2. Home
  4. Docs
  6. ClusterControl
  8. Requirements
  10. Firewall and Security Groups

Firewall and Security Groups

It is important to secure the ClusterControl host and the database cluster. It is recommended for users to isolate the database infrastructure from the public Internet and just whitelist the known hosts or networks to reach the database cluster.

ClusterControl requires ports used by the following services to be opened/enabled:

  • ICMP (echo reply/request).
  • SSH (default is 22).
  • HTTP (default is 80).
  • HTTPS (default is 443).
  • MySQL (default is 3306).
  • CMON RPC (default is 9500).
  • CMON RPC TLS (default is 9501).
  • CMON Events (default is 9510).
  • CMON SSH (default is 9511).
  • CMON Cloud (default is 9518).
  • Streaming port for backups through socat/netcat (default is 9999).

ClusterControl supports various database and application vendors and each has its own set of standard ports that need to be reachable. Following ports and services need to be reachable by ClusterControl on the managed database nodes:

Database Cluster (Vendor) Port/Service
MySQL/MariaDB (single instance and replication)
  • 22 (SSH)
  • ICMP (echo reply/request)
  • 3306 (MySQL)
  • 9100 (Node Exporter)
  • 9011 (Process Exporter)
  • MariaDB Galera Cluster
  • Percona XtraDB Cluster
  • 22 (SSH)
  • ICMP (echo reply/request)
  • 3306 (MySQL)
  • 4444 (SST)
  • 4567 TCP/UDP (Galera)
  • 4568 (Galera IST)
  • 9200 (HAProxy health check)
  • 9101 (HAProxy Exporter)
  • 9100 (Node Exporter)
  • 9011 (Process Exporter)
MySQL Cluster (NDB)
  • 22 (SSH)
  • ICMP (echo reply/request)
  • 1186 (MySQL Cluster)
  • 2200 (MySQL Cluster)
  • 3306 (MySQL)
  • 9100 (Node Exporter)
  • 9011 (Process Exporter)
MongoDB replica set
  • 22 (SSH)
  • ICMP (echo reply/request)
  • 27017 (mongod)
  • 9100 (Node Exporter)
  • 9011 (Process Exporter)
MongoDB sharded cluster
  • 22 (SSH)
  • ICMP (echo reply/request)
  • 27018 (mongod)
  • 27017 (mongos)
  • 27019 (config server)
  • 9100 (Node Exporter)
  • 9011 (Process Exporter)
PostgreSQL
  • 22 (SSH)
  • ICMP (echo reply/request)
  • 5432 (postgres)
  • 9100 (Node Exporter)
  • 9011 (Process Exporter)
TimeScaleDB
  • 22 (SSH)
  • ICMP (echo reply/request)
  • 5432 (postgres)
  • 9100 (Node Exporter)
  • 9011 (Process Exporter)
HAProxy
  • 22 (SSH)
  • ICMP (echo reply/request)
  • 9600 (HAProxy stats)
  • 3307 (MySQL load-balanced)
  • 3308 (MySQL load-balanced read-only)
  • 5433 (PostgreSQL load-balanced)
  • 5434 (PostgreSQL load-balanced read-only)
  • 9100 (Node Exporter)
  • 9011 (Process Exporter)
MariaDB MaxScale
  • 22 (SSH)
  • ICMP (echo reply/request)
  • 6603 (MaxCtrl – CLI)
  • 4006 (Round robin listener)
  • 4008 (Read/Write split listener)
  • 4442 (Debug information)
  • 9100 (Node Exporter)
  • 9011 (Process Exporter)
Keepalived
  • 22 (SSH)
  • ICMP (echo reply/request)
  • 224.0.0.0/8 (multicast request)
  • IP protocol 112 (VRRP)
Galera Arbitrator (garbd)
  • 22 (SSH)
  • ICMP (echo reply/request)
  • 4567 (Galera)
  • 9100 (Node Exporter)
  • 9011 (Process Exporter)
ProxySQL
  • 22 (SSH)
  • ICMP (echo reply/request)
  • 6032 (ProxySQL Admin)
  • 6033 (MySQL load-balanced)
  • 9100 (Node Exporter)
  • 9011 (Process Exporter)
Prometheus
  • 22 (SSH)
  • ICMP (echo reply/request)
  • 9090 (Prometheus)
Microsoft SQL Server
  • 22 (SSH)
  • ICMP (echo reply/request)
  • 1433 (SQL Server)
  • 9100 (Node Exporter)
  • 9011 (Process Exporter)
Redis
  • 22 (SSH)
  • ICMP (echo reply/request)
  • 6379  (Redis)
  • 16379 (Cluster bus)
  • 9100 (Node Exporter)
  • 9011 (Process Exporter)
Elasticsearch
  • 22 (SSH)
  • ICMP (echo reply/request)
  • 9200  (Elastic HTTP/Transfer)
  • 9100 (Node Exporter)
  • 9011 (Process Exporter)
Valkey
  • 22 (SSH)
  • ICMP (echo reply/request)
  • 6379  (Valkey)
  • 16379 (Cluster bus)
  • 9100 (Node Exporter)
  • 9011 (Process Exporter)
Was this article helpful to you? Yes No