Firewall configuration for large installations

These are the port requirements for large installations with compilers.

[Figure: communication between components in a large installation with compilers and a load balancer.]

Port / Use
22
  • Code Manager uses this port to tell a Git server to clone and fetch content via SSH.
443
  • Code Manager uses this port to tell a Git server to clone and fetch content via HTTPS.

  • This port provides host access to the console.
  • The console accepts HTTPS traffic from end users on this port.
  • Classifier group: PE Console
4433
  • This port is used as a classifier / console services API endpoint.
  • The primary server communicates with the console over this port.
  • Classifier group: PE Console
5432
  • This port is used to replicate PostgreSQL data between the primary server and replica.
  • The PuppetDB service running on compilers uses this port to communicate with PE-PostgreSQL.
8081
  • PuppetDB accepts traffic/requests on this port.
  • The primary server and console send traffic to PuppetDB on this port.
  • PuppetDB status checks are sent over this port.
  • Classifier group: PE PuppetDB
8140
  • The primary server uses this port to accept inbound traffic/requests from agents.
  • The console sends requests to the primary server on this port.
  • Certificate requests are passed over this port unless ca_port is set differently.
  • Puppet Server status checks are sent over this port.
  • The primary server uses this port to send status checks to compilers. (Not required to run PE.)
  • Classifier group: PE Master
8142
  • Orchestrator and the Run Puppet button use this port on the primary server to accept inbound traffic/responses from agents via the Puppet Execution Protocol agent.
  • Classifier group: PE Orchestrator
8143
  • Orchestrator uses this port to accept connections from Puppet Communications Protocol brokers to relay communications. The orchestrator client also uses this port to communicate with the orchestration services running on the primary server. If you install the orchestrator client on a workstation, port 8143 on the primary server must be accessible from the workstation.
  • Classifier group: PE Orchestrator
8147
  • This is the port used for the licensing service and the host-action-collector-service. Traffic is restricted to local access on the primary server only, unless external integrations require access to the license service. The ServiceNow integration is one example of that requirement.
8170
  • Code Manager uses this port to deploy environments, run webhooks, and make API calls.
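The table above can be turned directly into a default-drop host firewall. The following is an added example, not Puppet's own tooling: it emits an nftables input chain for the primary server, keeping 8147 (and any other co-located service) reachable only over loopback. The topology, the CIDRs, the choice of nftables and the table/chain names are assumptions; PuppetDB (8081) and the console services API (4433) are treated as co-located on the primary and therefore need no inbound rule in this layout.

```python
"""Inbound nftables rules for a PE primary server, derived from the port table.
Added example, not Puppet's own tooling; topology and nftables names are assumptions."""
from ipaddress import ip_network

# Constructed sample topology (assumption); IPv4 only for brevity.
TOPOLOGY = {
    "agents":        ["10.0.0.0/8"],
    "compilers":     ["10.1.0.10/32", "10.1.0.11/32"],
    "replica":       ["10.1.0.20/32"],
    "console_users": ["10.2.0.0/24"],   # browsers and orchestrator-client workstations
}

# Port -> groups allowed to reach it on the primary (from the table above).
# 8147 (licensing / host-action-collector) is deliberately absent: it is
# local-only, so it is covered by the loopback rule and never exposed.
PRIMARY_INBOUND = {
    8140: ["agents", "compilers"],             # agent requests, CA, status checks
    8142: ["agents"],                          # PXP agent connections (orchestrator)
    8143: ["compilers", "console_users"],      # PCP brokers, orchestrator client
    443:  ["console_users"],                   # console HTTPS for end users
    5432: ["replica", "compilers"],            # PE-PostgreSQL: replication, compiler PuppetDB
    8170: ["console_users"],                   # Code Manager API calls and webhooks
}


def nft_rules(inbound, topology, chain="pe_primary_in"):
    """Return an nftables ruleset (list of statements) with a default-drop input chain."""
    rules = [
        "add table inet filter",
        f"add chain inet filter {chain} "
        "{ type filter hook input priority 0; policy drop; }",
        f"add rule inet filter {chain} ct state established,related accept",
        # Local-only services (8147, co-located console/PuppetDB) stay on loopback.
        f"add rule inet filter {chain} iif lo accept",
    ]
    for port, groups in sorted(inbound.items()):
        # ip_network() rejects malformed CIDRs and normalizes the rest.
        sources = sorted({str(ip_network(c)) for g in groups for c in topology[g]})
        if not sources:
            raise ValueError(f"no sources defined for port {port}")
        rules.append(f"add rule inet filter {chain} tcp dport {port} "
                     f"ip saddr {{ {', '.join(sources)} }} accept")
    return rules


if __name__ == "__main__":
    # Pipe into `nft -f -` after reviewing the output.
    print("\n".join(nft_rules(PRIMARY_INBOUND, TOPOLOGY)))
```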