-
Language:
English
-
Language:
English
5.2. Network Access
The components of an OpenShift Enterprise deployment require network access to connect with one another. The deployment methods described in this guide set up a basic
iptables firewall configuration by default to enable network access. If your environment requires a custom or external firewall solution, the configuration must accommodate the port requirements of OpenShift Enterprise.
5.2.1. Custom and External Firewalls
If you use a custom firewall configuration, consult the following table for details on the ports to which OpenShift Enterprise components require access. The table includes all ports with external interfaces or connections between hosts. It does not include the loopback interface. Some ports are optional depending on your OpenShift Enterprise configuration and usage.
Application developers and application users require access to ports marked
public in the Direction column. Ensure the firewall exposes these ports publicly.
Further details on configuring an external firewall solution for use with OpenShift Enterprise are beyond the scope of this guide. Consult your network administrator for more information.
Table 5.1. Required Ports for OpenShift Enterprise
| Host | Port | Protocol | Direction | Use |
|---|---|---|---|---|
| All | 22 | TCP | Inbound internal network | Remote administration. |
| All | 53 | TCP/UDP | Outbound to nameserver | Name resolution. |
| Broker | 22 | TCP | Outbound to node hosts | rsync access to gears for moving gears between nodes. |
| Broker | 80 | TCP | Inbound public traffic |
HTTP access. HTTP requests to port 80 are redirected to HTTPS on port 443.
|
| Broker | 443 | TCP | Inbound public traffic |
HTTPS access to the broker REST API by
rhc and Eclipse integration. HTTPS access to the Management Console.
|
| Broker | 27017 | TCP | Outbound to datastore host. | Optional if the same host has both the broker and datastore components. |
| Broker | 61613 | TCP | Outbound to ActiveMQ hosts |
ActiveMQ connections to communicate with node hosts.
|
| Node | 22 | TCP | Inbound public traffic |
Developers running
git push to their gears. Developer remote administration on their gears.
|
| Node | 80 | TCP | Inbound public traffic | HTTP requests to applications hosted on OpenShift Enterprise. |
| Node | 443 | TCP | Inbound public traffic | HTTPS requests to applications hosted on OpenShift Enterprise. |
| Node | 8000 | TCP | Inbound public traffic |
WebSocket connections to applications hosted on OpenShift Enterprise. Optional if you are not using WebSockets.
|
| Node | 8443 | TCP | Inbound public traffic |
Secure WebSocket connections to applications hosted on OpenShift Enterprise. Optional if you are not using secure WebSockets.
|
| Node | 2303 - 2308 [a] | TCP | Inbound public traffic |
Gear access through the SNI proxy. Optional if you are not using the SNI proxy.
|
| Node | 443 | TCP | Outbound to broker hosts | REST API calls to broker hosts. |
| Node | 35531 - 65535 [b] | TCP | Inbound public traffic |
Gear access through the
port-proxy service. Optional unless applications need to expose external ports in addition to the front-end proxies.
|
| Node | 35531 - 65535 [b] | TCP | Inbound/outbound with other node hosts |
Communications between cartridges running on separate gears.
|
| Node | 61613 | TCP | Outbound to ActiveMQ hosts | ActiveMQ connections to communicate with broker hosts. |
| ActiveMQ | 61613 | TCP | Inbound from broker and node hosts | Broker and node host connections to ActiveMQ. |
| ActiveMQ | 61616 | TCP | Inbound/outbound with other ActiveMQ brokers |
Communications between ActiveMQ hosts. Optional if no redundant ActiveMQ hosts exist.
|
| Datastore | 27017 | TCP | Inbound from broker hosts |
Broker host connections to MongoDB. Optional if the same host has both the broker and datastore components.
|
| Datastore | 27017 | TCP | Inbound/outbound with other MongoDB hosts |
Replication between datastore hosts. Optional if no redundant datastore hosts exist.
|
| Nameserver | 53 | TCP/UDP | Inbound from broker hosts | Publishing DNS updates. |
| Nameserver | 53 | TCP/UDP | Inbound public traffic | Name resolution for applications hosted on OpenShift Enterprise. |
| Nameserver | 53 | TCP/UDP | Outbound public traffic |
DNS forwarding. Optional unless the nameserver is recursively forwarding requests to other nameservers.
|
[a]
Note: The size and location of these SNI port range are configurable.
[b]
Note: If the value of PROXY_BEGIN in the /etc/openshift/node.conf file changes from 35531, adjust this port range accordingly.
| ||||
