Connectivity Requirements
Configure your firewall and network security groups to allow outbound connections to these endpoints for Gitpod to function properly.
Gitpod Services
Management Plane
Controls Runner and Environment orchestration by communicating with Gitpod’s control plane.
https://app.gitpod.io
Gateway API Server
Provides secure connectivity between your runners and Gitpod services through encrypted tunnels. Not required for Enterprise runners.
HTTPS (Port 8443):
https://us01.gitpod.dev:8443https://*.us01.gitpod.dev:8443
UDP (Port 4242):
35.171.240.3213.216.138.2444.223.157.1354.163.142.3935.171.31.215
VS Code
Required for VS Code IDE functionality including server downloads and extension marketplace access.
https://update.code.visualstudio.com/api/commits/stable/server-linux-x64-webhttps://update.code.visualstudio.com/api/commits/stable/server-linux-arm64-webhttps://update.code.visualstudio.com/commit:*/server-linux-x64/stablehttps://update.code.visualstudio.com/commit:*/server-linux-arm64/stablehttps://*.vscode-unpkg.nethttps://marketplace.visualstudio.comhttps://*.gallerycdn.vsassets.io
JetBrains
Required for JetBrains IDE functionality including IDE downloads and services.
https://download.jetbrains.comhttps://download-cf.jetbrains.comhttps://download-cdn.jetbrains.comhttps://data.services.jetbrains.com
Release Artifacts
Downloads Gitpod updates, CLI binaries, and agent components necessary for Runner and Environment operation.
https://releases.gitpod.io/ec2/stable/manifest.jsonhttps://releases.gitpod.io/ec2/stable/supervisor-amd64.xzhttps://releases.gitpod.io/ec2/stable/gitpod-ec2-runner.jsonhttps://releases.gitpod.io/ec2/stable/gitpod-ec2-runner-enterprise.jsonhttps://releases.gitpod.io/ec2/stable/gitpod-ec2-multi-org-runner.jsonhttps://releases.gitpod.io/cli/stable/manifest.jsonhttps://releases.gitpod.io/cli/stable/gitpod-linux-amd64https://releases.gitpod.io/cli/stable/gitpod-linux-amd64.exehttps://releases.gitpod.io/cli/stable/gitpod-linux-amd64.sha256https://releases.gitpod.io/cli/stable/gitpod-linux-arm64https://releases.gitpod.io/cli/stable/gitpod-linux-arm64.sha256https://releases.gitpod.io/vscode/releases/*/vscode-remote.vsixhttps://releases.gitpod.io/vscode/releases/*/vscode-agent-amd64https://releases.gitpod.io/vscode/releases/*/vscode-agent-arm64https://releases.gitpod.io/jetbrains/releases/*/jetbrains-agent-amd64https://releases.gitpod.io/jetbrains/releases/*/jetbrains-agent-arm64
Container Registries
Downloads container images used by development environments and Runner infrastructure.
Gitpod default devcontainer image:
https://mcr.microsoft.com/devcontainers/base:ubuntu-24.04
AWS Public ECR (Runner images):
https://public.ecr.aws
Your Infrastructure
SCM and SSO Providers
Access to your source code repositories and authentication providers for user login and code access.
Configure access to your specific providers (complete HTTPS URLs):
- GitHub, GitLab, Bitbucket URLs
- SSO provider URLs (Okta, Azure AD, etc.)
Optional Services
Prometheus Remote Write
Optional metrics collection endpoint for monitoring Runner and Environment performance.
- Your metrics endpoint URL (HTTPS 443)
Additional Container Registries
Optional access to custom container registries for pulling private or organization-specific images.
Common registries (allow those you use):
https://index.docker.iohttps://registry-1.docker.iohttps://auth.docker.iohttps://ghcr.io- Your private registry URLs (HTTPS 443)
AWS Services
Replace <region> with your AWS region and <account-id> with your AWS Account ID.
Instance Metadata
EC2 instance configuration and metadata required for AWS service integration.
- Endpoint:
169.254.169.254 - Protocol: HTTP (80)
Regional APIs
AWS service communication for EC2 management, container registry access, and other AWS operations.
https://ec2.<region>.amazonaws.comhttps://<account-id>.dkr.ecr.<region>.amazonaws.comhttps://s3.<region>.amazonaws.comhttps://ssm.<region>.amazonaws.comhttps://sts.<region>.amazonaws.comhttps://dynamodb.<region>.amazonaws.comhttps://cloudformation.<region>.amazonaws.comhttps://secretsmanager.<region>.amazonaws.comhttps://logs.<region>.amazonaws.com(optional)https://elasticloadbalancing.<region>.amazonaws.com(Enterprise runners only)https://acm.<region>.amazonaws.com(Enterprise runners only)
AMI Requirements
Both Standard and Enterprise AWS runners require access to specific AMIs. If your AWS Organization restricts AMI access, ensure your AWS account can launch EC2 instances from these AMIs.
Required AMIs
| AMI Name | Owner Account ID | Owner | Purpose |
|---|---|---|---|
bottlerocket-aws-ecs-1-x86_64 | 149721548608 | Amazon | Runner service |
gitpod/images/gitpod-next/ec2-runner-ami-* | 995913728426 | Gitpod | Development environments |
Allowlisting Recommendations
Gitpod updates AMIs regularly as part of our continuous security and feature updates. We recommend allowing access by Owner Account ID rather than specific AMI ID when implementing allowlisting policies.
Why Use Owner Account ID
- Automatic updates: New AMI versions are automatically accessible without policy updates
- Security: Ensures you always have access to the latest security patches
- Maintenance: Reduces administrative overhead of managing specific AMI IDs
Implementation
When configuring your AWS Organization’s AMI access policies:
- Allow by Owner Account ID: Use the Owner Account IDs from the table above
- Include both accounts: Both Amazon (
149721548608) and Gitpod (995913728426) accounts are required - Test access: Verify your Runner deployment account can launch instances from these AMIs
Testing AMI Access
To verify AMI access is working correctly:
- Test AMI access by attempting to launch a test instance from the required AMIs in your target region
- Check deployment logs during Runner setup for any AMI access errors
- Monitor CloudFormation events for AMI-related failures during stack deployment
If you encounter AMI access issues during Runner deployment, contact your AWS administrator to review and update your organization’s AMI access policies.