Security and Minion Appliance Firewall Rules

This section describes the communication endpoints and firewall rules for the Minion Appliance.

Communication endpoints

The Minion Appliance communicates with the following external endpoints. Users cannot modify these endpoints. Sites that restrict outgoing connections must allow the appliance to reach the following hosts and ports:

Service: Docker Registry*
  DNS aliases:
    auth.docker.io                    Authentication
    registry-1.docker.io              DockerHub registry
    registry.hub.docker.com           Amazon AWS load balancer
    production.cloudflare.docker.com  Pulling Docker images
    notary.docker.io                  Retrieve trusted digests of Docker images
  Port: 443/tcp https
  Note: You can also create a private registry instead of pulling from DockerHub.

Service: Secure NTP
  DNS alias:
    time.cloudflare.com               Clock synchronization (systemd-timesyncd)
  Ports: 123/udp ntp
         4460/tcp nts-ke (Network Time Security key establishment)

Service: Azure IoT Hub
  DNS alias:
    prod-maas.azure-devices.net       IoT Hub IP address ranges: https://docs.microsoft.com/en-us/azure/iot-hub/iot-hub-understand-ip-address
  Port: 5671/tcp amqps

Service: Snapcraft*
  DNS aliases:
    api.snapcraft.io                     snapcraft.io store API service
    serial-vault-partners.canonical.com  Initial link with Ubuntu's application store
  Port: 443/tcp https

Service: Snapcraft CDN*
  DNS aliases:
    canonical-lcy01.cdn.snapcraftcontent.com
    canonical-lgw01.cdn.snapcraftcontent.com
    canonical-bos01.cdn.snapcraftcontent.com
    cloudfront.cdn.snapcraftcontent.com
  Comment: Snapcraft CDN network
  Port: 443/tcp https

*An asterisk marks services that you can configure to go through an HTTP proxy. In that case the Minion Appliance only needs connectivity to the HTTP proxy, and the HTTP proxy needs connectivity to the Docker Registry, Snapcraft and Snapcraft CDN hosts listed above. Secure NTP and Azure IoT Hub are not proxied and always need direct outbound access on the ports shown.

The user can configure the following communication endpoints. The first four rows are services implemented in OpenNMS code; the last two are the third-party message brokers the Minion can use.

Host/IP: opennms-ip:8980/opennms
  Description: OpenNMS API
  Comment: REST API the Minion connects to (OpenNMS code). The user can change the ports.
  Ports: 8980/tcp http
         8443/tcp or 443/tcp https

Host/IP: Telemetryd UDP listener
  Description: UDP port
  Comment: Inbound UDP listener on the Minion for flow datagrams (OpenNMS code).
  Port: <user-defined>/udp

Host/IP: Syslogd UDP listener
  Description: UDP port
  Comment: Inbound UDP listener on the Minion for Syslog datagrams (OpenNMS code).
  Port: <user-defined>/udp

Host/IP: SNMP Trap listener
  Description: UDP port
  Comment: Inbound UDP listener on the Minion for SNMP trap and SNMP inform datagrams (OpenNMS code).
  Port: <user-defined>/udp

Host/IP: activemq-ip:61616
  Description: ActiveMQ
  Comment: Messaging (Minion). By default the ActiveMQ message broker runs within the JVM of OpenNMS; the user can change this.
  Port: 61616/tcp activemq

Host/IP: kafka-broker:9092
  Description: Kafka Service Port
  Comment: Messaging (Minion) when Apache Kafka is used as the broker; the user can change this.
  Ports: 9092/tcp kafka (plaintext)
         9093/tcp ssl
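The two tables above are, in practice, an egress allowlist plus a handful of inbound listener ports. The script below is an added example (not part of the OpenNMS Minion Appliance or its documentation) that renders both tables as iptables commands: fixed endpoints that must always be reachable directly, the asterisked services either directly or via the HTTP proxy, the user-configured OpenNMS core and broker endpoints, and the user-defined UDP listeners as INPUT rules. The OpenNMS, broker, resolver and proxy addresses, the listener port numbers and the proxy port are placeholders I chose (RFC 5737 documentation addresses), not values from the page.

```shell
#!/bin/sh
# Added example, not OpenNMS appliance code: print an iptables ruleset derived
# from the endpoint tables above. Pipe the output to sh to apply it.
#
# Assumed placeholders (not from the page): replace with your own values.
OPENNMS_HOST=${OPENNMS_HOST:-192.0.2.10}    # opennms-ip
OPENNMS_PORT=${OPENNMS_PORT:-8980}          # 8980/tcp http; 8443 or 443 for https
BROKER_HOST=${BROKER_HOST:-192.0.2.11}      # activemq-ip or kafka-broker
BROKER_PORT=${BROKER_PORT:-61616}           # 61616 ActiveMQ; 9092/9093 Kafka
RESOLVER=${RESOLVER:-192.0.2.53}            # DNS resolver the appliance uses (assumed)
HTTP_PROXY_HOST=${HTTP_PROXY_HOST:-}        # empty = no proxy, reach services directly
HTTP_PROXY_PORT=${HTTP_PROXY_PORT:-3128}
FLOW_PORT=${FLOW_PORT:-9999}                # <user-defined>/udp Telemetryd listener
SYSLOG_PORT=${SYSLOG_PORT:-10514}           # <user-defined>/udp Syslogd listener
TRAP_PORT=${TRAP_PORT:-1162}                # <user-defined>/udp SNMP trap listener

# Services marked * on the page: may be routed through the HTTP proxy.
proxyable_hosts() {
  cat <<'EOF'
auth.docker.io
registry-1.docker.io
registry.hub.docker.com
production.cloudflare.docker.com
notary.docker.io
api.snapcraft.io
serial-vault-partners.canonical.com
canonical-lcy01.cdn.snapcraftcontent.com
canonical-lgw01.cdn.snapcraftcontent.com
canonical-bos01.cdn.snapcraftcontent.com
cloudfront.cdn.snapcraftcontent.com
EOF
}

# allow HOST PROTO PORT -> one OUTPUT rule. iptables resolves HOST when the
# rule is inserted and adds one rule per A record (see the note below).
allow() {
  printf 'iptables -A OUTPUT -d %s -p %s --dport %s -j ACCEPT\n' "$1" "$2" "$3"
}

gen_egress_rules() {
  echo 'iptables -P OUTPUT DROP'
  echo 'iptables -A OUTPUT -o lo -j ACCEPT'
  echo 'iptables -A OUTPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT'
  allow "$RESOLVER" udp 53                     # name resolution for the hosts below
  allow "$RESOLVER" tcp 53
  # Fixed endpoints that are never proxied.
  allow time.cloudflare.com udp 123            # NTP
  allow time.cloudflare.com tcp 4460           # NTS-KE
  allow prod-maas.azure-devices.net tcp 5671   # Azure IoT Hub, AMQPS
  # Asterisked services: only the proxy, or every host directly.
  if [ -n "$HTTP_PROXY_HOST" ]; then
    allow "$HTTP_PROXY_HOST" tcp "$HTTP_PROXY_PORT"
  else
    proxyable_hosts | while read -r h; do allow "$h" tcp 443; done
  fi
  # User-configured endpoints from the second table.
  allow "$OPENNMS_HOST" tcp "$OPENNMS_PORT"
  allow "$BROKER_HOST" tcp "$BROKER_PORT"
}

# Inbound listeners from the second table. Add rules for appliance management
# access (not covered on this page) before applying a DROP policy on INPUT.
gen_ingress_rules() {
  echo 'iptables -A INPUT -i lo -j ACCEPT'
  echo 'iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT'
  for p in "$FLOW_PORT" "$SYSLOG_PORT" "$TRAP_PORT"; do
    printf 'iptables -A INPUT -p udp --dport %s -j ACCEPT\n' "$p"
  done
}

# Number of destination-specific OUTPUT rules the generator emits.
count_dest_rules() { gen_egress_rules | grep -c -e '-d '; }

gen_egress_rules
gen_ingress_rules
```

Because iptables resolves `-d hostname` only at insertion time, direct rules for the CDN-backed names (Cloudflare, CloudFront, the Snapcraft CDN) go stale as those addresses rotate and have to be regenerated; routing the asterisked services through the HTTP proxy reduces the appliance's egress rules to a single proxy address, which is the practical reason to prefer that option on restricted sites.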

The following illustrates the communication endpoints with the Minion Appliance:

Appliance communication endpoints