Allowed Hosts & Ports
Sender machine
The sender machine needs outbound access to the following hosts on port 443 (HTTPS):
| Host | Purpose |
|---|---|
| *.devtunnels.ms | Dev Tunnel relay — all tunnel traffic |
| global.rel.tunnels.api.visualstudio.com | Dev Tunnels management API |
| login.microsoftonline.com | Microsoft OAuth (Microsoft account login) |
| login.live.com | Microsoft personal account login |
| github.com | GitHub OAuth (GitHub account login) |
| aka.ms | Microsoft shortlinks (DevTunnel CLI installer redirect) |
| cdn.jsdelivr.net | Bootstrap 5, Bootstrap Icons, Alpine.js (sender web UI CDN) |
ℹ️ Info: *.devtunnels.ms is a wildcard — the tunnel URL is a unique subdomain generated per session (e.g. abc123.devtunnels.ms). Your firewall rule must allow all subdomains.
Receiver machine
The receiver machine needs outbound access to:
| Host | Purpose |
|---|---|
| *.devtunnels.ms | Dev Tunnel relay — all requests to the sender are proxied through here |
| cdn.jsdelivr.net | Bootstrap 5, Bootstrap Icons, Alpine.js (receiver web UI CDN) |
ℹ️ Info: The receiver does not need DevTunnels CLI installed, nor does it need to authenticate with Microsoft or GitHub. It only needs to reach the tunnel URL and load CDN assets.
Installation only
These hosts are only needed during tool installation (or DevTunnels CLI auto-install) and are not required at runtime:
| Host | Purpose |
|---|---|
| api.nuget.org | Download Garrard.CloudShare.Sender and Garrard.CloudShare.Receiver packages |
| aka.ms | Redirect for DevTunnels CLI installer script |
| github.com | DevTunnels CLI GitHub releases download |
| objects.githubusercontent.com | DevTunnels CLI binary download (GitHub CDN) |
CDN resources (exact URLs)
The following CDN resources are loaded by both UIs at runtime. If you need to allowlist specific paths rather than the full domain:
| Resource | URL |
|---|---|
| Bootstrap 5.3.3 CSS | https://cdn.jsdelivr.net/npm/bootstrap@5.3.3/dist/css/bootstrap.min.css |
| Bootstrap 5.3.3 JS | https://cdn.jsdelivr.net/npm/bootstrap@5.3.3/dist/js/bootstrap.bundle.min.js |
| Bootstrap Icons 1.11.3 | https://cdn.jsdelivr.net/npm/bootstrap-icons@1.11.3/font/bootstrap-icons.min.css |
| Alpine.js 3.x.x | https://cdn.jsdelivr.net/npm/alpinejs@3.x.x/dist/cdn.min.js |
All resources are loaded from cdn.jsdelivr.net over HTTPS.
Port summary
| Port | Protocol | Direction | Required by |
|---|---|---|---|
| 443 | HTTPS/TLS | Outbound | Both sender and receiver (all Dev Tunnel + CDN traffic) |
| 5000 | HTTP | Localhost only | Sender web UI (default, configurable with --port) |
| 5001 | HTTP | Localhost only | Receiver web UI (default, configurable with --port) |
No inbound ports need to be opened on either machine. Both tools only listen on localhost for the browser UI. All external connectivity is outbound-only through Dev Tunnels.
Air-gapped or restricted environments
If either machine cannot reach the CDN (cdn.jsdelivr.net), the web UI will load but will appear unstyled (no Bootstrap CSS or icons). The core functionality (sharing, receiving, hash verification) is unaffected — it is purely a visual degradation.
If the sender machine cannot reach *.devtunnels.ms or global.rel.tunnels.api.visualstudio.com, the tunnel cannot be created and the tool will not start. This is a hard requirement for the sender.
If the receiver machine cannot reach *.devtunnels.ms, it cannot connect to the sender and the tool will fail to start.
Checklist for restricted environments
- Sender outbound: *.devtunnels.ms:443 ✅ required
- Sender outbound: global.rel.tunnels.api.visualstudio.com:443 ✅ required
- Sender outbound: login.microsoftonline.com:443 or github.com:443 ✅ required (auth)
- Sender outbound: cdn.jsdelivr.net:443 ⚠️ optional (UI styling only)
- Receiver outbound: *.devtunnels.ms:443 ✅ required
- Receiver outbound: cdn.jsdelivr.net:443 ⚠️ optional (UI styling only)
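The wildcard rule is the easiest entry in this checklist to get wrong, because a loose suffix or substring match also admits names that are not subdomains of devtunnels.ms. The following is an added example, not part of the tool or its documentation: it encodes the runtime host tables above per role and audits egress entries against them. The tag strings, function names and sample entries are assumptions made for illustration.

```python
# Added example. Host lists are copied from the tables on this page;
# the tags, function names and SAMPLE entries are constructed for illustration.
ALLOW = {
    "sender": {
        "*.devtunnels.ms": "required",
        "global.rel.tunnels.api.visualstudio.com": "required",
        "login.microsoftonline.com": "auth",
        "login.live.com": "auth",
        "github.com": "auth",
        "aka.ms": "installer",
        "cdn.jsdelivr.net": "optional",
    },
    "receiver": {"*.devtunnels.ms": "required", "cdn.jsdelivr.net": "optional"},
}

def match(pattern, host):
    """Exact match, or for '*.suffix' a match on a DNS label boundary only."""
    host = host.lower().rstrip(".")
    if pattern.startswith("*."):
        suffix = pattern[1:]  # ".devtunnels.ms", leading dot kept on purpose
        return host.endswith(suffix) and len(host) > len(suffix)
    return host == pattern

def check(role, host, port):
    """Return the tag if this role may reach host:port outbound, else None."""
    if port != 443:  # the page requires outbound 443 only
        return None
    return next((t for p, t in ALLOW[role].items() if match(p, host)), None)

def audit(role, entries):
    """Split (host, port) egress entries into allowed and denied lists."""
    allowed, denied = [], []
    for host, port in entries:
        tag = check(role, host, port)
        (allowed if tag else denied).append((host, port, tag))
    return allowed, denied

SAMPLE = [  # constructed proxy-log entries, not real traffic
    ("abc123.devtunnels.ms", 443),       # per-session tunnel subdomain
    ("cdn.jsdelivr.net", 443),
    ("login.microsoftonline.com", 443),  # sender-only: receiver never authenticates
    ("devtunnels.ms.example.net", 443),  # suffix appears mid-name, must not match
    ("notdevtunnels.ms", 443),           # no label boundary, must not match
    ("abc123.devtunnels.ms", 80),        # wrong port
]

if __name__ == "__main__":
    allowed, denied = audit("receiver", SAMPLE)
    print("allowed:", allowed)
    print("denied: ", denied)
```

Running the same entries through both roles shows what a receiver-only rule set can omit: the login hosts are denied for the receiver and allowed for the sender.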