armsultan
9/2/2016 - 8:40 PM

Docker Swarm Port Requirements, both Swarm Mode 1.12+ and Swarm Classic, plus AWS Security Group Style Tables


Docker Swarm Mode Ports

Starting with Docker 1.12, Swarm Mode is built into the engine and ships with its own key/value store, so it is easier to get started and there are fewer ports to open.

Inbound Traffic for Swarm Management

  • TCP port 2377 for cluster management & raft sync communications
  • TCP and UDP port 7946 for "control plane" gossip discovery communication
  • UDP port 4789 for "data plane" VXLAN overlay network traffic

AWS Security Group Example

AWS Tip: You should use Security Groups in AWS's "source" field rather than subnets, so the SGs all update dynamically when new nodes are added.

Inbound to Swarm Managers (by default, also workers)

| Type | Protocol | Ports | Source |
| --- | --- | --- | --- |
| Custom TCP Rule | TCP | 2377 | swarm + remote mgmt |
| Custom TCP Rule | TCP | 7946 | swarm |
| Custom UDP Rule | UDP | 7946 | swarm |
| Custom UDP Rule | UDP | 4789 | swarm |

Inbound to Swarm Workers

| Type | Protocol | Ports | Source |
| --- | --- | --- | --- |
| Custom TCP Rule | TCP | 7946 | swarm |
| Custom UDP Rule | UDP | 7946 | swarm |
| Custom UDP Rule | UDP | 4789 | swarm |
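As an added example (not part of the original gist), this script audits the ingress rules of a Security Group for the Swarm Mode ports above and flags any that are opened to a CIDR range instead of a referenced Security Group, which is the mis-configuration the AWS Tip warns about. The input shape mirrors `aws ec2 describe-security-groups` JSON; the group IDs and rules below are constructed samples, not from a real account.

```python
"""Audit AWS Security Group ingress for Docker Swarm Mode ports.

Flags any swarm port (2377/tcp, 7946/tcp+udp, 4789/udp) reachable from a
CIDR range rather than from a referenced Security Group.
"""

# Swarm Mode ports from the tables above, as (protocol, port) pairs.
SWARM_MODE_PORTS = {("tcp", 2377), ("tcp", 7946), ("udp", 7946), ("udp", 4789)}

# Constructed sample in describe-security-groups shape (IDs are placeholders):
# one rule done right (SG source), two swarm rules done wrong (CIDR source),
# and one non-swarm rule that the audit should ignore.
SAMPLE_SG = {
    "GroupId": "sg-0example0manager",
    "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 2377, "ToPort": 2377,
         "IpRanges": [], "UserIdGroupPairs": [{"GroupId": "sg-0example0swarm"}]},
        {"IpProtocol": "udp", "FromPort": 4789, "ToPort": 4789,
         "IpRanges": [{"CidrIp": "10.0.0.0/16"}], "UserIdGroupPairs": []},
        {"IpProtocol": "tcp", "FromPort": 7946, "ToPort": 7946,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "UserIdGroupPairs": []},
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "UserIdGroupPairs": []},
    ],
}


def swarm_ports_in(perm):
    """Return the swarm (proto, port) pairs covered by one IpPermission."""
    proto = perm["IpProtocol"]
    if proto == "-1":  # an "all traffic" rule covers every protocol and port
        return set(SWARM_MODE_PORTS)
    lo, hi = perm.get("FromPort", 0), perm.get("ToPort", 65535)
    return {(p, port) for p, port in SWARM_MODE_PORTS
            if p == proto and lo <= port <= hi}


def audit_swarm_ingress(sg):
    """List (proto, port, cidr) findings for swarm ports open to CIDR ranges.

    An empty list means every swarm port is restricted to SG sources.
    """
    findings = []
    for perm in sg["IpPermissions"]:
        cidrs = [r["CidrIp"] for r in perm.get("IpRanges", [])]
        for proto, port in sorted(swarm_ports_in(perm)):
            findings.extend((proto, port, c) for c in cidrs)
    return findings


if __name__ == "__main__":
    for proto, port, cidr in audit_swarm_ingress(SAMPLE_SG):
        print(f"{SAMPLE_SG['GroupId']}: {port}/{proto} open to {cidr}; use an SG source")
```

Feed it the `SecurityGroups[]` entries from `aws ec2 describe-security-groups --output json` to check a real manager or worker group.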

Docker Swarm "Classic" Ports, with Consul

For Docker 1.11 and older. I used this list from Docker Docs on Swarm Classic, then tested on multiple swarms.

Inbound to Swarm Nodes

  • 2375 TCP for swarm manager -> nodes (LOCK PORT DOWN, no auth)
  • 7946 TCP/UDP for container network discovery from other swarm nodes
  • 4789 UDP container overlay network from other swarm nodes

Inbound to Swarm Managers

  • 3375 TCP for spawner -> swarm manager (LOCK PORT DOWN, no auth)

Inbound to Consul

  • 8500 TCP for swarm manager/nodes -> consul server (LOCK PORT DOWN, no auth)
  • 8300 TCP for consul agent -> consul server
  • 8301 TCP/UDP for consul agent -> consul agent
  • 8302 TCP/UDP for consul server -> consul server

Swarm Classic Inbound Ports In AWS Security Group Format, with Consul

AWS Tip: You should use Security Groups in AWS's "source" field rather than subnets, so the SGs all update dynamically when new nodes are added.

This is another way to look at the above lists, in a format that makes sense for AWS SGs.

  • assume AWS inbound from:
    • Internet ELB -> Swarm Managers
    • Swarm Managers -> Swarm Nodes
    • Swarm Managers -> Consul Internal ELB
    • Swarm Nodes -> Consul Internal ELB
    • Consul Internal ELB -> Consul Nodes

ELB Swarm Manager

| Type | Protocol | Ports | Source |
| --- | --- | --- | --- |
| Custom TCP Rule | TCP | 3375 | spawners |

Swarm Managers

| Type | Protocol | Ports | Source |
| --- | --- | --- | --- |
| Custom TCP Rule | TCP | 3375 | elb-swarm-manager |

Swarm Nodes

| Type | Protocol | Ports | Source |
| --- | --- | --- | --- |
| Custom TCP Rule | TCP | 2375 | swarm-managers |
| Custom TCP Rule | TCP | 7946 | swarm-nodes |
| Custom UDP Rule | UDP | 7946 | swarm-nodes |
| Custom UDP Rule | UDP | 4789 | swarm-nodes |

ELB Consul

| Type | Protocol | Ports | Source |
| --- | --- | --- | --- |
| Custom TCP Rule | TCP | 8500 | swarm-nodes |
| Custom TCP Rule | TCP | 8500 | swarm-managers |

Consul Nodes

| Type | Protocol | Ports | Source |
| --- | --- | --- | --- |
| Custom TCP Rule | TCP | 8500 | elb-consul |
| Custom TCP Rule | TCP | 8300-8302 | consul-nodes |
| Custom UDP Rule | UDP | 8301-8302 | consul-nodes |