# Configure ports and set up firewalls

> You are currently viewing version 1.1 of the Apigee hybrid documentation. **This version is end of life.** You should upgrade to a newer version. For more information, see [Supported versions](/apigee/docs/hybrid/supported-platforms#supported-versions).

Understanding which ports the hybrid runtime plane uses is important for enterprise implementations. This section describes the ports used for secure communications within the runtime plane, as well as the external ports used for communications with external services.
Internal connections
--------------------

Communication between the runtime plane and management plane is secured with one-way TLS and OAuth 2.0. Individual services use different protocols, depending on which service they are communicating with.
The following image shows the ports and communications channels within the hybrid runtime
plane:
The following table describes the ports and communications channels within the hybrid runtime plane:

**Internal Connections**

| Source | Direction | Destination | Protocol/Port(s) | Security Protocol | Description |
|---|---|---|---|---|---|
| MART | → | Cassandra | TCP/9042, TCP/9142 | mTLS | Sends data for persistence |
| MART Istio Ingress | → | MART | TCP/8443 | TLS | Requests from the management plane go through the MART Istio Ingress |
| Default Istio Ingress | → | Message Processor | TCP/8443 | TLS (Apigee-generated, self-signed cert) | Processes incoming API requests |
| Message Processor | → | Cassandra | TCP/9042, TCP/9142 | mTLS | Sends data for persistence |
| Message Processor | → | fluentd (Analytics) | TCP/20001 | mTLS | Streams data to the data collection pod |
| Cassandra | ↔ | Cassandra | TCP/7001 | mTLS | Intra-node cluster communications. Note that you can also leave port 7000 open in the firewall configuration as a backup option for potential troubleshooting. |
| Prometheus | → | Cassandra | TCP/7070 (HTTPS) | TLS | Scrapes metrics data from various services |
| Prometheus | → | MART | TCP/8843 (HTTPS) | TLS | Scrapes metrics data from various services |
| Prometheus | → | Message Processor | TCP/8843 (HTTPS) | TLS | Scrapes metrics data from various services |
| Prometheus | → | Synchronizer | TCP/8843 (HTTPS) | TLS | Scrapes metrics data from various services |
| Prometheus | → | UDCA | TCP/7070 (HTTPS) | TLS | Scrapes metrics data from various services |
External connections
--------------------

To configure your network firewall appropriately, you should know the inbound and outbound ports used by hybrid to communicate with external services.
The following image shows the ports used for external communications with the hybrid runtime
plane:
The following table describes the ports used for external communications with the hybrid runtime plane:

**External Connections**

Inbound Connections (exposed externally)

| Source | Direction | Destination | Protocol/Port(s) | Security Protocol | Description |
|---|---|---|---|---|---|
| Apigee Services | → | MART Istio Ingress | TCP/443 | OAuth over TLS 1.2 | Hybrid API calls from the management plane |
| Client Apps | → | Default Istio Ingress | TCP/\* | None/OAuth over TLS 1.2/mTLS | API requests from external apps |

Outbound Connections

| Source | Direction | Destination | Protocol/Port(s) | Security Protocol | Description |
|---|---|---|---|---|---|
| Message Processor | → | Backend services | TCP/\*, UDP/\* | None/OAuth over TLS 1.2 | Sends requests to customer-defined hosts |
| Synchronizer | → | Apigee Services | TCP/443 | OAuth over TLS 1.2 | Fetches configuration data; connects to apigee.googleapis.com |
| Synchronizer | → | GCP | TCP/443 | OAuth over TLS 1.2 | Connects to iamcredentials.googleapis.com for authorization |
| UDCA (Analytics) | → | Apigee Services (UAP) | TCP/443 | OAuth over TLS 1.2 | Sends data to UAP in the management plane and to GCP; connects to apigee.googleapis.com and storage.googleapis.com |
| Prometheus (Metrics) | → | GCP (Stackdriver) | TCP/443 | TLS | Sends data to Stackdriver in the management plane; connects to monitoring.googleapis.com |
| fluentd (Logging) | → | GCP (Stackdriver) | TCP/443 | TLS | Sends data to Stackdriver in the management plane; connects to logging.googleapis.com |
| MART | → | GCP | TCP/443 | OAuth over TLS 1.2 | Connects to iamcredentials.googleapis.com for authorization |

\* indicates that the port is configurable. Apigee recommends using 443.
Do not write firewall rules that allow external connections to specific IP addresses for `*.googleapis.com`; allow the domain name instead. The IP addresses can change, and the domain currently resolves to multiple addresses.
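As an added example (not code from the Apigee documentation), the following Python check encodes the two tables above as data and audits a constructed firewall ruleset against them: it flags egress to a `*.googleapis.com` host that is pinned to an IP literal, an internal runtime-plane port exposed on ingress, and a required egress flow that is missing. The rule dictionary format (`direction`, `dst`, `host`, `port`) is an assumption made for this illustration.

```python
import ipaddress

# Outbound flows the runtime plane needs, taken from the External connections table.
REQUIRED_EGRESS = {
    ("apigee.googleapis.com", 443),          # Synchronizer, UDCA
    ("iamcredentials.googleapis.com", 443),  # Synchronizer, MART
    ("storage.googleapis.com", 443),         # UDCA
    ("monitoring.googleapis.com", 443),      # Prometheus
    ("logging.googleapis.com", 443),         # fluentd
}
# Ports from the Internal connections table; none should be reachable from outside.
INTERNAL_ONLY_PORTS = {7000, 7001, 7070, 8843, 9042, 9142, 20001}


def _is_ip_literal(dst):
    """True when dst is an IP address or CIDR rather than a DNS name."""
    try:
        ipaddress.ip_network(dst, strict=False)
        return True
    except ValueError:
        return False


def check_rules(rules):
    """Return a list of findings; an empty list means the ruleset matches the tables."""
    findings = []
    allowed_egress = set()
    for r in rules:
        if r["direction"] == "egress":
            allowed_egress.add((r["host"], r["port"]))
            # The page says not to allow specific IPs for *.googleapis.com.
            if r["host"].endswith(".googleapis.com") and _is_ip_literal(r["dst"]):
                findings.append(f"egress to {r['host']} is pinned to {r['dst']}; match the DNS name instead")
        elif r["direction"] == "ingress" and r["port"] in INTERNAL_ONLY_PORTS:
            findings.append(f"ingress on {r['port']}/tcp exposes a runtime-plane internal port")
    for host, port in sorted(REQUIRED_EGRESS - allowed_egress):
        findings.append(f"missing egress to {host}:{port}")
    return findings


# Constructed sample ruleset (hypothetical rule format) with three deliberate problems.
SAMPLE_RULES = [
    {"direction": "ingress", "dst": "mart-ingress", "host": "", "port": 443},
    {"direction": "ingress", "dst": "cassandra", "host": "", "port": 9042},
    {"direction": "egress", "dst": "apigee.googleapis.com", "host": "apigee.googleapis.com", "port": 443},
    {"direction": "egress", "dst": "203.0.113.10/32", "host": "iamcredentials.googleapis.com", "port": 443},
    {"direction": "egress", "dst": "storage.googleapis.com", "host": "storage.googleapis.com", "port": 443},
    {"direction": "egress", "dst": "monitoring.googleapis.com", "host": "monitoring.googleapis.com", "port": 443},
]

if __name__ == "__main__":
    for finding in check_rules(SAMPLE_RULES):
        print(finding)
```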
Last updated 2025-08-29 UTC.