Ingress communication
General list of the EXPOSED ports on the instance:
- 22: To access the instance via SSH from your computer. SSH access to the instance is required for administration and debugging.
- 80: To access the Terraform Cloud application via HTTP. This port redirects to port 443 for HTTPS.
- 443: To access the Terraform Cloud application via HTTPS (Nginx: dashboard UI, API endpoints, webhooks, etc.).
- 8800: To access the installer dashboard (ReplicatedUI dashboard).
Ports that should be available to OTHER members of the cluster (V5) and internally:
- 9870-9880 (inclusive): For internal communication on the host and its subnet; not publicly accessible.
- 23000-23100 (inclusive): For internal communication on the host and its subnet; not publicly accessible.
Higher ports and their functions in detail
Please note that the list below is incomplete and may contain minor errors.
| Port or range of ports | Function/Application |
|---|---|
| 2003 | Graphite (Carbon) feeding port (monitoring, metrics) |
| 2004 | Graphite (Carbon) feeding port (monitoring, metrics) |
| 4150-4151, 4160-4161, 4170-4171 | Replicated NSQD (messaging platform-daemon for internal communication) |
| 5432 | Internal Postgres |
| 5672 | RabbitMQ TFE worker coordination |
| 6379 | Redis (Caching and coordination between web and background workers in the application layer) |
| 7586 | TFE ingress - pulls in version control system (VCS) data (GitHub, Bitbucket, etc.) and stores it via Archivist |
| 7588 | TFE State parser |
| 7675 | TFE Archivist - stores data in object storage, encrypts it via Vault |
| 8089 | InfluxDB default UDP Service (monitoring, metrics) |
| 8125 | StatsD (monitoring, metrics) |
| 8200 | TFE node Vault (built-in) for encrypting practically everything |
| 8800 | ReplicatedUI (TFE setup Dashboard) |
| 9292 | Atlas engine (old name of TFE engine) |
| 9873 | ReplicatedUI retraced engine API (replicated audit subcomponent) |
| 9874-9879 | ReplicatedUI entry point span |
| 23005 | TFE Health Check point |
| 23020 | Nomad (built-in) scheduler (for Sentinel runs) |
| 32774-32776 | ReplicatedUI internal StatsD ports, mapped to the standard ports (see 2003/2004 and 8125 above) |
Egress communication
If Terraform Enterprise is installed in online mode, it accesses the following hostnames to get software updates:
- api.replicated.com
- get.replicated.com
- registry-data.replicated.com
- registry.replicated.com
- quay.io
- quay-registry.s3.amazonaws.com
- index.docker.io
- auth.docker.io
- registry-1.docker.io
- download.docker.com
- production.cloudflare.docker.com
Airgapped installs do not check for updates over the network.
Additionally, the following hostnames are accessed unless a custom Terraform bundle is supplied:
- registry.terraform.io (when using Terraform 0.12 and later)
- releases.hashicorp.com
When Cost Estimation is enabled, it uses the respective cloud provider’s APIs to get up-to-date pricing info:
- api.pricing.us-east-1.amazonaws.com
- cloud.google.com
- azure.microsoft.com
Other
If a firewall is configured on the instance, be sure that traffic can flow out of the docker0 interface to the instance’s primary address.
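The following is an added example, not part of the Terraform Enterprise documentation: a POSIX shell function that renders an nftables ruleset implementing the ingress policy listed above (public 22/80/443/8800, subnet-only 9870-9880 and 23000-23100) together with the docker0-to-primary-address allowance from the firewall note. TFE_SUBNET and PRIMARY_ADDR are assumed placeholder values; the docker0 rule is this example's interpretation of the note (container traffic entering on docker0 and addressed to the primary address is accepted).

```shell
#!/bin/sh
# Added example: render an nftables ruleset for a TFE instance's host firewall.
# TFE_SUBNET and PRIMARY_ADDR are assumed placeholders; set them to the
# instance's real subnet and primary address before use.
TFE_SUBNET="${TFE_SUBNET:-10.0.1.0/24}"
PRIMARY_ADDR="${PRIMARY_ADDR:-10.0.1.10}"

tfe_nft_ruleset() {
  # Unquoted heredoc so the two variables above are expanded into the rules.
  cat <<EOF
table inet tfe {
  chain input {
    type filter hook input priority 0; policy drop;
    ct state established,related accept
    iif "lo" accept
    # Publicly exposed: SSH, HTTP (redirects to 443), HTTPS, installer dashboard.
    tcp dport { 22, 80, 443, 8800 } accept
    # Cluster/internal only: restrict the internal ranges to the host's subnet.
    ip saddr $TFE_SUBNET tcp dport 9870-9880 accept
    ip saddr $TFE_SUBNET tcp dport 23000-23100 accept
    # Allow traffic leaving docker0 to reach the instance's primary address.
    iifname "docker0" ip daddr $PRIMARY_ADDR accept
  }
}
EOF
}

# Print the ruleset; redirect to a file (e.g. tfe.nft) to review and load it.
tfe_nft_ruleset
```

Validate the rendered file with `nft -c -f tfe.nft` before loading it with `nft -f tfe.nft`.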