Firewall

Firewall Configuration

For security reasons, the ESB3024 Installer does not automatically configure the local firewall to allow incoming traffic. It is the responsibility of the operations team to ensure that the system is protected from external access by placing it behind a suitable firewall solution. The following table describes the set of ports required for operation of the router.

Application               Port  Protocol  Direction  Source     Description
Prometheus Alert Manager  9093  TCP       IN         internal   Monitoring Services
Confd                     5000  TCP       IN         internal   Configuration Services
Router                    80    TCP       IN         public     Incoming HTTP Requests
Router                    443   TCP       IN         public     Incoming HTTPS Requests
Router                    5001  TCP       IN         localhost  Access to router’s REST API
Router                    8000  TCP       IN         localhost  Internal monitoring port
EDNS-Proxy                8888  TCP       IN         localhost  Proxy EDNS Requests
Grafana                   3000  TCP       IN         internal   Monitoring Services
Grafana-Loki              3100  TCP       IN         internal   Log monitoring daemon
Prometheus                9090  TCP       IN         internal   Monitoring Service

The “Direction” column represents the direction in which the connection is established.

  • IN - The connection originates from an outside host and terminates on the router.
  • OUT - The connection is established from the router host to an external server.

Once a connection is established through the firewall, traffic in both directions must be allowed on that established connection (stateful filtering).

For the “Source” column, the following terms are used.

  • internal - Any host or network which is allowed to monitor or operate the system.
  • public - Any host or subnet that can access the router. This includes any customer network that will be making routing requests.
  • localhost - Access can be limited to local connections only.
  • any - All traffic from any source or to any destination.

Additional Ports

Convoy bridge integration

The optional convoy-bridge service needs the ability to access the Convoy MariaDB service, which by default runs on port 3306 on all of the Convoy Management servers. To allow this integration to run, port 3306/tcp must be allowed from the router to the configured Convoy Management node.
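The script below is an added example and is not part of the ESB3024 installer or its documentation. It turns the port table above, plus the optional Convoy bridge rule, into an nftables ruleset that it prints for review rather than loading. The choice of nftables, the management network 10.0.0.0/24 standing in for "internal", and the Convoy Management address 192.0.2.10 are assumptions; override INTERNAL_NETS and CONVOY_MGMT for your environment. Ports whose source is "localhost" get no accept rule at all, so they are reachable only over the loopback interface even if the service happens to bind all addresses.

```shell
#!/bin/sh
# Added example: build an nftables ruleset from the ESB3024 port table.
# Assumed values (not from the original page): adjust for your environment.
INTERNAL_NETS="${INTERNAL_NETS:-10.0.0.0/24}"   # networks allowed to monitor/operate
CONVOY_MGMT="${CONVOY_MGMT:-192.0.2.10}"        # Convoy Management node (optional bridge)

# One row per table entry: "<port> <source>". Only TCP/IN rows exist on the page.
PORT_TABLE="
9093 internal
5000 internal
80 public
443 public
5001 localhost
8000 localhost
8888 localhost
3000 internal
3100 internal
9090 internal
"

# ports_for SOURCE: comma-separated ports whose Source column equals SOURCE,
# in table order. Runs in the current shell so the result can be captured.
ports_for() {
    out=""
    while read -r port src; do
        [ "$src" = "$1" ] || continue
        out="${out:+$out,}$port"
    done <<EOF
$PORT_TABLE
EOF
    printf '%s\n' "$out"
}

# gen_ruleset: print the nftables ruleset on stdout (nothing is loaded).
gen_ruleset() {
    cat <<EOF
table inet esb3024 {
    chain input {
        type filter hook input priority 0; policy drop;
        # Return traffic for established connections (stateful filtering).
        ct state established,related accept
        ct state invalid drop
        # Loopback covers the localhost-only ports: $(ports_for localhost)
        iif lo accept
        # Source "public": the router's HTTP/HTTPS front door.
        tcp dport { $(ports_for public) } accept
        # Source "internal": monitoring and configuration services.
        ip saddr { $INTERNAL_NETS } tcp dport { $(ports_for internal) } accept
    }
    chain output {
        type filter hook output priority 0; policy accept;
        # Documented outbound dependency of the optional convoy-bridge service;
        # keep this rule if the output policy is later tightened to drop.
        ip daddr $CONVOY_MGMT tcp dport 3306 accept
    }
}
EOF
}

# Usage: sh esb3024-fw.sh print > esb3024.nft && nft -c -f esb3024.nft (syntax check)
case "${1:-}" in
    print) gen_ruleset ;;
esac
```

Review the printed file, check it with `nft -c -f`, and only then load it. Because the input policy is drop and no rule accepts the localhost-only ports from a non-loopback interface, a later change that binds the REST API or internal monitoring port to all addresses does not silently expose it.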