Required Ports for Deployment

This documentation lists the ports in use by the Apcera platform as well as ports that would typically be in use by other processes when deployed.

All Machines

All machines within an Apcera cluster will be listening on the following ports:

  • 22 - SSH
  • 7778 - Orchestrator Agent
  • 8089 - Splunk Forwarder (optional, if the cluster is instrumenting Splunk)
  • 10050 - Zabbix Agent

Individual Cluster Processes

This section lists the ports we require for Apcera processes in the cluster.

NATS

  • 4222 - NATS client port
  • 4242 - NATS cluster port
  • 8222 - NATS http/debug port

Auth Server

  • 5678 - HTTP API port
  • Randomly chosen port is used for debugging

API Server

  • 8790 - HTTP API port
  • Randomly chosen port is used for debugging

Cluster Monitor

  • 6768 - HTTP API port
  • Randomly chosen port is used for debugging.

Metrics Manager

  • 6767 - HTTP API port
  • Randomly chosen port is used for debugging.

Package Manager

  • 8989 - HTTP API port
  • Randomly chosen port is used for debugging

Instance Manager

  • 8686 - HTTP API port
  • 4789/udp - For VXLAN virtual networks, GRE otherwise
  • Randomly chosen port is used for debugging

HTTP Router/Nginx

The nginx router will listen on different ports, depending on the cluster configuration and the infrastructure it is deployed to.

On AWS, the routers lie behind an Elastic Load Balancer, which will receive traffic on 80/443 typically and forward it to the routers on 8080/8181.

  • 8080 - Standard HTTP port
  • 8181 - HTTPS port
  • 8282 - Nginx status port, only queryable by localhost

On other clusters, it will often use the following ports:

  • 80 - Standard HTTP port
  • 443 - HTTPS port
  • 6104 - Outside of AWS, Riak is used for package persistence, and the router proxies requests to Riak
  • 8282 - Nginx status port, only queryable by localhost

IP Manager

  • 8787 - HTTP API port
  • Randomly chosen port is used for debugging

Job Manager

Job Manager will listen on two randomly chosen ports. One is for an HTTP API, which is automatically bound; however, the Job Manager doesn't have any handlers associated with it (no endpoints). The other is the standard component debug handler.

Cluster Monitor

Cluster Monitor will listen on two randomly chosen ports. One is for an HTTP API, which is automatically bound; however, the Cluster Monitor doesn't have any handlers associated with it (no endpoints). The other is the standard component debug handler.

Health Manager

Health Manager will listen on two randomly chosen ports. One is for an HTTP API, which is automatically bound; however, the Health Manager doesn't have any handlers associated with it (no endpoints). The other is the standard component debug handler.

Metrics Manager

Metrics Manager will listen on two randomly chosen ports. One is for an HTTP API, which is automatically bound; however, the Metrics Manager doesn't have any handlers associated with it (no endpoints). The other is the standard component debug handler.

Events Server

The Events Server uses port 8585 for the /healthz endpoint.

TCP Router

TCP Router will listen on two randomly chosen ports. One is for an HTTP API, which is automatically bound; however, the TCP Router doesn't have any handlers associated with it (no endpoints). The other is the standard component debug handler.

Cluster monitoring and management

  • Orchestrator
  • Zabbix-server
    • If IPsec is enabled, we make use of Zabbix traps, which are inbound 10051/tcp to the Zabbix server.
  • splunk-server

NFS Singleton

We open the following ports for the NFS singleton server: 32765, 32766, 32767, and 32768.

Container Processes

Several pieces of Apcera run as containers inside of a cluster. They listen on ports; however, they are in their own network namespace to avoid collisions with the host, and are not directly accessible from outside by the same port.

  • 5602 - Semantic Pipeline Update Port

File Server (NFS non-HA)

If you deploy a file server (NFS non-HA) it will open these ports to the other servers within the subnet.

  • 111 - NFS (rpcbind)
  • 2049 - NFS

File Server Cluster (NFS HA)

If you deploy a file server cluster (NFS HA) it will open these ports to the other servers within the subnet.

  • 49152 - GlusterFS

IPsec Server

If you enable IPsec, all components must have the following ports open:

  • 500/udp
  • 4500/udp

In addition, you must have the ESP(50) protocol and AH(51) protocol open.

Dependent Services

Apcera leverages a number of third-party applications for things like databases. The following is a list of ports used by non-Apcera owned processes:

  • 22 - SSH
  • 111 - NFS (rpcbind)
  • 2003 - Graphite's carbon process
  • 2004 - Graphite's carbon process
  • 2049 - NFS
  • 5432 - PostgreSQL
  • 6100-6106 Riak
    • 6100 Riak PB (ProtoBuf?) (default: 8087)
    • 6101 Riak HTTP (default: 8098)
    • 6102 Riak HTTPS (default: 9098)
    • 6103 Riak Cluster Manager (default: 9085)
    • 6107 Riak CS (default: 8080)
    • 6105 Riak Stanchion (default: 8085)
    • 6106 Riak CS Control (default: 8000)
  • 6379 - Redis
  • 7002 - Graphite's carbon process
  • 8082 - Nginx, which proxies requests to graphite
  • 8089 - Splunk Forwarder (optional, if the cluster is instrumenting Splunk)
  • 8126 - statsd
  • 10050 - Zabbix monitoring agent
  • 11211 - Memcached, used by graphite
  • 49152 - GlusterFS

Aggregated List

This is the aggregated list of ports that would typically be in use at the host level and seen when doing a port scan.

  • 22 - SSH
  • 80 - Apcera HTTP Router (non-AWS)
  • 111 - NFS (rpcbind)
  • 443 - Apcera HTTP Router (non-AWS)
  • 2003 - Graphite's carbon process
  • 2004 - Graphite's carbon process
  • 2049 - NFS
  • 32765, 32766, 32767, and 32768 - NFS singleton server
  • 4222 - NATS client port
  • 4242 - NATS cluster port
  • 5432 - PostgreSQL
  • 5678 - Apcera Auth Server
  • 6100-6106 Riak
    • 6100 Riak PB (ProtoBuf?) (default: 8087)
    • 6101 Riak HTTP (default: 8098)
    • 6102 Riak HTTPS (default: 9098)
    • 6103 Riak Cluster Manager (default: 9085)
    • 6104 - Apcera HTTP Router (when Riak is used)
    • 6107 Riak CS (default: 8080)
    • 6105 Riak Stanchion (default: 8085)
    • 6106 Riak CS Control (default: 8000)
  • 6379 - Redis
  • 7002 - Graphite's carbon process
  • 8080 - Apcera HTTP Router (AWS)
  • 8082 - Nginx, which proxies requests to graphite
  • 8089 - Splunk Forwarder (optional, if the cluster is instrumenting Splunk)
  • 8126 - statsd
  • 8181 - Apcera HTTP Router (AWS)
  • 8222 - NATS http/debug port
  • 8282 - Apcera HTTP Router
  • 8686 - Apcera Instance Manager
  • 8787 - Apcera IP Manager
  • 8790 - Apcera API Server
  • 8989 - Apcera Package Manager
  • 10050 - Zabbix monitoring agent
  • 11211 - Memcached, used by graphite
  • 49152 - GlusterFS
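
The aggregated list can serve as a baseline when reviewing what a host actually exposes. The following is an added example, not part of the Apcera documentation or tooling: it compares TCP listeners from `ss -H -tln` output against the ports listed on this page and reports non-loopback listeners that are undocumented, plus the nginx status port (8282) when it is bound to a non-loopback address. The sample `ss` output is constructed, and the function and constant names are hypothetical.

```python
# Added example: audit TCP listeners against the ports documented on this page.
# Ports come from "Aggregated List" plus "All Machines" (7778 appears only there).
DOCUMENTED = {22, 80, 111, 443, 2003, 2004, 2049, 4222, 4242, 5432, 5678,
              6379, 7002, 7778, 8080, 8082, 8089, 8126, 8181, 8222, 8282,
              8686, 8787, 8790, 8989, 10050, 11211, 49152}
DOCUMENTED |= set(range(6100, 6108))    # Riak entries, 6100 through 6107
DOCUMENTED |= set(range(32765, 32769))  # NFS singleton server
LOCAL_ONLY = {8282}  # documented as "only queryable by localhost"

# Constructed sample of `ss -H -tln` output (not from a real cluster).
SAMPLE = """\
LISTEN 0 128 0.0.0.0:22 0.0.0.0:*
LISTEN 0 128 0.0.0.0:4222 0.0.0.0:*
LISTEN 0 511 0.0.0.0:8282 0.0.0.0:*
LISTEN 0 128 127.0.0.1:6379 0.0.0.0:*
LISTEN 0 128 [::]:41873 [::]:*
LISTEN 0 128 127.0.0.1:39021 0.0.0.0:*
"""

def is_loopback(addr):
    """True for IPv4/IPv6 loopback addresses as printed by ss."""
    return addr.startswith("127.") or addr in ("[::1]", "::1")

def audit(ss_output):
    """Return (unexpected, exposed_local_only), each a sorted list of (addr, port)."""
    unexpected, exposed = set(), set()
    for line in ss_output.splitlines():
        fields = line.split()
        if len(fields) < 4 or fields[0] != "LISTEN":
            continue
        # Column 4 is the local address:port; split on the last colon for IPv6.
        addr, _, port = fields[3].rpartition(":")
        if not port.isdigit():
            continue
        port = int(port)
        if port in LOCAL_ONLY and not is_loopback(addr):
            exposed.add((addr, port))
        elif port not in DOCUMENTED and not is_loopback(addr):
            unexpected.add((addr, port))
    return sorted(unexpected), sorted(exposed)

if __name__ == "__main__":
    unexpected, exposed = audit(SAMPLE)
    for addr, port in unexpected:
        print(f"undocumented listener: {addr}:{port}")
    for addr, port in exposed:
        print(f"localhost-only port bound externally: {addr}:{port}")
```

Because several components bind randomly chosen debug ports, an undocumented listener is a candidate for review rather than proof of a problem; likewise, a non-loopback bind on 8282 means the localhost restriction should be confirmed in the nginx configuration.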