Celona Access Points, Cloud core and Celona Orchestrator must communicate over the existing enterprise LAN/WAN infrastructure to enable zero-touch provisioning and cloud-based management of the Private Wireless network. For seamless Day 0 & Day N operations of the Celona Private Wireless network, enterprise firewalls must be configured to allow specific discovery, management, provisioning, and troubleshooting functions.
Please refer to the following tables for detailed firewall configurations to allow communication between Celona AP, Cloud core, and Orchestrator.
4.1 Access Point & Internet
Allow outbound access from Celona Access Points to the following Celona Cloud endpoints:
URL | IP Address | Port | Protocol | Direction | Purpose |
 | 54.176.31.199 | 443 | TCP | Edge → Cloud | Celona Orchestrator — Discovery, configuration & reporting |
 | 54.177.198.17 | 443 | TCP | Edge → Cloud | Diagnostics and troubleshooting |
 | 35.190.147.229 | 500 | UDP | AP → Aerflex Cloud (US East) | IKE tunnel setup |
 | 35.190.147.229 | 4500 | UDP | AP → Aerflex Cloud (US East) | IPSec NAT traversal |
 | 34.106.171.201 | 500 | UDP | AP → Aerflex Cloud (US West) | IKE tunnel setup |
 | 34.106.171.201 | 4500 | UDP | AP → Aerflex Cloud (US West) | IPSec NAT traversal |
 | 34.175.36.148 | 500 | UDP | AP → Aerflex Cloud (Europe) | IKE tunnel setup |
 | 34.175.36.148 | 4500 | UDP | AP → Aerflex Cloud (Europe) | IPSec NAT traversal |
Note: Both port 500 (IKE) and 4500 (NAT-T) UDP must be open for each Aerflex Cloud region used in the deployment. Open only the region(s) applicable to your geography.
4.2 Access Point & Enterprise Network
Allow the following access between Celona Access Points and the enterprise network:
URL / IP Address | Port | Protocol | Direction | Purpose |
NTP server IP address | 123 | UDP | AP → Enterprise | Time synchronization. Configured via DHCP Option 42. |
DNS server IP address | 53 | UDP | AP → Enterprise | DNS resolution for Celona Cloud services. Configured via DHCP. |
PTP server IP address | 319 | UDP | AP ↔ Enterprise | PTP (Precision Time Protocol) time synchronization |
PTP server IP address | 320 | UDP | AP ↔ Enterprise | PTP time synchronization |
Not applicable | N/A | ICMP | AP ↔ Enterprise | Basic network troubleshooting |
4.3 End-Device and Internet for eSIM Provisioning
Allow outbound access from end-devices to the cloud hosting eSIM profiles:
URL / IP Address | Port | Protocol | Direction | Purpose |
 | 443 | TCP | Device → Internet | SMDP+ server that hosts eSIM profiles. Devices connect to this server to download their eSIM profile. |
4.4 AP Internal Subnet Restrictions
Do not use the following subnets in the enterprise network. They are reserved for the Aerflex dataplane and will cause routing conflicts if overlapping subnets exist on the LAN:
192.168.111.0/24
192.168.112.0/24
192.168.113.0/24
192.168.169.0/24
172.213.0.0/16
Subnet conflict warning: If any of these subnets overlap with existing enterprise subnets, contact Celona support before proceeding with the deployment.
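A pre-deployment check for the reserved-subnet rule above, as an added example (not Celona code): it compares a list of enterprise CIDRs against the five reserved ranges and reports each overlap, including supernets that contain a reserved range. The function name `find_conflicts` and the sample enterprise subnets are constructed for illustration.

```python
import ipaddress

# Reserved Aerflex dataplane subnets, copied from section 4.4 of this page.
RESERVED = [ipaddress.ip_network(n) for n in (
    "192.168.111.0/24", "192.168.112.0/24", "192.168.113.0/24",
    "192.168.169.0/24", "172.213.0.0/16",
)]

# Constructed sample input: stands in for an export of enterprise LAN subnets.
SAMPLE_ENTERPRISE = [
    "10.20.0.0/16",        # no overlap
    "192.168.0.0/16",      # supernet that swallows four reserved /24s
    "192.168.112.10/24",   # interface-style notation, same /24 as a reserved one
    "172.213.40.0/22",     # carved out of the reserved /16
    "192.168.110.0/24",    # adjacent to a reserved /24 but not overlapping
    "not-a-subnet",        # malformed entry
]


def find_conflicts(enterprise_subnets):
    """Return (conflicts, invalid).

    conflicts: (enterprise_cidr, reserved_cidr, relation) tuples
    invalid:   entries that do not parse as a CIDR
    """
    conflicts, invalid = [], []
    for raw in enterprise_subnets:
        entry = raw.strip()
        try:
            # strict=False normalises host addresses such as 10.1.2.3/24
            net = ipaddress.ip_network(entry, strict=False)
        except ValueError:
            invalid.append(entry)
            continue
        for reserved in RESERVED:
            if net.version != reserved.version or not net.overlaps(reserved):
                continue
            if net == reserved:
                relation = "identical"
            elif net.supernet_of(reserved):
                relation = "contains reserved"
            else:
                relation = "inside reserved"
            conflicts.append((str(net), str(reserved), relation))
    return conflicts, invalid


if __name__ == "__main__":
    found, bad = find_conflicts(SAMPLE_ENTERPRISE)
    for ent, res, rel in found:
        print(f"CONFLICT {ent} vs {res} ({rel})")
    for entry in bad:
        print(f"UNPARSED {entry}")
```

Unparsed entries are returned separately so a malformed line in the subnet export is reviewed by hand instead of being silently treated as conflict-free.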
Direction Key
Edge → Cloud: Outbound from Access Point to Celona Cloud
AP → Enterprise: Outbound from Access Point to enterprise network
AP ↔ Enterprise: Bidirectional between Access Point and enterprise network
Device → Internet: Outbound from 5G user device to internet
