Chapter 6. Network ports and protocols
Red Hat Ansible Automation Platform uses several ports to communicate with its services. These ports must be open and available for incoming connections to the Red Hat Ansible Automation Platform server in order for it to work.
6.1. Network ports and protocols diagram
The following architectural diagrams are examples of a fully deployed Ansible Automation Platform with all possible components.
In some of the following use cases, hop nodes are used instead of a direct link from an execution node. Hop nodes are an option for connecting control and execution nodes. Hop nodes use minimal CPU and memory, so vertically scaling hop nodes does not impact system capacity.
RPM based installations
The following diagram shows client initiated connections between Ansible Automation Platform components. Direct connections shown in the diagram between the Client and automation hub, Event-Driven Ansible, and automation controller only apply when systems are upgraded from Red Hat Ansible Automation Platform 2.4 to Red Hat Ansible Automation Platform 2.6. This provides backward compatibility.
Ansible Automation Platform Client initiated network ports and protocols
The following diagram shows internally initiated connections between Ansible Automation Platform components for new installations of Red Hat Ansible Automation Platform 2.6.
Ansible Automation Platform Internally initiated network ports and protocols
Container-based installations
The following diagram shows connections between Ansible Automation Platform components for a container-based installation of Red Hat Ansible Automation Platform 2.6.
Containerized Ansible Automation Platform network ports and protocols
6.2. Network ports and protocols table
The following table indicates the destination port and the direction of network traffic:
- The following default destination ports and installer inventory listed are configurable. If you choose to configure them to suit your environment, you might experience a change in behavior.
- Port 443 is the industry standard for HTTPS. Port 80 is not mandatory, but is included for environments that might want to have an unsecure connection.
For RPM-based installations
- Use Port 80 if you set any of nginx_disable_https, automationhub_disable_https or automationedacontroller_disable_https to true. See Security-relevant variables in the installation inventory.
For container-based installations
- Use Port 80 if you set any of controller_nginx_disable_https, hub_nginx_disable_https or eda_nginx_disable_https to true. See Security-relevant variables in the installation inventory.
The following table shows container-based installation ports and inventory variables in bold text.
Network ports and protocols
| Destination | Port | Source | Protocol | Service | Required for | Installer Inventory Variable |
|---|---|---|---|---|---|---|
| Automation hub | 22 | Installer node | TCP | SSH | Management (Install, Configure, Upgrade) | ansible_port |
| Automation hub | 80/443 | Installer node | TCP | HTTP/HTTPS | Enables installer node to push the execution environment image to automation hub when using the bundle installer. | ansible_port |
| Automation hub | 80/443 | Automation controller | TCP | HTTP/HTTPS | Pull collections | |
| Automation hub | 80/443 | Event-Driven Ansible node | TCP | HTTP/HTTPS | Pull container decision environments | |
| Automation hub | 80/443 | Execution node | TCP | HTTP/HTTPS | Allows execution nodes to pull the execution environment image from automation hub | |
| Automation hub | 80/443 | Gateway load balancer/Ingress node | TCP | HTTP/HTTPS | Accessing the component directly from platform gateway | automationgateway_main_url gateway_main_url |
| Automation hub | 443 8444 | Platform gateway | TCP | HTTPS | Link between platform gateway and Ansible Automation Platform components | |
| Automation hub | 6379 | Event-Driven Ansible | TCP | Redis | Event processing | |
| Automation controller | 22 | Installer node | TCP | SSH | Management (Install, Configure, Upgrade) | ansible_port |
| Automation controller | 80/443 | Event-Driven Ansible | TCP | HTTP/HTTPS | Launch automation controller jobs | |
| Automation controller | 80/443 80/8443 | Platform gateway | TCP | HTTP/HTTPS | Link between platform gateway and Ansible Automation Platform components | |
| Automation controller | 80/443 | Gateway load balancer/Ingress node | TCP | HTTP/HTTPS | Accessing the component directly from Platform gateway | |
| Automation controller | 27199 | Execution node | TCP | Receptor | Used for Mesh peering and communication. See Defining automation mesh node types. | receptor_listener_port peers receptor_port receptor_peers |
| Event-Driven Ansible | 22 | Installer node | TCP | SSH | Management (Install, Configure, Upgrade) | ansible_port |
| Event-Driven Ansible | 80/443 80/8445 | Platform gateway | TCP | HTTP/HTTPS | Link between platform gateway and Ansible Automation Platform components | |
| Event-Driven Ansible | 80/443 | Gateway load balancer/Ingress node | TCP | HTTP/HTTPS | Accessing the component directly from platform gateway | automationgateway_main_url gateway_main_url |
| Event-Driven Ansible | 80/443 8443 | Platform gateway | TCP | HTTPS | Receiving event stream traffic | |
| Execution node | 22 | Installer node | TCP | SSH | Management (Install, Configure, Upgrade) | ansible_port |
| Execution node | 443 | Gateway load balancer/Ingress node | TCP | HTTPS | | automationgateway_main_url gateway_main_url |
| Execution node | 27199 | Automation controller | TCP | Receptor | Used for Mesh peering and communication. See Defining automation mesh node types. | receptor_listener_port peers receptor_port receptor_peers |
| Execution node | 27199 | OpenShift Container Platform | TCP | Receptor | | |
| Hop node | 22 | Installer node | TCP | SSH | Management (Install, Configure, Upgrade) | ansible_port |
| Hop node | 27199 | Automation controller | TCP | Receptor | ENABLE connections from hop nodes to Receptor port if relayed through hop nodes. See Defining automation mesh node types. | receptor_listener_port peers receptor_port receptor_peers |
| Hop node | 27199 | Execution node | TCP | Receptor | Used for Mesh peering and communication. See Defining automation mesh node types. | receptor_listener_port peers receptor_port receptor_peers |
| Hybrid node | 22 | Installer node | TCP | SSH | Management (Install, Configure, Upgrade) | |
| Hybrid node | 27199 | Automation controller | TCP | Receptor | ENABLE connections from automation controller to Receptor port if relayed through non-hop connected nodes. See Defining automation mesh node types. | receptor_listener_port peers receptor_port receptor_peers |
| PostgreSQL database | 22 | Installer node | TCP | SSH | Management (Install, Configure, Upgrade) | |
| PostgreSQL database | 5432 | Automation controller | TCP | PostgreSQL | Required only if the internal database is used with another component. Otherwise, this port should not be open. | automationcontroller_pg_port controller_pg_port |
| PostgreSQL database | 5432 | Event-Driven Ansible | TCP | PostgreSQL | Required only if the internal database is used with another component. Otherwise, this port should not be open. | automationedacontroller_pg_port eda_pg_port |
| PostgreSQL | 5432 | Automation hub | TCP | PostgreSQL | Required only if the internal database is used with another component. Otherwise, this port should not be open | automationhub_pg_port hub_pg_port |
| OpenShift Container Platform (RPM only) | 6443 | Automation controller | TCP | HTTP/HTTPS | Only required when using container groups to run jobs. | Hostname of OpenShift API server |
| Redis node | 6379 | Automation controller | TCP | Redis | Job launching | |
| Redis node | 6379 | Event-Driven Ansible | TCP | Redis | Job launching | |
| Redis node | 6379 | Automation hub | TCP | Redis | Job launching | |
| Redis node | 6379 | Platform gateway | TCP | Redis | Data storage and retrieval | |
| Redis node | 16379 | Redis node | TCP | Redis | Redis cluster bus port for a resilient Redis configuration | |
| Mesh ingress | 443 | Execution node | Receptor | HTTPS | If using mesh ingress, ensure that outbound HTTPS (port 443) is allowed from the execution nodes to the OpenShift route URL. | |
| Platform gateway | 80/443 80/8444 | Automation hub | TCP | HTTPS | Link between platform gateway and Ansible Automation Platform components | |
| Platform gateway | 8443 | Platform gateway | TCP | HTTPS | nginx | |
- Hybrid nodes act as a combination of control and execution nodes, and therefore Hybrid nodes share the connections of both.
- If receptor_listener_port is defined, the machine also requires an available open port on which to establish inbound TCP connections, for example, 27199.
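The table pairs every destination port with a source, so host firewall rules can be scoped to that source instead of opening the port to every address. As an added example (not part of the Red Hat documentation), this POSIX shell script prints firewalld rich rules for one destination role from a subset of the rows above; the ROWS and ADDRS layout, the function names and the RFC 5737 addresses are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: print source-scoped firewalld rich rules for one destination role.
# Subset of the table above as destination|port|source (every row is TCP).
ROWS='Execution node|22|Installer node
Execution node|27199|Automation controller
Hop node|22|Installer node
Hop node|27199|Automation controller
Hop node|27199|Execution node
PostgreSQL database|22|Installer node
PostgreSQL database|5432|Automation controller'

# Constructed site map, role=CIDR (RFC 5737 documentation ranges, not real hosts).
# "Execution node" is left out on purpose to show the fail-closed path.
ADDRS='Installer node=192.0.2.10/32
Automation controller=198.51.100.0/28'

# lookup_addr ROLE: print the CIDR mapped to ROLE, or return 1 if there is none.
lookup_addr() {
  while IFS='=' read -r la_name la_cidr; do
    if [ "$la_name" = "$1" ]; then
      printf '%s\n' "$la_cidr"
      return 0
    fi
  done <<EOF
$ADDRS
EOF
  return 1
}

# rules_for ROLE: print one firewall-cmd line per table row whose destination is ROLE.
# A row whose source has no mapped address is skipped and reported, never widened
# to "any source"; the function then returns 1 so automation can stop.
rules_for() {
  rf_rc=0
  while IFS='|' read -r rf_dest rf_port rf_src; do
    [ "$rf_dest" = "$1" ] || continue
    if rf_cidr=$(lookup_addr "$rf_src"); then
      printf "firewall-cmd --permanent --add-rich-rule='rule family=\"ipv4\" source address=\"%s\" port port=\"%s\" protocol=\"tcp\" accept'\n" "$rf_cidr" "$rf_port"
    else
      echo "skipped $1 port $rf_port: no address for source '$rf_src'" >&2
      rf_rc=1
    fi
  done <<EOF
$ROWS
EOF
  return "$rf_rc"
}

rules_for "${1:-Execution node}"
```

Review the printed commands before running them on the destination host, then apply the permanent rules with firewall-cmd --reload.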
6.3. Network ports and protocols firewalls
The following tables provide information about configuring firewalls for Red Hat Ansible Automation Platform components.
Red Hat Lightspeed for Red Hat Ansible Automation Platform
| URL | Required for |
|---|---|
| | General account services, subscriptions |
| | Insights data upload |
| | Inventory upload and Cloud Connector connection |
| | Access to Insights dashboard |
Automation Hub
| URL | Required for |
|---|---|
| | General account services, subscriptions |
| | Indexing execution environments |
| | TCP |
| https://automation-hub-prd.s3.amazonaws.com, https://automation-hub-prd.s3.us-east-2.amazonaws.com | Firewall access |
| | Ansible Community curated Ansible content |
| https://ansible-galaxy-ng.s3.dualstack.us-east-1.amazonaws.com | Dual Stack IPv6 endpoint for Community curated Ansible content repository |
| | Access to container images provided by Red Hat and partners |
| | Red Hat and partner curated Ansible Collections |
Execution Environments (EE)
| URL | Required for |
|---|---|
| | Access to container images provided by Red Hat and partners |
| | Access to container images provided by Red Hat and partners |
| | Access to container images provided by Red Hat and partners |
| | Access to container images provided by Red Hat and partners |
| | Access to container images provided by Red Hat and partners |
As of April 1st, 2025, quay.io is adding three additional endpoints. As a result, customers must adjust the allow/block lists in their firewall systems to include the following endpoints:
- cdn04.quay.io
- cdn05.quay.io
- cdn06.quay.io
To avoid problems pulling container images, customers must allow outbound TCP connections (ports 80 and 443) to the following hostnames:
- cdn.quay.io
- cdn01.quay.io
- cdn02.quay.io
- cdn03.quay.io
- cdn04.quay.io
- cdn05.quay.io
- cdn06.quay.io
This change should be made to any firewall configuration that specifically enables outbound connections to registry.redhat.io or registry.access.redhat.com.
Use the hostnames instead of IP addresses when configuring firewall rules.
After making this change, you can continue to pull images from registry.redhat.io or registry.access.redhat.com. You do not require a quay.io login, or need to interact with the quay.io registry directly in any way to continue pulling Red Hat container images.
For more information, see Firewall changes for container image pulls 2024/2025.