Yes, its connected on cloud. In firewall we do not allow 'everything' through. We specify what ports and destinations the AP is allowed to connect too through firewall. I can specify in firewall a DNS entry and it will resolve the IPs dynamically into list even as they change. I was specifying just these two entries and allowing on TCP/443.
All devices worked fine. Lots of APs and SMs for months now. I do now have a CBRS AP that will lose connection to SAS after about a week. Does not seem to lose connection to cnMaestro Cloud though. Rebooting that AP resolves it. I found this entry in DNS cache.
I just added it to my list and then the CBRS AP reconnected to SAS immediately without reboot. I will need to wait a week or so to see if that fixes it. Anything else I need allow in firewall?