Network Setup

Available ports

Resources in JSC Cloud are located in a dedicated DMZ at JSC, which determines the rules both for accessing VMs and for outbound network traffic. As a result, only a limited number of ports is available for offering services from virtual machines. For security reasons, inbound connections to JSC Cloud are limited to the ports listed below.

The following table contains the central (perimeter) firewall configuration. Whereas the OpenStack firewall (security groups) can be configured at a user's own discretion, the perimeter firewall imposes the rules stated below regardless of the security group settings. A port therefore has to be permitted by both firewalls before a service becomes reachable.

Port        Purpose                             Availability
80          HTTP                                global
8008        HTTP-alt                            global
8080        HTTP-alt                            global
443         HTTPS                               global
8443        HTTPS-alt                           global
22          SSH                                 global
6443        Kubernetes API                      global
7000-7020   general purpose, custom services    global
5432        PostgreSQL DB                       from HPC systems
3306        MySQL, MariaDB                      from HPC systems

Users connecting from within JSC may see a more liberal firewall policy, so a service that is reachable from the JSC network is not necessarily reachable from the Internet. Take this into account, and verify reachability from outside JSC, when exposing services to the general public.

If your software insists on a specific port and cannot be reconfigured to one of the available ports, a local port redirect may solve the problem. The example below redirects port 80, which is reachable in JSC Cloud, to local port 8080, which is commonly used by user-managed web servers and development environments.

$ sudo iptables -t nat -A PREROUTING -p tcp --dport 80 -j DNAT --to-destination :8080

This rewrites the destination port of connections arriving from outside the host. Note that the rewrite happens in the nat table's PREROUTING chain, i.e. before the filter table's INPUT chain sees the packet, so a host firewall must permit port 8080 (not 80), while the OpenStack security group must still allow port 80, the port external clients actually connect to. If you need the same redirection for connections to localhost (IP address 127.0.0.1), an additional rule in the OUTPUT chain is required:

$ sudo iptables -t nat -A OUTPUT -p tcp -o lo --dport 80 -j REDIRECT --to-ports 8080

Please make sure you have a mechanism in place to persist these rules (for example the iptables-persistent / netfilter-persistent package on Debian-based systems, or iptables-save into a file that is restored at boot), so that they survive a reboot of the VM.
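The two rules above, wrapped into an idempotent script with persistence, as an added example that is not part of the JSC Cloud documentation. It assumes a Debian/Ubuntu VM with the iptables and netfilter-persistent packages installed and is run as root; the IPT, IPT_SAVE and RULES_FILE variables are assumptions of this example that let you dry-run it (IPT="echo iptables") or point it at another rules file.

```shell
#!/bin/sh
# Added example (not from the JSC Cloud docs). Assumes Debian/Ubuntu with
# iptables and netfilter-persistent installed, executed as root.
set -eu

# iptables binaries; override for a dry run, e.g. IPT="echo iptables" ./redirect.sh apply
IPT="${IPT:-iptables}"
IPT_SAVE="${IPT_SAVE:-iptables-save}"

# Append a rule to TABLE only if an identical rule is not already present
# (iptables -C), so re-running the script does not stack duplicate rules.
ensure_rule() {
    table="$1"; shift
    if "$IPT" -t "$table" -C "$@" 2>/dev/null; then
        return 0
    fi
    "$IPT" -t "$table" -A "$@"
}

# Redirect TCP port EXT (permitted by the JSC perimeter firewall and the
# OpenStack security group) to local port INT, where the service listens.
redirect_port() {
    ext="$1"; int="$2"
    # Connections from outside the host: the port is rewritten in PREROUTING,
    # so a filter-table INPUT policy must accept dport INT, not EXT.
    ensure_rule nat PREROUTING -p tcp --dport "$ext" -j DNAT --to-destination ":$int"
    # Connections from the host itself to 127.0.0.1:EXT.
    ensure_rule nat OUTPUT -o lo -p tcp --dport "$ext" -j REDIRECT --to-ports "$int"
}

# Write the running ruleset to the file netfilter-persistent restores at boot.
persist_rules() {
    rules_file="${RULES_FILE:-/etc/iptables/rules.v4}"
    "$IPT_SAVE" > "$rules_file"
}

# Usage: ./redirect.sh apply   (without an argument only the functions are defined)
if [ "${1:-}" = "apply" ]; then
    redirect_port 80 8080
    persist_rules
fi
```

Because every rule is checked with -C before it is appended, the script can be re-run from a boot hook or a configuration-management tool without producing duplicates; the persisted file is what netfilter-persistent loads on the next reboot.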

Outbound connections are possible on all ports, with the sole exception of port 25/tcp, which is used for unauthenticated SMTP. If you need to send e-mail, connect to your mail submission server on port 587/tcp (authenticated submission) instead.

If the available ports are not sufficient for your use case, additional ports can be approved on request. However, this requires a detailed justification and should remain an exception.