List of required open ports
External/Application Ports
The following ports need to be accessible by clients that want to access Fortanix Data Security Manager (DSM).
Protocol | Inbound/ Outbound | Port Number | Load Balancer Use (Yes/No) | Purpose |
---|---|---|---|---|
TCP | Inbound | 22 | No | SSH connection to Fortanix Data Security Manager server. |
TCP | Inbound | 443 | Yes | HTTPS – Used for WebUI and calling REST API. Applications will access the cluster URL on this port. Each individual node will also need this port open. |
TCP | Inbound | 4445 | Yes | HTTPS - Used for delivering static content in WebUI. |
TCP | Inbound | 5696 | Yes | Used by applications that use KMIP for interacting with Fortanix DSM. Applications will access cluster URL on this port. Each individual node will also need this port open. |
Intra-cluster ports
The following ports are needed for communication between different cluster nodes.
Protocol | Inbound/ Outbound | Port Number | Load Balancer Use (Yes/No) | Purpose |
---|---|---|---|---|
IP | | | No | Protocol Number 112 (VRRP) – Cluster IP negotiation (keepalived) |
TCP | Both | 2379 | No | HTTP – etcd API (This port uses TLS after upgrade to 3.24) |
TCP | Both | 2380 | No | etcd intra-cluster communication |
TCP | Both | 2382 | No | etcd intra-cluster communication over TLS (This port needs to be open before upgrading to 3.24). |
TCP | Both | 6443 | No | HTTPS – Kubernetes API. |
TCP | Both | 10250 | No | Kubelet Port |
UDP | Both | 8472 | No | VXLAN – intra-cluster communication. |
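As an added pre-flight check (example code, not Fortanix tooling), the script below turns the client-facing and intra-cluster TCP rows above into a reachability plan and reports what is blocked; the cluster URL and node names are placeholders, and the UDP and VRRP rows are outside what a TCP probe can verify.

```python
"""Pre-flight reachability check for the Fortanix DSM ports listed above.
Added example, not Fortanix's own tooling; host names are placeholders."""
import socket
from itertools import permutations

# Client-facing TCP ports from the table above: port -> served via load balancer
EXTERNAL_PORTS = {22: False, 443: True, 4445: True, 5696: True}
# Intra-cluster TCP ports from the table above (UDP 8472 and VRRP are not probed)
INTRA_CLUSTER_TCP = (2379, 2380, 2382, 6443, 10250)


def plan_checks(cluster_host, nodes):
    """Return (source, target, port) tuples to verify for a DSM cluster.

    source "client" means a probe from outside the cluster; a node name
    means the probe must run from that node (intra-cluster rows)."""
    checks = []
    for port, via_lb in EXTERNAL_PORTS.items():
        if via_lb:  # cluster URL fronted by the load balancer
            checks.append(("client", cluster_host, port))
        for node in nodes:  # "each individual node will also need this port open"
            checks.append(("client", node, port))
    for src, dst in permutations(nodes, 2):  # direction "Both": every ordered pair
        for port in INTRA_CLUSTER_TCP:
            checks.append((src, dst, port))
    return checks


def tcp_reachable(host, port, timeout=3.0):
    """Real probe: a completed TCP handshake counts as open."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def find_blocked(checks, local_source, probe=tcp_reachable):
    """Run the checks that can be made from local_source; return the failures."""
    return [(src, dst, port) for src, dst, port in checks
            if src == local_source and not probe(dst, port)]


if __name__ == "__main__":
    # Placeholder names; replace with the real cluster URL and node addresses.
    plan = plan_checks("dsm.example.internal", ["node1", "node2", "node3"])
    for blocked in find_blocked(plan, "client"):
        print("BLOCKED: %s -> %s:%d" % blocked)
```

Run it once from a client network with `client` as the source, and once on each node with that node's name as the source, to cover both tables.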
Outbound Ports
The following outbound ports must be open if Fortanix DSM needs to reach the corresponding external systems.
Protocol | Inbound/ Outbound | Port Number | Load Balancer Use (Yes/No) | Purpose |
---|---|---|---|---|
TCP | Outbound | SMTP | No | If SMTP email is configured. |
TCP | Outbound | 443 | No | If email is configured using AWS SES. |
UDP | Outbound | 514 | No | If an external syslog server is used with the fluentd configuration for cluster pod logs. |
TCP | Outbound | 514 | No | If external logging is used to push audit logs. |
TCP | Outbound | 514 | No | If external logging using syslog over TLS is configured. |
TCP | Outbound | 8089 | No | If external logging using Splunk is configured. |
TCP | Outbound | 443 | No | If external logging using Google Stackdriver is configured. |
TCP | Outbound | 636 | No | If SSO authentication with AD/LDAP is configured. |
TCP | Outbound | 443 | No | If external logging using OAuth is configured. |
TCP | Outbound | 443 | No | For connection to IAS proxy if attestation is enabled. |
UDP | Outbound | 123 | No | When external NTP is configured. |
TCP | Outbound | 80 | No | Used for Intel remote attestation when SGX is configured. For more details refer to the Fortanix DSM Attestation Guide. |
TCP | Outbound | 443 | No | Used for Intel remote attestation service when SGX is configured. For more details refer to the Fortanix DSM Attestation Guide. |
TCP | Outbound | 443 | No | Used for communication with GitHub repository for Fortanix DSM plugins. Refer to https://github.com/fortanix/sdkms-plugin-library |
TCP | Outbound | 53 | No | DNS queries to the configured DNS servers. |
UDP | Outbound | 53 | No | DNS queries to the configured DNS servers. |
Management Interface Ports
When the MGMT network port is connected to the network, the following ports must be open to use the Intelligent Platform Management Interface (IPMI):
Protocol | Inbound/ Outbound | Port Number | Load Balancer Use (Yes/No) | Purpose |
---|---|---|---|---|
TCP | Inbound | 80 | No | Only applicable for FX2200 appliances - For IPMI WebUI. |
TCP | Inbound | 443 | No | Only applicable for FX2200 appliances - For IPMI WebUI via HTTPS if configured. |
UDP | Inbound | 623 | No | Only applicable for FX2200 appliances - For IPMI and SOL. |