Security and Firewall
Warning
We are currently working on making the setup and upgrade process to Automate HA a seamless experience. If you are already using Chef Automate HA, or are planning to use it, please contact your customer success manager or account manager for more information.
The Chef Automate High Availability (HA) cluster requires multiple ports for the frontend and backend servers to operate effectively and to reduce network traffic. The tables below list those ports and which of them must be open for each set of servers.
Ports required for all Machines
Machines | Chef Automate | Chef Infra Server | PostgreSQL | OpenSearch | Bastion |
---|---|---|---|---|---|
Incoming | TCP 22, 9631, 443, 80 | TCP 22, 9631, 443, 80 | TCP 22, 9631, 7432, 5432, 9638 UDP 9638 | TCP 22, 9631, 9200, 9300, 9638, 6432 UDP 9638 | |
Outgoing | TCP 22, 9631, 443, 80 | TCP 22, 9631, 443, 80 | TCP 22, 9631, 7432, 5432, 9638 UDP 9638 | TCP 22, 9631, 9200, 9300, 9638, 6432 UDP 9638 | TCP 22, 9631 |
Note
- A custom SSH port is supported, but the same port should be used across all the machines.
Port usage definitions
Protocol | Port Number | Usage |
---|---|---|
TCP | 22 | SSH to configure services |
TCP | 9631 | Habitat HTTP API |
TCP | 443 | Allows users to reach the UI / API |
TCP | 80 | Optional; allows users to be redirected to 443 |
TCP | 9200 | OpenSearch API HTTPS Access |
TCP | 9300 | Allows OpenSearch node to distribute data in its cluster. |
TCP/UDP | 9638 | Habitat gossip (UDP) |
TCP | 7432 | HAProxy, which redirects to the PostgreSQL leader |
TCP | 6432 | Re-elects the PostgreSQL leader if the current leader is down |
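
One way to check a node against the tables above, as an added example rather than Chef's own tooling: it treats the Incoming row as an allowlist and compares it with `ss -H -tuln` output. The role keys, function names and sample socket list are constructed; Bastion is omitted because the table lists no incoming ports for it.

```python
# Added example: audit a node's listening sockets against the Incoming row above.
# Role keys, function names and SAMPLE_SS are constructed for illustration.
def _ports(tcp, udp=()):
    return {("tcp", p) for p in tcp} | {("udp", p) for p in udp}

# Transcribed from the "Ports required for all Machines" table (Incoming row).
INCOMING = {
    "automate": _ports([22, 9631, 443, 80]),
    "infra_server": _ports([22, 9631, 443, 80]),
    "postgresql": _ports([22, 9631, 7432, 5432, 9638], udp=[9638]),
    "opensearch": _ports([22, 9631, 9200, 9300, 9638, 6432], udp=[9638]),
}
OPTIONAL = {("tcp", 80)}  # the usage table marks port 80 as optional

def expected(role, ssh_port=22):
    """Allowed inbound (proto, port) pairs; a custom SSH port replaces 22."""
    return (INCOMING[role] - {("tcp", 22)}) | {("tcp", ssh_port)}

def listening(ss_output):
    """Parse `ss -H -tuln` output into (proto, port) pairs, skipping loopback binds."""
    found = set()
    for line in ss_output.splitlines():
        fields = line.split()
        if len(fields) < 5 or fields[0] not in ("tcp", "udp"):
            continue
        addr, _, port = fields[4].rpartition(":")
        if port.isdigit() and not (addr.startswith("127.") or addr == "[::1]"):
            found.add((fields[0], int(port)))
    return found

def audit(role, ss_output, ssh_port=22):
    """Return (unexpected listeners, listed ports with no listener), both sorted."""
    want, have = expected(role, ssh_port), listening(ss_output)
    return sorted(have - want), sorted(want - have - OPTIONAL)

# Constructed `ss -H -tuln` output for a PostgreSQL backend node.
SAMPLE_SS = """\
tcp  LISTEN 0 128   0.0.0.0:22     0.0.0.0:*
tcp  LISTEN 0 128   0.0.0.0:9631   0.0.0.0:*
tcp  LISTEN 0 128   0.0.0.0:5432   0.0.0.0:*
tcp  LISTEN 0 128   0.0.0.0:7432   0.0.0.0:*
tcp  LISTEN 0 128   0.0.0.0:9638   0.0.0.0:*
udp  UNCONN 0 0     0.0.0.0:9638   0.0.0.0:*
tcp  LISTEN 0 128   0.0.0.0:8000   0.0.0.0:*
tcp  LISTEN 0 128   127.0.0.1:9632 0.0.0.0:*
"""

if __name__ == "__main__":
    print(audit("postgresql", SAMPLE_SS))
```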