Private Networking with SGA (AHV)

Customers using Nutanix AHV infrastructure can create a Frame account using Customer-managed networking, Private Networking with Streaming Gateway Appliance (SGA) so users can access the Frame workload VMs through the public IP address of the SGA VM. The Internet-accessible SGA VM serves as a reverse proxy for Frame sessions between the end users and their Frame workload VMs in the private network. The Frame workload VMs only have private IP addresses. Customers will also need to ensure these workload VMs, Cloud Connector Appliances (CCAs), and Streaming Gateway Appliances (SGAs) can communicate to the Frame control plane on the Internet.

If a customer requires an outbound proxy server for any communication to the Internet, the outbound proxy server must support both HTTPS and Secure WebSocket (WSS) in order for the Frame Guest Agent (FGA), CCAs, and SGAs to establish HTTPS and WSS connections to Frame Platform.

To ensure proper network communication to the Frame Platform there are two Backends available depending on which one should be used for the connection for services and VMs please refer to the corresponding networking requirements:
USE (located in the United states- Location AWS us-east-1Virginia)
DEU ( located in European Union - Location AWS eu-central-1 Frankfurt)

FRP8 Networking (SGA 4)

FRP8 is a udp-based protocol for all communication between the end user and the Frame workload VMs.

Nutanix AHV - Private Networking with SGA (FRP8)

The following table describes the required protocols and ports for Frame accounts using Private Networking with SGA 4 and FRP8.

Dizzion is in the process of migrating from *.nutanix.com to *.difr.com domain. For the
time being, the additional difr.com domains will need to be whitelisted in addition to the
existing nutanix.com domains. At a later time, once Dizzion has confirmed there is no
dependencies on the nutanix.com domains, we will send out a communication notifying
customers that all nutanix.com domains can be safely removed from your whitelist
configurations.

IMPORTANT: For IMG Domains, Customers can whitelist new IMG difr domains but
should NOT change SAML 2 configurations to use new difr.com domains. SAML 2
configurations should continue to use img.console.nutanix.com and
img.frame.nutanix.com until further direction from Dizzion

USE: Nutanix AHV - Private Networking with Streaming Gateway 4

Source to Destination	Source IP address	Destination FQDN(s)	Protocol/port
Cloud Connector Appliance (CCA) to Frame Platform	Public IP address	use.difr.com api.use.difr.com console.nutanix.com cpanel-backend.console.nutanix.com gateway-external-api.console.nutanix.com	tcp/443 (HTTPS)
Cloud Connector Appliance (CCA) to Frame Platform	Public IP address	hub.use.difr.com cch.console.nutanix.com	tcp/443 (HTTPS, WSS)
Prism Central to Frame Platform	Public IP address	downloads.difr.com downloads.console.nutanix.com	tcp/443 (HTTPS)
CCA to Prism Central	Private IP address	Prism Central IP address	tcp/443 (HTTPS)
Workload VMs to Frame Platform	Public IP address	api.use.difr.com hub.deu.difr.com logging.use.difr.com downloads.difr.com download.visualstudio.microsoft.com gateway-external-api-prod.frame.nutanix.com downloads.console.nutanix.com logging.console.nutanix.com cch.console.nutanix.com download.visualstudio.microsoft.com	tcp/443 (HTTPS)
Workload VMs to Frame Platform	Public IP address	hub.use.difr.com logging.use.difr.com api.use.difr.com cch.console.nutanix.com logging.console.nutanix.com messaging.console.nutanix.com	tcp/443 (HTTPS, WSS)
End user to Frame Platform	Public IP address	use.difr.com api.use.difr.com img.use.difr.com assets. use.difr.com login.use.difr.com logging.use.difr.com downloads.difr.com console.nutanix.com img.frame.nutanix.com img.console.nutanix.com cpanel-backend.console.nutanix.com terminal-prod.frame.nutanix.com logging.console.nutanix.com login.console.nutanix.com (for Frame IdP, if used)	tcp/443 (HTTPS)
End user to Frame Platform	Public IP address	api.use.difr.com messaging.console.nutanix.com	tcp/443 (HTTPS, WSS)
SGA VMs to Frame Platform	Public IP address	hub.use.difr.com cch.console.nutanix.com ntp.ubuntu.com api.snapcraft.io (Canonical Snapcraft)	tcp/443 (HTTPS, WSS)
End user to SGA VM	Public IP address	SGA VM-specific public IP address	udp/3478 and tcp/3478
SGA VM to End user	Public IP address	End user-specific public IP address	udp/49152–65535
SGA VM to Workload VM	Private IP address	Dynamic private IP address within VPC/VNET	udp/4503–4509
Workload VM to SGA VM	Private IP address	SGA VM-specific private IP address	udp/49152–65535

FRP8 Networking (SGA 4)

The following table lists the required protocols and ports for Frame accounts using Private Networking with SGA 4 and FRP8, specifically for organizations electing to use Dizzion's EU control plane.

DEU: Nutanix AHV - Private Networking with Streaming Gateway 4

Source to Destination	Source IP address	Destination FQDN(s)	Protocol/port
Cloud Connector Appliance (CCA) to Frame Platform	Public IP address	deu.difr.com api.deu.difr.com	tcp/443 (HTTPS)
Cloud Connector Appliance (CCA) to Frame Platform	Public IP address	hub.deu.difr.com	tcp/443 (HTTPS, WSS)
Prism Central to Frame Platform (not required starting with PC 2023.4)	Public IP address	downloads.difr.com	tcp/443 (HTTPS)
Workload VMs to Frame Platform	Public IP address	api.deu.difr.com hub.deu.difr.com logging.deu.difr.com downloads.difr.com download.visualstudio.microsoft.com	tcp/443 (HTTPS)
Workload VMs to Frame Platform	Public IP address	hub.deu.difr.com logging.deu.difr.com api.deu.difr.com	tcp/443 (HTTPS, WSS)
End user to Frame Platform	Public IP address	deu.difr.com api.deu.difr.com img. deu.difr.com assets. deu.difr.com login. deu.difr.com logging. deu.difr.com downloads.difr.com	tcp/443 (HTTPS)
End user to Frame Platform	Public IP address	api.deu.difr.com	tcp/443 (HTTPS, WSS)
SGA VMs to Frame Platform	Public IP address	hub.use.difr.com ntp.ubuntu.com api.snapcraft.io (Canonical Snapcraft)	tcp/443 (HTTPS, WSS)
End user to SGA VM	Public IP address	SGA VM-specific public IP address	udp/3478 and tcp/3478
SGA VM to End user	Public IP address	End user-specific public IP address	udp/49152–65535
SGA VM to Workload VM	Private IP address	Dynamic private IP address within VPC/VNET	udp/4503–4509
Workload VM to SGA VM	Private IP address	SGA VM-specific private IP address	udp/49152–65535

Hierarchy

Account Types

Deployment Planning

Operating Systems and Applications

Application Licensing

Microsoft Licensing Guide for Frame

Infrastructure

Cost Management

DaaS Supported Instance Types

Cloud Accounts

Bring Your Own

Amazon Web Services

Microsoft Azure

Google Cloud Platform

IBM Cloud

Nutanix AHV

Amazon Workspaces Core (WSC) Managed Instances (Early Access)

GCP Sole-Tenant Nodes - Windows 11 on GCP

Infrastructure

Cloud Accounts

Amazon Web Services (AWS) Workspaces Core

IBM Cloud VPC

Networking

Requirements

Public Networking (Public Cloud)

Private Networking (Public Cloud)

Private Networking with SGA (Public Cloud)

Private Networking (AHV)

Private Networking with SGA (AHV)

VPN Configurations

Streaming Gateway Appliance

SGA 4

SGA 4 Installation

SGA 4 Upgrade

SGA 4 Management

Operating System

Bring Your Own

Linux

Windows

Frame Agent Setup Tool (FAST)

BYO Images on Amazon Web Services

BYO Images on Microsoft Azure

BYO Images on Google Cloud Platform

BYO Images on IBM Cloud

BYO Images on Nutanix AHV

Available Roles

Identity Provider Integrations

Authentication

Basic Authentication

Authorization

Dizzion C3

General SAML2 Integration

Duo

Google Workspace

Microsoft Entra ID

ADFS

Okta

Mass User Creation

Secure Anonymous Tokens

Account Creation

Settings

Organizations

Support Authorization

Administration

Launchpads

Bring-Your-Own Workloads (Early Access)

Sandbox

Install and Onboard Apps

Publishing

Updates

Domain

Domain Controller Prep

AWS IAM Permissions

Azure DNS Configuration

Domain Join Setup

Frame Single Sign-On

Stale AD Object Cleanup

Linux with Windows AD LDAP

Nutanix AHV

Azure