Phase 2: Configure Network Rules

Network Rules Overview

In this phase, you must set up network rules to enable communication across the various components.

The network settings on this page provide the minimal port requirements for inter-component communication.

Production environments are typically secured by allowing communication only through the ports specified in this section.

In environments where all components can communicate with each other via any port (typically POC environments or private datacenters), you must still configure the firewall rules or security groups based on your enterprise requirements – do not expose unnecessary ports to the external network or the publicly-available internet.

For each CloudCenter component, you may configure both Ingress and Egress rules.

If you open all traffic for Egress rules (by setting the IP address range to 0.0.0.0/0) and allow all browsers to access each VM, then you do not need to follow the Egress rule port requirements for each component.

See Components Overview > Network Architecture for an example of the ports used for a basic CloudCenter installation.

Security Groups

For AWS or OpenStack, the network rules are configured using security groups. For all other clouds, follow the cloud-specific nuances identified in Phase 1: Prepare Infrastructure for each cloud.

  • All port requirements use the TCP protocol.
  • For all communication between the components and for HTTPS access, use TLS as the SSL protocol.

Once you configure the security groups accurately, the JSON file should pass without any errors.

The tables in this section list the networking requirements for each Component Role.

CCM Network Rules

CCM Ports

| Port | Direction | Remote Source | Notes |
|---|---|---|---|
| 80 | Ingress (optional) | 0.0.0.0/0 (or appropriate IP address range for user browsers that are allowed to access) | For HTTP to HTTPS redirection. |
| 80 | Egress | 0.0.0.0/0 | To download installer or appliance packages. |
| 443 | Egress | 0.0.0.0/0 | To download installer or appliance packages. |
| 443 | Ingress | 0.0.0.0/0 (or appropriate IP address range for user browsers that are allowed to access) | For UI/API access. |
| 22 | Ingress (optional) | Allowed SSH source IP | For troubleshooting purposes. |
| 5671 | Ingress/Egress (optional) | ESB API Communication | For two-way communication with the ESB AMQP module in the CCM. This port must be open if you need to establish programmatic access to the AMQP module – only required if you use the ESB functionality. |
| 15672 | Ingress/Egress (optional) | ESB UI Communication | For two-way communication with the ESB AMQP module in the CCM. This port must be open if you need to establish access to the AMQP module from the AMQP UI – only required if you use the ESB functionality. |
| 8443 | Ingress | CCO or CCO_LB | For two-way communication between the CCO and CCM VMs. Required for all Cloud Regions supported by your CloudCenter deployment. |
| 8443 | Egress | CCO or CCO_LB | For two-way communication between the CCO and CCM VMs. Required for all Cloud Regions supported by your CloudCenter deployment. |
| 8443 | Ingress (optional) | MON, or MON_PRIMARY and MON_SECONDARY | For two-way communication between the Monitor VM and the CCM VM. |
| 8443 | Egress (optional) | MON or MON_LB | For two-way communication between the Monitor VM and the CCM VM. |
| 8443 | Ingress | AMQP_IP or AMQP_LB | For Web SSH/VNC through Guacamole. |
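The CCM ingress rules above can be audited mechanically before a deployment goes live. The following is an added example, not CloudCenter tooling: it transcribes the CCM ingress table into a rule set and checks a constructed, AWS-style security group description against it, reporting required ports that are missing, ports exposed to 0.0.0.0/0 that the table restricts to component or administrator addresses, and permissions the table does not list at all. The group ID and address ranges are placeholders.

```python
"""Audit an AWS-style security group against the CCM ingress rules on this page.

Added example, not part of CloudCenter. The rule table is transcribed from the
CCM Ports table; the security group below is a constructed sample.
"""
import ipaddress

# CCM ingress rules from the page. "world_ok" records whether the page permits
# 0.0.0.0/0 (user browsers) as the remote source for that port.
CCM_INGRESS = {
    80:    {"required": False, "world_ok": True,  "purpose": "HTTP to HTTPS redirection"},
    443:   {"required": True,  "world_ok": True,  "purpose": "UI/API access"},
    22:    {"required": False, "world_ok": False, "purpose": "troubleshooting (allowed SSH source only)"},
    5671:  {"required": False, "world_ok": False, "purpose": "ESB AMQP API (only if ESB is used)"},
    15672: {"required": False, "world_ok": False, "purpose": "ESB AMQP UI (only if ESB is used)"},
    8443:  {"required": True,  "world_ok": False, "purpose": "CCO, Monitor and AMQP to CCM"},
}

# Constructed sample in the shape of an AWS describe-security-groups entry.
# The group ID and CIDRs are placeholders, not values from a real deployment.
SAMPLE_SG = {
    "GroupId": "sg-PLACEHOLDER",
    "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},            # allowed by the table
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},            # too broad: SSH source only
        {"IpProtocol": "tcp", "FromPort": 8443, "ToPort": 8443,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},            # too broad: CCO/MON/AMQP only
        {"IpProtocol": "tcp", "FromPort": 3306, "ToPort": 3306,
         "IpRanges": [{"CidrIp": "10.0.1.0/24"}]},          # not in the CCM table
    ],
}


def is_world(cidr):
    """True when the CIDR is the whole address space (0.0.0.0/0 or ::/0)."""
    return ipaddress.ip_network(cidr, strict=False).prefixlen == 0


def audit_ccm_ingress(sg, rules=CCM_INGRESS):
    """Return {"missing": [...], "too_broad": [...], "unexpected": [...]}."""
    findings = {"missing": [], "too_broad": [], "unexpected": []}
    opened = set()
    for perm in sg.get("IpPermissions", []):
        proto = perm.get("IpProtocol")
        if proto not in ("tcp", "-1"):          # the table is TCP only
            continue
        lo, hi = (0, 65535) if proto == "-1" else (perm["FromPort"], perm["ToPort"])
        cidrs = [r["CidrIp"] for r in perm.get("IpRanges", [])]
        cidrs += [r["CidrIpv6"] for r in perm.get("Ipv6Ranges", [])]
        matched = [p for p in rules if lo <= p <= hi]
        if not matched:                          # range covers no table port
            findings["unexpected"].append((lo, hi, cidrs))
            continue
        for port in matched:
            opened.add(port)
            if any(is_world(c) for c in cidrs) and not rules[port]["world_ok"]:
                findings["too_broad"].append((port, rules[port]["purpose"]))
    findings["missing"] = [p for p, r in rules.items() if r["required"] and p not in opened]
    return findings


if __name__ == "__main__":
    for kind, items in audit_ccm_ingress(SAMPLE_SG).items():
        print(kind, items)
```

The same rule dictionary can be rebuilt for any other component table on this page; only the port entries change.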

CCM_SA Ports

| Port | Direction | Remote Source | Notes |
|---|---|---|---|
| 80 | Ingress (optional) | 0.0.0.0/0 (or appropriate IP address range for user browsers that are allowed to access) | For HTTP to HTTPS redirection. |
| 80 | Egress | 0.0.0.0/0 | To download installer or appliance packages. |
| 443 | Egress | 0.0.0.0/0 | To download installer or appliance packages. |
| 443 | Ingress | 0.0.0.0/0 (or appropriate IP address range for user browsers that are allowed to access) | For UI/API access. |
| 22 | Ingress (optional) | Allowed SSH source IP | For troubleshooting purposes. |
| 5671 | Ingress/Egress (optional) | ESB API Communication | For two-way communication with the ESB AMQP module in the CCM. This port must be open if you need to establish programmatic access to the AMQP module – only required if you use the ESB functionality. |
| 15672 | Ingress/Egress (optional) | ESB UI Communication | For two-way communication with the ESB AMQP module in the CCM. This port must be open if you need to establish access to the AMQP module from the AMQP UI – only required if you use the ESB functionality. |
| 8443 | Ingress | CCO or CCO_LB | For two-way communication between the CCO and CCM VMs. |
| 8443 | Egress | CCO or CCO_LB | For two-way communication between the CCO and CCM VMs. |
| 8443 | Ingress (optional) | MON, or MON_PRIMARY and MON_SECONDARY | For two-way communication between the Monitor VM and the CCM VM. |
| 8443 | Egress (optional) | MON or MON_LB | For two-way communication between the Monitor VM and the CCM VM. |
| 8443 | Ingress | AMQP or AMQP_LB | For Web SSH/VNC through Guacamole. |
| 5432 | Egress | MGMTPOSTGRES | For communication to the database. |

MGMTPOSTGRES Ports

| Port | Direction | Remote Source | Notes |
|---|---|---|---|
| 80 | Egress | 0.0.0.0/0 | To download installer or appliance packages. |
| 443 | Egress | 0.0.0.0/0 | To download installer or appliance packages. |
| 22 | Ingress (optional) | Allowed SSH source IP | For troubleshooting purposes. |
| 5432 | Ingress | CCM_SA | For incoming connections from the CCM standalone VM. |

MGMTPOSTGRES_MASTER and MGMTPOSTGRES_SLAVE Ports

| Port | Direction | Remote Source | Notes |
|---|---|---|---|
| 22 | Ingress (optional) | Allowed SSH source IP | For troubleshooting purposes. |
| 22 | Ingress/Egress | MGMTPOSTGRES_MASTER, MGMTPOSTGRES_SLAVE | For static file sync between the MGMTPOSTGRES master and slave VMs. |
| 80 | Egress | 0.0.0.0/0 | To download installer or appliance packages. |
| 443 | Egress | 0.0.0.0/0 | To download installer or appliance packages. |
| 5432 | Ingress | CCM_SA_PRIMARY, CCM_SA_SECONDARY | For incoming connections from the CCM standalone VMs. |
| 5432 | Ingress/Egress | MGMTPOSTGRES_MASTER, MGMTPOSTGRES_SLAVE | For communication between the master and slave database VMs. |
| 5405 (UDP) | Ingress/Egress | MGMTPOSTGRES_MASTER, MGMTPOSTGRES_SLAVE | For Pacemaker clustering between both database VMs to ensure high availability. |
| 2224 | Ingress/Egress | MGMTPOSTGRES_MASTER, MGMTPOSTGRES_SLAVE | For Pacemaker clustering between both database VMs to ensure high availability. |
| 3121 | Ingress/Egress | MGMTPOSTGRES_MASTER, MGMTPOSTGRES_SLAVE | For Pacemaker clustering between both database VMs to ensure high availability. |
| 21064 | Ingress/Egress | MGMTPOSTGRES_MASTER, MGMTPOSTGRES_SLAVE | For Pacemaker clustering between both database VMs to ensure high availability. |

CCM_SA_PRIMARY and CCM_SA_SECONDARY Ports

| Port | Direction | Remote Source | Notes |
|---|---|---|---|
| 80 | Egress | 0.0.0.0/0 | To download installer or appliance packages. |
| 443 | Ingress | CCM_LB | For incoming connections from the CCM load balancer VM. |
| 443 | Egress | 0.0.0.0/0 | To download installer or appliance packages. |
| 22 | Ingress (optional) | Allowed SSH source IP | For troubleshooting purposes. |
| 22 | Ingress/Egress | CCM_SA_PRIMARY or CCM_SA_SECONDARY | For static file sync between the CCM primary and secondary VMs. |
| 8443 | Ingress | CCM_LB | For incoming connections from the CCM load balancer VM. |
| 8443 | Egress | CCO or CCO_LB | For communication to the CCO VMs. |
| 8443 | Egress (optional) | MON or MON_LB | For communication to the Monitor VMs. |
| 5671 | Ingress/Egress (optional) | ESB API Communication | For two-way communication with the ESB AMQP module in the CCM. This port must be open if you need to establish programmatic access to the AMQP module – only required if you use the ESB functionality. |
| 15672 | Ingress/Egress (optional) | ESB UI Communication | For two-way communication with the ESB AMQP module in the CCM. This port must be open if you need to establish access to the AMQP module from the AMQP UI – only required if you use the ESB functionality. |
| 5703 | Ingress/Egress | CCM_SA_PRIMARY or CCM_SA_SECONDARY | For the internal implementation that handles data in HA. |
| 5432 | Egress | MGMTPOSTGRES or MGMTPOSTGRES_VIP | For communication to the database. |

CCM_LB Ports

| Port | Direction | Remote Source | Notes |
|---|---|---|---|
| 22 | Ingress (optional) | Allowed SSH source IP | For troubleshooting purposes. |
| 80 | Ingress (optional) | 0.0.0.0/0 (or appropriate IP address range for user browsers that are allowed to access) | For HTTP to HTTPS redirection. |
| 80 | Egress | 0.0.0.0/0 | To download installer or appliance packages. |
| 443 | Egress | 0.0.0.0/0 | To download installer or appliance packages. |
| 443 | Ingress | 0.0.0.0/0 (or appropriate IP address range for user browsers that are allowed to access) | For UI/API access. |
| 443 | Egress | CCM_SA_PRIMARY and CCM_SA_SECONDARY | For communication with the CCM primary and secondary VMs. |
| 8443 | Egress | CCM_SA_PRIMARY and CCM_SA_SECONDARY | For communication with the CCM primary and secondary VMs. |
| 8443 | Ingress | CCO or CCO_LB | For communication from the CCO VM. |
| 8443 | Ingress (optional) | MON, or MON_PRIMARY and MON_SECONDARY | For communication from the Monitor VM. |
| 8443 | Ingress | AMQP or AMQP_LB | For Web SSH/VNC through Guacamole. |

CCO Network Rules

CCO Ports

| Port | Direction | Remote Source | Notes |
|---|---|---|---|
| 8443 | Ingress/Egress | CCM, or CCM_SA, or CCM_SA_PRIMARY and CCM_SA_SECONDARY; Monitor | For two-way communication between the CCO and CCM VMs. |
| 22 | Ingress (optional) | Allowed SSH source IP | For troubleshooting purposes. |
| 80 | Egress | 0.0.0.0/0 | To download installer or appliance packages. |
| 443 | Egress | 0.0.0.0/0 | To download installer or appliance packages. |
| All | Egress (conditional) | Cloud Region Endpoints, Script Sources | For cloud region endpoint access and for downloading scripts/packages defined in external services. |
| 2375 | Egress (conditional): only for CloudCenter 4.6.x and earlier; not used for CloudCenter 4.7.x and later | EXT_SCRIPT_EXECUTOR | For Docker container engine access to execute external scripts. |
| 2376 | Egress (conditional): only for CloudCenter 4.7.x and later; not used for CloudCenter 4.6.x and earlier | EXT_SCRIPT_EXECUTOR | For Docker container engine access to execute external scripts. |

CCO_PRIMARY, SECONDARY, and TERTIARY Ports

| Port | Direction | Remote Source | Notes |
|---|---|---|---|
| 8443 | Ingress/Egress | CCO_LB; Monitor | For two-way communication between the CCO and CCM VMs. |
| 22 | Ingress (optional) | Allowed SSH source IP | For troubleshooting purposes. |
| 80 | Egress | 0.0.0.0/0 | To download installer or appliance packages. |
| 443 | Egress | 0.0.0.0/0 | To download installer or appliance packages. |
| All | Egress (conditional) | Cloud Region Endpoints, Script Sources | For cloud region endpoint access and for downloading scripts/packages defined in external services. |
| 2375 | Egress (conditional): only for CloudCenter 4.6.x and earlier; not used for CloudCenter 4.7.x and later | EXT_SCRIPT_EXECUTOR | For Docker container engine access to execute external scripts. |
| 2376 | Egress (conditional): only for CloudCenter 4.7.x and later; not used for CloudCenter 4.6.x and earlier | EXT_SCRIPT_EXECUTOR | For Docker container engine access to execute external scripts. |
| 5701 | Ingress/Egress | CCO_PRIMARY, CCO_SECONDARY, CCO_TERTIARY | For the internal implementation that handles data in HA. |
| 27017 | Ingress | CCO_PRIMARY, CCO_SECONDARY, CCO_TERTIARY | For the MongoDB connection. |
CCO_LB Ports

| Port | Direction | Remote Source | Notes |
|---|---|---|---|
| 22 | Ingress (optional) | Allowed SSH source IP | For troubleshooting purposes. |
| 80 | Egress | 0.0.0.0/0 | To download installer or appliance packages. |
| 443 | Egress | 0.0.0.0/0 | To download installer or appliance packages. |
| 8443 | Ingress | CCM, or CCM_SA, or CCM_PRIMARY and CCM_SECONDARY | For communication to the CCO from the CCM VMs. |
| 8443 | Egress | CCO, or CCO_PRIMARY, CCO_SECONDARY, and CCO_TERTIARY; Monitor | For communication to the CCO VMs from the CCO load balancer. |

AMQP Network Rules

AMQP Ports

| Port | Direction | Remote Source | Notes |
|---|---|---|---|
| 22 | Ingress (optional) | Allowed SSH source IP | For troubleshooting purposes. |
| 5671 | Ingress | CCO or CCO_LB; Worker VM IP range | For communication from the CCO VM and from launched VMs. |
| 7789 | Ingress | Worker VM IP range | For SSH/VNC access to launched VMs. Done through a reverse proxy for the loopback connection. |
| 7788 | Ingress/Egress | AMQP, or AMQP_PRIMARY, AMQP_SECONDARY, and AMQP_LB | For SSH/VNC access to launched VMs. Done through a reverse proxy for the loopback connection. |
| 443 | Ingress | 0.0.0.0/0 (or appropriate IP address range for user browsers that are allowed to access) | For SSH/VNC and RDP access to launched VMs. |
| 8443 | Egress | CCM, CCM_SA, or CCM_LB; CCO or CCO_LB | For SSH/VNC access to launched VMs. The Guacamole server on the AMQP VM communicates with the CCM and CCO VMs via this port. |

AMQP_PRIMARY and AMQP_SECONDARY Ports

| Port | Direction | Remote Source | Notes |
|---|---|---|---|
| 22 | Ingress (optional) | Allowed SSH source IP | For troubleshooting purposes. |
| 5671 | Ingress | CCO or CCO_LB; Worker VM IP range | For communication from the CCO VM and from launched VMs. |
| 7789 | Ingress | Worker VM IP range | For SSH/VNC access to launched VMs. Done through a reverse proxy for the loopback connection. |
| 7788 | Ingress/Egress | AMQP or AMQP_LB | For SSH/VNC access to launched VMs. Done through a reverse proxy for the loopback connection. |
| 443 | Ingress | 0.0.0.0/0 (or appropriate IP address range for user browsers that are allowed to access) | For SSH/VNC and RDP access to launched VMs. |
| 8443 | Egress | CCM, CCM_SA, or CCM_LB; CCO or CCO_LB | For SSH/VNC access to launched VMs. The Guacamole server on the AMQP VM communicates with the CCM and CCO VMs on this port. |
| 4369 | Ingress/Egress | AMQP_PRIMARY and AMQP_SECONDARY | For communication between the AMQP primary and secondary VMs. |
| 25672 | Ingress/Egress | AMQP_PRIMARY and AMQP_SECONDARY | For communication between the AMQP primary and secondary VMs. |

AMQP_LB Ports

| Port | Direction | Remote Source | Notes |
|---|---|---|---|
| 22 | Ingress (optional) | Allowed SSH source IP | For troubleshooting purposes. |
| 5671 | Ingress | CCO, or CCO_PRIMARY, CCO_SECONDARY, CCO_TERTIARY, and CCO_LB; Application (Worker) VM IP range | For communication from the CCO VM and from launched VMs. |
| 7789 | Ingress | Worker VM IP range | For SSH/VNC access to launched VMs. Done through a reverse proxy for the loopback connection. |
| 7788 | Ingress | AMQP, or AMQP_PRIMARY, AMQP_SECONDARY, and AMQP_LB | For SSH/VNC access to launched VMs. Done through a reverse proxy for the loopback connection. |
| 443 | Ingress | 0.0.0.0/0 (or appropriate IP address range for user browsers that are allowed to access) | For SSH/VNC access to launched VMs. Done through a reverse proxy. |

External Scripts Network Rules

EXT_SCRIPT_EXECUTOR Ports

| Port | Direction | Remote Source | Notes |
|---|---|---|---|
| 22 | Ingress (optional) | Allowed SSH source IP | For troubleshooting purposes. |
| 80 | Egress | 0.0.0.0/0 | To download installer or appliance packages. |
| 443 | Egress | 0.0.0.0/0 | To download installer or appliance packages. |
| 2375 (prior to CloudCenter 4.6.2) | Ingress | CCO, or CCO_PRIMARY, CCO_SECONDARY, and CCO_TERTIARY | For HTTP access from the CCO VM to the Docker engine endpoints. |
| 2376 (effective CloudCenter 4.6.2 and later) | Ingress | CCO, or CCO_PRIMARY, CCO_SECONDARY, and CCO_TERTIARY | For HTTPS access from the CCO VM to the Docker engine endpoints. |

Guacamole Network Rules

GUAC Ports

| Port | Direction | Remote Source | Notes |
|---|---|---|---|
| 22 | Ingress (optional) | Allowed SSH source IP | For troubleshooting purposes. |
| 7789 | Ingress | Worker VM IP range | For SSH/VNC access to launched VMs. Done through a reverse proxy. |
| 7788 | Ingress/Egress | GUAC | For SSH/VNC access to launched VMs. Done through a reverse proxy. |
| 80 | Egress | 0.0.0.0/0 | To download installer or appliance packages. |
| 443 | Egress | 0.0.0.0/0 | To download installer or appliance packages. |
| 443 | Ingress | 0.0.0.0/0 (or appropriate IP address range for user browsers that are allowed to access) | For SSH/VNC and RDP access to launched VMs. |
| 8443 | Egress | CCM, CCM_SA, or CCM_LB; CCO or CCO_LB | For SSH/VNC access to launched VMs. The Guacamole server on the AMQP VM communicates with the CCM and CCO VMs on this port. |

Monitor Network Rules

MON Ports

| Port | Direction | Remote Source | Notes |
|---|---|---|---|
| 22 | Ingress (optional) | Allowed SSH source IP | For troubleshooting purposes. |
| 80 | Egress | 0.0.0.0/0 | To download installer or appliance packages. |
| 443 | Egress | 0.0.0.0/0 | To download installer or appliance packages. |
| 4560 | Ingress | CCM_IP, or CCM_PRIMARY_IP and CCM_SECONDARY_IP; CCO_IP, or CCO_PRIMARY_IP, CCO_SECONDARY_IP, and CCO_TERTIARY_IP | (Logstash) To collect, process, and push the logs to the CCM and/or CCO. |
| 8881 | Ingress | CCM_IP, or CCM_PRIMARY_IP and CCM_SECONDARY_IP; CCO_IP, or CCO_PRIMARY_IP, CCO_SECONDARY_IP, and CCO_TERTIARY_IP | (Elasticsearch) To download logs for the CCM and/or CCO. |
| 8882 | Ingress | Public browser access | To view the logs in the Kibana console. |
| 8443 | Ingress/Egress | CCM, or CCM_SA, or CCM_SA_PRIMARY, CCM_SA_SECONDARY, and CCM_LB | For two-way communication between the CCM and Monitor VMs. |
| 8443 | Egress | CCO or CCO_LB | For access to the CCO VM. |

MON_PRIMARY and MON_SECONDARY Ports

| Port | Direction | Remote Source | Notes |
|---|---|---|---|
| 22 | Ingress (optional) | Allowed SSH source IP | For troubleshooting purposes. |
| 80 | Egress | 0.0.0.0/0 | To download installer or appliance packages. |
| 443 | Egress | 0.0.0.0/0 | To download installer or appliance packages. |
| 4560 | Ingress | CCM_IP, or CCM_PRIMARY_IP and CCM_SECONDARY_IP; CCO_IP, or CCO_PRIMARY_IP, CCO_SECONDARY_IP, and CCO_TERTIARY_IP | (Logstash) To collect, process, and push the logs to the CCM and/or CCO. |
| 8881 | Ingress | CCM_IP, or CCM_PRIMARY_IP and CCM_SECONDARY_IP; CCO_IP, or CCO_PRIMARY_IP, CCO_SECONDARY_IP, and CCO_TERTIARY_IP | (Elasticsearch) To download logs for the CCM and/or CCO. |
| 8882 | Ingress | Public browser access | To view the logs in the Kibana console. |
| 8443 | Ingress | MON_LB | For communication from the Monitor load balancer. |
| 8443 | Egress | CCO or CCO_LB | For access to the CCO VM. |

MON_LB Ports

| Port | Direction | Remote Source | Notes |
|---|---|---|---|
| 22 | Ingress (optional) | Allowed SSH source IP | For troubleshooting purposes. |
| 80 | Egress | 0.0.0.0/0 | To download installer or appliance packages. |
| 443 | Egress | 0.0.0.0/0 | To download installer or appliance packages. |
| 4560 | Ingress | CCM_IP, or CCM_PRIMARY_IP and CCM_SECONDARY_IP; CCO_IP, or CCO_PRIMARY_IP, CCO_SECONDARY_IP, and CCO_TERTIARY_IP | (Logstash) To collect, process, and push the logs to the CCM and/or CCO. |
| 8881 | Ingress | CCM_IP, or CCM_PRIMARY_IP and CCM_SECONDARY_IP; CCO_IP, or CCO_PRIMARY_IP, CCO_SECONDARY_IP, and CCO_TERTIARY_IP | (Elasticsearch) To download logs for the CCM and/or CCO. |
| 8882 | Ingress | Public browser access | To view the logs in the Kibana console. |
| 8443 | Ingress | CCM, or CCM_SA, or CCM_SA_PRIMARY and CCM_SA_SECONDARY | For communication from the CCM VMs. |
| 8443 | Egress | MON_PRIMARY and MON_SECONDARY | For access to the Monitor VMs. |

Bundle Store Network Rules

BUNDLE_STORE Ports

| Port | Direction | Remote Source | Notes |
|---|---|---|---|
| 22 | Ingress (optional) | Allowed SSH source IP | For SSH access. |
| 80 | Ingress | Worker VMs IP range | For the application VM (worker) to download the bootstrap script and agent package. |

Package Store Network Rules

PACKAGE_STORE Ports

| Port | Direction | Remote Source | Notes |
|---|---|---|---|
| 22 | Ingress (optional) | Allowed SSH source IP | For SSH access. |
| 22 | Egress | Public Repo Server – repo.cliqrtech.com | For syncing all OS, component, and service packages. |
| 80 | Ingress | All components and worker VMs IP range | For the application VM (worker) to download the bootstrap script and agent package. |
| 80 | Egress | 0.0.0.0/0 | To download installer or appliance packages. |
| 443 | Egress | 0.0.0.0/0 | To download installer or appliance packages. |
| 5000 | Ingress (conditional) | Worker VMs IP range | For the application VM (worker) to download container service images. |

Docker Registry Network Rules

DOCKER_REGISTRY Ports

| Port | Direction | Remote Source | Notes |
|---|---|---|---|
| 22 | Ingress (optional) | Allowed SSH source IP | For SSH access. |
| 80 | Egress | 0.0.0.0/0 | To download installer or appliance packages. |
| 443 | Egress | 0.0.0.0/0 | To download installer or appliance packages. |
| 5000 | Ingress | Application VM(s) IP range | For the application VM (worker) to download container service images. |

Proxy Settings

If you need a proxy server to connect to the internet, be sure to configure the proxy setting for the CCM and CCO servers in Phase 4: Install Components.
