Secure database ports
All network security starts with strict firewall rules on every interface that is exposed to the internet, allowing only the minimum traffic in or out of the internal network. Firewall rules matter even more when the infrastructure runs in a public cloud, where instances are often reachable from the internet by default. Wherever you host your clusters, DataStax strongly recommends running a firewall on every node in the cluster.
Begin with a restrictive configuration that blocks all inbound traffic except SSH. Then open only the ports listed in this section, as your security requirements allow, so that the nodes can communicate with each other. If these ports are not opened, a node that starts Hyper-Converged Database (HCD) acts as a standalone database server instead of joining the cluster.
If the cluster uses SSL only, close every non-SSL port that has a dedicated SSL counterpart. To avoid cutting off clients that still connect without SSL, DataStax recommends testing the firewall configuration in a staging environment before enabling it in production.
Configuration files
The following table lists the configuration files in which the HCD ports are set. The file location depends on the type of installation (package or tarball).
Filename | Location (depends on installation type) |
---|---|
cassandra-env.sh | Package installations: ; Tarball installations: |
cassandra.yaml | Package installations: ; Tarball installations: |
hcd.yaml | Package installations: ; Tarball installations: |
HCD ports
The following table lists the ports that must be reachable for HCD to function as a cluster. Open each port only to the hosts that need it: internode ports to the other nodes, the client port to application hosts, and the JMX port to the local node only.
Default port | Service | Configurable in |
---|---|---|
Core HCD database ports | | |
7000 | HCD internode cluster communication port. Required for nodes to communicate with each other in the cluster. Close it if the cluster uses SSL-only internode communication over 7001. | |
7001 | HCD SSL internode cluster communication port. Required for encrypted internode communication. | |
9042 | HCD native transport port for client connections. This is the primary port for CQL client connections. When client-to-node encryption is enabled, this port can serve encrypted connections; whether it also still accepts unencrypted connections depends on the client encryption settings (in Cassandra terms, `optional: true` under `client_encryption_options` allows both), so verify the behaviour you expect before declaring the cluster SSL-only. | |
 | HCD dedicated SSL port for client connections. Used when you want a separate port for encrypted client connections. | Setting |
7199 | HCD JMX monitoring port. Used for monitoring and management operations. DataStax recommends allowing connections only from the local node; do not expose JMX to the network. | |
Additional HCD ports | | |
8609 | HCD internode messaging service port. Used for internal messaging between nodes. Open it only to the other nodes in the cluster. | |
22 | SSH access port. Standard SSH port for administrative access. Keep it open before adding any other rule so you are not locked out of the node. | |
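The procedure above (deny everything except SSH, open only the ports in the table and only to the hosts that need them, close non-SSL ports that have an SSL counterpart when the cluster is SSL-only, and check the result in staging before production) as one added shell example. This script is not part of the HCD documentation or product. The choice of nftables, the peer and client CIDRs, the function names and the `ss -ltn` sample are assumptions for illustration. Because this page gives no number for the dedicated SSL client port, the script keeps 9042 open in both modes and adds no separate SSL client port; 7199 is never opened in the ruleset, so only loopback traffic reaches JMX.

```shell
#!/bin/sh
# Added example (not from the HCD documentation): generate an nftables
# ruleset for one HCD node and check a node's listeners against an allow
# list. CIDRs, nftables itself and function names are assumptions.
set -eu

# gen_hcd_ruleset PEER_CIDR CLIENT_CIDR SSL_ONLY(yes|no)
# Prints an nft(8) ruleset: default drop, SSH first, then only the HCD ports
# from the table, scoped to the peer/client networks. JMX 7199 is not opened
# at all: loopback is accepted, so only local connections reach it.
gen_hcd_ruleset() {
  peer="$1"; clients="$2"; ssl_only="$3"
  case "$ssl_only" in
    yes|no) ;;
    *) echo "SSL_ONLY must be yes or no" >&2; return 2 ;;
  esac
  printf '%s\n' \
    'flush ruleset' \
    'table inet hcd {' \
    '  chain input {' \
    '    type filter hook input priority 0; policy drop;' \
    '    iifname "lo" accept' \
    '    ct state invalid drop' \
    '    ct state established,related accept' \
    '    tcp dport 22 accept comment "SSH stays open before anything else"'
  if [ "$ssl_only" = yes ]; then
    # SSL-only: 7000 has a dedicated SSL counterpart (7001), so it stays closed.
    printf '    ip saddr %s tcp dport 7001 accept comment "SSL internode"\n' "$peer"
  else
    printf '    ip saddr %s tcp dport { 7000, 7001 } accept comment "internode"\n' "$peer"
  fi
  printf '    ip saddr %s tcp dport 8609 accept comment "internode messaging"\n' "$peer"
  printf '    ip saddr %s tcp dport 9042 accept comment "CQL native transport"\n' "$clients"
  printf '%s\n' '  }' '}'
}

# unexpected_listeners "PORT PORT ..."  (reads `ss -ltn` output on stdin)
# Prints every listening TCP port that is not in the space-separated allow
# list, so a stray service shows up in staging before the firewall goes live.
unexpected_listeners() {
  allowed=" $1 "
  awk 'NR > 1 { print $4 }' | sed 's/.*://' | sort -un | while read -r port; do
    case "$allowed" in
      *" $port "*) ;;
      *) echo "$port" ;;
    esac
  done
}

# Constructed sample of `ss -ltn` output from a node (not captured data).
SAMPLE_SS='State  Recv-Q Send-Q Local Address:Port  Peer Address:Port
LISTEN 0      128    0.0.0.0:22           0.0.0.0:*
LISTEN 0      50     10.0.0.5:7000        0.0.0.0:*
LISTEN 0      50     10.0.0.5:7001        0.0.0.0:*
LISTEN 0      50     0.0.0.0:9042         0.0.0.0:*
LISTEN 0      50     127.0.0.1:7199       0.0.0.0:*
LISTEN 0      50     0.0.0.0:8609         0.0.0.0:*'

# Usage: sh hcd-firewall.sh PEER_CIDR CLIENT_CIDR yes|no > hcd.nft
# then review hcd.nft and load it with: nft -f hcd.nft
if [ "$#" -eq 3 ]; then
  gen_hcd_ruleset "$1" "$2" "$3"
fi
```

Generate the ruleset on a staging node first, review it, then load it with `nft -f`. With the script sourced, `ss -ltn | unexpected_listeners "22 7000 7001 7199 8609 9042"` should print nothing on a correctly configured node; anything it prints is a listener the ruleset does not account for. Note that a node still binds 7000 in SSL-only mode; the firewall, not the listener, is what keeps it closed.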
OS configuration |