Security and Minion Appliance Firewall Rules

This section describes the communication endpoints and firewall rules for the Minion Appliance.

Communication endpoints

The Minion Appliance communicates with the following external endpoints. Users cannot modify these endpoints. Sites that restrict outgoing connections must make exceptions for the following:

Service DNS Alias Comment Port

Docker Registry*

DockerHub registry
Amazon AWS load balancer
Pulling Docker images.
Retrieve trusted digests of Docker images.
You can also create a private registry.

443/tcp https

Secure NTP

Clock synchronization systemd-timesyncd

123/udp ntp
4460/tcp ntp

Azure IoT Hub

5671/tcp amqps

Snapcraft* store API service
Initial link with Ubuntu’s application store

443/tcp https

Snapcraft CDN*

Snapcraft CDN network


*An asterisk indicates services that you can configure to go through an HTTP proxy. In this case, the Minion Appliance needs connectivity to the HTTP proxy, and the HTTP proxy needs connectivity to Snapcraft, Snapcraft CDN, or Docker.
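The following added example (not part of the OpenNMS documentation or code) audits a site's egress allowlist against the fixed endpoints listed above, including the proxy case for services marked with an asterisk. The ports come from the table; the address-group names, the rule syntax, and the proxy port 3128 are assumptions made for illustration.

```python
# Added example (not OpenNMS code). Ports are from the table above; the
# address-group names, rule syntax and proxy port are assumptions.
# Tuple: (address group, protocol, port, marked * = may use an HTTP proxy).
# Snapcraft CDN is left out because the page lists no port for it.
REQUIRED = [
    ("docker-registry", "tcp", 443, True),
    ("secure-ntp", "udp", 123, False),
    ("secure-ntp", "tcp", 4460, False),
    ("azure-iot-hub", "tcp", 5671, False),
    ("snapcraft-store", "tcp", 443, True),
]

def parse_rules(text):
    """Parse 'allow <proto> <port> <group|any>' lines; '#' starts a comment."""
    allowed = set()
    for raw in text.splitlines():
        fields = raw.split("#", 1)[0].split()
        if len(fields) == 4 and fields[0] == "allow":
            allowed.add((fields[1].lower(), int(fields[2]), fields[3]))
    return allowed

def covered(allowed, proto, port, group):
    """A flow is covered by a rule for its group or by a rule for 'any'."""
    return (proto, port, group) in allowed or (proto, port, "any") in allowed

def missing_exceptions(allowed, proxy=None):
    """Return required flows (proto, port, group) the allowlist lacks.

    proxy is an optional (group, port). When set, services marked * only
    need to reach the proxy; unmarked services still need a direct path.
    """
    gaps = []
    for group, proto, port, proxyable in REQUIRED:
        flow = ("tcp", proxy[1], proxy[0]) if proxy and proxyable else (proto, port, group)
        if not covered(allowed, *flow) and flow not in gaps:
            gaps.append(flow)
    return gaps

# Constructed sample allowlist for a site that routes HTTPS through a proxy.
SAMPLE_RULES = """
allow udp 123 secure-ntp
allow tcp 5671 azure-iot-hub
allow tcp 3128 http-proxy   # hypothetical proxy group and port
"""

if __name__ == "__main__":
    rules = parse_rules(SAMPLE_RULES)
    print("direct:", missing_exceptions(rules))
    print("proxied:", missing_exceptions(rules, proxy=("http-proxy", 3128)))
```

The check covers only the appliance's side of the firewall; the proxy's own path to Snapcraft, Snapcraft CDN, or Docker has to be verified on the proxy.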

The user can configure the following communication endpoints. (The first four rows show services OpenNMS has written.)

Host/IP Description Comment Port



REST API for Minion. User can change ports (OpenNMS code).

8980/tcp http
8443, 443 https

Telemetryd UDP listener

UDP port

UDP listener for flow datagrams (OpenNMS code)


Syslogd UDP listener

UDP port

UDP listener for Syslog datagrams (OpenNMS code)


SNMP Trap listener

UDP port

UDP listener for SNMP trap and SNMP Informs datagrams (OpenNMS code).




Messaging <Minion> ActiveMQ message broker by default runs within JVM of OpenNMS. Can be changed by the user.

61616/tcp activemq


Kafka Service Port

Messaging Minion Apache Kafka is used. Can be changed by the user.

9092/tcp kafka

The following illustrates the communication endpoints with the Minion Appliance:

Appliance communication endpoints