Secure ports usage
Understanding which ports the hybrid runtime plane uses is important for enterpriseimplementations. This section describes the ports used for secure communications within theruntime plane as well as external ports used for communications with external services.
Internal connections
Communication between the runtime plane and management plane is secured with TLS 1-way and OAuth2.0. Individual services use different protocols, depending on which service they are communicatingwith.
The certificates used for intra-component communication are generated by Apigee's certificatemanager. You do not have to provide a certificate or manage it.
The following image shows the ports and communications channels within the hybrid runtimeplane:
The following table describes the ports and communications channels within the hybrid runtimeplane:
| Internal Connections | |||||
|---|---|---|---|---|---|
| Source | Destination | Protocol/Ports | Security protocol | Description | |
| MART | Cassandra | TCP/9042 TCP/9142 | mTLS | Sends data for persistence. | |
| Apigee Connect | MART | TCP/8443 | TLS | Requests from the management plane go through Apigee Connect. Apigee Connect initiates the connection. | |
| Default Istio Ingress | Message Processor | TCP/8443 | TLS (Apigee-generated, self-signed cert) | Processes incoming API requests. | |
| Message Processor | Cassandra | TCP/9042 TCP/9142 | mTLS | Sends data for persistence. | |
| Message Processor | fluentd (analytics / logging) | TCP/20001 | mTLS | Streams data to the data collection pod. | |
| Cassandra | Cassandra | TCP/7001 TCP/7199 | mTLS | Intra-node cluster communications. | |
| Cassandra | Cassandra | TCP/7001 | mTLS | Inter-region communications. | |
| Synchronizer | Cassandra | TCP/9042 TCP/9142 | mTLS | Sends data for persistence. | |
| Prometheus (metrics) | Cassandra | TCP/7070 (HTTPS) | TLS | Scrapes metrics data from various services. | |
| MART | TCP/8843 (HTTPS) | TLS | |||
| Message Processor | TCP/8843 (HTTPS) | TLS | |||
| Synchronizer | TCP/8843 (HTTPS) | TLS | |||
| UDCA | TCP/7070 (HTTPS) | TLS | |||
| Watcher | Ingress pods | TCP/8843 | TLS | Polls to get deployment status. | |
External connections
To appropriately configure your network firewall, you should know the inbound and outbound portsused by hybrid to communicate with external services.
The following image shows the ports used for external communications with the hybrid runtimeplane:
The following table describes the ports used for external communications with the hybrid runtimeplane:
| External Connections | |||||
|---|---|---|---|---|---|
| Source | Destination | Protocol/Port(s) | Security Protocol | Description | |
| Inbound Connections (exposed externally) | |||||
| OPTIONAL: Apigee Services Only if not usingApigee Connect (recommended). SeeTwo-way Connections below. | MART Istio Ingress | TCP/443 | OAuth over TLS 1.2 | Hybrid API calls from the management plane. | |
| Client Apps | Default Istio Ingress | TCP/* | None/OAuth over TLS 1.2 | API requests from external apps. | |
| Outbound Connections | |||||
| Message Processor | Backend services | TCP/* UDP/* | None/OAuth over TLS 1.2 | Sends requests to customer-defined hosts. | |
| Synchronizer | Apigee Services | TCP/443 | OAuth over TLS 1.2 | Fetches configuration data; connects toapigee.googleapis.com. | |
| Google Cloud | Connects toiamcredentials.googleapis.com for authorization. | ||||
| UDCA (Analytics) | Apigee Services (UAP) | TCP/443 | OAuth over TLS 1.2 | Sends data to UAP in the management plane and to Google Cloud; connects toapigee.googleapis.com andstorage.googleapis.com. | |
| Apigee Connect | Apigee Services | TCP/443 | TLS | Establishes the connection with the management plane; connects toapigeeconnect.googleapis.com. | |
| Prometheus (metrics) | Google Cloud (Cloud Operations) | TCP/443 | TLS | Sends data to Cloud Operations in the management plane; connects tomonitoring.googleapis.com. | |
| fluentd (logging) | Google Cloud (Cloud Operations) | TCP/443 | TLS | Sends data to Cloud Operations in the management plane; connects tologging.googleapis.com | |
| MART | Google Cloud | TCP/443 | OAuth over TLS 1.2 | Connects toiamcredentials.googleapis.com for authorization. | |
| Message Processor | Distributed Trace back end | http or https | TLS (configurable) | (Optional) Communicates trace information to the Distributed Trace back end service. Configure the service and protocol in theTraceConfig API. The back end for Distributed Trace is usually Cloud Trace or Jaeger. | |
| Two-way Connections | |||||
| Apigee Connect | Apigee Services | TCP/443 | TLS | Communicates management data between the managemennt plane and the Management API for runtime data (MART) in the runtime plane. Apigee Connect initiates the connection; connects toapigeeconnect.googleapis.com. Therefore, you do not need to configure your firewall for inbound connectivity. | |
| * indicates that the port is configurable. Apigee recommends using port 443. | |||||
You should not allow external connections for specific IP addresses associated with*.googleapis.com. The IP addresses can change since the domain currently resolves tomultiple addresses.
Except as otherwise noted, the content of this page is licensed under theCreative Commons Attribution 4.0 License, and code samples are licensed under theApache 2.0 License. For details, see theGoogle Developers Site Policies. Java is a registered trademark of Oracle and/or its affiliates.
Last updated 2026-02-19 UTC.