Network ports
For regular operations and for debugging, there are some ports you must keep open to network traffic from end users. Another, larger list of ports must be kept open for network traffic between the nodes in the cluster.
This article summarizes the list of ports, both required and optional, for regular operations of ThoughtSpot. Optional ports appear at the end of each list. |
Ports for end user access
Click to see the ports that must be open for requests from end users.
Port | Mandatory | Protocol | Service Name | Direction | Source | Destination | Description |
---|---|---|---|---|---|---|---|
443 |
Mandatory |
TCP |
HTTPS |
bidirectional |
All users IP addresses |
All nodes |
Secure HTTP. |
80 |
Optional |
TCP |
nginx |
inbound |
All nodes |
All nodes |
Primary app HTTP port (nginx) |
Ports for data architect and admin user access
Click to see the ports that must be open for requests from data architect and admin users.
Port | Mandatory | Protocol | Service Name | Direction | Source | Destination | Description |
---|---|---|---|---|---|---|---|
22 |
Mandatory |
TCP |
SSH |
inbound |
Administrators IP addresses |
All nodes |
Secure shell access. Also used for scp (secure copy). |
443 |
Mandatory |
TCP |
HTTPS |
inbound |
All users IP addresses |
All nodes |
Secure HTTP. |
8441 |
Mandatory |
HTTP |
|
bidirectional |
All nodes |
All nodes |
Keeps track of the status of different load attempts on the cluster. |
8442 |
Mandatory |
HTTPS |
|
bidirectional |
All nodes |
All nodes |
Secure service accepting data to be loaded into Falcon, ThoughtSpot’s in-memory database, over a REST interface. |
80 |
Optional |
TCP |
nginx |
inbound |
All nodes |
All nodes |
Primary app HTTP port (nginx) |
12345 |
Optional unless using Simba |
TCP |
Simba |
bidirectional |
Administrators IP addresses |
All nodes |
Allows Simba to push data to ThoughtSpot using ODBC and JDBC drivers or other ETL tools. |
Ports for cluster operation
Click to see the static ports ThoughtSpot uses for cluster operation.
Port | Mandatory | Protocol | Service Name | Direction | Source | Destination | Description |
---|---|---|---|---|---|---|---|
22 |
Mandatory |
TCP |
SSH |
bidirectional |
ThoughtSpot Support |
All nodes |
Inbound for cluster administration. Outbound for ThoughtSpot Support services (Reverse SSH tunnel) as necessary. |
25 |
Mandatory |
TCP |
SMTP or Secure SMTP |
outbound |
All nodes and SMTP relay (provided by customer) |
All nodes |
Allow outbound connection to the configured email relay on port 25 (or any non-standard port as required by the mail relay). Refer to Set the relay host for SMTP. |
53 |
Mandatory |
UDP |
DNS Resolver |
bidirectional |
Configured DNS servers |
All nodes |
Name resolution. |
123 |
Mandatory, unless using the Amazon Time Sync Service. |
UDP |
NTP service |
bidirectional |
ThoughtSpot Support |
All nodes |
Port used by NTP service. If your company cannot use this port, you can use the Amazon Time Sync Service and customize the port it uses. |
389 or 636 |
Mandatory |
TCP/UDP |
LDAP or LDAPS |
outbound |
All nodes and LDAP server, provided by customer |
All nodes |
Allow outbound access for the IP address of the LDAP server in use. |
443 |
Mandatory |
TCP |
HTTPS |
outbound |
All nodes |
thoughtspot.egnyte.com |
For transferring files to thoughtspot.egnyte.com and downloading new releases. |
443 |
Mandatory |
TCP |
HTTPS |
outbound |
All nodes |
For transferring product usage data to mixpanel cloud. |
outbound |
443 |
Mandatory |
TCP |
HTTPS |
outbound |
All nodes |
je8b47jfif.execute-api.us-east-2.amazonaws.com |
For transferring monitoring data to InfluxCloud. (Given address will resolve to point to AWS instances). |
2049 |
Mandatory |
TCP/UDP |
NFS: In case one needs to mount NFS share on TS node. |
bidirectional |
ThoughtSpot Support |
All nodes |
Port used by NFS. |
80 |
Optional |
TCP |
HTTP |
Inbound |
ThoughtSpot Support |
All nodes |
HTTP access to the cluster. By default SSL is enabled and only used to redirect to HTTPS. |
443 |
Optional unless using consumption-based pricing |
TCP |
HTTPS |
outbound |
All nodes |
redshift-pricing.thoughtspot.cloud |
Required for consumption-based pricing. |
5439 |
Optional unless using consumption-based pricing |
TCP |
Redshift |
outbound |
All nodes |
redshift-pricing.thoughtspot.cloud |
Required for consumption-based pricing. |
Ports for Intelligent Platform Management Interface (IPMI)
Click to see the static ports ThoughtSpot uses for out-of-band IPMI communications between the cluster and ThoughtSpot Support. You only need to open these ports if you deploy ThoughtSpot on a hardware appliance: either the Super Micro Computer or Dell appliance.
Port | Mandatory | Protocol | Service Name | Direction | Source | Destination | Description |
---|---|---|---|---|---|---|---|
443 |
Mandatory |
TCP |
S-HTTP |
bidirectional |
ThoughtSpot Support |
All nodes |
All nodes out of band management (OOBM) |
623 |
Mandatory |
UDP |
Serial-over-LAN |
bidirectional |
ThoughtSpot Support |
All nodes |
All nodes out of band management (OOBM) |
80 |
Optional |
TCP |
HTTP |
Inbound |
ThoughtSpot Support |
All nodes |
HTTP access to the cluster. By default SSL is enabled and only used to redirect to HTTPS. |
Ports for intracluster network operations
Static ports are used for communication between services within the cluster. ThoughtSpot recommends that you open all ports within a cluster. This is not required, but it ensures that cluster communication works properly if additional ports are used in a future software release.
If your organization does not allow you to open all ports, make sure you open the required intracluster ports listed in the following table. In addition, a number of ports are dynamically assigned to services, which change between runs. The dynamic ports come from the range of ports that are dynamically allocated by Linux (20K+).
Click to see the ports ThoughtSpot uses for intracluster network operations
Port | Mandatory | Protocol | Service Name | Direction | Source | Dest. | Description |
---|---|---|---|---|---|---|---|
443 |
Mandatory |
TCP |
Secure nginx |
inbound |
All nodes |
All nodes |
Primary app HTTPS port (nginx) |
2100 |
Mandatory |
TCP |
Oreo RPC port |
bidirectional |
All nodes |
All nodes |
Node daemon RPC |
2101 |
Mandatory |
TCP |
Oreo HTTP port |
bidirectional |
All nodes |
All nodes |
Node daemon HTTP |
2181 |
Mandatory |
TCP |
Zookeeper servers listen on this RPC port for client connections |
bidirectional |
All nodes |
All nodes |
Zookeeper servers listen on this RPC port for client connections. Zookeeper is ThoughtSpot’s cluster-wide configuration management tool. |
2200 |
Mandatory |
TCP |
Orion master RPC port |
bidirectional |
All nodes |
All nodes |
Internal communication with Orion, ThoughtSpot’s cluster management tool. |
2201 |
Mandatory |
TCP |
Orion master HTTP port |
bidirectional |
All nodes |
All nodes |
Port used to debug Orion, ThoughtSpot’s cluster management tool. |
2205 |
Mandatory |
TCP |
Cluster update service TCP port |
bidirectional |
All nodes |
All nodes |
Internal communication with the cluster manager |
2210 |
Mandatory |
TCP |
Cluster stats service RPC port |
bidirectional |
All nodes |
All nodes |
Internal communication with the stats collector |
2211 |
Mandatory |
TCP |
Cluster stats service HTTP port |
bidirectional |
All nodes |
All nodes |
Port used to debug the stats collector |
2230 |
Mandatory |
TCP |
Callosum stats collector RPC port |
bidirectional |
All nodes |
All nodes |
Internal communication with Callosum, ThoughtSpot’s BI stats collector. |
2231 |
Mandatory |
TCP |
Callosum stats collector HTTP port |
bidirectional |
All nodes |
All nodes |
Port used to debug Callosum, ThoughtSpot’s BI stats collector. |
2240 |
Mandatory |
TCP |
Alert manager |
bidirectional |
All nodes |
All nodes |
Port where alerting service receives alert events |
2241 |
Mandatory |
TCP |
Alert manager |
bidirectional |
All nodes |
All nodes |
Port where alerting service receives alert events |
2888 |
Mandatory |
TCP |
Ports used by Zookeeper servers for communication between themselves |
bidirectional |
All nodes |
All nodes |
Ports used by Zookeeper servers for communication between themselves. Zookeeper is ThoughtSpot’s cluster-wide configuration management tool. |
3181 |
Mandatory |
TCP |
Ports used by Zookeeper servers for communication between themselves |
bidirectional |
All nodes |
All nodes |
Ports used by Zookeeper servers for communication between themselves. Zookeeper is ThoughtSpot’s cluster-wide configuration management tool. |
3888 |
Mandatory |
TCP |
Ports used by Zookeeper servers for communication between themselves |
bidirectional |
All nodes |
All nodes |
Ports used by Zookeeper servers for communication between themselves. Zookeeper is ThoughtSpot’s cluster-wide configuration management tool. |
4000 |
Mandatory |
TCP |
Falcon worker RPC port |
bidirectional |
All nodes |
All nodes |
Port used by data cache for communication between themselves. Falcon is ThoughtSpot’s in-memory database. |
4001 |
Mandatory |
TCP |
Falcon worker HTTP port |
bidirectional |
All nodes |
All nodes |
Port used to debug the data cache. Falcon is ThoughtSpot’s in-memory database. |
4002 |
Mandatory |
TCP |
Falcon worker HTTP port |
bidirectional |
All nodes |
All nodes |
Port used to debug the data cache. Falcon is ThoughtSpot’s in-memory database. |
4003 |
Mandatory |
TCP |
Falcon worker RPC port |
bidirectional |
All nodes |
All nodes |
Port used by data cache for communication between themselves. Falcon is ThoughtSpot’s in-memory database. |
4004 |
Mandatory |
TCP |
Falcon worker RPC port |
bidirectional |
All nodes |
All nodes |
Port used by data cache for communication between themselves. Falcon is ThoughtSpot’s in-memory database. |
4010 |
Mandatory |
TCP |
Falcon moderator |
bidirectional |
All nodes |
All nodes |
Debug DFS data |
4011 |
Mandatory |
TCP |
Falcon moderator |
bidirectional |
All nodes |
All nodes |
Debug DFS data |
4021 |
Mandatory |
TCP |
Sage metadata service port (exported by Tomcat), Callosum services like meta-data services, medata-dependency service, scheduling service, session-less service, spotiq service |
bidirectional |
All nodes |
All nodes |
Port where search service (Sage) contacts metadata service (Callosum) for metadata |
4123 |
Mandatory |
TCP |
Prism. Prism is an API gateway that connects ThoughtSpot’s frontend to multiple backend services. |
bidirectional |
All nodes |
All nodes |
Intracluster communication. Allows table joins. |
4181 |
Mandatory |
TCP |
Ports used by Zookeeper servers for communication between themselves |
bidirectional |
All nodes |
All nodes |
Ports used by Zookeeper servers for communication between themselves. Zookeeper is ThoughtSpot’s cluster-wide configuration management tool. |
4201 |
Mandatory |
TCP |
Sage auto complete server HTTP interface port |
bidirectional |
All nodes |
All nodes |
Port used to debug Sage, ThoughtSpot’s search service. |
4231 |
Mandatory |
TCP |
Sage index server HTTP port |
bidirectional |
All nodes |
All nodes |
Port used to debug Sage, ThoughtSpot’s search service. |
4232 |
Mandatory |
TCP |
Sage index server metadata subscriber port |
bidirectional |
All nodes |
All nodes |
Port used for internal communication for Sage, ThoughtSpot’s search service. |
4233 |
Mandatory |
TCP |
Sage index server RPC port |
bidirectional |
All nodes |
All nodes |
Port used for internal communication for Sage, ThoughtSpot’s search service. |
4241 |
Mandatory |
TCP |
Sage auto complete server HTTP port |
bidirectional |
All nodes |
All nodes |
Port used to debug Sage, ThoughtSpot’s search service. |
4242 |
Mandatory |
TCP |
Sage auto complete server RPC port |
bidirectional |
All nodes |
All nodes |
Port used for internal communication for Sage, ThoughtSpot’s search service. |
4243 |
Mandatory |
TCP |
Sage auto complete server metadata subscriber port |
bidirectional |
All nodes |
All nodes |
Port used for internal communication for Sage, ThoughtSpot’s search service. |
4244 |
Mandatory |
TCP |
Sage auto complete server metadata subscriber port |
bidirectional |
All nodes |
All nodes |
Port used for internal communication for Sage, ThoughtSpot’s search service. |
4245 |
Mandatory |
TCP |
Sage auto complete server metadata subscriber port |
bidirectional |
All nodes |
All nodes |
Port used for internal communication for Sage, ThoughtSpot’s search service. |
4249 |
Mandatory |
TCP |
Ports used by Enlite/SpotIQ |
bidirectional |
All nodes |
All nodes |
Port used for SpotIQ internal communication. |
4251 |
Mandatory |
TCP |
Sage master RPC port |
bidirectional |
All nodes |
All nodes |
Port used for internal communication for Sage, ThoughtSpot’s search service. |
4405 |
Mandatory |
TCP |
Diamond (graphite) port |
bidirectional |
All nodes |
All nodes |
Port used for communication with monitoring service |
4406 |
Mandatory |
TCP |
Diamond (graphite) port |
bidirectional |
All nodes |
All nodes |
Port used for communication with monitoring service |
4500 |
Mandatory |
TCP |
Trace vault service RPC port |
bidirectional |
All nodes |
All nodes |
Trace collection for ThoughtSpot services |
4501 |
Mandatory |
TCP |
Trace vault service HTTP port |
bidirectional |
All nodes |
All nodes |
Debug trace collection |
9200 |
Mandatory |
TCP |
Elastic search (ELK) |
bidirectional |
All nodes |
All nodes |
Communication with log search service |
5021 |
Mandatory |
TCP |
Callosum services like meta-data services, medata-dependency service, scheduling service, session-less service, spotiq service |
bidirectional |
All nodes |
All nodes |
Port where the search service (Sage) contacts the metadata service (Callosum) for metadata. |
5270 |
Mandatory |
TCP |
Cluster monitoring service (ELK) |
bidirectional |
All nodes |
All nodes |
Services |
5271 |
Mandatory |
TCP |
Cluster monitoring service (ELK) |
bidirectional |
All nodes |
All nodes |
Services |
5432 |
Mandatory |
TCP |
Postgres database server port |
bidirectional |
All nodes |
All nodes |
Communication with Postgres database |
5601 |
Mandatory |
TCP |
Kibana UI (ELK) |
bidirectional |
All nodes |
All nodes |
Services |
6021 |
Mandatory |
TCP |
Callosum services like meta-data services, medata-dependency service, scheduling service, session-less service, spotiq service |
bidirectional |
All nodes |
All nodes |
Port where the search service (Sage) contacts the metadata service (Callosum) for metadata |
6311 |
Mandatory |
TCP |
R service |
bidirectional |
All nodes |
All nodes |
Services |
6379 |
Mandatory |
TCP |
Redis Server |
Bidirectional |
All nodes |
All nodes |
Redis client to server communication and data exchange |
7000 |
Mandatory |
TCP |
Cassandra KV store database |
bidirectional |
All nodes |
All nodes |
Debug DFS data. Cassandra is a third-party database management system. |
7001 |
Mandatory |
TCP |
Cassandra |
bidirectional |
All nodes |
All nodes |
Debug DFS data. Cassandra is a third-party database management system. |
7021 |
Mandatory |
TCP |
Callosum services like meta-data services, medata-dependency service, scheduling service, session-less service, spotiq service |
bidirectional |
All nodes |
All nodes |
Port where the search service (Sage) contacts the metadata service (Callosum) for metadata |
8008 |
Mandatory |
TCP |
Video recorder |
bidirectional |
All nodes |
All nodes |
Services |
8020 |
Mandatory |
TCP |
HDFS namenode server RPC port |
bidirectional |
All nodes |
All nodes |
Distributed file system (DFS) communication with clients |
8021 |
Mandatory |
TCP |
Callosum services like meta-data services, medata-dependency service, scheduling service, session-less service, spotiq service |
bidirectional |
All nodes |
All nodes |
Port where the search service (Sage) contacts the metadata service (Callosum) for metadata. |
8080 |
Mandatory |
TCP |
Tomcat |
bidirectional |
All nodes |
All nodes |
BI engine communication with clients |
8081 |
Mandatory |
TCP |
Callosum/Tomcat status |
bidirectional |
All nodes |
All nodes |
BI engine communication with clients |
8480 |
Mandatory |
TCP |
HDFS journalnode server HTTP port |
bidirectional |
All nodes |
All nodes |
Debug DFS metadata |
8485 |
Mandatory |
TCP |
HDFS journalnode server HTTP port |
bidirectional |
All nodes |
All nodes |
Debug DFS metadata |
8787 |
Mandatory |
TCP |
Periscope (UI) service HTTP port |
bidirectional |
All nodes |
All nodes |
Administration UI back end |
8888 |
Mandatory |
TCP |
HTTP proxy server (tinyproxy) |
bidirectional |
All nodes |
All nodes |
Reverse SSH tunnel |
9042 |
Mandatory |
HTTP |
Munshi server impression service, Cassandra |
bidirectional |
All nodes |
All nodes |
Debug DFS data. Cassandra is a third-party database management system. |
9090 |
Mandatory |
TCP |
Timely |
bidirectional |
All nodes |
All nodes |
Services |
9099 |
Mandatory |
TCP |
Prism. Prism is an API gateway that connects ThoughtSpot’s frontend to multiple backend services. |
bidirectional |
All nodes |
All nodes |
Port 9099 is used when GraphQL federation is enabled in Prism. Prism is an API gateway that connects ThoughtSpot’s frontend to multiple backend services, and GraphQL federation combines multiple microservice APIs into a single API. |
9160 |
Mandatory |
TCP |
Cassandra |
bidirectional |
All nodes |
All nodes |
Debug DFS data. Cassandra is a third-party database management system. |
11211 |
Mandatory |
TCP/UDP |
Memcached server port |
bidirectional |
All nodes |
All nodes |
BI engine cache |
20123 - 32768 |
Mandatory |
TCP |
Dynamic services |
bidirectional |
All nodes |
All nodes |
Used for various services, such as atlas, caffeine, callhome, callosum, falcon, monitoring, munshi server, nlp, object_search, postgres, sage UBR, spotiq snapshot, timely. |
50010 |
Mandatory |
TCP |
HDFS datanode server HTTP port |
bidirectional |
All nodes |
All nodes |
Debug DFS data |
50020 |
Mandatory |
TCP |
HDFS datanode server HTTP port |
bidirectional |
All nodes |
All nodes |
Debug DFS data |
50070 |
Mandatory |
TCP |
HDFS namenode server HTTP port |
bidirectional |
All nodes |
All nodes |
Debug DFS metadata |
50075 |
Mandatory |
TCP |
HDFS datanode server HTTP port |
bidirectional |
All nodes |
All nodes |
Debug DFS data |
50090 |
Mandatory |
TCP |
HDFS secondary namenode server HTTP port |
bidirectional |
All nodes |
All nodes |
Debug DFS metadata |
Mandatory |
ICMP |
Used for health check of cluster nodes |
bidirectional |
All nodes |
All nodes |
Services |
|
80 |
Optional |
TCP |
nginx |
inbound |
All nodes |
All nodes |
Primary app HTTP port (nginx) |
500 |
Optional unless using IPSec |
UDP |
Internet Key Exchange (IKE) |
bidirectional |
All nodes |
All nodes |
Required when using IPSec (encryption in transit) |
4500 |
Optional unless using IPSec |
UDP |
IPSec |
bidirectional |
All nodes |
All nodes |
Required when using IPSec (encryption in transit) |
Optional unless using IPSec |
IP protocol 50 |
Encapsulating Security Payload (ESP) |
bidirectional |
All nodes |
All nodes |
Required when using IPSec (encryption in transit) |