Secure database ports

All network security starts with strict and proper firewall rules on interfaces that are exposed to the internet, allowing only the absolute minimum traffic in or out of the internal network. Firewall security is especially important when running your infrastructure in a public cloud. Wherever you host your clusters, DataStax strongly recommends using a firewall on all nodes in your cluster.

Begin with a restrictive configuration that blocks all traffic except SSH. Then, open up the following ports in compliance with your security requirements to allow communication between the nodes. If these ports are not opened, the node acts as a standalone database server rather than joining the cluster when you start Hyper-Converged Database (HCD) on a node.

If the cluster uses SSL only, close any non-SSL ports that have dedicated SSL ports. To ensure communication is not disabled to any non-SSL clients, DataStax recommends testing the configuration in a staging environment before enabling the firewall in production environments.

Configuration files

The following table lists the configuration files in which the HCD ports are set. The location of each file depends on the type of installation.

| Filename | Location (dependent on the type of installation) |
|---|---|
| cassandra-env.sh | Package installations: `/etc/hcd/cassandra/cassandra-env.sh`; Tarball installations: `<installation_location>/resources/cassandra/conf/cassandra-env.sh` |
| cassandra.yaml | Package installations: `/etc/hcd/cassandra/cassandra.yaml`; Tarball installations: `<installation_location>/resources/cassandra/conf/cassandra.yaml` |
| hcd.yaml | Package installations: `/etc/hcd/hcd.yaml`; Tarball installations: `<installation_location>/resources/dse/conf/hcd.yaml` |

HCD ports

The following table lists the essential ports that must be opened for HCD to function properly in a cluster environment.

Core HCD database ports

| Default port | Service | Configurable in |
|---|---|---|
| 7000 | HCD internode cluster communication port. Required for nodes to communicate with each other in the cluster. | cassandra.yaml |
| 7001 | HCD SSL internode cluster communication port. Required for encrypted internode communication. | cassandra.yaml |
| 9042 | HCD native transport port for client connections. This is the primary port for CQL client connections. When SSL is enabled, this port can handle both encrypted and unencrypted connections. | cassandra.yaml |
| 9142 | HCD dedicated SSL port for client connections. Used when you want a separate port for encrypted client connections. Setting native_transport_port_ssl to a different value from native_transport_port uses encryption for native_transport_port_ssl while keeping native_transport_port unencrypted. | cassandra.yaml |
| 7199 | HCD JMX monitoring port. Used for monitoring and management operations. DataStax recommends allowing connections only from the local node. | cassandra-env.sh |

Additional HCD ports

| Default port | Service | Configurable in |
|---|---|---|
| 8609 | HCD internode messaging service port. Used for internal messaging between nodes. | hcd.yaml |
| 22 | SSH access port. Standard SSH port for administrative access. | OS configuration |
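
As an added example (not DataStax's own tooling), the shell function below prints an nftables input ruleset for one node built from the ports listed above: default drop, SSH from an admin host, internode ports from peer nodes, CQL ports from clients, and JMX 7199 reachable only over loopback. The three addresses are constructed placeholders, and the SSL-only mode assumes native_transport_port_ssl is set to 9142 in cassandra.yaml.

```shell
#!/bin/sh
# Added example: generate an nftables ruleset for a single HCD node.
# The addresses below are constructed samples (RFC 5737 documentation ranges).
NODES="192.0.2.0/24"       # other nodes in the cluster (assumption)
CLIENTS="198.51.100.0/24"  # hosts running CQL clients (assumption)
ADMIN="203.0.113.10"       # host allowed to reach SSH (assumption)

# hcd_ruleset <ssl_only: yes|no> -> writes the ruleset to stdout
hcd_ruleset() {
    ssl_only=$1
    if [ "$ssl_only" = yes ]; then
        # SSL-only cluster: close the non-SSL ports that have dedicated
        # SSL ports (7000 -> 7001, 9042 -> 9142).
        internode="7001"
        cql="9142"
    else
        internode="7000, 7001"
        cql="9042, 9142"
    fi
    # The JMX port is deliberately not listed: with policy drop it is only
    # reachable through the loopback rule, i.e. from the local node.
    cat <<EOF
table inet hcd_filter {
    chain input {
        type filter hook input priority 0; policy drop;
        ct state established,related accept
        iifname "lo" accept
        ip saddr $ADMIN tcp dport 22 accept
        ip saddr $NODES tcp dport { $internode, 8609 } accept
        ip saddr $CLIENTS tcp dport { $cql } accept
    }
}
EOF
}

# Print the ruleset; pass "no" as the first argument for a mixed cluster.
hcd_ruleset "${1:-yes}"
```

Pipe the output to `nft -c -f -` to check the syntax without loading it, and test against a staging node before applying it in production.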

