Phase 2: Configure Network Rules

Network Rules Overview

In this phase, you set up the network rules that allow the CloudCenter components to communicate with each other.

The port lists on this page are the minimum required for inter-component communication.

Production environments are typically secured by allowing traffic only on the ports specified in this section.

In environments where all components can already reach each other on any port (typically POC environments or private datacenters), you must still configure firewall rules or security groups according to your enterprise requirements: do not expose unnecessary ports to external networks or to the public internet.

For each CloudCenter component, you can configure both Ingress and Egress rules.

If your Egress rules already allow all outbound traffic (destination 0.0.0.0/0) and your Ingress rules already allow user browsers to reach each VM, the per-component Egress rows below are already satisfied and you do not need to add them one by one. Treat them as the set to restrict egress to when you tighten a production deployment.

Security Groups

To configure the network rules for each VM, you must set up the appropriate inter-connectivity between the CloudCenter components.

For VMs launched in AWS or OpenStack, you already did this when you created security groups and associated them with each VM; verify that those groups contain the rules listed below.

  • All port requirements use TCP unless noted otherwise (port 5405 between the MGMTPOSTGRES_MASTER and MGMTPOSTGRES_SLAVE VMs is UDP).
  • For all communication between components, and for HTTPS access, use TLS as the SSL protocol.

The tables in this section list the networking requirements for each component role. For Ingress rows, Remote Source is the peer that initiates the connection; for Egress rows, it is the destination the component connects to. Names such as CCO_IP, CCO_LB, or MON_PRIMARY stand for the address of that component in your deployment. Wherever a table offers 0.0.0.0/0 "or an appropriate IP address range", use the narrowest range that works for you.

 CCM Network Rules

CCM Ports

Port | Direction | Remote Source | Notes
80 | Ingress (optional) | 0.0.0.0/0 (or the IP address range of the user browsers allowed to access the UI) | HTTP to HTTPS redirection.
80 | Egress | 0.0.0.0/0 | To download installer or appliance packages.
443 | Egress | 0.0.0.0/0 | To download installer or appliance packages.
443 | Ingress | 0.0.0.0/0 (or the IP address range of the user browsers allowed to access the UI) | UI/API access.
22 | Ingress (optional) | Allowed SSH source IP | Troubleshooting.
8443 | Ingress | CCO_IP, or CCO_PRIMARY_IP and CCO_SECONDARY_IP | Two-way communication between the CCO and CCM VMs. Required for every cloud region supported by your CloudCenter deployment.
8443 | Egress | CCO_IP or CCO_LB_IP | Two-way communication between the CCO and CCM VMs.
8443 | Ingress (optional) | MON_IP, or MON_PRIMARY_IP and MON_SECONDARY_IP | Two-way communication between the Monitor and CCM VMs.
8443 | Egress (optional) | MON_IP or MON_LB_IP | Two-way communication between the Monitor and CCM VMs.
8443 | Ingress | AMQP_IP, or AMQP_PRIMARY_IP and AMQP_SECONDARY_IP | Web SSH/VNC through Guacamole.
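The Security Groups section above says that, for AWS and OpenStack VMs, these rules live in the security groups attached to each VM. The following Python is an added example (not CloudCenter code) that encodes the CCM table above as data, lints it for ports exposed to 0.0.0.0/0 that the page does not designate as browser-facing, emits the equivalent `aws ec2 authorize-security-group-ingress` / `authorize-security-group-egress` commands, and diffs the required rules against the JSON that `aws ec2 describe-security-groups` returns for an existing group. The placeholder names (CCO_IP, MON_IP, AMQP_IP, ALLOWED_SSH_SOURCE), the ADDRESSES map and SAMPLE_SG are constructed for the example; substitute the addresses and group from your own deployment.

```python
"""Encode the CCM port table from this page as data, lint it, turn it into AWS
CLI commands, and diff it against an existing security group.
Added example, not CloudCenter code: the placeholders CCO_IP, MON_IP, AMQP_IP
and ALLOWED_SSH_SOURCE, the ADDRESSES map and SAMPLE_SG are constructed."""
import ipaddress
from dataclasses import dataclass

ANY = "0.0.0.0/0"
BROWSER_FACING = {80, 443}   # the only ports the page opens to user browsers


@dataclass(frozen=True)
class Rule:
    port: int
    direction: str           # "ingress" or "egress"
    source: str              # a CIDR, or a placeholder for a peer component
    proto: str = "tcp"       # the page's tables are TCP except 5405/udp
    optional: bool = False
    note: str = ""


# The CCM table as listed on this page; "optional" rows are marked.
CCM_RULES = [
    Rule(80, "ingress", ANY, optional=True, note="HTTP to HTTPS redirection"),
    Rule(80, "egress", ANY, note="download installer or appliance packages"),
    Rule(443, "egress", ANY, note="download installer or appliance packages"),
    Rule(443, "ingress", ANY, note="UI/API access"),
    Rule(22, "ingress", "ALLOWED_SSH_SOURCE", optional=True, note="troubleshooting"),
    Rule(8443, "ingress", "CCO_IP", note="CCO to CCM"),
    Rule(8443, "egress", "CCO_IP", note="CCM to CCO"),
    Rule(8443, "ingress", "MON_IP", optional=True, note="Monitor to CCM"),
    Rule(8443, "egress", "MON_IP", optional=True, note="CCM to Monitor"),
    Rule(8443, "ingress", "AMQP_IP", note="Guacamole web SSH/VNC"),
]

# Constructed: where each peer component lives in this example deployment.
ADDRESSES = {"CCO_IP": "10.0.1.10/32", "MON_IP": "10.0.1.20/32",
             "AMQP_IP": "10.0.1.30/32", "ALLOWED_SSH_SOURCE": "203.0.113.0/24"}


def resolve(rule, addresses):
    """Map a placeholder to its CIDR (a literal CIDR passes through).
    An unresolved placeholder raises ValueError instead of being skipped."""
    return ipaddress.ip_network(addresses.get(rule.source, rule.source))


def lint(rules):
    """Flag ingress rules that open a non-browser port to the whole internet."""
    return [f"{r.port}/{r.proto} ingress open to {ANY}: {r.note}" for r in rules
            if r.direction == "ingress" and r.source == ANY
            and r.port not in BROWSER_FACING]


def aws_cli(rules, group_id, addresses):
    """One `aws ec2 authorize-security-group-{ingress,egress}` command per rule."""
    return [f"aws ec2 authorize-security-group-{r.direction} --group-id {group_id} "
            f"--protocol {r.proto} --port {r.port} --cidr {resolve(r, addresses)}"
            for r in rules]


def _sg_entries(sg):
    """Flatten a describe-security-groups entry to (direction, proto, lo, hi, net)."""
    out = []
    for key, direction in (("IpPermissions", "ingress"), ("IpPermissionsEgress", "egress")):
        for perm in sg.get(key, []):
            lo, hi = perm.get("FromPort", 0), perm.get("ToPort", 65535)  # absent for "-1"
            for rng in perm.get("IpRanges", []):
                out.append((direction, perm["IpProtocol"], lo, hi,
                            ipaddress.ip_network(rng["CidrIp"])))
    return out


def diff_against_sg(rules, sg, addresses):
    """Return (missing, world_open): required rules the group does not cover, and
    group entries that expose a non-browser port to 0.0.0.0/0."""
    have = _sg_entries(sg)
    missing = []
    for r in rules:
        if r.optional:
            continue
        net = resolve(r, addresses)
        if not any(d == r.direction and p in (r.proto, "-1") and lo <= r.port <= hi
                   and net.subnet_of(n) for d, p, lo, hi, n in have):
            missing.append(f"{r.direction} {r.port}/{r.proto} peer {net}: {r.note}")
    world_open = [f"ingress {lo}-{hi}/{p} open to {ANY}" for d, p, lo, hi, n in have
                  if d == "ingress" and str(n) == ANY
                  and not (lo == hi and lo in BROWSER_FACING)]
    return missing, world_open


# Constructed sample shaped like one entry of `aws ec2 describe-security-groups`:
# 8443 is open to the world, and outbound 80 and outbound 8443 are absent.
SAMPLE_SG = {
    "GroupId": "sg-0123456789abcdef0",
    "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443, "IpRanges": [{"CidrIp": ANY}]},
        {"IpProtocol": "tcp", "FromPort": 8443, "ToPort": 8443, "IpRanges": [{"CidrIp": ANY}]},
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
         "IpRanges": [{"CidrIp": "203.0.113.0/24"}]},
    ],
    "IpPermissionsEgress": [
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443, "IpRanges": [{"CidrIp": ANY}]},
    ],
}

if __name__ == "__main__":
    print("\n".join(aws_cli(CCM_RULES, SAMPLE_SG["GroupId"], ADDRESSES)))
    missing, world_open = diff_against_sg(CCM_RULES, SAMPLE_SG, ADDRESSES)
    print("missing:", missing, "\nworld-open:", world_open)
```

Run stand-alone, it prints the ten authorize commands for the CCM group and then reports that the sample group lacks outbound 80 and outbound 8443 to the CCO, and that it exposes 8443 to the world. A security group created with AWS defaults allows all egress, which satisfies the page's Egress rows but is exactly what you narrow in production; the same table-driven check applies to OpenStack security groups if you map their rule listing into the same (direction, protocol, port range, CIDR) tuples.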

 CCM_SA

CCM_SA Ports

Port | Direction | Remote Source | Notes
80 | Ingress (optional) | 0.0.0.0/0 (or the IP address range of the user browsers allowed to access the UI) | HTTP to HTTPS redirection.
80 | Egress | 0.0.0.0/0 | To download installer or appliance packages.
443 | Egress | 0.0.0.0/0 | To download installer or appliance packages.
443 | Ingress | 0.0.0.0/0 (or the IP address range of the user browsers allowed to access the UI) | UI/API access.
22 | Ingress (optional) | Allowed SSH source IP | Troubleshooting.
8443 | Ingress | CCO, or CCO_PRIMARY and CCO_SECONDARY | Two-way communication between the CCO and CCM VMs.
8443 | Egress | CCO or CCO_LB | Two-way communication between the CCO and CCM VMs.
8443 | Ingress (optional) | MON, or MON_PRIMARY and MON_SECONDARY | Two-way communication between the Monitor and CCM VMs.
8443 | Egress (optional) | MON or MON_LB | Two-way communication between the Monitor and CCM VMs.
8443 | Ingress | AMQP, or AMQP_PRIMARY and AMQP_SECONDARY | Web SSH/VNC through Guacamole.
5432 | Egress | MGMTPOSTGRES | Communication to the database.

 MGMTPOSTGRES

MGMTPOSTGRES Ports

Port | Direction | Remote Source | Notes
80 | Egress | 0.0.0.0/0 | To download installer or appliance packages.
443 | Egress | 0.0.0.0/0 | To download installer or appliance packages.
22 | Ingress (optional) | Allowed SSH source IP | Troubleshooting.
5432 | Ingress | CCM_SA | Incoming connection from the CCM standalone VM.

 CCM_SA_PRIMARY and CCM_SA_SECONDARY

CCM_SA_PRIMARY and CCM_SA_SECONDARY Ports

Port | Direction | Remote Source | Notes
80 | Egress | 0.0.0.0/0 | To download installer or appliance packages.
443 | Ingress | CCM_LB | Incoming connection from the CCM load balancer VM.
443 | Egress | 0.0.0.0/0 | To download installer or appliance packages.
22 | Ingress (optional) | Allowed SSH source IP | Troubleshooting.
22 | Ingress/Egress | CCM_SA_PRIMARY or CCM_SA_SECONDARY (the peer VM) | Static file sync between the CCM primary and secondary VMs.
8443 | Ingress | CCM_LB | Incoming connection from the CCM load balancer VM.
8443 | Egress | CCO or CCO_LB | Communication to the CCO VMs.
8443 | Egress (optional) | MON or MON_LB | Communication to the Monitor VMs.
5703 | Ingress/Egress | CCM_SA_PRIMARY or CCM_SA_SECONDARY (the peer VM) | Internal HA data handling between the two CCM VMs.
5432 | Egress | MGMTPOSTGRES or MGMTPOSTGRES_VIP | Communication to the database.

 MGMTPOSTGRES_MASTER and MGMTPOSTGRES_SLAVE

MGMTPOSTGRES_MASTER and MGMTPOSTGRES_SLAVE Ports

Port | Direction | Remote Source | Notes
22 | Ingress (optional) | Allowed SSH source IP | Troubleshooting.
22 | Ingress/Egress | MGMTPOSTGRES_MASTER, MGMTPOSTGRES_SLAVE | Static file sync between the MGMTPOSTGRES master and slave VMs.
80 | Egress | 0.0.0.0/0 | To download installer or appliance packages.
443 | Egress | 0.0.0.0/0 | To download installer or appliance packages.
5432 | Ingress | CCM_SA_PRIMARY, CCM_SA_SECONDARY | Incoming connections from the CCM primary and secondary VMs.
5432 | Ingress/Egress | MGMTPOSTGRES_MASTER, MGMTPOSTGRES_SLAVE | Communication between the master and slave database VMs.
5405 (UDP) | Ingress/Egress | MGMTPOSTGRES_MASTER, MGMTPOSTGRES_SLAVE | Pacemaker clustering between the two database VMs, for high availability.
2224 | Ingress/Egress | MGMTPOSTGRES_MASTER, MGMTPOSTGRES_SLAVE | Pacemaker clustering between the two database VMs, for high availability.
3121 | Ingress/Egress | MGMTPOSTGRES_MASTER, MGMTPOSTGRES_SLAVE | Pacemaker clustering between the two database VMs, for high availability.
21064 | Ingress/Egress | MGMTPOSTGRES_MASTER, MGMTPOSTGRES_SLAVE | Pacemaker clustering between the two database VMs, for high availability.

The four clustering ports (5405/UDP, 2224, 3121, 21064) carry cluster control traffic only. Restrict them to the two database VMs; no other component needs to reach them.

 CCM_LB

CCM_LB Ports

Port | Direction | Remote Source | Notes
22 | Ingress (optional) | Allowed SSH source IP | Troubleshooting.
80 | Ingress (optional) | 0.0.0.0/0 (or the IP address range of the user browsers allowed to access the UI) | HTTP to HTTPS redirection.
80 | Egress | 0.0.0.0/0 | To download installer or appliance packages.
443 | Egress | 0.0.0.0/0 | To download installer or appliance packages.
443 | Ingress | 0.0.0.0/0 (or the IP address range of the user browsers allowed to access the UI) | UI/API access.
443 | Egress | CCM_SA_PRIMARY, CCM_SA_SECONDARY | Communication with the CCM primary and secondary VMs.
8443 | Egress | CCM_SA_PRIMARY, CCM_SA_SECONDARY | Communication with the CCM primary and secondary VMs.
8443 | Ingress | CCO, or CCM_SA_PRIMARY and CCM_SA_SECONDARY | Communication from the CCO VM.
8443 | Ingress (optional) | MON, or MON_PRIMARY and MON_SECONDARY | Communication from the Monitor VM.
8443 | Ingress | AMQP, or AMQP_PRIMARY and AMQP_SECONDARY | Web SSH/VNC through Guacamole.

 CCO Network Rules

CCO Ports

Port | Direction | Remote Source | Notes
8443 | Ingress/Egress | CCM, CCM_SA, or CCM_SA_PRIMARY and CCM_SA_SECONDARY | Two-way communication between the CCO and CCM VMs.
22 | Ingress (optional) | Allowed SSH source IP | Troubleshooting.
80 | Egress | 0.0.0.0/0 | To download installer or appliance packages.
443 | Egress | 0.0.0.0/0 | To download installer or appliance packages.
All | Egress (conditional) | Cloud region endpoints, script sources | Cloud region endpoint access, and downloading the scripts/packages defined in external services.
2375 | Egress (conditional) | EXT_SCRIPT_EXECUTOR | Docker container engine access to execute external scripts. Only for CloudCenter 4.6.x and earlier; not used for CloudCenter 4.7.x and later. See the EXT_SCRIPT_EXECUTOR table: from CloudCenter 4.6.2 the executor listens on 2376 (HTTPS) instead of 2375 (HTTP).

 CCO_PRIMARY, CCO_SECONDARY, and CCO_TERTIARY

CCO_PRIMARY, CCO_SECONDARY, and CCO_TERTIARY Ports

Port | Direction | Remote Source | Notes
8443 | Ingress/Egress | CCO_LB | Two-way communication between the CCO and CCM VMs, through the CCO load balancer.
22 | Ingress (optional) | Allowed SSH source IP | Troubleshooting.
80 | Egress | 0.0.0.0/0 | To download installer or appliance packages.
443 | Egress | 0.0.0.0/0 | To download installer or appliance packages.
All | Egress (conditional) | Cloud region endpoints, script sources | Cloud region endpoint access, and downloading the scripts/packages defined in external services.
2375 | Egress (conditional) | EXT_SCRIPT_EXECUTOR | Docker container engine access to execute external scripts. Only for CloudCenter 4.6.x and earlier; not used for CloudCenter 4.7.x and later. See the EXT_SCRIPT_EXECUTOR table: from CloudCenter 4.6.2 the executor listens on 2376 (HTTPS) instead of 2375 (HTTP).
5701 | Ingress/Egress | CCO_PRIMARY, CCO_SECONDARY, CCO_TERTIARY | Internal HA data handling between the CCO VMs.
27017 | Ingress | CCO HA servers (CCO_PRIMARY, CCO_SECONDARY, CCO_TERTIARY) | MongoDB connection.
 CCO_LB

CCO_LB Ports

Port | Direction | Remote Source | Notes
22 | Ingress (optional) | Allowed SSH source IP | Troubleshooting.
80 | Egress | 0.0.0.0/0 | To download installer or appliance packages.
443 | Egress | 0.0.0.0/0 | To download installer or appliance packages.
8443 | Ingress | CCM, CCM_SA, or CCM_SA_PRIMARY and CCM_SA_SECONDARY | Communication to the CCO from the CCM VMs.
8443 | Egress | CCO, or CCO_PRIMARY, CCO_SECONDARY, and CCO_TERTIARY | Communication to the CCO VMs from the CCO load balancer.

 AMQP Network Rules

AMQP Ports

Port | Direction | Remote Source | Notes
22 | Ingress (optional) | Allowed SSH source IP | Troubleshooting.
5671 | Ingress | CCO (or CCO_PRIMARY, CCO_SECONDARY, and CCO_TERTIARY); Worker VM IP range | Communication from the CCO VM and from launched (worker) VMs.
7789 | Ingress | Worker VM IP range | SSH/VNC access to launched VMs, through the reverse proxy.
7788 | Ingress/Egress | AMQP, or AMQP_PRIMARY, AMQP_SECONDARY, AMQP_LB | SSH/VNC access to launched VMs, through the reverse proxy.
443 | Ingress | 0.0.0.0/0 (or the IP address range of the user browsers allowed to access the UI) | SSH/VNC and RDP access to launched VMs.
8443 | Egress | CCM, CCM_SA, or CCM_SA_PRIMARY and CCM_SA_SECONDARY; CCO, or CCO_PRIMARY, CCO_SECONDARY, and CCO_TERTIARY | SSH/VNC access to launched VMs: the Guacamole server on the AMQP VM communicates with the CCM and CCO VMs on this port.

 AMQP_PRIMARY and AMQP_SECONDARY

AMQP_PRIMARY and AMQP_SECONDARY Ports

Port | Direction | Remote Source | Notes
22 | Ingress (optional) | Allowed SSH source IP | Troubleshooting.
5671 | Ingress | CCO (or CCO_PRIMARY and CCO_SECONDARY); Worker VM IP range | Communication from the CCO VM and from launched (worker) VMs.
7789 | Ingress | Worker VM IP range | SSH/VNC access to launched VMs, through the reverse proxy.
7788 | Ingress/Egress | AMQP, or AMQP_PRIMARY and AMQP_SECONDARY | SSH/VNC access to launched VMs, through the reverse proxy.
443 | Ingress | 0.0.0.0/0 (or the IP address range of the user browsers allowed to access the UI) | SSH/VNC and RDP access to launched VMs.
8443 | Egress | CCM, CCM_SA, or CCM_LB; CCO or CCO_LB | SSH/VNC access to launched VMs: the Guacamole server on the AMQP VM communicates with the CCM and CCO on this port.
4369 | Ingress/Egress | AMQP_PRIMARY, AMQP_SECONDARY | Communication between the AMQP primary and secondary VMs.
25672 | Ingress/Egress | AMQP_PRIMARY, AMQP_SECONDARY | Communication between the AMQP primary and secondary VMs.

 AMQP_LB

AMQP_LB Ports

Port | Direction | Remote Source | Notes
22 | Ingress (optional) | Allowed SSH source IP | Troubleshooting.
5671 | Ingress | CCO (or CCO_PRIMARY and CCO_SECONDARY); Worker VM IP range | Communication from the CCO VM and from launched (worker) VMs.
7789 | Ingress | Worker VM IP range | SSH/VNC access to launched VMs, through the reverse proxy.
7788 | Ingress | AMQP, or AMQP_PRIMARY, AMQP_SECONDARY, AMQP_LB | SSH/VNC access to launched VMs, through the reverse proxy.
443 | Ingress | 0.0.0.0/0 (or the IP address range of the user browsers allowed to access the UI) | SSH/VNC access to launched VMs, through the reverse proxy.

 External Scripts Network Rules

EXT_SCRIPT_EXECUTOR Ports

Port | Direction | Remote Source | Notes
22 | Ingress (optional) | Allowed SSH source IP | Troubleshooting.
80 | Egress | 0.0.0.0/0 | To download installer or appliance packages.
443 | Egress | 0.0.0.0/0 | To download installer or appliance packages.
2375 (prior to CloudCenter 4.6.2) | Ingress | CCO, or CCO_PRIMARY, CCO_SECONDARY, and CCO_TERTIARY | HTTP access from the CCO VM to the Docker engine endpoint.
2376 (CloudCenter 4.6.2 and later) | Ingress | CCO, or CCO_PRIMARY, CCO_SECONDARY, and CCO_TERTIARY | HTTPS access from the CCO VM to the Docker engine endpoint.

A Docker engine API reachable over plain HTTP on 2375 is unauthenticated and gives the caller control of the host's containers, so restrict the ingress source on either port to the CCO VMs only; never open it to 0.0.0.0/0.

 Guacamole Network Rules

GUAC Ports

Port | Direction | Remote Source | Notes
22 | Ingress (optional) | Allowed SSH source IP | Troubleshooting.
7789 | Ingress | Worker VM IP range | SSH/VNC access to launched VMs, through the reverse proxy.
7788 | Ingress/Egress | GUAC | SSH/VNC access to launched VMs, through the reverse proxy.
80 | Egress | 0.0.0.0/0 | To download installer or appliance packages.
443 | Egress | 0.0.0.0/0 | To download installer or appliance packages.
443 | Ingress | 0.0.0.0/0 (or the IP address range of the user browsers allowed to access the UI) | SSH/VNC and RDP access to launched VMs.
8443 | Egress | CCM, CCM_SA, or CCM_LB; CCO or CCO_LB | SSH/VNC access to launched VMs: the Guacamole server on the GUAC VM communicates with the CCM and CCO VMs on this port.

 Monitor Network Rules

MON Ports

Port | Direction | Remote Source | Notes
22 | Ingress (optional) | Allowed SSH source IP | Troubleshooting.
80 | Egress | 0.0.0.0/0 | To download installer or appliance packages.
443 | Egress | 0.0.0.0/0 | To download installer or appliance packages.
4560 | Ingress | Logstash | To collect, process, and push logs to the CCM and/or CCO.
8881 | Ingress | Elasticsearch | To download logs for the CCM and/or CCO.
8882 | Ingress | Kibana | To view logs in the Kibana console.
8443 | Ingress/Egress | CCM, CCM_SA, CCM_SA_PRIMARY, CCM_SA_SECONDARY, or CCM_LB | Two-way communication between the CCM and Monitor VMs.
8443 | Egress | CCO or CCO_LB | Access to the CCO VM.

 MON_PRIMARY and MON_SECONDARY

MON_PRIMARY and MON_SECONDARY Ports

Port | Direction | Remote Source | Notes
22 | Ingress (optional) | Allowed SSH source IP | Troubleshooting.
80 | Egress | 0.0.0.0/0 | To download installer or appliance packages.
443 | Egress | 0.0.0.0/0 | To download installer or appliance packages.
4560 | Ingress | Logstash | To collect, process, and push logs to the CCM and/or CCO.
8881 | Ingress | Elasticsearch | To download logs for the CCM and/or CCO.
8882 | Ingress | Kibana | To view logs in the Kibana console.
8443 | Ingress | MON_LB | Communication from the Monitor load balancer.
8443 | Egress | CCO or CCO_LB | Access to the CCO VM.

 MON_LB

MON_LB Ports

Port | Direction | Remote Source | Notes
22 | Ingress (optional) | Allowed SSH source IP | Troubleshooting.
80 | Egress | 0.0.0.0/0 | To download installer or appliance packages.
443 | Egress | 0.0.0.0/0 | To download installer or appliance packages.
4560 | Ingress | Logstash | To collect, process, and push logs to the CCM and/or CCO.
8881 | Ingress | Elasticsearch | To download logs for the CCM and/or CCO.
8882 | Ingress | Kibana | To view logs in the Kibana console.
8443 | Ingress | CCM, CCM_SA, or CCM_SA_PRIMARY and CCM_SA_SECONDARY | Communication from the CCM VMs.
8443 | Egress | MON_PRIMARY, MON_SECONDARY | Access to the Monitor VMs.

 Bundle Store Network Rules

BUNDLE_STORE Ports

Port | Direction | Remote Source | Notes
22 | Ingress (optional) | Allowed SSH source IP | SSH access.
80 | Ingress | Worker VM IP range | For application (worker) VMs to download the bootstrap script and agent package.

 Package Store Network Rules

PACKAGE_STORE Ports

Port | Direction | Remote Source | Notes
22 | Ingress (optional) | Allowed SSH source IP | SSH access.
22 | Egress | Public repo server (repo.cliqrtech.com) | Syncing all OS, component, and service packages.
80 | Ingress | All components and the worker VM IP range | For application (worker) VMs to download the bootstrap script and agent package.
80 | Egress | 0.0.0.0/0 | To download installer or appliance packages.
443 | Egress | 0.0.0.0/0 | To download installer or appliance packages.
5000 | Ingress (conditional) | Worker VM IP range | For application (worker) VMs to download container service images.

 Docker Registry Network Rules

DOCKER_REGISTRY Ports

Port | Direction | Remote Source | Notes
22 | Ingress (optional) | Allowed SSH source IP | SSH access.
80 | Egress | 0.0.0.0/0 | To download installer or appliance packages.
443 | Egress | 0.0.0.0/0 | To download installer or appliance packages.
5000 | Ingress | Worker VM IP range | For worker VMs to download container service images.

Proxy Settings

If the CCM and CCO VMs need a proxy server to reach the internet (for the package downloads on ports 80 and 443 listed above), follow this process:

  1. Set the proxy environment variables on each VM to reflect your proxy settings.
  2. Add the following to JAVA_OPTS on both the CCM and the CCO:
    -Dhttp.proxyHost=<proxy_hostname> -Dhttp.proxyPort=<port_number>

     The JVM reads separate https.proxyHost and https.proxyPort properties for HTTPS connections; if downloads over port 443 still fail through the proxy, check whether your environment also needs those set.
  3. Application VMs may need additional settings. Contact the CloudCenter Support Team for details.