This document provides a comprehensive reference for all network ports required when self-hosting the ACTIVATE platform. Use this guide to configure firewalls, network security groups, and load balancers for your deployment.
The ACTIVATE platform uses a hub-and-spoke network model:
These ports must be exposed on the control plane cluster's load balancer or ingress for the platform to function.
| Port | Protocol | Required | Purpose |
|---|---|---|---|
| 443 | TCP (HTTPS) | Yes | Platform web UI, REST API, and agent WebSocket tunnels |
| 80 | TCP (HTTP) | Recommended | HTTP-to-HTTPS redirect |
| 8443 | TCP (HTTPS) | Optional | CAC/Smart Card authentication (mTLS) |
This is the primary entry point for all platform traffic. A single port serves:
- Platform web UI
- REST API (`/api/...`)
- Agent WebSocket tunnels at `wss://<platform-host>/ws/ssh/tunnel`, using persistent multiplexed WebSocket connections

TLS termination can be handled by the ACTIVATE ingress service itself (using the configured TLS secret) or by an external load balancer / reverse proxy.
Serves only as an HTTP-to-HTTPS redirect. Can be omitted if your load balancer handles redirection externally.
Required only for deployments using DoD CAC / smart card authentication. This port runs a separate TLS listener that requires mutual TLS (client certificate verification) against the DoD PKE certificate chain. If your deployment uses CAC authentication, TLS must be terminated by ACTIVATE. An external load balancer or reverse proxy cannot terminate TLS on this port, as the platform needs direct access to the client certificate. If your deployment does not use CAC authentication, this port does not need to be exposed.
These ports are used for communication between services inside the control plane Kubernetes cluster. They should not be exposed externally. Kubernetes internal networking handles routing.
| Port | Protocol | Service | Notes |
|---|---|---|---|
| 5432 | TCP | PostgreSQL | Usage metrics, billing, and activity tracking |
| 27017 | TCP | MongoDB (replica set) | User accounts, platform configuration, and metadata |
If using managed database services outside the cluster, ensure the control plane can reach the database endpoints on these ports. This may require VNet peering, private endpoints, or firewall rules on the database service.
| Port | Protocol | Service | Notes |
|---|---|---|---|
| 5672 | TCP (AMQP) | RabbitMQ | Inter-service messaging for job orchestration and cluster operations |
| 15672 | TCP (HTTP) | RabbitMQ Management | Optional management UI for debugging. Do not expose externally. |
| Port | Protocol | Service | Notes |
|---|---|---|---|
| 8200 | TCP (HTTP) | HashiCorp Vault | Credential storage. Must be initialized and unsealed. |
These are internal HTTP services that communicate behind the ingress. They do not need external exposure or special firewall rules. Kubernetes service discovery handles routing.
| Port | Service | Purpose |
|---|---|---|
| 3000 | Cloud cacher | Cloud resource caching service |
| 4006 | Legacy API | REST API (Node.js). Scheduled for removal in v8. |
| 8888 | Internal API | Workspace scaling, cost routes (admin, not externally exposed) |
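The script below is an added example, not code from the ACTIVATE platform or its documentation. It encodes the control plane port matrix above and audits a list of edge allow rules (port, source CIDR), as read off a firewall or network security group, against it: it reports required external ports that are missing for the chosen deployment profile, internal-only services (databases, RabbitMQ, Vault, the internal APIs) that have leaked to the load balancer, and open ports the profile does not need. The sample rule set is constructed for illustration and does not describe a real deployment.

```python
"""Audit which ports an edge firewall / NSG exposes on the ACTIVATE control plane."""
from __future__ import annotations

from dataclasses import dataclass

# Ports the reference lists for the control plane load balancer or ingress.
EXTERNAL_PORTS = {
    443: "platform web UI, REST API, agent WebSocket tunnels",
    80: "HTTP-to-HTTPS redirect",
    8443: "CAC / smart card mTLS listener",
}

# Services the reference marks as internal to the control plane cluster.
INTERNAL_ONLY_PORTS = {
    3000: "Cloud cacher",
    4006: "Legacy API",
    5432: "PostgreSQL",
    5672: "RabbitMQ (AMQP)",
    8200: "HashiCorp Vault",
    8888: "Internal API",
    15672: "RabbitMQ management UI",
    27017: "MongoDB",
}


def expected_external_ports(cac_enabled: bool, lb_redirects_http: bool) -> set[int]:
    """Ports that must be reachable on the edge for a given deployment profile."""
    ports = {443}
    if not lb_redirects_http:
        ports.add(80)  # only needed when ACTIVATE itself serves the redirect
    if cac_enabled:
        ports.add(8443)  # separate mTLS listener, TLS terminated by ACTIVATE
    return ports


@dataclass(frozen=True)
class Finding:
    severity: str  # "critical", "error" or "warning"
    port: int
    message: str


def audit_exposure(
    exposed: list[tuple[int, str]], cac_enabled: bool, lb_redirects_http: bool
) -> list[Finding]:
    """Compare (port, source CIDR) allow rules on the edge against the reference.

    Reports required ports that are missing, internal-only services that are
    reachable from the edge, and open ports the chosen profile does not need.
    """
    expected = expected_external_ports(cac_enabled, lb_redirects_http)
    open_ports = {port for port, _ in exposed}
    findings: list[Finding] = []
    for port in sorted(expected - open_ports):
        findings.append(Finding("error", port,
                                f"required port {port} ({EXTERNAL_PORTS[port]}) is not allowed"))
    for port, source in sorted(exposed):
        if port in INTERNAL_ONLY_PORTS:
            findings.append(Finding("critical", port,
                                    f"internal-only service {INTERNAL_ONLY_PORTS[port]} "
                                    f"is reachable from {source}"))
        elif port not in expected:
            findings.append(Finding("warning", port,
                                    f"port {port} is open to {source} but not needed by this profile"))
    return findings


# Constructed sample: allow rules as they might be read off a cloud NSG (not a real deployment).
SAMPLE_EDGE_RULES = [
    (443, "0.0.0.0/0"),
    (80, "0.0.0.0/0"),
    (8443, "0.0.0.0/0"),   # CAC listener exposed although CAC is not in use
    (15672, "0.0.0.0/0"),  # RabbitMQ management UI leaked to the edge
]

if __name__ == "__main__":
    for f in audit_exposure(SAMPLE_EDGE_RULES, cac_enabled=False, lb_redirects_http=False):
        print(f"[{f.severity}] {f.port}: {f.message}")
```

The audit is static: it can tell you that 8443 is open, but not that TLS on it is passed through to ACTIVATE rather than terminated on the load balancer, which the CAC section above requires. Verify that part on the load balancer configuration itself.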
Compute cluster agents running on cloud clusters, managed clusters, or existing on-premises clusters communicate with the control plane over a single outbound connection. No inbound ports need to be opened on the compute cluster side.
The agent tunnel endpoint is `wss://<platform-host>/ws/ssh/tunnel` (port 443).

User workspaces and the platform connect to compute clusters over SSH (port 22) for running jobs and interactive sessions. The `pw ssh` command selects the connection method based on network configuration:
This means clusters should have port 22 open for SSH from the control plane, unless all SSH traffic is routed through the agent tunnel.
Cloud clusters are provisioned by the platform through a configured cloud account (e.g., AWS, Azure, GCP). The platform provisions compute nodes in the cloud provider, and each node's agent automatically establishes a tunnel connection back to the control plane.
Network requirements from the cloud cluster:
| Direction | Destination | Port | Protocol | Purpose |
|---|---|---|---|---|
| Outbound | Control plane host | 443 | TCP (WSS/HTTPS) | Agent tunnel, API calls, heartbeats |
| Inbound | Controller node | 22 | TCP (SSH) | SSH access from workspaces (if not using tunnel) |
Managed clusters are batch scheduler clusters (e.g., PBS, Slurm, LSF) registered with the platform. Node agents are installed using a one-time registration token and maintain a persistent tunnel connection to the control plane.
Network requirements from the managed cluster:
| Direction | Destination | Port | Protocol | Purpose |
|---|---|---|---|---|
| Outbound | Control plane host | 443 | TCP (WSS/HTTPS) | Agent tunnel, API calls, heartbeats |
| Inbound | Controller node | 22 | TCP (SSH) | SSH access from workspaces (if not using tunnel) |
Existing clusters are user-provided infrastructure that you register with the platform. They use the same outbound-only agent tunnel as cloud and managed clusters.
Network requirements from the existing cluster:
| Direction | Destination | Port | Protocol | Purpose |
|---|---|---|---|---|
| Outbound | Control plane host | 443 | TCP (WSS/HTTPS) | Agent tunnel, API calls, heartbeats |
| Inbound | Controller node | 22 | TCP (SSH) | SSH access from workspaces (if not using tunnel) |
On-Premises Firewall Configuration
Since agents only make outbound connections to port 443 on the control plane, on-premises clusters behind restrictive firewalls only need a single egress rule allowing HTTPS traffic to the platform hostname. No inbound firewall rules or port forwarding are required on the on-premises network.
Cloud clusters provisioned by the platform use additional ports for internal communication between the controller node and compute nodes. These ports do not need to be exposed to the control plane. They are used within the cluster's own network.
| Port | Protocol | Purpose |
|---|---|---|
| 2049 | TCP (NFS) | NFS exports from controller to compute nodes |
| Port | Protocol | Purpose |
|---|---|---|
| 6817 | TCP | Slurmctld (Slurm controller daemon) |
| 6819 | TCP | Slurmdbd (Slurm database daemon) |
| 3306 | TCP | MySQL for Slurm accounting database |
| 8192–60000 | TCP | Slurm srun interactive job step communication |
| Port | Protocol | Purpose |
|---|---|---|
| 1024–65535 | TCP | User workflows and application traffic between controller and compute nodes |
These ports are for communication within the cloud cluster network. They do not need to be reachable from the control plane or the internet.
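The wide ranges in the tables above (8192–60000 for srun, 1024–65535 for user traffic) are safe only because they are confined to the cluster's own network. The script below is an added example, not part of the ACTIVATE platform or its documentation: it reads a list of security group allow rules and flags any rule that makes an intra-cluster port range reachable from outside the cluster CIDR, or SSH (22) reachable from anywhere wider than the control plane network. The rules and CIDRs are constructed for illustration; substitute your own cluster and control plane address ranges.

```python
"""Check that a cloud cluster's security group keeps intra-cluster ports inside the cluster network."""
from __future__ import annotations

import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    port_from: int
    port_to: int
    source: str  # source CIDR the rule allows


@dataclass(frozen=True)
class Finding:
    rule: Rule
    reason: str


# Intra-cluster ranges from the reference: only the cluster's own network should reach them.
INTRA_CLUSTER_RANGES = [
    (2049, 2049, "NFS (controller -> compute)"),
    (6817, 6817, "slurmctld"),
    (6819, 6819, "slurmdbd"),
    (3306, 3306, "MySQL (Slurm accounting)"),
    (8192, 60000, "Slurm srun job steps"),
    (1024, 65535, "user workflow traffic"),
]


def _overlaps(a_lo: int, a_hi: int, b_lo: int, b_hi: int) -> bool:
    return a_lo <= b_hi and b_lo <= a_hi


def _within(source: str, cidr: str) -> bool:
    """True if every address in `source` lies inside `cidr` (same IP version)."""
    s = ipaddress.ip_network(source, strict=False)
    c = ipaddress.ip_network(cidr, strict=False)
    return s.version == c.version and s.subnet_of(c)


def find_overexposed(rules: list[Rule], cluster_cidr: str, control_plane_cidr: str) -> list[Finding]:
    findings: list[Finding] = []
    for r in rules:
        if _within(r.source, cluster_cidr):
            continue  # intra-cluster source: any of the listed ranges is expected here
        if _overlaps(r.port_from, r.port_to, 22, 22) and not _within(r.source, control_plane_cidr):
            findings.append(Finding(r, "SSH (22) reachable from outside the control plane network"))
        hits = [name for lo, hi, name in INTRA_CLUSTER_RANGES
                if _overlaps(r.port_from, r.port_to, lo, hi)]
        if hits:
            findings.append(Finding(r, "intra-cluster ports reachable from outside the cluster "
                                       "network: " + ", ".join(hits)))
    return findings


# Constructed sample: cluster network 10.20.0.0/16, control plane network 10.0.0.0/16.
SAMPLE_RULES = [
    Rule(22, 22, "10.0.0.0/16"),        # SSH from the control plane network: expected
    Rule(2049, 2049, "10.20.0.0/16"),   # NFS within the cluster: fine
    Rule(1024, 65535, "10.20.0.0/16"),  # user traffic within the cluster: fine
    Rule(8192, 60000, "0.0.0.0/0"),     # srun range open to the internet: over-exposed
    Rule(22, 22, "0.0.0.0/0"),          # SSH from anywhere: wider than the reference needs
]

if __name__ == "__main__":
    for f in find_overexposed(SAMPLE_RULES, "10.20.0.0/16", "10.0.0.0/16"):
        print(f"{f.rule.port_from}-{f.rule.port_to} from {f.rule.source}: {f.reason}")
```

If all SSH traffic is routed through the agent tunnel, the control plane CIDR can be left empty of any rule on port 22 and the script will then flag every SSH allow rule, which is the intended outcome for that configuration.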
User workspaces can run on a dedicated user host, in a separate Kubernetes cluster, or in a dedicated namespace. The following ports are used by workspace containers and accessed by platform services.
| Port | Protocol | Purpose |
|---|---|---|
| 22 | TCP (SSH) | SSH access to the workspace |
| 3000 | TCP (HTTP) | IDE (code editor) |
| 3001 | TCP (HTTP) | Workspace API |
| 3003 | TCP (HTTP) | Workspace API |
| 3004 | TCP (HTTP) | Workspace API (also used by connected clusters) |
| 1024–65535 | TCP | User-started services and application traffic |
These ports are internal and do not need external exposure.
If using NFS or a shared filesystem for platform storage (see Kubernetes Deployment Guide), the control plane services need access to the NFS endpoint.
| Port | Protocol | Direction | Purpose |
|---|---|---|---|
| 2049 | TCP (NFS) | Control plane → Storage | Shared filesystem for user uploads and workflow assets |
If the platform is configured to send email notifications (billing alerts, user invitations), the control plane needs outbound access to your SMTP server.
| Direction | Destination | Port | Protocol | Purpose |
|---|---|---|---|---|
| Outbound | SMTP server | 587 | TCP (SMTP/STARTTLS) | Email delivery |
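Every outbound dependency in this reference (the agent's single egress to port 443 in the on-premises section above, and the control plane's NFS and SMTP egress in the last two tables) is a plain TCP path that can be verified before the platform is installed. The script below is an added example, not part of the ACTIVATE platform or its documentation: it lists the outbound dependencies per role and attempts a TCP connect to each, treating DNS failure, refusal and a silent firewall drop (timeout) alike as a failed path. The hostnames are placeholders to replace with your own; the loopback listener in the demo function is constructed so the check can be exercised offline.

```python
"""Preflight check of the outbound TCP paths the port reference requires."""
from __future__ import annotations

import socket
import sys
from dataclasses import dataclass


@dataclass(frozen=True)
class Dependency:
    host: str
    port: int
    purpose: str


def required_egress(role: str,
                    control_plane_host: str = "platform.example.invalid",
                    storage_host: str = "nfs.example.invalid",
                    smtp_host: str = "smtp.example.invalid") -> list[Dependency]:
    """Outbound dependencies per role, per the reference. Hostnames are placeholders."""
    if role == "agent":
        # Compute cluster agents only need HTTPS to the control plane.
        return [Dependency(control_plane_host, 443, "agent tunnel, API calls, heartbeats")]
    if role == "control-plane":
        return [
            Dependency(storage_host, 2049, "shared filesystem (NFS)"),
            Dependency(smtp_host, 587, "email notifications (SMTP/STARTTLS, optional)"),
        ]
    raise ValueError(f"unknown role {role!r}")


def tcp_reachable(host: str, port: int, timeout: float = 3.0) -> tuple[bool, str]:
    """Attempt a TCP connect; return (ok, detail). Speaks no TLS or application protocol."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True, "connected"
    except OSError as exc:  # DNS failure, connection refused, or timeout from a dropping firewall
        return False, f"{type(exc).__name__}: {exc}"


def run_preflight(deps: list[Dependency], timeout: float = 3.0) -> dict[tuple[str, int], tuple[bool, str]]:
    return {(d.host, d.port): tcp_reachable(d.host, d.port, timeout) for d in deps}


def demo_with_local_listener() -> tuple[bool, bool]:
    """Self-contained demo: a throwaway loopback listener stands in for the remote host.

    Returns (reachable while listening, reachable after the listener is closed).
    A closed port refuses immediately; a firewall that drops packets shows up as a
    timeout instead, and tcp_reachable reports both as a failed path.
    """
    with socket.socket() as srv:
        srv.bind(("127.0.0.1", 0))  # ephemeral port chosen by the OS
        srv.listen(1)
        port = srv.getsockname()[1]
        while_open, _ = tcp_reachable("127.0.0.1", port, timeout=1.0)
    after_close, _ = tcp_reachable("127.0.0.1", port, timeout=1.0)
    return while_open, after_close


if __name__ == "__main__":
    role = sys.argv[1] if len(sys.argv) > 1 else "agent"
    for (host, port), (ok, detail) in run_preflight(required_egress(role)).items():
        print(f"{'OK  ' if ok else 'FAIL'} {host}:{port} - {detail}")
```

Run it as `python preflight.py agent` on a compute cluster node or `python preflight.py control-plane` from inside the control plane network, after replacing the placeholder hostnames. A successful connect proves only that the path is open; it does not validate the TLS certificate or the WebSocket upgrade, which the agent itself checks when it registers.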
For a standard deployment, only one port needs external exposure on the control plane:
| Port | Protocol | Purpose |
|---|---|---|
| 443 | TCP | All platform traffic (UI, API, agent tunnels) |
| Port | Protocol | Location | Direction | Required | Purpose |
|---|---|---|---|---|---|
| 443 | HTTPS/WSS | Control plane LB | Inbound | Yes | UI, API, agent tunnels |
| 80 | HTTP | Control plane LB | Inbound | Optional | HTTP redirect |
| 8443 | HTTPS (mTLS) | Control plane LB | Inbound | Optional | CAC/Smart Card auth |
| 2049 | NFS | Control plane → Storage | Outbound | Yes | Shared filesystem |
| 3000 | HTTP | Internal | — | Yes | Cloud cacher |
| 4006 | HTTP | Internal | — | Yes | Legacy API (removal planned in v8) |
| 5432 | TCP | Internal | — | Yes | PostgreSQL |
| 5672 | AMQP | Internal | — | Yes | RabbitMQ |
| 8200 | HTTP | Internal | — | Yes | Vault |
| 8888 | HTTP | Internal | — | Yes | Internal API |
| 15672 | HTTP | Internal | — | Optional | RabbitMQ Management |
| 27017 | TCP | Internal | — | Yes | MongoDB |
| 587 | SMTP | Control plane → SMTP server | Outbound | Optional | Email notifications |
| 443 | WSS/HTTPS | Agent → Control plane | Outbound (from agent) | Yes | Agent tunnel and heartbeats |
| 22 | SSH | Compute clusters | Inbound (from control plane) | Conditional | SSH access from workspaces (not needed if using tunnel) |
| 2049 | NFS | Cloud cluster internal | — | Yes | NFS exports (controller → compute) |
| 6817 | TCP | Cloud cluster internal | — | Conditional | Slurmctld (Slurm clusters) |
| 6819 | TCP | Cloud cluster internal | — | Conditional | Slurmdbd (Slurm clusters) |
| 3306 | TCP | Cloud cluster internal | — | Conditional | MySQL for Slurm accounting |
| 8192–60000 | TCP | Cloud cluster internal | — | Conditional | Slurm srun ports |