This page provides detailed information about network connections and port requirements between Apinizer platform components. A port matrix is provided for Inbound, Outbound, and Internal traffic flows.

Network Traffic Categories

Inbound Traffic

From External World
  • From Internet to Load Balancer
  • From Clients to API Gateway

Outbound Traffic

To External World
  • To Backend APIs
  • To External Services
  • To Internet

Internal Traffic

Between Components
  • Manager ↔ Worker
  • Worker ↔ Database
  • Worker ↔ Cache

Port Matrix - Detailed Table

Inbound Traffic (Internet → Apinizer)

| Source | Destination | Port | Protocol | Description | Required |
|---|---|---|---|---|---|
| Internet | Load Balancer | 443 | HTTPS | API access (Production) | Required |
| Internet | Load Balancer | 80 | HTTP | HTTP → HTTPS redirect | Required |
| Internet | Load Balancer | 22 | SSH | Management access (recommended via VPN) | Optional |

Outbound Traffic (Apinizer → Internet)

| Source | Destination | Port | Protocol | Description | Required |
|---|---|---|---|---|---|
| Worker | Backend API | 443 | HTTPS | Backend API calls | Required |
| Worker | Backend API | 80 | HTTP | HTTP Backend API calls | Optional |
| Worker | External Services | 443 | HTTPS | External service integrations | Optional |
| Manager | External Services | 443 | HTTPS | Monitoring, webhooks | Optional |
| Manager | SMTP Server | 25/587 | SMTP | Email sending | Optional |
| Manager | DNS Server | 53 | UDP/TCP | DNS queries | Required |

Internal Traffic (Between Components)

Manager ↔ Worker

| Source | Destination | Port | Protocol | Description | Direction |
|---|---|---|---|---|---|
| Manager | Worker | 8080 | HTTP | Deployment operations | Manager → Worker |
| Manager | Worker | 8080 | HTTP | Health check | Manager → Worker |
| Worker | Manager | 8080 | HTTP | Configuration retrieval | Worker → Manager |
| Worker | Manager | 8080 | HTTP | Status reporting | Worker → Manager |

Worker ↔ Database (MongoDB)

| Source | Destination | Port | Protocol | Description | Direction |
|---|---|---|---|---|---|
| Worker | MongoDB | 27017 | TCP | Data read/write | Worker → MongoDB |
| Manager | MongoDB | 27017 | TCP | Configuration management | Manager → MongoDB |
| MongoDB | MongoDB | 27017 | TCP | Replica set communication | MongoDB ↔ MongoDB |

Worker ↔ Elasticsearch

| Source | Destination | Port | Protocol | Description | Direction |
|---|---|---|---|---|---|
| Worker | Elasticsearch | 9200 | HTTP | Log sending | Worker → Elasticsearch |
| Manager | Elasticsearch | 9200 | HTTP | Analytics queries | Manager → Elasticsearch |
| Elasticsearch | Elasticsearch | 9300 | TCP | Cluster communication | Elasticsearch ↔ Elasticsearch |

Worker ↔ Cache (Hazelcast)

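| Source | Destination | Port | Protocol | Description | Direction |
|---|---|---|---|---|---|
| Worker | Cache | 5701 | TCP | Cache access | Worker → Cache |
| Manager | Cache | 5701 | TCP | Cache management | Manager → Cache |
| Cache | Cache | 5701 | TCP | Cluster communication | Cache ↔ Cache |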

Kubernetes Communication

| Source | Destination | Port | Protocol | Description | Direction |
|---|---|---|---|---|---|
| Kubelet | API Server | 6443 | HTTPS | API access | Kubelet → API Server |
| Kube-proxy | API Server | 6443 | HTTPS | API access | Kube-proxy → API Server |
| Pod | Pod | Dynamic | TCP/UDP | Pod-to-Pod communication | Pod ↔ Pod |

Network Topology Based Port Requirements

DMZ Zone Ports

Worker Nodes:
  • 443/80: Client access (from Load Balancer)
  • 8080: Deployment operations from Manager
  • 5701: Cache cluster access (from LAN)
  • 27017: MongoDB access (from LAN)
  • 9200: Elasticsearch access (from LAN)
Load Balancer:
  • 443/80: Internet access
  • 8080: Traffic routing to Workers

LAN Zone Ports

Manager Module:
  • 8080: Web Manager and Management API
  • 27017: MongoDB access
  • 9200: Elasticsearch access
  • 5701: Cache access
MongoDB:
  • 27017: Database access (from Worker and Manager)
Elasticsearch:
  • 9200: HTTP API (from Worker and Manager)
  • 9300: Transport protocol (intra-cluster)
Cache (Hazelcast):
  • 5701: Cache access (from Worker and Manager)

Firewall Rules Summary

DMZ Firewall Rules

Inbound:
Internet → Load Balancer: 443, 80
VPN → Load Balancer: 22 (optional)
Outbound:
Load Balancer → Worker: 8080
Worker → Manager: 8080
Worker → MongoDB: 27017
Worker → Elasticsearch: 9200
Worker → Cache: 5701
Worker → Backend API: 443, 80

LAN Firewall Rules

Inbound:
DMZ → Manager: 8080
DMZ → MongoDB: 27017
DMZ → Elasticsearch: 9200
DMZ → Cache: 5701
VPN → Manager: 22, 8080
Outbound:
Manager → Worker: 8080
Manager → MongoDB: 27017
Manager → Elasticsearch: 9200
Manager → Cache: 5701
Manager → External Services: 443, 25, 587

Port Requirements - Component Based

Worker Node Ports

  • 443: HTTPS API access
  • 80: HTTP API access (for redirect)
  • 8080: Management API (from Manager)
  • 443/80: Backend API calls (outbound)
  • 27017: MongoDB access (outbound)
  • 9200: Elasticsearch log sending (outbound)
  • 5701: Cache access (outbound)
  • 8080: Communication with Manager (bidirectional)
  • Dynamic: Kubernetes service discovery

Manager Node Ports

  • 8080: Web Manager UI
  • 8080: Management API
  • 27017: MongoDB access (outbound)
  • 9200: Elasticsearch access (outbound)
  • 5701: Cache access (outbound)
  • 443: External API calls (webhook, monitoring)
  • 25/587: SMTP (email sending)
  • 53: DNS queries

Network Security Best Practices

Security Rules:
  1. Never expose MongoDB and Elasticsearch ports to the Internet
  2. Never expose Manager port (8080) to the Internet
  3. Always use TLS/SSL (in production)
  4. Always configure firewall rules with least privilege principle
  5. Always implement network segmentation (DMZ/LAN)
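
One way to check a proposed firewall ruleset against the Firewall Rules Summary and security rules 1, 2 and 4 above, as an added example that is not part of Apinizer's documentation or tooling. It assumes rules are written in the page's "Source → Destination: ports" notation; the zone and component names used as keys, the port-range syntax and the sample ruleset are this example's own.

```python
import re

# Allowed flows from this page's Firewall Rules Summary ("DMZ -> X" rows are
# keyed per component as Worker -> X) plus the DNS row of the outbound table.
ALLOWED = {
    ("Internet", "Load Balancer"): {443, 80}, ("VPN", "Load Balancer"): {22},
    ("VPN", "Manager"): {22, 8080}, ("Load Balancer", "Worker"): {8080},
    ("Worker", "Manager"): {8080}, ("Manager", "Worker"): {8080},
    ("Worker", "MongoDB"): {27017}, ("Manager", "MongoDB"): {27017},
    ("Worker", "Elasticsearch"): {9200}, ("Manager", "Elasticsearch"): {9200},
    ("Worker", "Cache"): {5701}, ("Manager", "Cache"): {5701},
    ("Worker", "Backend API"): {443, 80}, ("Manager", "DNS Server"): {53},
    ("Manager", "External Services"): {443, 25, 587},
}
DATASTORE_PORTS = {27017, 9200, 9300}  # security rule 1: never Internet-facing
RULE = re.compile(r"^\s*(.+?)\s*(?:→|->)\s*(.+?)\s*:\s*(.+)$")

def parse_rule(line):
    """Parse 'Source → Destination: 443, 80'; ranges like 5701-5703 are accepted."""
    m = RULE.match(line)
    if not m:
        raise ValueError(f"unparseable rule: {line!r}")
    src, dst, spec = m.groups()
    ports = set()
    for part in re.sub(r"\(.*?\)", "", spec).split(","):  # drop "(optional)" notes
        lo, _, hi = part.strip().partition("-")
        ports.update(range(int(lo), int(hi or lo) + 1))
    return src, dst, ports

def audit(lines):
    """Return (kind, source, destination, sorted ports) for every finding."""
    findings = []
    for line in lines:
        src, dst, ports = parse_rule(line)
        exposed = ports & DATASTORE_PORTS if src == "Internet" else set()
        if src == "Internet" and dst == "Manager":  # security rule 2
            exposed |= ports & {8080}
        excess = ports - ALLOWED.get((src, dst), set()) - exposed  # least privilege
        for kind, hit in (("EXPOSED", exposed), ("EXCESS", excess)):
            if hit:
                findings.append((kind, src, dst, sorted(hit)))
    return findings

# Constructed ruleset for illustration, not taken from a real deployment.
SAMPLE = [
    "Internet → Load Balancer: 443, 80", "VPN → Load Balancer: 22 (optional)",
    "Worker → Cache: 5701-5703", "Internet → Manager: 8080",
    "Internet -> MongoDB: 27017",
]
```

Calling audit(SAMPLE) reports the over-broad cache range as EXCESS and the two Internet-facing rules as EXPOSED; rules that match the matrix produce no finding.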

Port Opening Checklist

  • Only necessary ports are opened
  • DMZ and LAN separation is implemented
  • Firewall rules are configured with least privilege principle
  • TLS/SSL certificates are configured
  • Network segmentation is implemented
  • Port scanning tests are performed
  • Monitoring and alerting are configured

Traffic Flow Diagram

   Internet
       │
       ▼ (443/80)
┌──────────────┐
│Load Balancer │
└──────┬───────┘
       │ (8080)
       ▼
┌──────────────┐
│ Worker Node  │
└──────┬───────┘
       │
       ├───► (27017) MongoDB
       ├───► (9200) Elasticsearch
       ├───► (5701) Cache
       ├───► (8080) Manager
       └───► (443) Backend API

Important: This port matrix is valid for standard installations. Port numbers may vary for custom configurations and custom port usage. A network security audit must be performed for production environments.