You are currently viewing version 1.1 of the Apigee hybrid documentation.This version is end of life. You should upgrade to a newer version. For more information, seeSupported versions.

Understanding which ports the hybrid runtime plane uses is important for enterpriseimplementations. This section describes the ports used for secure communications within theruntime plane as well as external ports used for communications with external services.

Internal connections

Communication between the runtime plane and management plane is secured with TLS 1-way and OAuth2.0. Individual services use different protocols, depending on which service they are communicatingwith.

The following image shows the ports and communications channels within the hybrid runtimeplane:

The following table describes the ports and communications channels within the hybrid runtimeplane:

Internal Connections
Source		Destination	Protocol/Port(s)	Security Protocol	Description
MART	arrow_right_alt	Cassandra	TCP/9042 TCP/9142	mTLS	Sends data for persistence
MART Istio Ingress	arrow_right_alt	MART	TCP/8443	TLS	Requests from the management plane go through the MART Istio Ingress
Default Istio Ingress	arrow_right_alt	Message Processor	TCP/8443	TLS (Apigee-generated, self-signed cert)	Processes incoming API requests
Message Processor	arrow_right_alt	Cassandra	TCP/9042 TCP/9142	mTLS	Sends data for persistence
Message Processor	arrow_right_alt	fluentd (Analytics)	TCP/20001	mTLS	Streams data to the data collection pod
Cassandra	compare_arrows	Cassandra	TCP/7001	mTLS	Intra-node cluster communications. Note that you can also leave port 7000 open for firewall configuration as a backup option for potential troubleshooting.
Prometheus	arrow_right_alt	Cassandra	TCP/7070 (HTTPS)	TLS	Scrapes metrics data from various services
		MART	TCP/8843 (HTTPS)	TLS
		Message Processor	TCP/8843 (HTTPS)	TLS
		Synchronizer	TCP/8843 (HTTPS)	TLS
		UDCA	TCP/7070 (HTTPS)	TLS

External connections

To appropriately configure your network firewall, you should know the inbound and outbound portsused by hybrid to communicate with external services.

The following image shows the ports used for external communications with the hybrid runtimeplane:

The following table describes the ports used for external communications with the hybrid runtimeplane:

External Connections
Source		Destination	Protocol/Port(s)	Security Protocol	Description
Inbound Connections (exposed externally)
Apigee Services	arrow_right_alt	MART Istio Ingress	TCP/443	OAuth over TLS 1.2	Hybrid API calls from the management plane
Client Apps	arrow_right_alt	Default Istio Ingress	TCP/*	None/OAuth over TLS 1.2/mTLS	API requests from external apps
Outbound Connections
Message Processor	arrow_right_alt	Backend services	TCP/* UDP/*	None/OAuth over TLS 1.2	Sends requests to customer-defined hosts
Synchronizer	arrow_right_alt	Apigee Services	TCP/443	OAuth over TLS 1.2	Fetches configuration data; connects toapigee.googleapis.com
		GCP			Connects toiamcredentials.googleapis.com for authorization
UDCA (Analytics)	arrow_right_alt	Apigee Services (UAP)	TCP/443	OAuth over TLS 1.2	Sends data to UAP in the management plane and to GCP; connects toapigee.googleapis.com andstorage.googleapis.com
Prometheus (Metrics)	arrow_right_alt	GCP (Stackdriver)	TCP/443	TLS	Sends data to Stackdriver in the management plane; connects tomonitoring.googleapis.com
fluentd (Logging)	arrow_right_alt	GCP (Stackdriver)	TCP/443	TLS	Sends data to Stackdriver in the management plane; connects tologging.googleapis.com
MART	arrow_right_alt	GCP	TCP/443	OAuth over TLS 1.2	Connects toiamcredentials.googleapis.com for authorization
* indicates that the port is configurable. Apigee recommends using 443.

You should not allow external connections for any specific IP addresses associated with*.googleapis.com. The IP addresses can change since the domain currently resolves tomultiple addresses.