Networking

This topic describes the network usage and requirements for both system instances and services.

You can configure the network settings for each service when you install the system. You cannot change these settings after the system is up and running. If your networking environment changes such that the system can no longer function with its current networking configuration, you need to reinstall the system.

WARNING

The HCI product uses both internal and external ports to operate its services, and the system-internal ports do not have authentication or Transport Layer Security (TLS). At a minimum, use your firewall to make these ports accessible only to other instances in the system. If any users have root access to your system, your network and its systems are vulnerable to unauthorized use.

To secure your data and HCI system, you need to manually use iptables or firewalld to restrict the ports that the HCI installer otherwise leaves open to local (intra-system) communication only. See System-internal ports and Example HCI firewall setup.

Additionally, you can use Internet Protocol Security (IPSec) or an equivalent to secure internode communications. Consult with your system administrator to configure your network with this added security.

Instance IP address requirements

All instance IP addresses must be static. This includes both internal and external network IP addresses, if applicable to your system.

Important: If the IP address of any instance changes, see Handling network changes.

Network types

Each of the HCI services can bind to one type of network, either internal or external, for receiving incoming traffic. If your network infrastructure supports having two networks, you might want to isolate the traffic for most system services to a secured internal network with limited access, to avoid critical security risks to your data and system. You can then leave only the Search-App and Admin-App services on your external network for user access.

You can use either a single network type for all services or a mix of both types. To use both types, every instance in your system must be addressable by two IP addresses: one on your internal network and one on your external network. If you use only one network type, each instance needs only one IP address.

Allowing access to external resources

Regardless of whether you're using a single network type or a mix of types, you need to configure your network environment to ensure that all instances have outgoing access to the external resources you want to use.

This includes:

  • The data sources where your data is stored.
  • Identity providers for user authentication.
  • Email servers that you want to use for sending email notifications.
  • Any external search indexes (for example, HDDS indexes) that you want to make accessible through HCI.

Ports

Each service binds to a number of ports for receiving incoming traffic. Before installing HCI, you can configure the services to use different ports, or use the default values shown in the following tables.

Port values can be reconfigured during system installation, so your system might not use the default values. You cannot change service port values when the system is up and running.

To view the ports that your system is using, view the Network tab for each service your system runs (Services > service-name > Network).


System-external ports

Important: To keep your system secure, HCI system-external ports require user authentication and use Transport Layer Security (TLS).

The following table contains information about the service ports that are used to interact with the system.

On every instance in the system, each of these ports:

  • Must be accessible from any network that needs administrative or search access to the system.
  • Must be accessible from every other instance in the system.
Note: Debug ports are accessible only when debug is set to true in /<installation-directory>/config/cluster.config

Default Port Value | Service | Purpose
6162 | Monitor-App | Access to the HCM application, which is used to monitor the health of HCP systems. WARNING: The Monitor-App service will not function properly if it is assigned a port value lower than 1024.
8000 | Admin-App | Access to administrative interfaces: Administration App, Administrative REST API, Administrative CLI.
8888 | Search-App | Access to search interfaces: Search App, Workflow Designer, Search REST API, Workflow Designer REST API, Search CLI, Workflow Designer CLI.

System-internal ports

This table lists the ports used for intra-system communication by the services. On every instance in the system, each of these ports:

  • Must be accessible from every other instance in the system.
  • Should not be accessible from outside the system.

You can find more information on how these ports are used in the documentation for the third-party software underlying each service.

Note: For a secure and recommended firewall setup covering these internal ports, see Example HCI firewall setup.
Default Port Value | Used By | Purpose
2181 | Synchronization service | Synchronization service client port.
2888 | Synchronization service | Synchronization service internal communication.
3888 | Synchronization service | Synchronization service leader election.
4040 | Workflow jobs | Spark UI port.
5001 | Admin-App service | Debug port for the Admin-App service.
5005 | Workflow jobs | The port to use for debugging the job driver.
5008 | Workflow jobs | The port to use for debugging the job executor.
5002 | Search-App service | Debug port used by the Search-App service.
5003 | Index service | Debug port used by the Index service.
5050 | Cluster-Coordination service | Primary port for communicating with Cluster-Coordination.
5051 | Cluster-Worker service | Primary port for communicating with Cluster-Worker.
5123 | Monitor-App service | The debug port used by the Monitor App.
5555 | Watchdog service | Port for JMX connections to the Watchdog service.
6175 | Monitor-App service | The port used by the Monitor App for graceful shutdowns.
7000 | Database service | TCP port for commands and data.
7199 | Database service | Port for JMX connections to the Database service.
7203 | Message Queue service | Port for JMX connections to the Message Queue service.
8005 | Admin-App service | Port used by Admin-App for graceful shutdowns.
8006 | Search-App service | Port used by the Search-App service for graceful shutdowns.
8080 | Service-Deployment service | Primary port for communicating with Service-Deployment.
8081 | Scheduling service | Primary port for communicating with the Scheduling service. WARNING: If you change the port number for the Scheduling service, you must restart HCI.service on all system nodes for the change to take effect.
5007 | Sentinel service | Debug port used by the Sentinel service.
8007 | Sentinel service | Port used by the Sentinel service for graceful shutdowns.
8889 | Sentinel service | Primary port for communicating with Sentinel.
8893 | Monitor-App service | Port used for the Monitor App Analytics functionality.
8983 | Index service | Primary port used to communicate with the Index service. WARNING: The port assigned to the Index service should not be below 1024.
9042 | Database service | Primary port for communicating with the Database service.
9091 | Network-Proxy service | Primary port for communicating with Network-Proxy.
9092 | Message Queue service | Primary port for communicating with the Message Queue service.
9200 | Metrics service | Port used to communicate with the Metrics service cluster.
9201 | Metrics service | Port used to communicate with an individual Metrics service node.
9301 | Metrics service | Port that nodes in the Metrics service cluster use when communicating with each other.
9600 | Logging service | Primary port for communicating with the Logging service.
9601 | Logging service | The port used to receive syslog messages.
10000 | Index service | Port used by the Index service for graceful shutdowns.
15050 | Cluster-Coordination service | Cluster-Coordination internal communication.
18000 | Admin-App service | Admin-App internal communication.
18080 | Service-Deployment service | Service-Deployment internal communication.
18889 | Sentinel service | Sentinel service internal communication.
31000-34000 | Cluster-Coordination and Cluster-Worker services | High ports used by both Mesos and Docker.
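Because the system-internal ports above carry no authentication or TLS, a quick host-side check is to confirm that none of them is listening on the external address or on a wildcard address, which the firewall would then have to cover. The following audit script is an added example, not Hitachi Vantara code: it reads `ss -ltn` style output (a constructed sample is embedded), assumes the interface addresses used in the firewall example later on this page (172.118.110.111 internal, 172.18.118.111 external), and encodes only a subset of the internal port table, which you would extend for your deployment.

```python
"""Audit which HCI service ports are bound to which local address.

Added example (not Hitachi Vantara code). Parses `ss -ltn` output and
flags system-internal ports that listen anywhere other than the
internal interface or loopback, plus listeners the page does not document.
"""

# Port tables from this page. INTERNAL_PORTS is a subset; extend it from
# the System-internal ports table for your deployment.
EXTERNAL_PORTS = {6162, 8000, 8888}
INTERNAL_PORTS = {2181, 2888, 3888, 5050, 5051, 7000, 7199, 8080, 8081,
                  8889, 8983, 9042, 9091, 9092, 9200, 9201, 9301, 9600,
                  9601, 18000, 18080, 18889} | set(range(31000, 34001))

# Assumed addressing, taken from the page's interface example.
INTERNAL_ADDRS = {"172.118.110.111", "127.0.0.1", "::1"}
WILDCARDS = {"0.0.0.0", "*", "::", ""}


def parse_ss(text):
    """Return (local_addr, port) for every LISTEN line of `ss -ltn` output."""
    sockets = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 4 or fields[0] != "LISTEN":
            continue  # skips the header and anything unexpected
        addr, port = fields[3].rsplit(":", 1)
        sockets.append((addr.strip("[]"), int(port)))
    return sockets


def audit(sockets, internal_addrs=INTERNAL_ADDRS):
    """Return (port, addr, finding) for every listener that needs attention."""
    findings = []
    for addr, port in sockets:
        if port in INTERNAL_PORTS:
            if addr in WILDCARDS or addr not in internal_addrs:
                findings.append((port, addr,
                                 "unauthenticated internal port reachable "
                                 "beyond the internal network"))
        elif port in EXTERNAL_PORTS or port == 22:
            continue  # authenticated + TLS (or ssh): expected externally
        else:
            findings.append((port, addr, "listener not in the HCI port tables"))
    return findings


# Constructed sample output of `ss -ltn` on one HCI node.
SAMPLE_SS = """\
State  Recv-Q Send-Q Local Address:Port  Peer Address:Port
LISTEN 0      128    0.0.0.0:22          0.0.0.0:*
LISTEN 0      128    172.18.118.111:8000 0.0.0.0:*
LISTEN 0      128    172.18.118.111:8888 0.0.0.0:*
LISTEN 0      50     172.118.110.111:2181 0.0.0.0:*
LISTEN 0      50     *:9042              *:*
LISTEN 0      128    [::]:8983           [::]:*
LISTEN 0      128    127.0.0.1:7199      0.0.0.0:*
LISTEN 0      128    0.0.0.0:5432        0.0.0.0:*
"""

if __name__ == "__main__":
    for port, addr, why in audit(parse_ss(SAMPLE_SS)):
        print(f"{addr}:{port}: {why}")
```

On the sample, 2181 (internal address) and 7199 (loopback) pass, while the wildcard-bound 9042 and 8983 and the undocumented 5432 are reported.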

Example HCI firewall setup

Important
  • This example details the steps required for a single node. This process must be repeated across all nodes in your system.
  • If you upgrade from HCI 1.6.1 to a later version of HCI and already have signal sources configured with these firewall scripts applied, you will not receive syslog messages until the firewall scripts are rerun on the upgraded system.
  • Prior to running the scripts, ensure that the firewall service is enabled.
  • While running the scripts, you may encounter errors due to nmcli not working as a result of NetworkManager being disabled. To enable it, type: systemctl start NetworkManager
  • After the scripts have concluded, you will need to restart HCI.

The following is an example of what a hardened HCI cluster running CentOS Linux 7.4.1708 (Core) would look like if it was set up to ONLY allow HCI to run from within it.

The following firewall scripts are now located in <hci_install_directory>/bin:

  • hciConfigFirewallExample.sh
  • hciFirewallExampleUtils
  • hciProcessFirewall

To run the example script on your system, execute hciConfigFirewallExample.sh.

WARNING

The following firewalld example was created using our proprietary script. It is compatible with HCI versions 1.5 and later.

This script IS NOT officially supported or licensed by Hitachi Vantara. Usage of this script assumes all risks and responsibilities associated with it. Also, based on your personal network and system settings, your mileage with its usage and implementation may vary. Contact your system administrator if you have any network security or firewall concerns.

Set up two network interfaces to be used as a trusted network interface (for internal HCI traffic) and a non-trusted network interface (for external HCI traffic).

Network interface examples:

  • ens160 : 172.18.118.111 (in the following config example, this network interface is the external non-trusted interface)
  • ens192 : 172.118.110.111 (in the following config example, this network interface is the internal trusted interface)

Set up three active zones and a default zone.

Zone setup:

  • Default Zone: drop
  • Active Zones: HCI-External, trusted, HCI-AdminApp-Mon

Firewalld configuration example: drop
To view your current settings: firewall-cmd --list-all --zone=drop
  target: DROP
  icmp-block-inversion: no
  interfaces: <blank>
  sources: <blank>
  services: <blank>
  ports: <blank>
  protocols: <blank>
  masquerade: no
  forward-ports: <blank>
  source-ports: <blank>
  icmp-blocks: <blank>
  rich rules: <blank>

Firewalld config example: HCI-External
To view your current settings: firewall-cmd --list-all --zone=HCI-External
  target: DROP
  icmp-block-inversion: no
  interfaces: ens160
  sources: <blank>
  services: ssh
  ports: 8000/tcp 8888/tcp 6162/tcp
  protocols: <blank>
  masquerade: no
  forward-ports: <blank>
  source-ports: <blank>
  icmp-blocks: <blank>
  rich rules: <blank>

Firewalld config example: trusted
To view your current settings: firewall-cmd --list-all --zone=trusted
  target: ACCEPT
  icmp-block-inversion: no
  interfaces: ens192
  sources: <blank>
  services: <blank>
  ports: <blank>
  protocols: <blank>
  masquerade: no
  forward-ports: <blank>
  source-ports: <blank>
  icmp-blocks: <blank>
  rich rules: <blank>

Firewalld config example: HCI-AdminApp-Mon
To view your current settings: firewall-cmd --list-all --zone=HCI-AdminApp-Mon
  target: default
  icmp-block-inversion: no
  interfaces: <blank>
  sources: ipset:HCI-Cluster-External
  services: <blank>
  ports: <blank>
  protocols: tcp
  masquerade: no
  forward-ports: <blank>
  source-ports: 18000/tcp
  icmp-blocks: <blank>
  rich rules: <blank>

Linux system example: ipset table
To view your current settings: ipset list
  Name: default
  Type: no
  Revision: <blank>
  Header: ipset:HCI-Cluster-External
  Size in memory: <blank>
  References: <blank>
  Members:
    <IP_ADDRESS_FOR_NODE_1>
    <IP_ADDRESS_FOR_NODE_2>
    <IP_ADDRESS_FOR_NODE_3>
    <IP_ADDRESS_FOR_NODE_4>

Note: These values would be filled with the specific IP addresses for each of your system nodes.
The following is an example of what the iptables rules look like after completing the above.
To view your current settings: iptables -S

  -P INPUT ACCEPT
  -P FORWARD ACCEPT
  -P OUTPUT ACCEPT
  -N FORWARD_IN_ZONES
  -N FORWARD_IN_ZONES_SOURCE
  -N FORWARD_OUT_ZONES
  -N FORWARD_OUT_ZONES_SOURCE
  -N FORWARD_direct
  -N FWDI_HCI-AdminApp-Mon
  -N FWDI_HCI-AdminApp-Mon_allow
  -N FWDI_HCI-AdminApp-Mon_deny
  -N FWDI_HCI-AdminApp-Mon_log
  -N FWDI_HCI-External
  -N FWDI_HCI-External_allow
  -N FWDI_HCI-External_deny
  -N FWDI_HCI-External_log
  -N FWDI_drop
  -N FWDI_drop_allow
  -N FWDI_drop_deny
  -N FWDI_drop_log
  -N FWDI_trusted
  -N FWDI_trusted_allow
  -N FWDI_trusted_deny
  -N FWDI_trusted_log
  -N FWDO_HCI-AdminApp-Mon
  -N FWDO_HCI-AdminApp-Mon_allow
  -N FWDO_HCI-AdminApp-Mon_deny
  -N FWDO_HCI-AdminApp-Mon_log
  -N FWDO_HCI-External
  -N FWDO_HCI-External_allow
  -N FWDO_HCI-External_deny
  -N FWDO_HCI-External_log
  -N FWDO_drop
  -N FWDO_drop_allow
  -N FWDO_drop_deny
  -N FWDO_drop_log
  -N FWDO_trusted
  -N FWDO_trusted_allow
  -N FWDO_trusted_deny
  -N FWDO_trusted_log
  -N INPUT_ZONES
  -N INPUT_ZONES_SOURCE
  -N INPUT_direct
  -N IN_HCI-AdminApp-Mon
  -N IN_HCI-AdminApp-Mon_allow
  -N IN_HCI-AdminApp-Mon_deny
  -N IN_HCI-AdminApp-Mon_log
  -N IN_HCI-External
  -N IN_HCI-External_allow
  -N IN_HCI-External_deny
  -N IN_HCI-External_log
  -N IN_drop
  -N IN_drop_allow
  -N IN_drop_deny
  -N IN_drop_log
  -N IN_trusted
  -N IN_trusted_allow
  -N IN_trusted_deny
  -N IN_trusted_log
  -N OUTPUT_direct
  -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
  -A INPUT -i lo -j ACCEPT
  -A INPUT -j INPUT_direct
  -A INPUT -j INPUT_ZONES_SOURCE
  -A INPUT -j INPUT_ZONES
  -A INPUT -m conntrack --ctstate INVALID -j DROP
  -A INPUT -j REJECT --reject-with icmp-host-prohibited
  -A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
  -A FORWARD -i lo -j ACCEPT
  -A FORWARD -j FORWARD_direct
  -A FORWARD -j FORWARD_IN_ZONES_SOURCE
  -A FORWARD -j FORWARD_IN_ZONES
  -A FORWARD -j FORWARD_OUT_ZONES_SOURCE
  -A FORWARD -j FORWARD_OUT_ZONES
  -A FORWARD -m conntrack --ctstate INVALID -j DROP
  -A FORWARD -j REJECT --reject-with icmp-host-prohibited
  -A OUTPUT -j OUTPUT_direct
  -A FORWARD_IN_ZONES -i ens192 -j FWDI_trusted
  -A FORWARD_IN_ZONES -i ens160 -j FWDI_HCI-External
  -A FORWARD_IN_ZONES -j FWDI_drop
  -A FORWARD_IN_ZONES_SOURCE -m set --match-set HCI-Cluster-External src -g FWDI_HCI-AdminApp-Mon
  -A FORWARD_OUT_ZONES -o ens192 -j FWDO_trusted
  -A FORWARD_OUT_ZONES -o ens160 -j FWDO_HCI-External
  -A FORWARD_OUT_ZONES -j FWDO_drop
  -A FORWARD_OUT_ZONES_SOURCE -m set --match-set HCI-Cluster-External dst -g FWDO_HCI-AdminApp-Mon
  -A FWDI_HCI-AdminApp-Mon -j FWDI_HCI-AdminApp-Mon_log
  -A FWDI_HCI-AdminApp-Mon -j FWDI_HCI-AdminApp-Mon_deny
  -A FWDI_HCI-AdminApp-Mon -j FWDI_HCI-AdminApp-Mon_allow
  -A FWDI_HCI-AdminApp-Mon -p icmp -j ACCEPT
  -A FWDI_HCI-External -j FWDI_HCI-External_log
  -A FWDI_HCI-External -j FWDI_HCI-External_deny
  -A FWDI_HCI-External -j FWDI_HCI-External_allow
  -A FWDI_HCI-External -j DROP
  -A FWDI_drop -j FWDI_drop_log
  -A FWDI_drop -j FWDI_drop_deny
  -A FWDI_drop -j FWDI_drop_allow
  -A FWDI_drop -j DROP
  -A FWDI_trusted -j FWDI_trusted_log
  -A FWDI_trusted -j FWDI_trusted_deny
  -A FWDI_trusted -j FWDI_trusted_allow
  -A FWDI_trusted -j ACCEPT
  -A FWDO_HCI-AdminApp-Mon -j FWDO_HCI-AdminApp-Mon_log
  -A FWDO_HCI-AdminApp-Mon -j FWDO_HCI-AdminApp-Mon_deny
  -A FWDO_HCI-AdminApp-Mon -j FWDO_HCI-AdminApp-Mon_allow
  -A FWDO_HCI-External -j FWDO_HCI-External_log
  -A FWDO_HCI-External -j FWDO_HCI-External_deny
  -A FWDO_HCI-External -j FWDO_HCI-External_allow
  -A FWDO_HCI-External -j DROP
  -A FWDO_drop -j FWDO_drop_log
  -A FWDO_drop -j FWDO_drop_deny
  -A FWDO_drop -j FWDO_drop_allow
  -A FWDO_drop -j DROP
  -A FWDO_trusted -j FWDO_trusted_log
  -A FWDO_trusted -j FWDO_trusted_deny
  -A FWDO_trusted -j FWDO_trusted_allow
  -A FWDO_trusted -j ACCEPT
  -A INPUT_ZONES -i ens192 -j IN_trusted
  -A INPUT_ZONES -i ens160 -j IN_HCI-External
  -A INPUT_ZONES -j IN_drop
  -A INPUT_ZONES_SOURCE -m set --match-set HCI-Cluster-External src -g IN_HCI-AdminApp-Mon
  -A IN_HCI-AdminApp-Mon -j IN_HCI-AdminApp-Mon_log
  -A IN_HCI-AdminApp-Mon -j IN_HCI-AdminApp-Mon_deny
  -A IN_HCI-AdminApp-Mon -j IN_HCI-AdminApp-Mon_allow
  -A IN_HCI-AdminApp-Mon -p icmp -j ACCEPT
  -A IN_HCI-AdminApp-Mon_allow -p tcp -m conntrack --ctstate NEW -j ACCEPT
  -A IN_HCI-AdminApp-Mon_allow -p tcp -m tcp --sport 18000 -m conntrack --ctstate NEW -j ACCEPT
  -A IN_HCI-External -j IN_HCI-External_log
  -A IN_HCI-External -j IN_HCI-External_deny
  -A IN_HCI-External -j IN_HCI-External_allow
  -A IN_HCI-External -j DROP
  -A IN_HCI-External_allow -p tcp -m tcp --dport 22 -m conntrack --ctstate NEW -j ACCEPT
  -A IN_HCI-External_allow -p tcp -m tcp --dport 8000 -m conntrack --ctstate NEW -j ACCEPT
  -A IN_HCI-External_allow -p tcp -m tcp --dport 8888 -m conntrack --ctstate NEW -j ACCEPT
  -A IN_HCI-External_allow -p tcp -m tcp --dport 6162 -m conntrack --ctstate NEW -j ACCEPT
  -A IN_drop -j IN_drop_log
  -A IN_drop -j IN_drop_deny
  -A IN_drop -j IN_drop_allow
  -A IN_drop -j DROP
  -A IN_trusted -j IN_trusted_log
  -A IN_trusted -j IN_trusted_deny
  -A IN_trusted -j IN_trusted_allow
  -A IN_trusted -j ACCEPT
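Once the zones are in place on every node, the setting most worth re-checking over time is the HCI-External zone, because it is the only zone facing the non-trusted network. The following script is an added example, not Hitachi Vantara code and not part of hciConfigFirewallExample.sh: it parses the text printed by `firewall-cmd --list-all --zone=HCI-External` (a constructed sample is embedded) and lists every way the zone drifts from the example above (target DROP, bound only to ens160, nothing open but ssh and ports 8000, 8888 and 6162).

```python
"""Compare a firewalld zone with the hardened HCI-External example.

Added example (not Hitachi Vantara code). parse_zone() reads the text
that `firewall-cmd --list-all --zone=HCI-External` prints; check_external_zone()
returns the deviations from this page's example zone (empty list = compliant).
"""

# Baseline copied from the page's HCI-External zone; ens160 is the page's
# example external interface, so adjust it for your deployment.
BASELINE = {
    "target": "DROP",
    "interfaces": {"ens160"},
    "services": {"ssh"},
    "ports": {"8000/tcp", "8888/tcp", "6162/tcp"},
}
MULTI_VALUED = ("interfaces", "sources", "services", "ports", "protocols",
                "forward-ports", "source-ports", "icmp-blocks", "rich rules")


def parse_zone(text):
    """Map each 'key: value' line to a str, or a set for multi-valued keys."""
    zone = {}
    for line in text.splitlines()[1:]:       # line 0 is the zone name
        key, sep, value = line.strip().partition(":")
        if not sep:
            continue
        key = key.strip()
        zone[key] = set(value.split()) if key in MULTI_VALUED else value.strip()
    return zone


def check_external_zone(zone, baseline=BASELINE):
    """Return human-readable deviations from the baseline external zone."""
    problems = []
    if zone.get("target") != baseline["target"]:
        problems.append(f"target is {zone.get('target')!r}, expected DROP")
    if zone.get("interfaces", set()) != baseline["interfaces"]:
        problems.append(f"interfaces {sorted(zone.get('interfaces', set()))} "
                        f"differ from {sorted(baseline['interfaces'])}")
    for key in ("services", "ports"):       # anything extra widens exposure
        extra = zone.get(key, set()) - baseline[key]
        if extra:
            problems.append(f"unexpected {key} on the external zone: {sorted(extra)}")
    for key in ("sources", "forward-ports", "source-ports", "rich rules"):
        if zone.get(key):                    # baseline leaves these empty
            problems.append(f"{key} should be empty: {sorted(zone[key])}")
    if zone.get("masquerade") == "yes":
        problems.append("masquerade must be off")
    return problems


# Constructed sample: a zone matching the page's example ...
GOOD_ZONE = """\
HCI-External (active)
  target: DROP
  icmp-block-inversion: no
  interfaces: ens160
  sources:
  services: ssh
  ports: 8000/tcp 8888/tcp 6162/tcp
  protocols:
  masquerade: no
  forward-ports:
  source-ports:
  icmp-blocks:
  rich rules:
"""
# ... and a drifted one that also exposes the Database service's 9042/tcp.
DRIFTED_ZONE = (GOOD_ZONE.replace("target: DROP", "target: default")
                .replace("interfaces: ens160", "interfaces: ens160 ens192")
                .replace("6162/tcp", "6162/tcp 9042/tcp"))
```

Feed the script the live output of the firewall-cmd command on each node; a non-empty result means the external zone no longer matches the hardened example.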
