Firewall
For security reasons, the ESB3024 Installer does not automatically configure the local firewall to allow incoming traffic. It is the responsibility of the operations person to ensure that the system is protected from external access by placing it behind a suitable firewall solution. The following table describes the set of ports required for operation of the router.
| Application | Port | Protocol | Direction | Source | Description |
|---|---|---|---|---|---|
| Prometheus Alert Manager | 9093 | TCP | IN | internal | Monitoring Services |
| Confd | 5000 | TCP | IN | internal | Configuration Services |
| Router | 80 | TCP | IN | public | Incoming HTTP Requests |
| Router | 443 | TCP | IN | public | Incoming HTTPS Requests |
| Router | 5001 | TCP | IN | localhost | Access to router’s REST API |
| Router | 8000 | TCP | IN | localhost | Internal monitoring port |
| EDNS-Proxy | 8888 | TCP | IN | localhost | Proxy EDNS Requests |
| Grafana | 3000 | TCP | IN | internal | Monitoring Services |
| Grafana-Loki | 3100 | TCP | IN | internal | Log monitoring daemon |
| Prometheus | 9090 | TCP | IN | internal | Monitoring Service |
The “Direction” column represents the direction in which the connection is established.
IN- The connection is originated from an outside serverOUT- The connection is established from the host to an external server.
Once a connection is established through the firewall, bidirectional traffic must be allowed using the established connection.
For the “Source” column, the following terms are used.
internal- Any host or network which is allowed to monitor or operate the system.public- Any host or subnet that can access the router. This includes any customer network that will be making routing requests.localhost- Access can be limited to local connections only.any- All traffic from any source or to any destination.
Additional Ports
Convoy bridge integration
The optional convoy-bridge service needs the ability to access the Convoy MariaDB service, which by default runs on port 3306 on all of the Convoy Management servers. To allow this integration to run, port 3306/tcp must be allowed from the router to the configured Convoy Management node.