Network Connection Matrix

This page provides detailed information about network connections and port requirements between Apinizer platform components. A port matrix is provided for Inbound, Outbound, and Internal traffic flows.

Network Traffic Categories

Inbound Traffic

From External World

  • From Internet to Load Balancer
  • From Clients to API Gateway

Outbound Traffic

To External World

  • To Backend APIs
  • To External Services
  • To Internet

Internal Traffic

Between Components

  • Manager ↔ Worker
  • Worker ↔ Database
  • Worker ↔ Cache

Port Matrix - Detailed Table

Inbound Traffic (Internet → Apinizer)

| Source   | Destination   | Port | Protocol | Description                             | Required |
|----------|---------------|------|----------|-----------------------------------------|----------|
| Internet | Load Balancer | 443  | HTTPS    | API access (Production)                 | Required |
| Internet | Load Balancer | 80   | HTTP     | HTTP → HTTPS redirect                   | Required |
| Internet | Load Balancer | 22   | SSH      | Management access (recommended via VPN) | Optional |

Outbound Traffic (Apinizer → Internet)

| Source  | Destination       | Port   | Protocol | Description                   | Required |
|---------|-------------------|--------|----------|-------------------------------|----------|
| Worker  | Backend API       | 443    | HTTPS    | Backend API calls             | Required |
| Worker  | Backend API       | 80     | HTTP     | HTTP Backend API calls        | Optional |
| Worker  | External Services | 443    | HTTPS    | External service integrations | Optional |
| Manager | External Services | 443    | HTTPS    | Monitoring, webhooks          | Optional |
| Manager | SMTP Server       | 25/587 | SMTP     | Email sending                 | Optional |
| Manager | DNS Server        | 53     | UDP/TCP  | DNS queries                   | Required |

Internal Traffic (Between Components)

Manager ↔ Worker

| Source  | Destination | Port | Protocol | Description             | Direction        |
|---------|-------------|------|----------|-------------------------|------------------|
| Manager | Worker      | 8080 | HTTP     | Deployment operations   | Manager → Worker |
| Manager | Worker      | 8080 | HTTP     | Health check            | Manager → Worker |
| Worker  | Manager     | 8080 | HTTP     | Configuration retrieval | Worker → Manager |
| Worker  | Manager     | 8080 | HTTP     | Status reporting        | Worker → Manager |

Worker ↔ Database (MongoDB)

| Source  | Destination | Port  | Protocol | Description               | Direction         |
|---------|-------------|-------|----------|---------------------------|-------------------|
| Worker  | MongoDB     | 25080 | TCP      | Data read/write           | Worker → MongoDB  |
| Manager | MongoDB     | 25080 | TCP      | Configuration management  | Manager → MongoDB |
| MongoDB | MongoDB     | 25080 | TCP      | Replica set communication | MongoDB ↔ MongoDB |

Worker ↔ Elasticsearch

| Source        | Destination   | Port | Protocol | Description           | Direction                     |
|---------------|---------------|------|----------|-----------------------|-------------------------------|
| Worker        | Elasticsearch | 9200 | HTTP     | Log sending           | Worker → Elasticsearch        |
| Manager       | Elasticsearch | 9200 | HTTP     | Analytics queries     | Manager → Elasticsearch       |
| Elasticsearch | Elasticsearch | 9300 | TCP      | Cluster communication | Elasticsearch ↔ Elasticsearch |

Worker ↔ Cache (Hazelcast)

| Source  | Destination | Port | Protocol | Description           | Direction       |
|---------|-------------|------|----------|-----------------------|-----------------|
| Worker  | Cache       | 5701 | TCP      | Cache access          | Worker → Cache  |
| Manager | Cache       | 5701 | TCP      | Cache management      | Manager → Cache |
| Cache   | Cache       | 5701 | TCP      | Cluster communication | Cache ↔ Cache   |

Kubernetes Communication

| Source     | Destination | Port    | Protocol | Description              | Direction               |
|------------|-------------|---------|----------|--------------------------|-------------------------|
| Kubelet    | API Server  | 6443    | HTTPS    | API access               | Kubelet → API Server    |
| Kube-proxy | API Server  | 6443    | HTTPS    | API access               | Kube-proxy → API Server |
| Pod        | Pod         | Dynamic | TCP/UDP  | Pod-to-Pod communication | Pod ↔ Pod               |

Network Topology Based Port Requirements

DMZ Zone Ports

Worker Nodes:

  • 443/80: Client access (from Load Balancer)
  • 8080: Deployment operations from Manager
  • 5701: Cache cluster access (from LAN)
  • 25080: MongoDB access (from LAN)
  • 9200: Elasticsearch access (from LAN)

Load Balancer:

  • 443/80: Internet access
  • 8080: Traffic routing to Workers

LAN Zone Ports

Manager Module:

  • 8080: Web Manager and Management API
  • 25080: MongoDB access
  • 9200: Elasticsearch access
  • 5701: Cache access

MongoDB:

  • 25080: Database access (from Worker and Manager)

Elasticsearch:

  • 9200: HTTP API (from Worker and Manager)
  • 9300: Transport protocol (intra-cluster)

Cache (Hazelcast):

  • 5701: Cache access (from Worker and Manager)

Firewall Rules Summary

DMZ Firewall Rules

Inbound:

Internet → Load Balancer: 443, 80
VPN → Load Balancer: 22 (optional)

Outbound:

Load Balancer → Worker: 8080
Worker → Manager: 8080
Worker → MongoDB: 25080
Worker → Elasticsearch: 9200
Worker → Cache: 5701
Worker → Backend API: 443, 80

LAN Firewall Rules

Inbound:

DMZ → Manager: 8080
DMZ → MongoDB: 25080
DMZ → Elasticsearch: 9200
DMZ → Cache: 5701
VPN → Manager: 22, 8080

Outbound:

Manager → Worker: 8080
Manager → MongoDB: 25080
Manager → Elasticsearch: 9200
Manager → Cache: 5701
Manager → External Services: 443, 25, 587

Port Requirements - Component Based

Worker Node Ports

Client-Facing Ports

  • 443: HTTPS API access
  • 80: HTTP API access (for redirect)
  • 8080: Management API (from Manager)

Backend Communication Ports

  • 443/80: Backend API calls (outbound)
  • 25080: MongoDB access (outbound)
  • 9200: Elasticsearch log sending (outbound)
  • 5701: Cache access (outbound)

Internal Ports

  • 8080: Communication with Manager (bidirectional)
  • Dynamic: Kubernetes service discovery

Manager Node Ports

Web Interface Ports

  • 8080: Web Manager UI
  • 8080: Management API

Database Ports

  • 25080: MongoDB access (outbound)
  • 9200: Elasticsearch access (outbound)
  • 5701: Cache access (outbound)

External Service Ports

  • 443: External API calls (webhook, monitoring)
  • 25/587: SMTP (email sending)
  • 53: DNS queries

Network Security Best Practices

Warning

Security Rules:

  1. Never expose MongoDB and Elasticsearch ports to the Internet
  2. Never expose Manager port (8080) to the Internet
  3. Always use TLS/SSL (in production)
  4. Always configure firewall rules according to the least-privilege principle
  5. Always implement network segmentation (DMZ/LAN)

Port Opening Checklist

  • Only necessary ports are opened
  • DMZ and LAN separation is implemented
  • Firewall rules are configured according to the least-privilege principle
  • TLS/SSL certificates are configured
  • Network segmentation is implemented
  • Port scanning tests are performed
  • Monitoring and alerting are configured
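A small Python helper, added here and not part of the Apinizer documentation or product, that encodes the Firewall Rules Summary above as data, renders one zone's rules as explicit iptables ACCEPTs (the "only necessary ports are opened" item of the checklist), and checks a rule set against security rules 1 and 2. The addresses in ADDRESSES are assumed values for rendering only.

```python
# Added example, not Apinizer's own tooling: the Firewall Rules Summary above as
# data, rendered as iptables commands and checked against security rules 1 and 2.
from collections import namedtuple

# zone: "DMZ" or "LAN" firewall; src/dst: names used on this page; ports: TCP
Rule = namedtuple("Rule", "zone src dst ports")

PAGE_RULES = (  # one Rule per line of the summary
    Rule("DMZ", "Internet", "Load Balancer", (443, 80)),
    Rule("DMZ", "VPN", "Load Balancer", (22,)),
    Rule("DMZ", "Load Balancer", "Worker", (8080,)),
    Rule("DMZ", "Worker", "Manager", (8080,)),
    Rule("DMZ", "Worker", "MongoDB", (25080,)),
    Rule("DMZ", "Worker", "Elasticsearch", (9200,)),
    Rule("DMZ", "Worker", "Cache", (5701,)),
    Rule("DMZ", "Worker", "Backend API", (443, 80)),
    Rule("LAN", "DMZ", "Manager", (8080,)),
    Rule("LAN", "DMZ", "MongoDB", (25080,)),
    Rule("LAN", "DMZ", "Elasticsearch", (9200,)),
    Rule("LAN", "DMZ", "Cache", (5701,)),
    Rule("LAN", "VPN", "Manager", (22, 8080)),
    Rule("LAN", "Manager", "External Services", (443, 25, 587)),
)

# (component, port) pairs the page says must never be opened from the Internet.
INTERNET_FORBIDDEN = {("MongoDB", 25080), ("Elasticsearch", 9200),
                      ("Elasticsearch", 9300), ("Manager", 8080)}

# Assumed addresses, for rendering only; a real deployment substitutes its own.
ADDRESSES = {"Internet": "0.0.0.0/0", "VPN": "10.8.0.0/24", "DMZ": "10.1.0.0/24",
             "Load Balancer": "10.1.0.10", "Worker": "10.1.0.0/24",
             "Manager": "10.2.0.10", "MongoDB": "10.2.0.20",
             "Elasticsearch": "10.2.0.30", "Cache": "10.2.0.40",
             "Backend API": "10.3.0.0/24", "External Services": "0.0.0.0/0"}

def to_iptables(rules, zone):
    """Explicit ACCEPTs for one zone on the FORWARD chain (least privilege:
    only listed src/dst/port triples pass; chain policy is expected to be DROP)."""
    lines = []
    for r in (r for r in rules if r.zone == zone):
        for p in r.ports:
            lines.append(f"iptables -A FORWARD -p tcp -s {ADDRESSES[r.src]} "
                         f"-d {ADDRESSES[r.dst]} --dport {p} -j ACCEPT")
    return lines

def internet_exposures(rules):
    """Forbidden (component, port) pairs a rule set opens from the Internet."""
    opened = {(r.dst, p) for r in rules if r.src == "Internet" for p in r.ports}
    return sorted(opened & INTERNET_FORBIDDEN)
```

Run internet_exposures over the rule set you actually deploy, not only over PAGE_RULES; a single extra Internet rule for 25080 or 8080 is exactly what the check reports.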

Traffic Flow Diagram

Internet
   │
   ▼ (443/80)
┌──────────────┐
│Load Balancer │
└──────┬───────┘
       │ (8080)
       ▼
┌──────────────┐
│ Worker Node  │
└──────┬───────┘
       │
       ├───► (25080) MongoDB
       ├───► (9200) Elasticsearch
       ├───► (5701) Cache
       ├───► (8080) Manager
       └───► (443) Backend API
Note

Important: This port matrix is valid for standard installations. Port numbers may differ in custom configurations and with custom port usage. A network security audit must be performed for production environments.