Network Security Groups
During deployment, we deploy a network security group at the VM level that includes the required inbound and outbound connections:
Component | Management/Data NIC | Port (TCP) | Protocol | Notes |
---|---|---|---|---|
API Service | Management | 443 | HTTPS | API and lbcli |
etcd Peer Port | Data | 2380 | TCP/IP | For etcd cluster peering |
Lightbox Exporter | Management | 8090 | HTTP | Statistics and monitoring |
Data Path | Data | 8009 | TCP/IP | NVMe/TCP data access |
Discovery Service | Data | 4420 | TCP/IP | NVMe/TCP discovery access |
Replicator Port | Data | 22226 | TCP/IP | Other nodes connect for replication to the node via this port. |
SSH Connectivity | Management | 22 | SSH | Should be limited to specific origin ports. |
SSH connectivity is not mandatory and is required only if you use the lbcli on the storage VMs.
To add SSH port access to the NSG in the cluster's managed resource group:
- Click the created NSG in the managed resource group (for more information, see the Managed Application section).
- Click the network security group.
- Click the inbound security rules.
- Click Add and add the SSH rules. You can also limit the rule to specific origin addresses.

- Click Add. You should now see it in the list of rules.
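
To check the result of the steps above, the following added example (not Lightbits code) audits a list of NSG rules against the VM-level port table on this page and flags SSH rules that are not limited to specific origin addresses. It assumes the rules use the property names of Azure's NSG rule JSON (for example, as exported with `az network nsg rule list`); the sample rules, their names and addresses are constructed, and rule priority and Deny rules are not evaluated.

```python
# Added example: audit NSG rules against the VM-level port table on this page.
REQUIRED_TCP = {443: "API Service", 2380: "etcd Peer Port", 8090: "Lightbox Exporter",
                8009: "Data Path", 4420: "Discovery Service", 22226: "Replicator Port"}
ANY_SOURCE = {"*", "0.0.0.0/0", "internet"}  # sources treated as unrestricted

def _values(rule, single, plural):
    """Merge the singular and plural forms of an NSG rule property."""
    vals = list(rule.get(plural) or [])
    if rule.get(single):
        vals.append(rule[single])
    return vals

def _covers(rule, port):
    """True if the rule's destination port ranges include `port`."""
    for spec in _values(rule, "destinationPortRange", "destinationPortRanges"):
        if spec == "*":
            return True
        lo, _, hi = spec.partition("-")
        if int(lo) <= port <= int(hi or lo):
            return True
    return False

def audit(rules):
    """Report required ports with no inbound allow rule, and SSH rules open to any source.
    Assumption: rule priority and Deny rules are not evaluated."""
    allow = [r for r in rules
             if r["direction"].lower() == "inbound" and r["access"].lower() == "allow"
             and r["protocol"].lower() in ("tcp", "*")]
    missing = sorted(p for p in REQUIRED_TCP if not any(_covers(r, p) for r in allow))
    open_ssh = [r["name"] for r in allow if _covers(r, 22)
                and any(s.lower() in ANY_SOURCE
                        for s in _values(r, "sourceAddressPrefix", "sourceAddressPrefixes"))]
    return {"missing": missing, "ssh_open_to_any": open_ssh}

def _rule(name, ports, source):
    """Build a constructed inbound TCP allow rule for the sample below."""
    return {"name": name, "direction": "Inbound", "access": "Allow", "protocol": "Tcp",
            "destinationPortRanges": ports, "sourceAddressPrefix": source}

# Constructed sample rules (names and addresses are made up for illustration).
SAMPLE_RULES = [
    _rule("AllowApi", ["443"], "VirtualNetwork"),
    _rule("AllowExporter", ["8090"], "VirtualNetwork"),
    _rule("AllowNvme", ["4420", "8009"], "VirtualNetwork"),
    _rule("AllowSshAdmin", ["22"], "203.0.113.10/32"),
    _rule("AllowSshAny", ["22"], "*"),
]

if __name__ == "__main__":
    print(audit(SAMPLE_RULES))
```
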

If you have a network security group or firewall rules set up on the VNet/subnet, make sure that the following ports are open:
Component | Management/Data NIC | Port (TCP) | Protocol | Notes |
---|---|---|---|---|
API Service | Management | 443 | HTTPS | API and lbcli |
Statistics Exporter | Management | 8090 | HTTP | Statistics and monitoring |
Data Path | Data | 4420,8009 | TCP/IP | NVMe client access |
Outbound Internet | Azure API | 443 | HTTPS | Required outbound rule to the internet or to service tag AzureCloud. |
SSH Connectivity | Management | 22 | SSH | Should be limited to specific origin ports. |
SSH connectivity is not mandatory and is required only if you use the lbcli on the storage VMs.