SupportConsoleDevelopersStart a trialContact

5.2. Network Access

The components of an OpenShift Enterprise deployment require network access to connect with one another. The deployment methods described in this guide set up a basic iptables firewall configuration by default to enable network access. If your environment requires a custom or external firewall solution, the configuration must accommodate the port requirements of OpenShift Enterprise.

5.2.1. Custom and External Firewalls

If you use a custom firewall configuration, consult the following table for details on the ports to which OpenShift Enterprise components require access. The table includes all ports with external interfaces or connections between hosts. It does not include the loopback interface. Some ports are optional depending on your OpenShift Enterprise configuration and usage.
Application developers and application users require access to ports marked public in the Direction column. Ensure the firewall exposes these ports publicly.
Further details on configuring an external firewall solution for use with OpenShift Enterprise are beyond the scope of this guide. Consult your network administrator for more information.
Table 5.1. Required Ports for OpenShift Enterprise
Host Port Protocol Direction Use
All 22 TCP Inbound internal network Remote administration.
All 53 TCP/UDP Outbound to nameserver Name resolution.
Broker 22 TCP Outbound to node hosts rsync access to gears for moving gears between nodes.
Broker 80 TCP Inbound public traffic
HTTP access. HTTP requests to port 80 are redirected to HTTPS on port 443.
Broker 443 TCP Inbound public traffic
HTTPS access to the broker REST API by rhc and Eclipse integration. HTTPS access to the Management Console.
Broker 27017 TCP Outbound to datastore host. Optional if the same host has both the broker and datastore components.
Broker 61613 TCP Outbound to ActiveMQ hosts
ActiveMQ connections to communicate with node hosts.
Node 22 TCP Inbound public traffic
Developers running git push to their gears. Developer remote administration on their gears.
Node 80 TCP Inbound public traffic HTTP requests to applications hosted on OpenShift Enterprise.
Node 443 TCP Inbound public traffic HTTPS requests to applications hosted on OpenShift Enterprise.
Node 8000 TCP Inbound public traffic
WebSocket connections to applications hosted on OpenShift Enterprise. Optional if you are not using WebSockets.
Node 8443 TCP Inbound public traffic
Secure WebSocket connections to applications hosted on OpenShift Enterprise. Optional if you are not using secure WebSockets.
Node 2303 - 2308 [a] TCP Inbound public traffic
Gear access through the SNI proxy. Optional if you are not using the SNI proxy.
Node 443 TCP Outbound to broker hosts REST API calls to broker hosts.
Node 35531 - 65535 [b] TCP Inbound public traffic
Gear access through the port-proxy service. Optional unless applications need to expose external ports in addition to the front-end proxies.
Node 35531 - 65535 [b] TCP Inbound/outbound with other node hosts
Communications between cartridges running on separate gears.
Node 61613 TCP Outbound to ActiveMQ hosts ActiveMQ connections to communicate with broker hosts.
ActiveMQ 61613 TCP Inbound from broker and node hosts Broker and node host connections to ActiveMQ.
ActiveMQ 61616 TCP Inbound/outbound with other ActiveMQ brokers
Communications between ActiveMQ hosts. Optional if no redundant ActiveMQ hosts exist.
Datastore 27017 TCP Inbound from broker hosts
Broker host connections to MongoDB. Optional if the same host has both the broker and datastore components.
Datastore 27017 TCP Inbound/outbound with other MongoDB hosts
Replication between datastore hosts. Optional if no redundant datastore hosts exist.
Nameserver 53 TCP/UDP Inbound from broker hosts Publishing DNS updates.
Nameserver 53 TCP/UDP Inbound public traffic Name resolution for applications hosted on OpenShift Enterprise.
Nameserver 53 TCP/UDP Outbound public traffic
DNS forwarding. Optional unless the nameserver is recursively forwarding requests to other nameservers.
[a] Note: The size and location of these SNI port range are configurable.
[b] Note: If the value of PROXY_BEGIN in the /etc/openshift/node.conf file changes from 35531, adjust this port range accordingly.
Red Hat logoGithubRedditYoutubeTwitter

Learn

Try, buy, & sell

Communities

About Red Hat Documentation

We help Red Hat users innovate and achieve their goals with our products and services with content they can trust.

Making open source more inclusive

Red Hat is committed to replacing problematic language in our code, documentation, and web properties. For more details, see the Red Hat Blog.

About Red Hat

We deliver hardened solutions that make it easier for enterprises to work across platforms and environments, from the core datacenter to the network edge.

© 2024 Red Hat, Inc.