Data Center Locations

The Coinbase Derivatives trading platform currently operates out of two locations: Chicago, Illinois and Secaucus, New Jersey. Production: Equinix CH4 Data Center
Address: 350 E Cermak, Chicago, Illinois, 60616 DR/Integration: Equinix NY5 Data Center
Address: 800 Secaucus Road, Secaucus, New Jersey, 07094 Internet connectivity is hosted via AWS.

Environments

Coinbase Derivatives operates the following environments:
  • Production
  • Disaster Recovery (DR)
  • Integration (Production Parallel / UAT environment)

Connectivity Protocols

TypeProtocolIntegration Internet ConnectionProduction Internet ConnectionLinks
Order EntryFIX 4.4AvailableAvailableFIX Order Entry
Market DataFIX 4.4AvailableAvailableFIX Market Data
Order EntrySBEAvailableCross Connect OnlySBE Order Entry
Market DataUDPCross Connect OnlyCross Connect OnlyUDP Market Data
Drop CopyFIX 4.4AvailableAvailableFIX Drop Copy
REST GatewayHTTPSAvailableAvailableREST API
See the Runbook for information on the FIX API gateways.

Coinbase Derivatives Points of Presence

EnvironmentPhysical LocationTypes of Connectivity available
ProductionEquinix CH4Cross Connect, AWS PrivateLink, Internet.
Disaster RecoveryEquinix NY5Cross Connect, AWS PrivateLink, Internet.
IntegrationEquinix NY5Cross Connect, AWS PrivateLink, Internet.

Connectivity via Cross Connect

Coinbase Derivatives Exchange (CDE) participants can establish cross-connects in the facilities detailed under CDE Locations.
Multicast connection using the BGP routing protocol with PIM

How to Connect

  1. Contact the CDE team about establishing a private co-located fiber connection.
    The CDE team will: a. Issue a letter of authorization (LOA) allowing you, the participant, to connect into CDE equipment.
    Redundant Connections Each fiber connects to physical equipment that is completely redundant from the other connections.
    b. Assign 2 IP address per side:
    • 1 address range for BGP peering.
    • 1 address range for connecting to CDE that is advertised by the participant.
    c. Assign a private ASN for BGP peering. Participants can use a public ASN as long as it is owned by them.
  2. Configure BGP with all parameters provided by CDE.
  3. Optionally, configure PIM and RP addresses to receive multicast market data. RP Addresses for each connection are provided by CDE.

Connectivity via Internet

Clients may connect to select Coinbase Derivatives APIs via the internet. This solution is recommended for testing or non-latency sensitive systems. Please note that Coinbase Derivatives only accepts SSL/TLS1 encrypted connections for internet-based connections. See IP Addressing section for target host names. Clients are encouraged to whitelist both Production and DR public addresses on their firewalls.

SSL/TLS Details

  • Preferred: TLSv1.2 128 bits ECDHE-RSA-AES128-GCM-SHA256 Curve P-256 DHE 256
  • Accepted: TLSv1.2 128 bits ECDHE-RSA-AES128-SHA256 Curve P-256 DHE 256
  • Accepted: TLSv1.2 256 bits ECDHE-RSA-AES256-GCM-SHA384 Curve P-256 DHE 256
  • Accepted: TLSv1.2 256 bits ECDHE-RSA-AES256-SHA384 Curve P-256 DHE 256
  • Accepted: TLSv1.2 128 bits AES128-GCM-SHA256
  • Accepted: TLSv1.2 128 bits AES128-SHA256
  • Accepted: TLSv1.2 256 bits AES256-GCM-SHA384
  • Accepted: TLSv1.2 256 bits AES256-SHA256
Clients may connect to Coinbase Derivatives Exchange via AWS PrivateLink. This allows for some of the benefits of private connectivity without having to cross connect directly in the datacenter. Private connectivity via AWS PrivateLink offers reduced latency and a more stable connection when compared to the Public Internet. It should be noted that for the lowest latency and most stable connection possible, Colocation Cross Connects are still recommended. Each PrivateLink has multiple availability zones and regions that are supported. However, for the most optimal results using the primary region and availability zone is recommended.
To configure PrivateLink, send your AWS Account ID to derivatives@coinbase.com so that it may be authorized. Once authorized, you’ll see the service name in your console.
These endpoints support the following services:
  • FIX Marketdata
  • FIX Orders
  • FIX Drop Copy
  • SBE Orders (Integration)
These endpoints do not currently support private DNS functionality.
Refer to the service names and supported availability zones below for each environment:

Production Connectivity

  • PrivateLink offering in AWS Region US-EAST-2 and US-EAST-1
  • Service Name: com.amazonaws.vpce.us-east-2.vpce-svc-01bf36c2a63eaf006
  • Availability Zones supported:
    • az1 (Recommended)
    • az2 (Recommended)
    • az3

Disaster Recovery Connectivity

  • PrivateLink offering in AWS Region US-EAST-1 and US-EAST-2
  • Service Name: com.amazonaws.vpce.us-east-1.vpce-svc-0051aaaf1479eae00
  • Availability Zones supported:
    • az2 (Recommended)
    • az4
    • az6

Integration Connectivity

  • PrivateLink offering in AWS Region US-EAST-1 and US-EAST-2
  • Service Name: com.amazonaws.vpce.us-east-1.vpce-svc-0766c510bc2c236a8
  • Availability Zones supported:
    • az1
    • az4 (Recommended)
    • az6 (Recommended)
These endpoints support the following services:
  • REST API
These endpoints support private DNS functionality. Refer to the environment details below for the exact DNS names.
Refer to the service names and supported availability zones below for each environment:

Production Connectivity

  • PrivateLink offering in AWS Region US-EAST-2 and US-EAST-1
  • Service Name: com.amazonaws.vpce.us-east-2.vpce-svc-0c5e0f74520c6fc4e
  • Availability Zones supported:
    • az1 (Recommended)
    • az2 (Recommended)
    • az3
  • DNS Name: api.exchange.fairx.net

Disaster Recovery Connectivity

  • PrivateLink offering in AWS Region US-EAST-1 and US-EAST-2
  • Service Name: com.amazonaws.vpce.us-east-1.vpce-svc-00581f836e5178638
  • Availability Zones supported:
    • az2 (Recommended)
    • az4
    • az6
  • DNS Name: api.exchange-dr.fairx.net

Integration Connectivity

  • PrivateLink offering in AWS Region US-EAST-1 and US-EAST-2
  • Service Name: com.amazonaws.vpce.us-east-1.vpce-svc-0ca0bc38a677c27a2
  • Availability Zones supported:
    • az1
    • az4 (Recommended)
    • az6 (Recommended)
  • DNS Name: api.integration.fairx.net
To provision a PrivateLink to Coinbase Derivatives Exchange using the AWS Console, follow these steps:
  1. Navigate to VPC > Endpoints
  2. Click ‘Create Endpoint’
  3. Select ‘Endpoint Services that use NLBs and GWLBs’ under Type
    • Enter the PrivateLink service name provided by Coinbase Derivatives (see above for service names) into Service Name field.
    • If using cross region connectivity check ‘Enable Cross Region Endpoint’ and select the region of the endpoint.
  4. Choose your VPC, subnets, and security groups
    • Select the VPC you want to use, then choose the appropriate subnets and security groups for your environment.
  5. Enable Private DNS (optional)
  • If you want to use private DNS records added to your VPC, check the ‘Enable DNS name’ (see above for service support).
  1. Review and create the endpoint
    • Review your selections and click “Create endpoint” to finish.
After provisioning, test connectivity to the endpoint and ensure your security group rules allow traffic to the required ports and protocols.

Networks

Cross Connect Unicast Networks

EnvironmentA Feed SubnetB Feed Subnet
Production208.52.130.0/27208.52.130.32/27
Disaster Recovery208.52.130.64/27208.52.130.96/27
Integration208.52.130.128/27208.52.130.160/27

Cross Connect Multicast Networks

EnvironmentA Feed SubnetB Feed Subnet
Production233.246.250.0/27233.246.250.32/27
Disaster Recovery233.246.250.64/27233.246.250.96/27
Integration233.246.250.128/27233.246.250.160/27

Cross Connect Multicast RPs

EnvironmentA Feed RPB Feed RP
Production208.52.130.16208.52.130.48
Disaster Recovery208.52.130.80208.52.130.112
Integration208.52.130.144208.52.130.176

IP Addressing

Production

Unicast (TCP)

ServiceA FeedB FeedInternet Host NamePort
SBE Order208.52.130.17208.52.130.49N/A6210
FIX Market Data208.52.130.18208.52.130.50fix-marketdata.exchange.fairx.net6120
FIX Order208.52.130.20208.52.130.52fix-orders.exchange.fairx.net6110
FIX Drop Copy208.52.130.23208.52.130.55fix-drop-copy.exchange.fairx.net6130

Unicast (UDP)

ServiceA FeedB FeedPort
SBE Market Data Retransmit Equity208.52.130.19208.52.130.516220
SBE Market Data Retransmit Non-Equity208.52.130.19208.52.130.516221

Multicast

ServiceA FeedB FeedPort
SBE Market Data Incremental Equity233.246.250.17233.246.250.396222
SBE Market Data Snapshot Equity233.246.250.18233.246.250.406224
SBE Market Data Incremental Non-Equity233.246.250.19233.246.250.416223
SBE Market Data Snapshot Non-Equity233.246.250.20233.246.250.426225

Disaster Recovery

Unicast (TCP)

ServiceA FeedB FeedInternet Host NamePort
SBE Order208.52.130.81208.52.130.113N/A6210
FIX Market Data208.52.130.82208.52.130.114fix-marketdata.exchange-dr.fairx.net6120
FIX Order208.52.130.84208.52.130.116fix-orders.exchange-dr.fairx.net6110
FIX Drop Copy208.52.130.87208.52.130.119fix-drop-copy.exchange-dr.fairx.net6130

Unicast (UDP)

ServiceA FeedB FeedPort
SBE Market Data Retransmit Equity208.52.130.83208.52.130.1156220
SBE Market Data Retransmit Non-Equity208.52.130.83208.52.130.1156221

Multicast

ServiceA FeedB FeedPort
SBE Market Data Incremental Equity233.246.250.81233.246.250.1036222
SBE Market Data Snapshot Equity233.246.250.82233.246.250.1046224
SBE Market Data Incremental Non-Equity233.246.250.83233.246.250.1056223
SBE Market Data Snapshot Non-Equity233.246.250.84233.246.250.1066225

Integration

Unicast (TCP)

ServiceA FeedB FeedInternet Host NamePort
SBE Order208.52.130.135208.52.130.167sbe-orders.integration.fairx.net5210
FIX Market Data208.52.130.136208.52.130.168fix-marketdata.integration.fairx.net5120
FIX Order208.52.130.138208.52.130.170fix-orders.integration.fairx.net5110
FIX Drop CopyN/AN/Afix-drop-copy.integration.fairx.net6130

Unicast (UDP)

ServiceA FeedB FeedPort
SBE Market Data Retransmit Equity208.52.130.137208.52.130.1695220
SBE Market Data Retransmit Non-Equity208.52.130.137208.52.130.1695221

Multicast

ServiceA FeedB FeedPort
SBE Market Data Incremental Equity233.246.250.135233.246.250.1675222
SBE Market Data Snapshot Equity233.246.250.136233.246.250.1685224
SBE Market Data Incremental Non-Equity233.246.250.137233.246.250.1695223
SBE Market Data Snapshot Non-Equity233.246.250.138233.246.250.1705225
When connecting over the internet or AWS PrivateLink, participants can target a specific feed (A or B) by adjusting the port number:
  • Aggregate: The port listed in the tables refers to the aggregate port, which will load balance traffic across all available feeds.
  • A Feed: Use the aggregate(base) port +1
  • B Feed: Use the aggregate(base) port +2
For example, if the aggregate port is 6110:
  • Use 6111 to target the A Feed directly.
  • Use 6112 to target the B Feed directly.
This allows participants to explicitly select which feed to connect to when required.
The following services are not currently supported for this functionality.
Integration: SBE Order
Disaster Recovery: FIX Drop Copy

UDP Multicast Market Data Channel IDs

Product GroupChannel ID
Equities0xaf31
Non Equities0xaf32