Network and Port Requirements for Anypoint Runtime Fabric
Anypoint Runtime Fabric requires specific network and port configuration for installation and operation.
Bandwidth Requirements
A high bandwidth network is required, with a minimum of 1 GBps connectivity between each node operating Anypoint Runtime Fabric, and minimum of 100 MBps for outbound connectivity to the Internet.
| Cross-regional deployments of Anypoint Runtime Fabric are not supported. Network latency between each node can cause problems with cluster health. |
Required Port Settings
The following sections list the TCP and UDP network port requirements for Anypoint Runtime Fabric.
Ports Used During Installation
The following table lists the ports that must be accessible on all nodes. These ports are used for internal communication between nodes during Anypoint Runtime Fabric installation. After completing the installation, you can safely disable these ports.
| Port | Protocol | Description |
|---|---|---|
4242 |
TCP |
Bandwidth checker |
61008-61010 |
TCP |
Used during installation |
61022-61024 |
TCP |
Installer agent ports |
Network TCP and UDP Ports
The following table lists all ports that must be open, along with the respective protocols used and the request origin and destination:
| Port | Layer 4 Protocol | Layer 5 Protocol | Source | Destination | Description |
|---|---|---|---|---|---|
123 |
UDP |
NTP |
All nodes |
Internet |
Clock synchronization via Network Time Protocol |
443 |
TCP |
HTTPS |
Internet |
Controller nodes |
Allow inbound requests to Mules |
443 |
TCP |
AMQP over WebSockets |
Controller nodes |
Internet |
Anypoint Platform management services |
443 |
TCP |
HTTPS |
All nodes |
Internet |
API Manager policy updates, API Analytics Ingestion, and Resource retrieval (application files, container images). |
5044 |
TCP |
Lumberjack |
All nodes |
Internet |
Anypoint Monitoring, Anypoint Visualizer |
53 |
TCP |
DNS |
localhost |
localhost |
Internal cluster DNS |
2379, 2380, 4001, 7001 |
TCP |
HTTPS |
All nodes |
Controller nodes |
etcd server communications |
3008 - 3012 |
TCP |
HTTPS / gRPC |
All nodes |
All nodes |
Anypoint Runtime Fabric internal services |
3022 - 3025 |
TCP |
SSH |
All nodes |
All nodes |
Internal SSH control services |
3080 |
TCP |
HTTPS |
All nodes |
Controller nodes |
Anypoint Runtime Fabric internal Ops Center |
5000 |
TCP |
HTTPS |
All nodes |
Controller nodes |
Internal container registry |
6060 |
TCP |
HTTPS / gRPC |
All nodes |
All nodes |
Anypoint Runtime Fabric internal services |
6443, 8080 |
TCP |
HTTPS / HTTP |
All nodes |
Controller nodes |
Kubernetes API server |
7373 |
TCP |
RPC |
localhost |
localhost |
Serf RPC for peer-to-peer connectivity |
7496 |
TCP |
HTTPS |
All nodes |
All nodes |
Serf (health checking agent) / Peer-to-peer connectivity |
7575 |
TCP |
gRPC |
All nodes |
All nodes |
Cluster status API |
10248-10250 |
TCP |
HTTPS |
All nodes |
All nodes |
Kubernetes components |
10255 |
TCP |
HTTPS |
All nodes |
All nodes |
Kubernetes components |
30000-32767 |
TCP |
Application-specific |
All nodes |
All nodes |
Internal services port range used to route requests to applications |
32009 |
TCP |
HTTPS |
Internal network |
Controller nodes |
Anypoint Runtime Fabric Ops Center |
32009 |
TCP |
HTTPS |
Controller nodes |
All nodes |
Ops Center internal API |
53 |
UDP |
DNS |
localhost |
localhost |
Internal cluster DNS |
7496 |
UDP |
HTTPs |
All nodes |
All nodes |
Serf (health checking agent) / Peer-to-peer connectivity |
8472 |
UDP |
VXLAN |
All nodes |
All nodes |
Overlay network |
30000-32767 |
UDP |
Application-specific |
All nodes |
All nodes |
Internal services port range used to route requests to applications |
Port IPs and Hostnames to Add to the Allowlist
In your network configuration, you must add the hostnames and ports of Anypoint Platform components and services to allowlists to enable Anypoint Runtime Fabric to communicate with them. This is also required to download dependencies during installation and upgrades.
The following table lists the ports and hostnames to add to your allowlists to allow communication between Anypoint Runtime Fabric and Anypoint Platform.
Because the following endpoints use mutual TLS authentication to establish the connection, you must configure SSL passthrough to allow the following certificate:
-
US control plane
-
transport-layer.prod.cloudhub.io -
configuration-resolver.prod.cloudhub.io
-
-
EU control plane
-
transport-layer.prod-eu.msap.io -
configuration-resolver.prod-eu.msap.io
-
| Port | Protocol | Hostnames | Description |
|---|---|---|---|
443 |
AMQP over WebSockets |
US control plane: |
Runtime Fabric message broker for interaction with the control plane. |
EU control plane: |
Runtime Fabric message broker for interaction with the control plane. |
||
5044 |
TCP (Lumberjack) |
US control plane: |
Anypoint Monitoring agent for Runtime Fabric. |
EU control plane: |
Anypoint Monitoring agent for Runtime Fabric. |
||
443 |
HTTPS |
|
Anypoint Platform for pulling assets. |
443 |
HTTPS |
|
Kubernetes base charts repository. |
443 |
HTTPS |
|
Kubernetes base charts repository. |
443 |
HTTPS |
US control plane: |
Runtime Fabric version repository. The Runtime Fabric installation uses software from this repository during installation and upgrades. |
EU control plane: |
Runtime Fabric version repository. The Runtime Fabric installation uses software from this repository during installation and upgrades. |
||
443 |
HTTPS |
US control plane: |
Anypoint Exchange for application assets. |
EU control plane: |
Anypoint Exchange for application assets. |
||
443 |
HTTPS |
US control plane: |
Runtime Fabric Docker repository. |
EU control plane: |
Runtime Fabric Docker repository. |
||
443 |
HTTPS |
US control plane: |
Runtime Fabric Docker repository. |
EU control plane: |
Runtime Fabric Docker repository. |
||
443 |
HTTPS |
US control plane: |
Runtime Fabric Docker repository. |
EU control plane: |
Runtime Fabric Docker repository. |
||
443 |
HTTPS |
US control plane: |
Runtime Fabric Docker image delivery. |
EU control plane: |
Runtime Fabric Docker image delivery. |
||
443 |
HTTPS |
US control plane: |
Runtime Fabric Docker repository. |
EU control plane: |
Runtime Fabric Docker repository. |
||
443 |
HTTPS |
US control plane: |
Anypoint Configuration Resolver. |
EU control plane: |
Anypoint Configuration Resolver. |
Required Network Settings
In addition to the previous port requirements, the following network settings are required to operate Anypoint Runtime Fabric:
-
A subnet with enough IP addresses allotable to add additional VMs to Anypoint Runtime Fabric.
-
Shell/SSH access to each VM used to install Anypoint Runtime Fabric.
-
Static private IPv4 addresses assigned to each VM, which persist between restarts.
-
Kernel IP forwarding to enable internal Kubernetes load balancing. IPv4 forwarding is enabled on each VM during installation.
-
Bridge-netfilter to enable the host Linux kernel to translate packets to and from hosted containers. This kernel module is enabled on each VM during installation.
-
Access to an SMTP server to manage e-mail alerts triggered by Anypoint Runtime Fabric.
-
An external load balancer to balance external requests to the internal load balancer running on each controller VM.
-
Your environment’s HTTP proxy configuration if outgoing requests to the Internet must route through a proxy.
-
A SOCKS5 proxy for Anypoint Monitoring and Visualizer support if outgoing requests to the Internet must route through a proxy.