For AI agents: a documentation index is available at the root level at /llms.txt and /llms-full.txt. Append /llms.txt to any URL for a page-level index, or .md for the markdown version of any page.
      • AstroFully-managed data operations, powered by Apache Airflow.
      • Astro Private CloudRun Airflow-as-a-service in your environment.
      • Professional ServicesExpert Airflow services for your enterprise's success.
    • Tools
      • Cosmos
      • Orbiter
      • CLI
      • AI SDK
      • Agents
      • Blueprint
      • UpdatesThe State of Airflow 2026See the insights from over 5,800 data practitioners in the full report. Download Now ➔
  • Customers
  • Docs
    • Insights
      • Blog
      • Webinars
      • Resource Library
      • Events
    • Education
      • Academy
      • What is Airflow?
  • Pricing
Get Started Free
    • Overview
      • User roles and permissions
      • System components
      • Helm chart configuration reference
      • Support
      • Version compatibility reference
      • Release and lifecycle policy
      • FAQ
      • Astro CLI command reference
    • Book Office Hours

Product

  • Platform Overview
  • Astro
  • Astro Observe
  • Astro Private Cloud
  • Security & Trust
  • Pricing

Tools & Services

  • Cosmos
  • Docs
  • Professional Services
  • Product Updates

Use Cases

  • AI Ops
  • Data Observability
  • ETL/ELT
  • ML Ops
  • Operational Analytics
  • All Use Cases

Industries

  • Financial Services
  • Gaming
  • Retail
  • Manufacturing
  • Healthcare
  • All Industries

Resources

  • Academy
  • eBooks & Guides
  • Blog
  • Webinars
  • Events
  • The Data Flowcast Podcast
  • All Resources

Airflow

  • What is Airflow
  • Airflow on Astro
  • Airflow 3.0
  • Airflow Upgrades
  • Airflow Use Cases
  • Airflow 2.x End of Life

Company

  • Our Story
  • Customers
  • Newsroom
  • Careers
  • Contact

Support

  • Knowledge Base
  • Status
  • Contact Support
GitHubYouTubeLinkedInx
  • Legal
  • Privacy
  • Terms of Service
  • Consent Preferences

  • Do Not Sell or Share My Personal information
  • Limit the Use Of My Sensitive Personal Information

Apache Airflow®, Airflow, and the Airflow logo are trademarks of the Apache Software Foundation. Copyright © Astronomer 2026. All rights reserved.

LogoLogo
On this page
  • Networking
  • Do ports or services need to be configured when installing Astronomer Software? Do I need to provide an IP address?
  • Does Astronomer accept inbound connections? Do those connections have to be secured or is that something we need to configure?
  • Will Astronomer suffer any ill effects if it has to operate in a sandbox or behind a firewall?
  • Are there known external connections required to operate Astronomer? Are there specs on what expected inbound/outbound traffic patterns will look like?
  • Are there known domains which Astronomer connects to?
  • Docker
  • What are the components of the Astronomer platform, with their respective Docker image versions?
  • System-level access requirements
  • Does the platform need root access to the Kubernetes cluster?
  • How can we restrict the application from getting full access?
  • Are there separate credentials or accesses that Astronomer provisions?
  • Deployment
  • What scripts are used for deployment?
  • Authentication
  • How can we get multi-factor auth?
  • How can implement RBAC with this solution?
  • Continuous vulnerability assessment and remediation
  • If the platform is scanned by a vulnerability scanner, virus scanners, will there be any ill effects that we need to be aware of?
  • Malware defenses
  • How does Astronomer handle malformed or otherwise unexpected input?
  • User sessions
  • Does Astronomer allow for encrypted sessions?
  • Is there a session limitation?
  • How can we turn on SSL and use our own CA?
  • External monitoring
  • Does the platform produce event logs that we could consume in our monitoring systems?
  • Does Astronomer generate any email-based traffic/alerts?
  • Restricting access
  • Can we restrict the web UI to access from the internet?
  • Auditing
  • What level of auditing is natively available? What logs/audit artifacts are produced?
  • What kind of management is available for security logs?
  • How do we manage application and system logs?
  • Updating
  • How are security updates handled on Astronomer? How are users notified of a critical update?
  • How does patching work for this setup?
Reference

Astronomer Software FAQ

Edit this page
Built with

Networking

Do ports or services need to be configured when installing Astronomer Software? Do I need to provide an IP address?

Yes. You must provide an IP for the NAT gateway to access the Astronomer and Airflow user interfaces, and also to interact with the platform with the astro-cli tool. Reviewing our Terraform scripts and installation guides are helpful to better understand this requirement.

Does Astronomer accept inbound connections? Do those connections have to be secured or is that something we need to configure?

Yes. Inbound traffic routes through the NAT gateway. TLS is utilized throughout, and is configured automatically with our setup scripts.

Will Astronomer suffer any ill effects if it has to operate in a sandbox or behind a firewall?

Yes. The commander component would require a special build if operating in an air-gapped environment.

Are there known external connections required to operate Astronomer? Are there specs on what expected inbound/outbound traffic patterns will look like?

Yes. Connecting to your data and data systems require networking outside of the Kubernetes cluster that Airflow is running within. These connections can be made either through the public internet or through private networking that you have configured.

Are there known domains which Astronomer connects to?

Yes. Airflow deployments check for updates and security fixes to updates.astronomer.io. This feature is effectively disabled in air-gapped deployments.

Beyond that, the platform does not need to connect to outside domains for routine execution of the platform. External connections are only required by Airflow in the execution of specific workflows.

Docker

What are the components of the Astronomer platform, with their respective Docker image versions?

You can find a list of all components used by the platform in the Astronomer Platform - Docker images Google Sheet.

System-level access requirements

Does the platform need root access to the Kubernetes cluster?

No. Astronomer makes use of Kubernetes cluster-level features (including K8s RBAC) by design. These features include creating / deleting namespaces, daemonsets, roles, cluster-roles, service-accounts, resource-quotas, limit-ranges, etc. Additionally, Astronomer dynamically creates new airflow instances in separate namespaces, which protects data engineer users from noisy neighbors.

  • Roles
    • Houston
    • NGINX
    • Commander
    • Fluentd
    • Prometheus
    • Grafana
    • Kubestate

How can we restrict the application from getting full access?

Astronomer defines the required Roles or ClusterRoles. The default mode requires a ClusterRole that has access to create namespaces and other objects for new Airflow deployments.

Are there separate credentials or accesses that Astronomer provisions?

No. Review the Astronomer Helm chart repo to learn more about Astronomer Software default configurations.

Deployment

What scripts are used for deployment?

The default method for installing and upgrading Astronomer Software is using the Astronomer Helm chart located at https://helm.astronomer.io. See the Astronomer Software installation guide for comprehensive instructions showing how to set up a full installation and Upgrade Astronomer.

Authentication

How can we get multi-factor auth?

Astronomer provides an authentication front end with pre-built integrations for Google Auth, Okta, Auth0, and others.

How can implement RBAC with this solution?

Astronomer has built-in Airflow RBAC support.

Continuous vulnerability assessment and remediation

If the platform is scanned by a vulnerability scanner, virus scanners, will there be any ill effects that we need to be aware of?

No. Astronomer continuously scans all code and Docker images with vulnerability assessment software. Issues can occur when your software blocks critical pods from launching.

Malware defenses

How does Astronomer handle malformed or otherwise unexpected input?

The Astronomer and Airflow UIs sanitize and verify inputs according to modern standards.

User sessions

Does Astronomer allow for encrypted sessions?

Yes. The Transport Layer Security (TLS) encryption protocol is configured automatically with Astronomer setup scripts.

Is there a session limitation?

Yes. Sessions are terminated after 24 hours of inactivity for both Astronomer Software and CLI by default.

How can we turn on SSL and use our own CA?

Astronomer Software uses the Secure Sockets Layer (SSL) encryption protocol by default. During installation, you must provide either a wildcard certificate or a certificate for the following domains:

  • BASEDOMAIN
  • app.BASEDOMAIN
  • deployments.BASEDOMAIN
  • registry.BASEDOMAIN
  • houston.BASEDOMAIN
  • grafana.BASEDOMAIN
  • kibana.BASEDOMAIN
  • install.BASEDOMAIN
  • alertmanager.BASEDOMAIN
  • prometheus.BASEDOMAIN

External monitoring

Does the platform produce event logs that we could consume in our monitoring systems?

Yes. All logs are sent to ElasticSearch through FluentD by default. You can customize the FluentD configuration to send logs to other destinations, or route logs from Elasticsearch to your monitoring systems.

Does Astronomer generate any email-based traffic/alerts?

Yes. Airflow supports email alerting features for DAG failures, and Astronomer supports email alerting for infrastructure issues.

Restricting access

Can we restrict the web UI to access from the internet?

The platform API and web UI are served over a single highly available AWS load balancer. By using an internal load balancer, the entire platform will only be accessible in a private network.

Auditing

What level of auditing is natively available? What logs/audit artifacts are produced?

Logs from each Astronomer service are accessible to you through your cloud provider. Astronomer does not generate audit logs for the Astronomer platform.

What kind of management is available for security logs?

All platform components and Airflow deployment logs are retained within the platform’s logging stack for 15 days. This is useful for searching recent logs using the Kibana interface to ElasticSearch. For log backup to comply with policy, container stdout and stderr logs may also be collected in AWS CloudWatch and can be persisted according to your CloudWatch logs retention policy. For AWS API security and auditing, Astronomer recommends enabling AWS CloudTrail.

How do we manage application and system logs?

Astronomer’s Software offering has a robust logging structure sitting atop Airflow. See Kibana logging on Astronomer Software.

Updating

How are security updates handled on Astronomer? How are users notified of a critical update?

You can upgrade your Airflow Deployments separately from your platform upgrades. Astronomer recommends updating your Deployment’s Airflow versions and the platform frequently so that your organization is always using a supported version. See Astronomer Software and lifecycle policy.

How does patching work for this setup?

Kubernetes and node upgrades are typically managed by your organization. Platform version upgrades are performed with Helm and with the assistance of Astronomer support when required. See Upgrade Astronomer.