Network port configurations
This document describes the various network port ranges and their uses.
All Redis Enterprise Software deployments span multiple physical/virtual nodes. You'll need to keep several ports open between these nodes. This document describes the various port ranges and their uses.
Ports and port ranges used by Redis Enterprise Software
Redis Enterprise Software's port usage falls into three general categories:
- Internal: For traffic between or within cluster nodes
- External: For traffic from client applications or external monitoring resources
- Active-Active: For traffic to and from clusters hosting Active-Active databases
| Protocol | Port | Configurable | Connection source | Description |
|---|---|---|---|---|
| TCP | 8001 | ❌ No | Internal, External | Traffic from application to Redis Enterprise Software Discovery Service |
| TCP | 8070 | ❌ No | External | Metrics exported and managed by the web proxy |
| TCP | 3347-3349, 8000, 8071, 9091, 9125 | ❌ No | Internal | Internal metrics ports |
| TCP | 8443 | ✅ Yes | Internal, External | Secure (HTTPS) access to the management web UI |
| TCP | 9081 | ✅ Yes | Internal | CRDB coordinator for Active-Active management (internal) |
| TCP | 9443, 8080 | ✅ Yes | Internal, External, Active-Active | REST API traffic, including cluster management and node bootstrap |
| TCP | 10050 | ❌ No | Internal | Zabbix monitoring |
| TCP | 10000-10049, 10051-19999 | ✅ Yes | Internal, External, Active-Active | Database traffic |
| UDP | 53, 5353 | ❌ No | Internal, External | DNS/mDNS traffic |
| TCP | 1968 | ❌ No | Internal | Proxy traffic |
| TCP | 3333-3345, 3350, 36379, 36380 | ❌ No | Internal | Internode communication |
| TCP | 20000-29999 | ❌ No | Internal | Database shard traffic |
| TCP | 8002, 8004, 8006 | ✅ Yes | Internal | Default system health monitoring (envoy admin, envoy management server, gossip envoy admin) |
| TCP | 8444, 9080 | ❌ No | Internal | Traffic between web proxy and cnm_http/cm |
Change port configuration
Reserve ports
Redis Enterprise Software reserves some ports by default (system_reserved_ports). To reserve other ports or port ranges and prevent the cluster from assigning them to database endpoints, configure reserved_ports using one of the following methods:
-
rladmin cluster config reserved_ports <list of ports/port ranges>For example:
rladmin cluster config reserved_ports 11000 13000-13010 -
Update cluster settings REST API request
PUT /v1/cluster { "reserved_ports": ["list of ports/port ranges"] }For example:
PUT /v1/cluster { "reserved_ports": ["11000", "13000-13010"] }
Change the Cluster Manager UI port
The Redis Enterprise Software Cluster Manager UI uses port 8443, by default. You can change this to a custom port as long as the new port is not in use by another process.
To change this port, run:
rladmin cluster config cm_port <new-port>
After changing the Redis Enterprise Software web UI port, you must connect any new node added to the cluster to the UI with the custom port number:
https://newnode.mycluster.example.com:<nonstandard-port-number>
Change the envoy ports
For system health monitoring, Redis uses the following ports by default:
-
Port 8002 for envoy admin
-
Port 8004 for envoy management server
-
Port 8006 for gossip envoy admin
You can change each envoy port to a custom port using the rladmin cluster config command as long as the new port is not in use by another process. When you change envoy_admin_port, expect a restart of envoy.
To change the envoy admin port, run:
$ rladmin cluster config envoy_admin_port <new-port>
Updating envoy_admin_port... restarting now
To change the envoy management server port, run:
$ rladmin cluster config envoy_mgmt_server_port <new-port>
Cluster configured successfully
To change the gossip envoy admin port, run:
$ rladmin cluster config gossip_envoy_admin_port <new-port>
Cluster configured successfully
Change the REST API port
For the REST API, Redis Enterprise Software uses port 9443 (secure) and port 8080 (not secure), by default. You can change this to a custom port as long as the new port is not in use by another process.
To change these ports, run:
rladmin cluster config cnm_http_port <new-port>
rladmin cluster config cnm_https_port <new-port>
Ubuntu conflicts with port 53
If port 53 is in use, the installation fails. This can occur in
default installations of Ubuntu 18.04 and 20.04 in which systemd-resolved (DNS server) is running.
To prevent this issue, change the system configuration to make this port available before installation.
-
Edit
/etc/systemd/resolved.conf:sudo vi /etc/systemd/resolved.conf -
Add
DNSStubListener=noas the last line in the file and save the file. -
Rename the current
/etc/resolv.conffile:sudo mv /etc/resolv.conf /etc/resolv.conf.orig -
Create a symbolic link for
/etc/resolv.conf:sudo ln -s /run/systemd/resolve/resolv.conf /etc/resolv.confNote:You might encounter a temporary name resolution error (sudo: unable to resolve host {hostname}: Temporary failure in name resolution), which should be fixed when you restartsystemd-resolvedin the next step. -
Restart the DNS service:
sudo service systemd-resolved restart
Update sysctl.conf to avoid port collisions
To avoid port collision, update /etc/sysctl.conf to include:
net.ipv4.ip_local_port_range = 30000 65535
Configure HTTPS
Require HTTPS for API endpoints
By default, the Redis Enterprise Software API supports communication over HTTP and HTTPS. However, you can turn off HTTP support to ensure that API requests are encrypted.
Before you turn off HTTP support, make sure you migrate any scripts or proxy configurations that use HTTP to the encrypted API endpoint to prevent broken connections.
To turn off HTTP support for API endpoints, run:
rladmin cluster config http_support disabled
After you turn off HTTP support, traffic sent to the unencrypted API endpoint is blocked.
HTTP to HTTPS redirection
Starting with version 6.0.12, you cannot use automatic HTTP to HTTPS redirection.
To poll metrics from the metrics_exporter or to access the Cluster Manager UI, use HTTPS in your request. HTTP requests won't be automatically redirected to HTTPS for those services.
Nodes on different VLANs
Nodes in the same cluster must reside on the same VLAN. If you can't host the nodes on the same VLAN, then you must open all ports between them.