Security and Firewall

Warning

Chef Automate 4.x will not be available for download before the end of September 2022. We are working on making the upgrade process a seamless experience. Until then, you can download Chef Automate 3.0.49. Please get in touch with support for more information.

The Chef Automate High Availability (HA) cluster requires multiple ports for the front and backend servers to operate effectively and reduce network traffic. Below is a breakdown of those ports and what needs to be open for each set of servers.

Ports required for all Machines

| Machines | Chef Automate | Chef Infra Server | Postgresql | OpenSearch | Bastion |
|----------|---------------|-------------------|------------|------------|---------|
| Incoming | TCP 22, 9631, 443, 80 | TCP 22, 9631, 443, 80 | TCP 22, 9631, 7432, 5432, 9638; UDP 9638 | TCP 22, 9631, 9200, 9300, 9638, 6432; UDP 9638 | |
| Outgoing | TCP 22, 9631, 443, 80 | TCP 22, 9631, 443, 80 | TCP 22, 9631, 7432, 5432, 9638; UDP 9638 | TCP 22, 9631, 9200, 9300, 9638, 6432; UDP 9638 | TCP 22, 9631 |

Note

  • A custom SSH port is supported, but the same port should be used across all the machines.

Port usage definitions

| Protocol | Port Number | Usage |
|----------|-------------|-------|
| TCP | 22 | SSH to configure services |
| TCP | 9631 | Habitat HTTP API |
| TCP | 443 | Allow Users to reach UI / API |
| TCP | 80 | Optional, Allows users to redirect to 443 |
| TCP | 9200 | OpenSearch API HTTPS Access |
| TCP | 9300 | Allows OpenSearch node to distribute data in its cluster. |
| TCP/UDP | 9638 | Habitat gossip (UDP) |
| TCP | 7432 | HAProxy, which redirects to Postgresql Leader |
| TCP | 6432 | Re-elect Postgresql Leader, if Postgresql leader is down |
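
To check a node against the incoming ports listed above, the following added example (not part of the Chef documentation) parses `ss -tuln` output and reports listeners outside the role's allowlist, plus allowed ports with no listener. The role keys and the sample `ss` output are constructed for illustration.

```python
# Incoming ports per role, transcribed from the "Ports required for all
# Machines" table. Role keys are names chosen for this example.
INCOMING = {
    "automate": {"tcp": {22, 9631, 443, 80}, "udp": set()},
    "infra_server": {"tcp": {22, 9631, 443, 80}, "udp": set()},
    "postgresql": {"tcp": {22, 9631, 7432, 5432, 9638}, "udp": {9638}},
    "opensearch": {"tcp": {22, 9631, 9200, 9300, 9638, 6432}, "udp": {9638}},
}

# Constructed `ss -tuln` output for a hypothetical PostgreSQL node.
SAMPLE_SS = """\
Netid State  Recv-Q Send-Q Local Address:Port Peer Address:Port
tcp   LISTEN 0      128    0.0.0.0:22         0.0.0.0:*
tcp   LISTEN 0      128    0.0.0.0:9631       0.0.0.0:*
tcp   LISTEN 0      128    0.0.0.0:9638       0.0.0.0:*
udp   UNCONN 0      0      0.0.0.0:9638       0.0.0.0:*
tcp   LISTEN 0      128    0.0.0.0:5432       0.0.0.0:*
tcp   LISTEN 0      128    127.0.0.1:25       0.0.0.0:*
tcp   LISTEN 0      128    [::]:8080          [::]:*
udp   UNCONN 0      0      0.0.0.0:68         0.0.0.0:*
"""


def listeners(ss_output):
    """Return {(proto, port)} for non-loopback listeners in `ss -tuln` output."""
    found = set()
    for line in ss_output.splitlines():
        fields = line.split()
        if len(fields) < 5 or fields[0] not in ("tcp", "udp"):
            continue  # header or unrelated line
        addr, _, port = fields[4].rpartition(":")
        if addr.startswith("127.") or addr.startswith("[::1]") or not port.isdigit():
            continue  # loopback sockets are not exposed to the network
        found.add((fields[0], int(port)))
    return found


def audit(role, ss_output):
    """Return (unexpected, idle): listeners outside the role's allowlist,
    and allowed ports that nothing on this node is listening on."""
    allowed = {(proto, p) for proto, ports in INCOMING[role].items() for p in ports}
    seen = listeners(ss_output)
    return sorted(seen - allowed), sorted(allowed - seen)


if __name__ == "__main__":
    unexpected, idle = audit("postgresql", SAMPLE_SS)
    print("unexpected listeners:", unexpected)
    print("allowed but idle:", idle)
```

Unexpected listeners are services the firewall for that role has no reason to expose; idle entries are allowed ports that could be closed on that node if the service never runs there.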
