Security and Minion Appliance Firewall Rules

This section describes the communication endpoints and firewall rules for the Minion Appliance.

Communication endpoints

The Minion Appliance communicates with the following external endpoints. Users cannot modify these endpoints. Sites that restrict outgoing connections must make exceptions for the following:

| Service | DNS Alias | Comment | Port |
|---|---|---|---|
| Docker Registry* | auth.docker.io; registry-1.docker.io; registry.hub.docker.com; production.cloudflare.docker.com; notary.docker.io | Authentication; DockerHub registry; Amazon AWS load balancer; pulling Docker images; retrieving trusted digests of Docker images. You can also create a private registry. | 443/tcp https |
| Secure NTP | time.cloudflare.com | Clock synchronization (systemd-timesyncd) | 123/udp ntp; 4460/tcp ntp |
| Azure IoT Hub | prod-maas.azure-devices.net | https://docs.microsoft.com/en-us/azure/iot-hub/iot-hub-understand-ip-address | 5671/tcp amqps |
| Snapcraft* | api.snapcraft.io; serial-vault-partners.canonical.com; snapcraft.io | Store API service; initial link with Ubuntu's application store | 443/tcp https |
| Snapcraft CDN* | canonical-lcy01.cdn.snapcraftcontent.com; canonical-lgw01.cdn.snapcraftcontent.com; canonical-bos01.cdn.snapcraftcontent.com; cloudfront.cdn.snapcraftcontent.com | Snapcraft CDN network | 443/tcp https |

*An asterisk indicates services that you can configure to go through an HTTP proxy. In this case the Minion Appliance needs connectivity only to the HTTP proxy, and the HTTP proxy needs connectivity to Snapcraft, Snapcraft CDN, or Docker.

The user can configure the following communication endpoints. (The first four rows are services implemented in OpenNMS code.)

| Host/IP | Description | Comment | Port |
|---|---|---|---|
| opennms-ip:8980/opennms | OpenNMS API | REST API for Minion. The user can change the ports (OpenNMS code). | 8980/tcp http; 8443, 443 https |
| Telemetryd UDP listener | UDP port | UDP listener for flow datagrams (OpenNMS code) | <user-defined>/udp |
| Syslogd UDP listener | UDP port | UDP listener for Syslog datagrams (OpenNMS code) | <user-defined>/udp |
| SNMP Trap listener | UDP port | UDP listener for SNMP trap and SNMP inform datagrams (OpenNMS code) | <user-defined>/udp |
| activemq-ip:61616 | ActiveMQ messaging (Minion) | The ActiveMQ message broker runs by default within the JVM of OpenNMS. Can be changed by the user. | 61616/tcp activemq |
| kafka-broker:9092 | Kafka service port, messaging (Minion) | Apache Kafka is used. Can be changed by the user. | 9092/tcp kafka; 9093/tcp ssl |

The following illustrates the communication endpoints with the Minion Appliance:

[Figure: communication endpoints of the Minion Appliance]
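As an added example (not part of the OpenNMS documentation or product), the following script turns the two tables above into an egress allowlist and checks constructed connection records against it, so a site can verify that its firewall exceptions are neither broader nor narrower than the documented endpoints. The `host port proto` record format, the proxy host `proxy.example` and the user-chosen OpenNMS and broker addresses are assumptions.

```python
# Hosts marked * in the table: reachable directly on 443/tcp, or via an HTTP proxy instead.
PROXYABLE_HOSTS = {
    "auth.docker.io", "registry-1.docker.io", "registry.hub.docker.com",
    "production.cloudflare.docker.com", "notary.docker.io",
    "api.snapcraft.io", "serial-vault-partners.canonical.com", "snapcraft.io",
    "canonical-lcy01.cdn.snapcraftcontent.com", "canonical-lgw01.cdn.snapcraftcontent.com",
    "canonical-bos01.cdn.snapcraftcontent.com", "cloudfront.cdn.snapcraftcontent.com",
}
# (host, port, proto) tuples that always need direct connectivity (no proxy option).
DIRECT_ENDPOINTS = {
    ("time.cloudflare.com", 123, "udp"), ("time.cloudflare.com", 4460, "tcp"),
    ("prod-maas.azure-devices.net", 5671, "tcp"),
}

def build_allowlist(proxy=None, opennms=("opennms-ip", 8980, "tcp"),
                    broker=("activemq-ip", 61616, "tcp")):
    """Return the set of (host, port, proto) the appliance may open.
    proxy: (host, port) of an HTTP proxy (assumed name); when set, the *-marked
    services go through it and their direct hosts are left out of the allowlist.
    opennms / broker: the user-configurable endpoints from the second table."""
    allowed = set(DIRECT_ENDPOINTS)
    if proxy:
        allowed.add((proxy[0], proxy[1], "tcp"))
    else:
        allowed |= {(host, 443, "tcp") for host in PROXYABLE_HOSTS}
    allowed.add(opennms)
    allowed.add(broker)
    return allowed

def parse_record(line):
    """Parse one constructed 'host port proto' connection record."""
    host, port, proto = line.split()
    return host, int(port), proto

def find_violations(log_lines, allowlist):
    """Return the records that the documented rules do not cover."""
    return [rec for rec in map(parse_record, log_lines) if rec not in allowlist]

# Constructed sample records, not captured traffic.
SAMPLE_LOG = [
    "registry-1.docker.io 443 tcp",
    "time.cloudflare.com 123 udp",
    "opennms-ip 8980 tcp",
    "activemq-ip 61616 tcp",
    "example.invalid 8080 tcp",     # not in either table: should be flagged
    "registry-1.docker.io 80 tcp",  # documented host, undocumented port: should be flagged
]

if __name__ == "__main__":
    for rec in find_violations(SAMPLE_LOG, build_allowlist()):
        print("unexpected egress:", rec)
```

Running it without a proxy reports the two deliberately out-of-policy records; passing `proxy=("proxy.example", 3128)` instead drops the direct Docker and Snapcraft hosts from the allowlist, which is the shape of the rule set a proxied site should have.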