Search
varnish-controller7    installation    mapped-ports
Varnish Controller 7 Changelog Version 7 Known Issues Upgrading Previous Versions Versioning License Features System Overview Demo Concepts Agent Router RoutingRules Git Tag Files Domain Certificates Roles VCLGroup ACME API Logs Private/Shared Config/ConfigSets Authentication System Admin Regular Users Identity Provider Sessions Examples Authorization Organization Account Permission Examples CLI CLI Examples CLI Manual User Interface API API examples Invalidations Integrations Varnish Statistics Installation Quickstart NATS PostgreSQL Brainz API-GW Agents Routers Containers Identity Provider VCLI Graphical User Interface Mapped Ports Routing Plugins gRPC Examples Deploying VCL files Change a VCL file Purging multiple paths Banning paths Using Labels Certificates HTTP Routing Routing Decisions Private Agents Debugging Multiple Regions OIDC - Microsoft Entra (Azure AD) Drain Traffic Config/ConfigSet Organizations

Mapped Ports

To use git deployments, all brainz instances require access towards the configured Git URLs. To use ACME certificate handling, one or more agents require access towards the CA servers.

Protocol Destination Port Source Destination Notes
HTTP/HTTPS 8002 vcli api-gw can use a proxy server for login (e.g.HTTP\_PROXY=127.0.0.1:8081 vcli login http://localhost:8002 -u test)
TCP/TLS 4222 api-gw nats
HTTP/HTTPS 8080 gui api-gw
TCP/TLS 4222 brainz nats
TCP/TLS 5432 brainz postgresql
TCP/TLS 4222 agent nats
HTTP/HTTPS 80 / 443 agent varnish Agent requires access to the 80/443 port for Varnish for invalidation
TCP/UDP 6082 agent varnish Varnish administration interface
TCP/TLS 4222 router nats
HTTP/HTTPS 80 / 443 router varnish health checks
HTTP 81 powerdns router
UDP 53 by default powerdns * PowerDNS listens by default on port 53 but can be different if there is some port mapping in front.
TCP/TLS 5222 nats clustering It’s recommended to give each component access to at least 2 NATS servers in a clustered setup. All the other nats-servers are spread via gossip protocol to them. But having at least two configured per component will avoid a single point of failure.
Optional Ports
HTTP * * nats NATS monitoring port (-m <port>)
HTTP 8092 * router Management port for the router. Domain health checks, prometheus statistics etc. Ref: Management Interface
HTTPS 443 agent CA For ACME managed certificates, it is necessary that at least one agent can contact the Certificate Authority on port 443.
Note: All ports are configurable
Manuals
Varnish Enterprise
Varnish Cloud
Varnish Controller
Varnish High Availability
Varnish Custom Statistics
Varnish WAF
Varnish Broadcaster
Varnish Helm Chart
Packages
Docker
News
Varnish Controller 7.0.0
Varnish Enterprise vulnerability in MSE4 when handling range requests
HTTP/1 client-side desync vulnerability
Varnish Controller 6.6.8
Container images updated to Debian bookworm
News archive
Cookie Settings Privacy Policy Contact Us Press Branding
®Varnish Software, Wallingatan 12, 111 60 Stockholm, Organization nr. 556805-6203