs.<region>.amazonaws.com`
* `https://ecs-agent.<region>.amazonaws.com`
* `https://ecs-telemetry.<region>.amazonaws.com`
* `https://ssmmessages.<region>.amazonaws.com`
* `https://ec2messages.<region>.amazonaws.com`
* `https://elasticloadbalancing.<region>.amazonaws.com`

## AMI requirements

If your AWS Organization restricts AMI access, ensure your account can launch from these AMIs:

### Required AMIs

| AMI Name                                     | Owner Account ID | Owner | Purpose                  |
| -------------------------------------------- | ---------------- | ----- | ------------------------ |
| `gitpod/images/gitpod-next/ec2-runner-ami-*` | `995913728426`   | Ona   | Development environments |

### Allowlisting by owner account ID

Allow by **Owner Account ID** rather than specific AMI ID. This ensures automatic access to new versions and security patches.

Configure your AWS Organization's AMI access policies to:

1. Allow Owner Account ID `995913728426` (Ona)
2. Test that your deployment account can launch from these AMIs

### Test AMI access

```bash theme={null}
# List runner AMIs shared from Ona's account, oldest to newest (replace us-east-1 with your region).
# An empty result means the account cannot see them: check the owner allowlist and the region.
aws ec2 describe-images --region us-east-1 --owners 995913728426 \
  --filters "Name=name,Values=gitpod/images/gitpod-next/ec2-runner-ami-*" \
  --query 'sort_by(Images,&CreationDate)[].[ImageId,Name,CreationDate]' --output table
```

If you encounter AMI access issues, contact your AWS administrator to update AMI access policies.
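The CLI check above only shows whether the AMIs are visible. The script below is an added example, not Ona's tooling, that completes both steps under "Allowlisting by owner account ID": it lists the runner AMIs from owner account `995913728426`, picks the newest one that is available and not past its deprecation date, and dry-runs `RunInstances` against it so the IAM policy and AMI restrictions are exercised without launching anything. The instance type used for the dry run and the sample describe-images data are assumptions, labelled in the code; the live calls need boto3 and AWS credentials.

```python
"""Verify that this AWS account can see and launch Ona's runner AMI.
Added example, not Ona's tooling. The selection logic is pure so it can be
tested offline; the boto3 calls are isolated in two small functions."""
from datetime import datetime, timezone

ONA_AMI_OWNER = "995913728426"                             # from the AMI table above
AMI_NAME_PATTERN = "gitpod/images/gitpod-next/ec2-runner-ami-*"
DEFAULT_INSTANCE_TYPE = "t3.medium"                        # assumption, used for the dry run only


def _parse_aws_time(value):
    """AWS returns timestamps such as '2024-06-01T00:00:00.000Z'."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def newest_usable_ami(images, now=None):
    """Pick the newest launchable AMI from a describe-images 'Images' list.

    Skips images that are not 'available' and images whose DeprecationTime
    has passed: once deprecated, an AMI drops out of unfiltered describe-images
    results, so anything pinned to it silently loses it. Returns the image
    dict or None.
    """
    now = now or datetime.now(timezone.utc)
    usable = []
    for img in images:
        if img.get("State") != "available":
            continue
        deprecation = img.get("DeprecationTime")
        if deprecation and _parse_aws_time(deprecation) <= now:
            continue
        usable.append(img)
    return max(usable, key=lambda i: i["CreationDate"]) if usable else None


def describe_runner_amis(region, include_deprecated=False):
    """Live call: runner AMIs from Ona's account visible to this principal."""
    import boto3  # imported here so the offline logic has no dependency on it
    ec2 = boto3.client("ec2", region_name=region)
    resp = ec2.describe_images(
        Owners=[ONA_AMI_OWNER],
        Filters=[{"Name": "name", "Values": [AMI_NAME_PATTERN]}],
        IncludeDeprecated=include_deprecated,
    )
    return resp["Images"]


def can_launch(region, image_id, instance_type=DEFAULT_INSTANCE_TYPE, subnet_id=None):
    """Dry-run RunInstances. 'DryRunOperation' means the principal may launch
    and the request validated; any other error code is the real blocker."""
    import boto3
    from botocore.exceptions import ClientError
    ec2 = boto3.client("ec2", region_name=region)
    params = {"ImageId": image_id, "InstanceType": instance_type,
              "MinCount": 1, "MaxCount": 1, "DryRun": True}
    if subnet_id:
        params["SubnetId"] = subnet_id
    try:
        ec2.run_instances(**params)
    except ClientError as exc:
        code = exc.response["Error"]["Code"]
        return code == "DryRunOperation", code
    return True, "launched"  # not reachable with DryRun=True


# Constructed sample shaped like a describe-images response (not real AMI IDs).
SAMPLE_NOW = datetime(2025, 1, 1, tzinfo=timezone.utc)
SAMPLE_IMAGES = [
    {"ImageId": "ami-0aaa", "State": "available", "CreationDate": "2024-01-01T00:00:00.000Z",
     "DeprecationTime": "2024-06-01T00:00:00.000Z"},                                   # deprecated
    {"ImageId": "ami-0bbb", "State": "available", "CreationDate": "2024-05-01T00:00:00.000Z"},
    {"ImageId": "ami-0ccc", "State": "pending", "CreationDate": "2024-09-01T00:00:00.000Z"},  # not available
    {"ImageId": "ami-0ddd", "State": "available", "CreationDate": "2024-08-01T00:00:00.000Z",
     "DeprecationTime": "2026-01-01T00:00:00.000Z"},                                   # newest usable
]


def main(region="us-east-1"):
    images = describe_runner_amis(region)
    ami = newest_usable_ami(images)
    if ami is None:
        print("no runner AMIs visible: check the owner allowlist for", ONA_AMI_OWNER, "and the region")
        return 1
    ok, code = can_launch(region, ami["ImageId"])
    print(f"{ami['ImageId']} ({ami.get('Name')}): {'launchable' if ok else 'blocked: ' + code}")
    return 0 if ok else 1


if __name__ == "__main__":
    raise SystemExit(main())
```

An empty listing points at the owner allowlist or the region; a dry run that fails with `UnauthorizedOperation` points at the IAM policy of the deployment role rather than at AMI access, which is the distinction the AWS administrator will need when you escalate.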

## SSH domain aliases

Ona uses aliases like `<environment-id>.gitpod.remote`, `<environment-id>.gitpod.environment`, and `<environment-id>.ona.environment` for SSH connectivity.

These are SSH configuration aliases (not internet domains) that map to EC2 instance IP addresses, so they do not resolve in DNS and need no firewall allowlist entry of their own:

* The Ona CLI automatically updates your SSH config with actual instance IPs
* Provides clean identifiers instead of complex AWS hostnames like `ec2-18-184-202-80.region.compute.amazonaws.com`
* When you connect via SSH or VS Code, your SSH client resolves the alias to the actual IP
