Inbound traffic

edit

When there are multiple hosts for each role, the inbound networking and ports can be represented by the following diagram:

ECE networking and ports

Inbound traffic from any source

edit
Number Host role Inbound ports *Purpose*

All

22

Installation and troubleshooting SSH access only (TCP)

2

Coordinator

12300/12343, 12400/12443

Admin API access (HTTP/HTTPS)

3

Proxy

9200/9243, 9300/9343

Elasticsearch (transport client/transport client with TLS/SSL), also required by load balancers

7

Coordinator

12400/12443

Cloud UI console to API (HTTP/HTTPS)

Inbound traffic from internal components of ECE

edit

In addition to the following list, you should open 12898-12908 and 13898-13908 on the director host for Zookeeper leader and election activity.

Number Host role Inbound ports *Purpose*

1

Director

2112

ZooKeeper ensemble discovery/joining (TCP)

4

Director

12191-12201

Client forwarder to ZooKeeper, one port per director (TLS tunnels)

5

Allocator

19000-19999

Elasticsearch node to node (Node Transport 6.x+/TLS 6.x+)

6

Allocator

18000-18999/20000-20999

Proxy to Elasticsearch/Kibana/APM Server instance (HTTPS/Transport Client 6.x+/TLS 6.x+)

7

Coordinator

22191-22195

Connections to initial coordinator from allocators and proxies, one port per coordinator, up to five (TCP)

8

Allocator

9244

Kibana to the services forwarder (HTTP)

9

Proxy

9200/9243, 9300/9343

Kibana and Elasticsearch (HTTP via TLS tunnel)

10

Allocator

18000-18999

Constructor to Elasticsearch cluster (HTTPS)

11

Allocator

18000-18999/20000-20999

Elasticsearch (HTTPS/Transport Client TLS)

12

Allocator

21000-21999

APM Server (Instance Monitoring)

If you have IP filtering set up for your deployment, make sure to create rule sets the IP addresses that you need. All other inbound traffic will be blocked. Internal deployment traffic between Kibana instances, APM Servers, and the Elasticsearch clusters is automatically allowed.