Security and Minion Appliance firewall rules

This section describes the communication endpoints and firewall rules for the Minion Appliance.

Communication endpoints

The Minion Appliance communicates with the following external endpoints. Users cannot modify these endpoints. Sites that restrict outgoing connections must make exceptions for the following:

| Service | DNS Alias | Comment | Port |
|---|---|---|---|
| Docker Registry* | auth.docker.io | Authentication | 443/tcp https |
| | registry-1.docker.io | DockerHub registry | |
| | registry.hub.docker.com | Amazon AWS load balancer | |
| | production.cloudflare.docker.com | Pulling Docker images | |
| | notary.docker.io | Retrieve trusted digests of Docker images | |
| Ubuntu core | ntp.ubuntu.com | Clock synchronization (systemd-timesyncd) | 123/udp ntp |
| Azure IoT Hub | prod-maas.azure-devices.net | See https://docs.microsoft.com/en-us/azure/iot-hub/iot-hub-understand-ip-address | 5671/tcp amqps |
| Snapcraft* | api.snapcraft.io | snapcraft.io store API service | 443/tcp https |
| | serial-vault-partners.canonical.com | Initial link with Ubuntu's application store | |
| Snapcraft CDN* | canonical-lcy01.cdn.snapcraftcontent.com | Snapcraft CDN network | 443/tcp https |
| | canonical-lgw01.cdn.snapcraftcontent.com | | |
| | canonical-bos01.cdn.snapcraftcontent.com | | |
| | cloudfront.cdn.snapcraftcontent.com | | |

*An asterisk indicates services that you can configure to go through an HTTP proxy. In this case the Minion Appliance needs connectivity to the HTTP proxy and the HTTP proxy needs connectivity to Snapcraft, Snapcraft CDN, or Docker.
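The two ways of allowing the outbound traffic in the table above, as an added example that is not part of the OpenNMS documentation: the script below generates iptables OUTPUT rules from the endpoint list, either one rule per endpoint or, when an HTTP proxy is given, a single rule to the proxy for the asterisked services while NTP and AMQPS (which cannot traverse an HTTP proxy) keep direct egress. The proxy address and the use of an iptables OUTPUT chain are assumptions.

```shell
#!/bin/sh
# Added example: egress allow-list for the Minion Appliance built from the
# "Communication endpoints" table. Fields: service|dns-alias|proto|port|proxyable
# (proxyable=1 marks the services flagged with * in the table).
ENDPOINTS='
docker|auth.docker.io|tcp|443|1
docker|registry-1.docker.io|tcp|443|1
docker|registry.hub.docker.com|tcp|443|1
docker|production.cloudflare.docker.com|tcp|443|1
docker|notary.docker.io|tcp|443|1
ubuntu-core|ntp.ubuntu.com|udp|123|0
azure-iot-hub|prod-maas.azure-devices.net|tcp|5671|0
snapcraft|api.snapcraft.io|tcp|443|1
snapcraft|serial-vault-partners.canonical.com|tcp|443|1
snapcraft-cdn|canonical-lcy01.cdn.snapcraftcontent.com|tcp|443|1
snapcraft-cdn|canonical-lgw01.cdn.snapcraftcontent.com|tcp|443|1
snapcraft-cdn|canonical-bos01.cdn.snapcraftcontent.com|tcp|443|1
snapcraft-cdn|cloudfront.cdn.snapcraftcontent.com|tcp|443|1
'

# gen_egress_rules [proxy_host:proxy_port]
# Prints iptables OUTPUT rules. Note that iptables resolves a hostname once,
# when the rule is loaded; the CDN names (Cloudflare, CloudFront) rotate
# addresses, which is one reason to prefer the proxy mode for those services.
gen_egress_rules() {
  proxy="$1"   # empty string = direct egress for every endpoint
  printf '%s\n' "$ENDPOINTS" | grep -v '^$' |
  while IFS='|' read -r svc host proto port proxyable; do
    # In proxy mode the asterisked services are reached via the proxy only.
    if [ -n "$proxy" ] && [ "$proxyable" = 1 ]; then
      continue
    fi
    printf '%s\n' "-A OUTPUT -p $proto -d $host --dport $port -m comment --comment $svc -j ACCEPT"
  done
  if [ -n "$proxy" ]; then
    # Hypothetical proxy address supplied by the caller, e.g. proxy.example.internal:3128
    printf '%s\n' "-A OUTPUT -p tcp -d ${proxy%:*} --dport ${proxy##*:} -m comment --comment http-proxy -j ACCEPT"
  fi
  # Everything not listed above is denied.
  printf '%s\n' "-A OUTPUT -j DROP"
}
```

Pipe the output into iptables-restore under a `*filter` header, or run each line with `iptables` prefixed, after reviewing it against your site's own allow-list.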

You can configure the following communication endpoints. (The first four rows are services written by OpenNMS.)

| Host/IP | Description | Comment | Port |
|---|---|---|---|
| opennms-ip:8980/opennms | OpenNMS API | REST API for Minion. User can change ports (OpenNMS code) | 8980/tcp http; 8443/tcp or 443/tcp https |
| Telemetryd UDP listener | UDP port | UDP listener for flow datagrams (OpenNMS code) | <user-defined>/udp |
| Syslogd UDP listener | UDP port | UDP listener for Syslog datagrams (OpenNMS code) | <user-defined>/udp |
| SNMP Trap listener | UDP port | UDP listener for SNMP trap and SNMP inform datagrams (OpenNMS code) | <user-defined>/udp |
| activemq-ip:61616 | ActiveMQ | Messaging (Minion). The ActiveMQ message broker runs within the OpenNMS JVM by default; user can change | 61616/tcp activemq |
| kafka-broker:9092 | Kafka Service Port | Messaging (Minion). Used when Apache Kafka is the message broker; user can change | 9092/tcp kafka; 9093/tcp ssl |

The following figure illustrates the communication endpoints of the Minion Appliance:

[Figure: appliance communication]