
Firewall and Security Groups

It is important to secure the ClusterControl host and the database cluster. We recommend isolating the database infrastructure from the public Internet and whitelisting only the known hosts or networks that need to reach the database cluster.

ClusterControl requires ports used by the following services to be opened/enabled:

  • ICMP (echo reply/request).
  • SSH (default is 22).
  • HTTP (default is 80).
  • HTTPS (default is 443).
  • MySQL (default is 3306).
  • CMON RPC (default is 9500).
  • CMON RPC TLS (default is 9501).
  • CMON Events (default is 9510).
  • CMON SSH (default is 9511).
  • CMON Cloud (default is 9518).
  • Streaming port for backups through socat/netcat (default is 9999).

ClusterControl supports various database and application vendors, each with its own set of standard ports that need to be reachable. The following ports and services need to be reachable by ClusterControl on the managed database nodes:

Database Cluster (Vendor): Port/Service
MySQL/MariaDB (single instance and replication)
  • 22 (SSH)
  • ICMP (echo reply/request)
  • 3306 (MySQL)
MariaDB Galera Cluster, Percona XtraDB Cluster
  • 22 (SSH)
  • ICMP (echo reply/request)
  • 3306 (MySQL)
  • 4444 (SST)
  • 4567 TCP/UDP (Galera)
  • 4568 (Galera IST)
  • 9200 (HAProxy health check)
MySQL Cluster (NDB)
  • 22 (SSH)
  • ICMP (echo reply/request)
  • 1186 (MySQL Cluster)
  • 2200 (MySQL Cluster)
  • 3306 (MySQL)
MongoDB replica set
  • 22 (SSH)
  • ICMP (echo reply/request)
  • 27017 (mongod)
MongoDB sharded cluster
  • 22 (SSH)
  • ICMP (echo reply/request)
  • 27018 (mongod)
  • 27017 (mongos)
  • 27019 (config server)
PostgreSQL
  • 22 (SSH)
  • ICMP (echo reply/request)
  • 5432 (postgres)
TimescaleDB
  • 22 (SSH)
  • ICMP (echo reply/request)
  • 5432 (postgres)
HAProxy
  • 22 (SSH)
  • ICMP (echo reply/request)
  • 9600 (HAProxy stats)
  • 3307 (MySQL load-balanced)
  • 3308 (MySQL load-balanced read-only)
  • 5433 (PostgreSQL load-balanced)
  • 5434 (PostgreSQL load-balanced read-only)
MariaDB MaxScale
  • 22 (SSH)
  • ICMP (echo reply/request)
  • 6603 (MaxCtrl – CLI)
  • 4006 (Round robin listener)
  • 4008 (Read/Write split listener)
  • 4442 (Debug information)
Keepalived
  • 22 (SSH)
  • ICMP (echo reply/request)
  • 224.0.0.0/8 (multicast request)
  • IP protocol 112 (VRRP)
Galera Arbitrator (garbd)
  • 22 (SSH)
  • ICMP (echo reply/request)
  • 4567 (Galera)
ProxySQL
  • 22 (SSH)
  • ICMP (echo reply/request)
  • 6032 (ProxySQL Admin)
  • 6033 (MySQL load-balanced)
Prometheus
  • 22 (SSH)
  • ICMP (echo reply/request)
  • 9090 (Prometheus)
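
The whitelisting recommended at the top of this page, as an added example (not ClusterControl's own tooling): a shell function that prints, without applying, iptables rules admitting a single source address to the ports listed above for a node type. The role names, the function names `ports_for_role` and `cc_rules`, and the address 192.0.2.10 are assumptions of this example.

```shell
#!/bin/sh
# Added example: print (do not apply) iptables rules for a managed node so
# that only one source address can reach the ports this page lists.
# Role names and function names are assumptions of this example.

# Ports per role, copied from the list on this page. Format: proto/port
ports_for_role() {
  case "$1" in
    mysql)      echo "tcp/22 tcp/3306" ;;
    galera)     echo "tcp/22 tcp/3306 tcp/4444 tcp/4567 udp/4567 tcp/4568 tcp/9200" ;;
    mongodb-rs) echo "tcp/22 tcp/27017" ;;
    postgresql) echo "tcp/22 tcp/5432" ;;
    proxysql)   echo "tcp/22 tcp/6032 tcp/6033" ;;
    *)          return 1 ;;
  esac
}

# cc_rules ROLE SOURCE -> prints one iptables command per line
cc_rules() {
  role=$1
  src=$2
  # Allow only digits, dots and a slash in the source, so nothing else can
  # end up inside the generated command lines.
  case $src in
    ''|*[!0-9./]*) echo "invalid source address: $src" >&2; return 2 ;;
  esac
  list=$(ports_for_role "$role") || { echo "unknown role: $role" >&2; return 1; }

  # Keep replies to the node's own outbound connections and loopback working.
  echo "iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"
  echo "iptables -A INPUT -i lo -j ACCEPT"
  # ICMP echo request from the whitelisted source only.
  echo "iptables -A INPUT -s $src -p icmp --icmp-type echo-request -j ACCEPT"
  for entry in $list; do
    proto=${entry%/*}
    port=${entry#*/}
    echo "iptables -A INPUT -s $src -p $proto --dport $port -j ACCEPT"
  done
  # Emitted last: everything not matched above is dropped.
  echo "iptables -P INPUT DROP"
}

# Constructed sample: 192.0.2.10 stands in for the ClusterControl host.
cc_rules galera 192.0.2.10
```

The output covers only traffic from the one source given; traffic between the cluster nodes themselves needs its own rules.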