Understanding which ports the hybrid runtime plane uses is important for enterprise implementations. This section describes the ports used for secure communications within the runtime plane as well as external ports used for communications with external services.
Internal connections
Communication between the runtime plane and management plane is secured with TLS 1-way and OAuth 2.0. Individual services use different protocols, depending on which service they are communicating with.
The following image shows the ports and communications channels within the hybrid runtime plane:
The following table describes the ports and communications channels within the hybrid runtime plane:
| Internal Connections | |||||
|---|---|---|---|---|---|
| Source | Destination | Protocol/Port(s) | Security Protocol | Description | |
| MART | Cassandra | TCP/9042 TCP/9142 |
mTLS | Sends data for persistence | |
| Apigee Connect | MART | TCP/8443 | TLS | Requests from the management plane go through Apigee Connect. Apigee Connect initiates the connection. | |
| OPTIONAL: MART Istio Ingress Only if not using Apigee Connect |
MART | TCP/8443 | TLS | Requests from the management plane go through the MART Istio Ingress | |
| Default Istio Ingress | Message Processor | TCP/8443 | TLS (Apigee-generated, self-signed cert) | Processes incoming API requests | |
| Message Processor | Cassandra | TCP/9042 TCP/9142 |
mTLS | Sends data for persistence | |
| Message Processor | fluentd (Analytics) | TCP/20001 | mTLS | Streams data to the data collection pod | |
| Cassandra | Cassandra | TCP/7001 | mTLS | Intra-node cluster communications. Note that you can also leave port 7000 open for firewall configuration as a backup option for potential troubleshooting. | |
| Prometheus | Cassandra | TCP/7070 (HTTPS) | TLS | Scrapes metrics data from various services | |
| MART | TCP/8843 (HTTPS) | TLS | |||
| Message Processor | TCP/8843 (HTTPS) | TLS | |||
| Synchronizer | TCP/8843 (HTTPS) | TLS | |||
| UDCA | TCP/7070 (HTTPS) | TLS | |||
External connections
To appropriately configure your network firewall, you should know the inbound and outbound ports used by hybrid to communicate with external services.
The following image shows the ports used for external communications with the hybrid runtime plane:
The following table describes the ports used for external communications with the hybrid runtime plane:
| External Connections | |||||
|---|---|---|---|---|---|
| Source | Destination | Protocol/Port(s) | Security Protocol | Description | |
| Inbound Connections (exposed externally) | |||||
| OPTIONAL: Apigee Services Only if not using Apigee Connect (recommended). See Two-way Connections below. |
MART Istio Ingress | TCP/443 | OAuth over TLS 1.2 | Hybrid API calls from the management plane | |
| Client Apps | Default Istio Ingress | TCP/* | None/OAuth over TLS 1.2 | API requests from external apps | |
| Outbound Connections | |||||
| Message Processor | Backend services | TCP/* UDP/* |
None/OAuth over TLS 1.2 | Sends requests to customer-defined hosts | |
| Synchronizer | Apigee Services | TCP/443 | OAuth over TLS 1.2 | Fetches configuration data; connects to apigee.googleapis.com |
|
| GCP | Connects to iamcredentials.googleapis.com for authorization |
||||
| UDCA (Analytics) | Apigee Services (UAP) | TCP/443 | OAuth over TLS 1.2 | Sends data to UAP in the management plane and to GCP; connects to
apigee.googleapis.com and storage.googleapis.com |
|
| Apigee Connect | Apigee Services | TCP/443 | TLS | Establishes the connection with the management plane; connects to
apigeeconnect.googleapis.com |
|
| Prometheus (Metrics) | GCP (Cloud Operations) | TCP/443 | TLS | Sends data to Cloud Operations in the management plane; connects to
monitoring.googleapis.com |
|
| fluentd (Logging) | GCP (Cloud Operations) | TCP/443 | TLS | Sends data to Cloud Operations in the management plane; connects to
logging.googleapis.com |
|
| MART | GCP | TCP/443 | OAuth over TLS 1.2 | Connects to iamcredentials.googleapis.com for authorization |
|
| * indicates that the port is configurable. Apigee recommends using 443. | |||||
| Two-way Connections | |||||
| Apigee Connect | Apigee Services | TCP/443 | TLS | Communicates management data between the managemennt plane and the Management API for
Runtime data (MART) in the runtime plane. Apigee Connect initiates the connection;
connects to apigeeconnect.googleapis.com |
|
You should not allow external connections for specific IP addresses associated with
*.googleapis.com. The IP addresses can change since the domain currently resolves to
multiple addresses.