Networking
This topic describes the network usage and requirements for both system instances and services.
You can configure the network settings for each service when you install the system. You cannot change these settings after the system is up and running. If your networking environment changes such that the system can no longer function with its current networking configuration, you need to reinstall the system.
The HCI product uses both internal and external ports to operate its services, and the system-internal ports do not have authentication or Transport Layer Security (TLS). At a minimum, use your firewall to make these ports accessible only to other instances in the system. If any users have root access to your system, your network and its systems are vulnerable to unauthorized use.
To secure your data and HCI system, you need to manually use iptables or firewalld to restrict the ports that the HCI installer otherwise leaves open to local communication only. See System-internal ports and Example HCI firewall setup.
Additionally, you can use Internet Protocol Security (IPSec) or an equivalent to secure internode communications. Consult with your system administrator to configure your network with this added security.
Instance IP address requirements
All instance IP addresses must be static. This includes both internal and external network IP addresses, if applicable to your system.
Network types
Each of the HCI services can bind to one type of network, either internal or external, for receiving incoming traffic. If your network infrastructure supports having two networks, you might want to isolate the traffic for most system services to a secured internal network that has limited access to avoid critical security risks to your data and system. You can then leave only the Search-App and Admin-App services on your external network for user access.
You can use either a single network type for all services or a mix of both types. To use both types, every instance in your system must be addressable by two IP addresses: one on your internal network and one on your external network. If you use only one network type, each instance needs only one IP address.
Allowing access to external resources
Regardless of whether you're using a single network type or a mix of types, you need to configure your network environment to ensure that all instances have outgoing access to the external resources you want to use.
This includes:
- The data sources where your data is stored.
- Identity providers for user authentication.
- Email servers that you want to use for sending email notifications.
- Any external search indexes (for example, HDDS indexes) that you want to make accessible through HCI.
Ports
Each service binds to a number of ports for receiving incoming traffic. Before installing HCI, you can configure the services to use different ports, or use the default values shown in the following tables.
Port values can be reconfigured during system installation, so your system might not use the default values. You cannot change service port values when the system is up and running.
To view the ports that your system is using, view the Network tab for each service your system runs (Services > service-name > Network).
System-external ports
The following table contains information about the service ports that are used to interact with the system.
On every instance in the system, each of these ports:
- Must be accessible from any network that needs administrative or search access to the system.
- Must be accessible from every other instance in the system.
/<installation-directory>/config/cluster.config
Default Port Value | Service | Purpose |
6162 | Monitor-App | Access to the HCM application, which is used to monitor the health of HCP systems. WARNING: The Monitor-App service will not function properly if it is assigned a port value lower than 1024. |
8000 | Admin-App | Access to administrative interfaces: |
8888 | Search-App | Access to search interfaces: |
System-internal ports
This table lists the ports used for intra-system communication by the services. On every instance in the system, each of these ports:
- Must be accessible from every other instance in the system.
- Should not be accessible from outside the system.
You can find more information on how these ports are used in the documentation for the third-party software underlying each service.
Default Port Value | Used By | Purpose |
2181 | Synchronization service | Synchronization service client port. |
2888 | Synchronization service | Synchronization service internal communication. |
3888 | Synchronization service | Synchronization service leader election. |
4040 | Workflow jobs | Spark UI port. |
5001 | Admin-App service | Debug port for Admin-App service. |
5005 | Workflow jobs | The port to use for debugging the job driver. |
5008 | Workflow jobs | The port to use for debugging the job executor. |
5002 | Search-App service | Debug port used by the Search-App service. |
5003 | Index service | Debug port used by the Index service. |
5050 | Cluster-Coordination service | Primary port for communicating with Cluster-Coordination. |
5051 | Cluster-Worker service | Primary port for communicating with Cluster-Worker. |
5123 | Monitor-App service | The debug port used by the Monitor App. |
5555 | Watchdog service | Port for JMX connections to Watchdog service. |
5601 | Dashboard service | Primary port for communicating with the Dashboard service. |
6175 | Monitor-App service | The port used by the Monitor App for graceful shutdowns. |
7000 | Database service | TCP port for commands and data. |
7199 | Database service | Port for JMX connections to Database service. |
7203 | Message Queue service | Port for JMX connections to Message Queue service. |
8005 | Admin-App service | Port used by Admin-App for graceful shutdowns. |
8006 | Search-App service | Port used by the Search-App service for graceful shutdowns. |
8020 | Cluster-File-System service | Port used for file system metadata operations. |
8080 | Service-Deployment service | Primary port for communicating with Service-Deployment. |
8081 | Scheduling service | Primary port for communicating with the Scheduling service. WARNING: If you change the port number for the Scheduling service, you must restart HCI.service on all system nodes for the change to take effect. |
5007 | Sentinel service | Debug port used by Sentinel service. |
8007 | Sentinel service | Port used by the Sentinel service for graceful shutdowns. |
8480 | Cluster-File-System service | HTTP port for JournalNodes. |
8481 | Cluster-File-System service | HTTPS port for JournalNodes. |
8485 | Cluster-File-System service | Port for the JournalNode RPC server. |
8889 | Sentinel service | Primary port for communicating with Sentinel. |
8893 | Monitor-App service | Port used for the Monitor App Analytics functionality. |
8983 | Index service | Primary port used to communicate with the Index service. WARNING: The port assigned to the Index service should not be below 1024. |
9000 | Cluster-File-System service | Port used for file system metadata operations. |
9042 | Database service | Primary port for communicating with the Database service. |
9091 | Network-Proxy service | Primary port for communicating with Network-Proxy. |
9092 | Message Queue service | Primary port for communicating with Message Queue service. |
9200 | Metrics service | Port used to communicate with the Metrics service cluster. |
9201 | Metrics service | Port used to communicate with an individual Metrics service node. |
9301 | Metrics service | Port that nodes in the Metrics service cluster use when communicating with each other. |
9600 | Logging service | Primary port for communicating with Logging service. |
9601 | Logging service | The port used to receive syslog messages. |
10000 | Index service | Port used by the Index service for graceful shutdowns. |
15050 | Cluster-Coordination service | Cluster-Coordination internal communication. |
18000 | Admin-App service | Admin-App internal communication. |
18080 | Service-Deployment service | Service-Deployment internal communication. |
18889 | Sentinel service | Sentinel service internal communication. |
31000-34000 | Cluster-Coordination and Cluster-Worker services | High ports used by both Mesos and Docker. |
50010 | Cluster-File-System service | Port for DataNode data transfers. |
50020 | Cluster-File-System service | Port for DataNode IPC server. |
50070 | Cluster-File-System service | Port for the web UI used to view the current status of the service and explore the clustered file system. |
50075 | Cluster-File-System service | Port for the web UI used to access the status and logs for DataNodes. |
50090 | Cluster-File-System service | Secondary HTTP port for NameNodes. |
50091 | Cluster-File-System service | Secondary HTTPS port for NameNodes. |
50470 | Cluster-File-System service | HTTPS port for NameNodes. |
50475 | Cluster-File-System service | HTTPS port for DataNodes. |
Example HCI firewall setup
- This example details the steps required for a single node. This process must be repeated across all nodes in your system.
- If you upgrade from HCI 1.6.1 to a later version of HCI and already have signal sources configured and these scripts executed, you will not receive syslog messages until the firewall scripts are rerun on the upgraded system.
- Before running the scripts, ensure that the firewall service is enabled.
- While running the scripts, you may encounter errors because nmcli does not work when NetworkManager is disabled. To enable it, type:
systemctl start NetworkManager
- After the scripts have concluded, you will need to restart HCI.
The following is an example of what a hardened HCI cluster running CentOS Linux 7.4.1708 (Core) would look like if it were set up to allow ONLY HCI traffic within it.
The following firewall scripts are now located in <hci_install_directory>/bin:
- hciConfigFirewallExample.sh
- hciFirewallExampleUtils
- hciProcessFirewall
To run the example script on your system, execute hciConfigFirewallExample.sh.
The following firewalld example was created using our proprietary script. It is compatible with HCI versions 1.5 and later.
This script IS NOT officially supported or licensed by Hitachi Vantara. Usage of this script assumes all risks and responsibilities associated with it. Also, based on your personal network and system settings, your mileage with its usage and implementation may vary. Contact your system administrator if you have any network security or firewall concerns.
Network interfaces examples | |
ens160 : 172.18.118.111 | In the following config example, this network interface is the external non-trusted interface. |
ens192 : 172.118.110.111 | In the following config example, this network interface is the internal trusted interface. |
Zone setup | |
Default Zone | drop |
Active Zones | HCI-External trusted HCI-AdminApp-Mon |
To view your current settings: firewall-cmd --list-all --zone=drop | |
target | DROP |
icmp-block-inversion | no |
interfaces | <blank> |
sources | <blank> |
services | <blank> |
ports | <blank> |
protocols | <blank> |
masquerade | no |
forward-ports | <blank> |
source-ports | <blank> |
icmp-blocks | <blank> |
rich rules | <blank> |
To view your current settings: firewall-cmd --list-all --zone=HCI-External | |
target | DROP |
icmp-block-inversion | no |
interfaces | ens160 |
sources | <blank> |
services | ssh |
ports | 8000/tcp 8888/tcp 6162/tcp |
protocols | <blank> |
masquerade | no |
forward-ports | <blank> |
source-ports | <blank> |
icmp-blocks | <blank> |
rich rules | <blank> |
To view your current settings: firewall-cmd --list-all --zone=trusted | |
target | ACCEPT |
icmp-block-inversion | no |
interfaces | ens192 |
sources | <blank> |
services | <blank> |
ports | <blank> |
protocols | <blank> |
masquerade | no |
forward-ports | <blank> |
source-ports | <blank> |
icmp-blocks | <blank> |
rich rules | <blank> |
To view your current settings: firewall-cmd --list-all --zone=HCI-AdminApp-Mon | |
target | default |
icmp-block-inversion | no |
interfaces | <blank> |
sources | ipset:HCI-Cluster-External |
services | <blank> |
ports | <blank> |
protocols | tcp |
masquerade | no |
forward-ports | <blank> |
source-ports | 18000/tcp |
icmp-blocks | <blank> |
rich rules | <blank> |
To view your current settings: ipset list | |
Name | HCI-Cluster-External |
Type | |
Revision | |
Header | |
Size in memory | |
References | |
Members | <IP_ADDRESS_FOR_NODE_1> <IP_ADDRESS_FOR_NODE_2> <IP_ADDRESS_FOR_NODE_3> <IP_ADDRESS_FOR_NODE_4> Note: These values would be filled with the specific IP addresses for each of your system nodes. |
To view your current settings: iptables -S | |
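As an added check, not part of the HCI firewall scripts or this documentation: a small Python audit that parses the output of firewall-cmd --list-all for the zone bound to the external interface and flags any system-internal port from the tables above that is opened there, a target other than DROP, or a missing system-external port. The sample listings are constructed and abbreviated, and the internal port list is a subset of the System-internal table.

```python
# Default port values from the tables above (internal list abbreviated; use
# the full System-internal table for a real audit).
EXTERNAL_PORTS = {6162, 8000, 8888}
INTERNAL_PORTS = {2181, 2888, 3888, 5050, 5051, 7000, 7199, 8020, 8080, 8081,
                  8983, 9000, 9042, 9092, 9200, 9600, 9601, 18000, 50010, 50070}
INTERNAL_RANGES = [(31000, 34000)]  # Mesos/Docker high ports

def parse_list_all(text):
    """Turn `firewall-cmd --list-all --zone=<zone>` output into {field: [tokens]}."""
    fields = {}
    for line in text.splitlines()[1:]:  # first line is "<zone> (active)"
        key, sep, value = line.strip().partition(":")
        if sep:
            fields[key] = value.split()
    return fields

def port_spans(fields):
    """Yield (token, low, high) for every entry in the zone's ports list."""
    for tok in fields.get("ports", []):
        lo, _, hi = tok.split("/", 1)[0].partition("-")
        yield tok, int(lo), int(hi or lo)

def audit_external_zone(text):
    """Return findings; [] means the zone exposes exactly the external ports."""
    fields = parse_list_all(text)
    findings = []
    if fields.get("target") != ["DROP"]:
        findings.append("target is not DROP")
    opened, leaked = set(), []
    for tok, lo, hi in port_spans(fields):
        opened.update(range(lo, hi + 1))
        if any(lo <= p <= hi for p in INTERNAL_PORTS) or \
           any(lo <= rhi and rlo <= hi for rlo, rhi in INTERNAL_RANGES):
            leaked.append(tok)
    if leaked:
        findings.append("system-internal ports exposed: " + " ".join(leaked))
    missing = sorted(EXTERNAL_PORTS - opened)
    if missing:
        findings.append("expected external ports missing: %s" % missing)
    return findings

# Constructed, abbreviated sample output in firewall-cmd's format (not captured
# from a real system); HARDENED mirrors the HCI-External zone table above.
HARDENED = """HCI-External (active)
  target: DROP
  interfaces: ens160
  services: ssh
  ports: 8000/tcp 8888/tcp 6162/tcp
"""
LEAKY = HARDENED.replace("target: DROP", "target: ACCEPT").replace(
    "6162/tcp", "6162/tcp 9042/tcp 31000-34000/tcp")
```

Run it on every node after the firewall scripts complete, feeding it the real listing for the external zone; a non-empty result means an internal port is reachable from the non-trusted network.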