Phil, shouldn't it be easy to update the firewalls rules for the all the servers managed by RightScale automatically anytime RightScale adds or removes the servers? RightScale platform knows the IP addresses of the servers added or removed to the internal RightScale server pool and also has all the information to connect to all the managed servers to update the firewall rules. You guys already have the scale and infrastructure to run operational scripts for all servers under RightScale management. Why auto-scaling of Rightscale instances can’t be configured to automatically update the firewalls rules on all servers managed by RightScale? Other option is to limit access to the port to a predefined large enough range of Elastic IP pool for RightScale servers in the RightScale primary and DR site. Looks like we need to configure the firewall to allow transportation of RightAgent related packages. Without proper management of firewall rules from what you are describing it appear that for the RightAgent to work the communication port used by the RightAgent should be open for traffic in the firewall to be accessible from any IP address in the world!