To use git deployments, all brainz instances require access to the configured Git URLs. To use ACME certificate handling, one or more agents require access to the CA servers.

Protocol | Destination Port | Source | Destination | Notes |
---|---|---|---|---|
HTTP/HTTPS | 8002 | vcli | api-gw | Can use a proxy server for login (e.g. `HTTP_PROXY=127.0.0.1:8081 vcli login http://localhost:8002 -u test`) |
TCP/TLS | 4222 | api-gw | nats | |
HTTP/HTTPS | 8080 | gui | api-gw | |
TCP/TLS | 4222 | brainz | nats | |
TCP/TLS | 5432 | brainz | postgresql | |
TCP/TLS | 4222 | agent | nats | |
HTTP/HTTPS | 80 / 443 | agent | varnish | Agent requires access to port 80/443 on Varnish for invalidation |
TCP/UDP | 6082 | agent | varnish | Varnish administration interface |
TCP/TLS | 4222 | router | nats | |
HTTP/HTTPS | 80 / 443 | router | varnish | Health checks |
HTTP | 81 | powerdns | router | |
UDP | 53 by default | powerdns | * | PowerDNS listens on port 53 by default, but the port can differ if there is port mapping in front. |
TCP/TLS | 5222 | nats | clustering | It's recommended to give each component access to at least 2 NATS servers in a clustered setup. All the other NATS servers are announced to the components via the gossip protocol, but configuring at least two per component avoids a single point of failure. |
Optional Ports | | | | |
HTTP | * | * | nats | NATS monitoring port (`-m <port>`) |
HTTP | 8092 | * | router | Management port for the router: domain health checks, Prometheus statistics, etc. Ref: Management Interface |
HTTPS | 443 | agent | CA | For ACME-managed certificates, at least one agent must be able to contact the Certificate Authority on port 443. |

Note: All ports are configurable.
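
A way to verify firewall rules against the matrix above from a given node, as an added example that is not part of the original documentation. It probes the default TCP flows for one source component (both 80 and 443 where the table lists "80 / 443") and checks the recommendation that each component reaches at least two NATS servers. The function names, the `hosts`/`ports` parameters and the hostnames are assumptions for illustration.

```python
import socket

# Default TCP flows from the port matrix, keyed by source component.
# All ports are configurable, so pass overrides where a deployment differs.
# Not covered: PowerDNS UDP 53 and the optional ports.
FLOWS = {
    "vcli": [("api-gw", 8002)],
    "gui": [("api-gw", 8080)],
    "api-gw": [("nats", 4222)],
    "brainz": [("nats", 4222), ("postgresql", 5432)],
    "agent": [("nats", 4222), ("varnish", 80), ("varnish", 443), ("varnish", 6082)],
    "router": [("nats", 4222), ("varnish", 80), ("varnish", 443)],
    "powerdns": [("router", 81)],
}


def tcp_open(host, port, timeout=2.0):
    """Return True if a TCP connection to host:port completes."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:  # refused, timed out, unreachable, or name not resolvable
        return False


def check_component(component, hosts, ports=None, timeout=2.0):
    """Probe every flow the matrix requires for one source component.

    hosts: {destination: [hostname, ...]}  (deployment-specific, assumed)
    ports: {(destination, default_port): actual_port} overrides
    Returns a list of (destination, host, port, reachable) tuples.
    """
    results = []
    for dest, default_port in FLOWS[component]:
        port = (ports or {}).get((dest, default_port), default_port)
        for host in hosts.get(dest, []):
            results.append((dest, host, port, tcp_open(host, port, timeout)))
    return results


def nats_redundancy_ok(results):
    """True if at least two distinct NATS servers are reachable."""
    return len({h for d, h, _, ok in results if d == "nats" and ok}) >= 2


if __name__ == "__main__":
    # Constructed hostnames; replace with the real ones for this node.
    demo = {"nats": ["nats-1.example.internal", "nats-2.example.internal"]}
    for row in check_component("api-gw", demo):
        print(row)
```

Run it on the node that hosts the source component, since the result reflects the firewall path from wherever the script executes.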