Network ports

For regular operations and for debugging, there are some ports you must keep open to network traffic from end users. Another, larger list of ports must be kept open for network traffic between the nodes in the cluster.

This article summarizes the list of ports, both required and optional, for regular operations of ThoughtSpot. Optional ports appear at the end of each list.

Ports for end user access

Click to see the ports that must be open for requests from end users.
Port Mandatory Protocol Service Name Direction Source Destination Description

443

Mandatory

TCP

HTTPS

bidirectional

All users IP addresses

All nodes

Secure HTTP.

80

Optional

TCP

nginx

inbound

All nodes

All nodes

Primary app HTTP port (nginx)

Ports for data architect and admin user access

Click to see the ports that must be open for requests from data architect and admin users.
Port Mandatory Protocol Service Name Direction Source Destination Description

22

Mandatory

TCP

SSH

inbound

Administrators IP addresses

All nodes

Secure shell access. Also used for scp (secure copy).

443

Mandatory

TCP

HTTPS

inbound

All users IP addresses

All nodes

Secure HTTP.

8441

Mandatory

HTTP

etl_http_server

bidirectional

All nodes

All nodes

Keeps track of the status of different load attempts on the cluster.

8442

Mandatory

HTTPS

etl_http_server

bidirectional

All nodes

All nodes

Secure service accepting data to be loaded into Falcon, ThoughtSpot’s in-memory database, over a REST interface.

80

Optional

TCP

nginx

inbound

All nodes

All nodes

Primary app HTTP port (nginx)

12345

Optional unless using Simba

TCP

Simba

bidirectional

Administrators IP addresses

All nodes

Allows Simba to push data to ThoughtSpot using ODBC and JDBC drivers or other ETL tools.

Ports for cluster operation

Click to see the static ports ThoughtSpot uses for cluster operation.
Port Mandatory Protocol Service Name Direction Source Destination Description

22

Mandatory

TCP

SSH

bidirectional

ThoughtSpot Support

All nodes

Inbound for cluster administration. Outbound for ThoughtSpot Support services (Reverse SSH tunnel) as necessary.

25

Mandatory

TCP

SMTP or Secure SMTP

outbound

All nodes and SMTP relay (provided by customer)

All nodes

Allow outbound connection to the configured email relay on port 25 (or any non-standard port as required by the mail relay). Refer to Set the relay host for SMTP.

53

Mandatory

UDP

DNS Resolver

bidirectional

Configured DNS servers

All nodes

Name resolution.

123

Mandatory, unless using the Amazon Time Sync Service.

UDP

NTP service

bidirectional

ThoughtSpot Support

All nodes

Port used by NTP service. If your company cannot use this port, you can use the Amazon Time Sync Service and customize the port it uses.

389 or 636

Mandatory

TCP/UDP

LDAP or LDAPS

outbound

All nodes and LDAP server, provided by customer

All nodes

Allow outbound access for the IP address of the LDAP server in use.

443

Mandatory

TCP

HTTPS

outbound

All nodes

thoughtspot.egnyte.com

For transferring files to thoughtspot.egnyte.com and downloading new releases.

443

Mandatory

TCP

HTTPS

outbound

All nodes

For transferring product usage data to mixpanel cloud.

outbound

443

Mandatory

TCP

HTTPS

outbound

All nodes

je8b47jfif.execute-api.us-east-2.amazonaws.com
s3.us-west-1.amazonaws.com
s3-us-west-1.amazonaws.com
s3.dualstack.us-west-1.amazonaws.com

For transferring monitoring data to InfluxCloud. (Given address will resolve to point to AWS instances).

2049

Mandatory

TCP/UDP

NFS: In case one needs to mount NFS share on TS node.

bidirectional

ThoughtSpot Support

All nodes

Port used by NFS.

80

Optional

TCP

HTTP

Inbound

ThoughtSpot Support

All nodes

HTTP access to the cluster. By default SSL is enabled and only used to redirect to HTTPS.

443

Optional unless using consumption-based pricing

TCP

HTTPS

outbound

All nodes

redshift-pricing.thoughtspot.cloud

Required for consumption-based pricing.

5439

Optional unless using consumption-based pricing

TCP

Redshift

outbound

All nodes

redshift-pricing.thoughtspot.cloud

Required for consumption-based pricing.

Ports for Intelligent Platform Management Interface (IPMI)

Click to see the static ports ThoughtSpot uses for out-of-band IPMI communications between the cluster and ThoughtSpot Support. You only need to open these ports if you deploy ThoughtSpot on a hardware appliance: either the Super Micro Computer or Dell appliance.
Port Mandatory Protocol Service Name Direction Source Destination Description

443

Mandatory

TCP

S-HTTP

bidirectional

ThoughtSpot Support

All nodes

All nodes out of band management (OOBM)

623

Mandatory

UDP

Serial-over-LAN

bidirectional

ThoughtSpot Support

All nodes

All nodes out of band management (OOBM)

80

Optional

TCP

HTTP

Inbound

ThoughtSpot Support

All nodes

HTTP access to the cluster. By default SSL is enabled and only used to redirect to HTTPS.

Ports for intracluster network operations

Static ports are used for communication between services within the cluster. ThoughtSpot recommends that you open all ports within a cluster. This is not required, but it ensures that cluster communication works properly if additional ports are used in a future software release.

If your organization does not allow you to open all ports, make sure you open the required intracluster ports listed in the following table. In addition, a number of ports are dynamically assigned to services, which change between runs. The dynamic ports come from the range of ports that are dynamically allocated by Linux (20K+).

Click to see the ports ThoughtSpot uses for intracluster network operations
Port Mandatory Protocol Service Name Direction Source Dest. Description

443

Mandatory

TCP

Secure nginx

inbound

All nodes

All nodes

Primary app HTTPS port (nginx)

2100

Mandatory

TCP

Oreo RPC port

bidirectional

All nodes

All nodes

Node daemon RPC

2101

Mandatory

TCP

Oreo HTTP port

bidirectional

All nodes

All nodes

Node daemon HTTP

2181

Mandatory

TCP

Zookeeper servers listen on this RPC port for client connections

bidirectional

All nodes

All nodes

Zookeeper servers listen on this RPC port for client connections. Zookeeper is ThoughtSpot’s cluster-wide configuration management tool.

2200

Mandatory

TCP

Orion master RPC port

bidirectional

All nodes

All nodes

Internal communication with Orion, ThoughtSpot’s cluster management tool.

2201

Mandatory

TCP

Orion master HTTP port

bidirectional

All nodes

All nodes

Port used to debug Orion, ThoughtSpot’s cluster management tool.

2205

Mandatory

TCP

Cluster update service TCP port

bidirectional

All nodes

All nodes

Internal communication with the cluster manager

2210

Mandatory

TCP

Cluster stats service RPC port

bidirectional

All nodes

All nodes

Internal communication with the stats collector

2211

Mandatory

TCP

Cluster stats service HTTP port

bidirectional

All nodes

All nodes

Port used to debug the stats collector

2230

Mandatory

TCP

Callosum stats collector RPC port

bidirectional

All nodes

All nodes

Internal communication with Callosum, ThoughtSpot’s BI stats collector.

2231

Mandatory

TCP

Callosum stats collector HTTP port

bidirectional

All nodes

All nodes

Port used to debug Callosum, ThoughtSpot’s BI stats collector.

2240

Mandatory

TCP

Alert manager

bidirectional

All nodes

All nodes

Port where alerting service receives alert events

2241

Mandatory

TCP

Alert manager

bidirectional

All nodes

All nodes

Port where alerting service receives alert events

2888

Mandatory

TCP

Ports used by Zookeeper servers for communication between themselves

bidirectional

All nodes

All nodes

Ports used by Zookeeper servers for communication between themselves. Zookeeper is ThoughtSpot’s cluster-wide configuration management tool.

3181

Mandatory

TCP

Ports used by Zookeeper servers for communication between themselves

bidirectional

All nodes

All nodes

Ports used by Zookeeper servers for communication between themselves. Zookeeper is ThoughtSpot’s cluster-wide configuration management tool.

3888

Mandatory

TCP

Ports used by Zookeeper servers for communication between themselves

bidirectional

All nodes

All nodes

Ports used by Zookeeper servers for communication between themselves. Zookeeper is ThoughtSpot’s cluster-wide configuration management tool.

4000

Mandatory

TCP

Falcon worker RPC port

bidirectional

All nodes

All nodes

Port used by data cache for communication between themselves. Falcon is ThoughtSpot’s in-memory database.

4001

Mandatory

TCP

Falcon worker HTTP port

bidirectional

All nodes

All nodes

Port used to debug the data cache. Falcon is ThoughtSpot’s in-memory database.

4002

Mandatory

TCP

Falcon worker HTTP port

bidirectional

All nodes

All nodes

Port used to debug the data cache. Falcon is ThoughtSpot’s in-memory database.

4003

Mandatory

TCP

Falcon worker RPC port

bidirectional

All nodes

All nodes

Port used by data cache for communication between themselves. Falcon is ThoughtSpot’s in-memory database.

4004

Mandatory

TCP

Falcon worker RPC port

bidirectional

All nodes

All nodes

Port used by data cache for communication between themselves. Falcon is ThoughtSpot’s in-memory database.

4010

Mandatory

TCP

Falcon moderator

bidirectional

All nodes

All nodes

Debug DFS data

4011

Mandatory

TCP

Falcon moderator

bidirectional

All nodes

All nodes

Debug DFS data

4021

Mandatory

TCP

Sage metadata service port (exported by Tomcat), Callosum services like meta-data services, medata-dependency service, scheduling service, session-less service, spotiq service

bidirectional

All nodes

All nodes

Port where search service (Sage) contacts metadata service (Callosum) for metadata

4123

Mandatory

TCP

Prism. Prism is an API gateway that connects ThoughtSpot’s frontend to multiple backend services.

bidirectional

All nodes

All nodes

Intracluster communication. Allows table joins.

4181

Mandatory

TCP

Ports used by Zookeeper servers for communication between themselves

bidirectional

All nodes

All nodes

Ports used by Zookeeper servers for communication between themselves. Zookeeper is ThoughtSpot’s cluster-wide configuration management tool.

4201

Mandatory

TCP

Sage auto complete server HTTP interface port

bidirectional

All nodes

All nodes

Port used to debug Sage, ThoughtSpot’s search service.

4231

Mandatory

TCP

Sage index server HTTP port

bidirectional

All nodes

All nodes

Port used to debug Sage, ThoughtSpot’s search service.

4232

Mandatory

TCP

Sage index server metadata subscriber port

bidirectional

All nodes

All nodes

Port used for internal communication for Sage, ThoughtSpot’s search service.

4233

Mandatory

TCP

Sage index server RPC port

bidirectional

All nodes

All nodes

Port used for internal communication for Sage, ThoughtSpot’s search service.

4241

Mandatory

TCP

Sage auto complete server HTTP port

bidirectional

All nodes

All nodes

Port used to debug Sage, ThoughtSpot’s search service.

4242

Mandatory

TCP

Sage auto complete server RPC port

bidirectional

All nodes

All nodes

Port used for internal communication for Sage, ThoughtSpot’s search service.

4243

Mandatory

TCP

Sage auto complete server metadata subscriber port

bidirectional

All nodes

All nodes

Port used for internal communication for Sage, ThoughtSpot’s search service.

4244

Mandatory

TCP

Sage auto complete server metadata subscriber port

bidirectional

All nodes

All nodes

Port used for internal communication for Sage, ThoughtSpot’s search service.

4245

Mandatory

TCP

Sage auto complete server metadata subscriber port

bidirectional

All nodes

All nodes

Port used for internal communication for Sage, ThoughtSpot’s search service.

4249

Mandatory

TCP

Ports used by Enlite/SpotIQ

bidirectional

All nodes

All nodes

Port used for SpotIQ internal communication.

4251

Mandatory

TCP

Sage master RPC port

bidirectional

All nodes

All nodes

Port used for internal communication for Sage, ThoughtSpot’s search service.

4405

Mandatory

TCP

Diamond (graphite) port

bidirectional

All nodes

All nodes

Port used for communication with monitoring service

4406

Mandatory

TCP

Diamond (graphite) port

bidirectional

All nodes

All nodes

Port used for communication with monitoring service

4500

Mandatory

TCP

Trace vault service RPC port

bidirectional

All nodes

All nodes

Trace collection for ThoughtSpot services

4501

Mandatory

TCP

Trace vault service HTTP port

bidirectional

All nodes

All nodes

Debug trace collection

9200

Mandatory

TCP

Elastic search (ELK)

bidirectional

All nodes

All nodes

Communication with log search service

5021

Mandatory

TCP

Callosum services like meta-data services, medata-dependency service, scheduling service, session-less service, spotiq service

bidirectional

All nodes

All nodes

Port where the search service (Sage) contacts the metadata service (Callosum) for metadata.

5270

Mandatory

TCP

Cluster monitoring service (ELK)

bidirectional

All nodes

All nodes

Services

5271

Mandatory

TCP

Cluster monitoring service (ELK)

bidirectional

All nodes

All nodes

Services

5432

Mandatory

TCP

Postgres database server port

bidirectional

All nodes

All nodes

Communication with Postgres database

5601

Mandatory

TCP

Kibana UI (ELK)

bidirectional

All nodes

All nodes

Services

6021

Mandatory

TCP

Callosum services like meta-data services, medata-dependency service, scheduling service, session-less service, spotiq service

bidirectional

All nodes

All nodes

Port where the search service (Sage) contacts the metadata service (Callosum) for metadata

6311

Mandatory

TCP

R service

bidirectional

All nodes

All nodes

Services

6379

Mandatory

TCP

redis

inbound

All nodes

All nodes

Port for redis access

7000

Mandatory

TCP

Cassandra KV store database

bidirectional

All nodes

All nodes

Debug DFS data. Cassandra is a third-party database management system.

7001

Mandatory

TCP

Cassandra

bidirectional

All nodes

All nodes

Debug DFS data. Cassandra is a third-party database management system.

7021

Mandatory

TCP

Callosum services like meta-data services, medata-dependency service, scheduling service, session-less service, spotiq service

bidirectional

All nodes

All nodes

Port where the search service (Sage) contacts the metadata service (Callosum) for metadata

8008

Mandatory

TCP

Video recorder

bidirectional

All nodes

All nodes

Services

8020

Mandatory

TCP

HDFS namenode server RPC port

bidirectional

All nodes

All nodes

Distributed file system (DFS) communication with clients

8021

Mandatory

TCP

Callosum services like meta-data services, medata-dependency service, scheduling service, session-less service, spotiq service

bidirectional

All nodes

All nodes

Port where the search service (Sage) contacts the metadata service (Callosum) for metadata.

8080

Mandatory

TCP

Tomcat

bidirectional

All nodes

All nodes

BI engine communication with clients

8081

Mandatory

TCP

Callosum/Tomcat status

bidirectional

All nodes

All nodes

BI engine communication with clients

8480

Mandatory

TCP

HDFS journalnode server HTTP port

bidirectional

All nodes

All nodes

Debug DFS metadata

8485

Mandatory

TCP

HDFS journalnode server HTTP port

bidirectional

All nodes

All nodes

Debug DFS metadata

8787

Mandatory

TCP

Periscope (UI) service HTTP port

bidirectional

All nodes

All nodes

Administration UI back end

8888

Mandatory

TCP

HTTP proxy server (tinyproxy)

bidirectional

All nodes

All nodes

Reverse SSH tunnel

9042

Mandatory

HTTP

Munshi server impression service, Cassandra

bidirectional

All nodes

All nodes

Debug DFS data. Cassandra is a third-party database management system.

9090

Mandatory

TCP

Timely

bidirectional

All nodes

All nodes

Services

9099

Mandatory

TCP

Prism. Prism is an API gateway that connects ThoughtSpot’s frontend to multiple backend services.

bidirectional

All nodes

All nodes

Port 9099 is used when GraphQL federation is enabled in Prism. Prism is an API gateway that connects ThoughtSpot’s frontend to multiple backend services, and GraphQL federation combines multiple microservice APIs into a single API.

9160

Mandatory

TCP

Cassandra

bidirectional

All nodes

All nodes

Debug DFS data. Cassandra is a third-party database management system.

11211

Mandatory

TCP/UDP

Memcached server port

bidirectional

All nodes

All nodes

BI engine cache

20123 - 32768

Mandatory

TCP

Dynamic services

bidirectional

All nodes

All nodes

Used for various services, such as atlas, caffeine, callhome, callosum, falcon, monitoring, munshi server, nlp, object_search, postgres, sage UBR, spotiq snapshot, timely.

50010

Mandatory

TCP

HDFS datanode server HTTP port

bidirectional

All nodes

All nodes

Debug DFS data

50020

Mandatory

TCP

HDFS datanode server HTTP port

bidirectional

All nodes

All nodes

Debug DFS data

50070

Mandatory

TCP

HDFS namenode server HTTP port

bidirectional

All nodes

All nodes

Debug DFS metadata

50075

Mandatory

TCP

HDFS datanode server HTTP port

bidirectional

All nodes

All nodes

Debug DFS data

50090

Mandatory

TCP

HDFS secondary namenode server HTTP port

bidirectional

All nodes

All nodes

Debug DFS metadata

Mandatory

ICMP

Used for health check of cluster nodes

bidirectional

All nodes

All nodes

Services

80

Optional

TCP

nginx

inbound

All nodes

All nodes

Primary app HTTP port (nginx)

500

Optional unless using IPSec

UDP

Internet Key Exchange (IKE)

bidirectional

All nodes

All nodes

Required when using IPSec (encryption in transit)

4500

Optional unless using IPSec

UDP

IPSec

bidirectional

All nodes

All nodes

Required when using IPSec (encryption in transit)

Optional unless using IPSec

IP protocol 50

Encapsulating Security Payload (ESP)

bidirectional

All nodes

All nodes

Required when using IPSec (encryption in transit)