Ports & Networking Reference

This guide outlines all network interactions in a VOR Stream deployment so that operators can create accurate firewall rules and security-group policies.

Internal Traffic

Traffic described in this section never leaves the private network that hosts VOR Stream; user-facing flows are documented in External Traffic.

Service discovery with Consul

Consul provides both service discovery and centralized configuration:

  • Client agents run on every host.
  • Server agents run on hosts listed in the [consul] block of the Ansible inventory file.

The diagram below illustrates communication between server agents and their client counterparts.

```mermaid
flowchart TB
  %% Group servers and clients
  subgraph SubCS[Consul Servers]
    direction LR
    A["Consul Server A"]
    B["Consul Server B"]
    C["Consul Server C"]
  end

  subgraph SubCC[Consul Clients]
    direction LR
    CA["Consul Client A"]
    CB["Consul Client B"]
    CC["Consul Client C"]
  end

  %% Server-Server mesh
  A <-- 8300,8301 --> B
  B <-- 8300,8301 --> C

  %% Client-Server
  SubCC -- 8300 --> SubCS
  SubCC <-- 8301 --> SubCS

  %% Client-Client gossip
  CA <-- 8301 --> CB
  CB <-- 8301 --> CC
```

Internal port matrix

Ports are given destination-first: the Target Service column is the service the connection is initiated to, and the Source Service column is the service that opens the connection. All Consul Serf traffic is both TCP and UDP.

| Target Service | Port | Purpose / Notes | Source Service |
|---|---|---|---|
| Compute | 23234 | SSH — run execution | Mid-Tier |
| Consul Client | 8301 | Serf LAN (TCP + UDP) | Consul Client |
| Consul Client | 8301 | Serf LAN (TCP + UDP) | Consul Server |
| Consul Client | 8600 | DNS interface (TCP + UDP) | Web |
| Consul Server | 8300 | Internal RPC | Consul Client |
| Consul Server | 8301 | Serf LAN (TCP + UDP) | Consul Client |
| Consul Server | 8300 | Internal RPC | Consul Server |
| Consul Server | 8301 | Serf LAN (TCP + UDP) | Consul Server |
| Django | 8001 | API | Mid-Tier |
| Django | 8001 | API | SDK |
| Mid-Tier | 1962 | API | Compute |
| Mid-Tier | 1962 | API | Django |
| Mid-Tier | 1962 | API | Web |
| Postgres | 5432 | Used only if Postgres is selected | Django |
| Postgres | 5432 | Used only if Postgres is selected | Vault |
| RabbitMQ | 15672 | Management UI | Compute |
| RabbitMQ | 5672 | AMQP | Compute |
| RabbitMQ | 15672 | Management UI | Mid-Tier |
| RabbitMQ | 5672 | AMQP | Mid-Tier |
| RabbitMQ | 15672 | Management UI | Vault |
| SDK | 9000 | gRPC API | Compute |
| SDK | 9000 | gRPC API | Mid-Tier |
| SQL Server | 1433 | Used only if SQL Server is selected | Django |
| SQL Server | 1433 | Used only if SQL Server is selected | Vault |
| Vault | 8200 | HTTP API | Compute |
| Vault | 8200 | HTTP API | Django |
| Vault | 8200 | HTTP API | Mid-Tier |
| Vault | 8200 | HTTP API | SDK |
| Web | 8081 | CLI Auth | Compute |

Note

Connections originating from Vault are only necessary when you enable dynamic secrets for the destination service. Static key-value secrets do not require Vault to call the service.

Internal traffic diagram

The diagram below visualizes internal service flows, excluding Consul traffic. All services communicate with their local Consul agent, which relays to the server cluster.

```mermaid
graph LR
    Super[VOR Stream Mid-Tier]
    Compute[Compute Server]
    RabbitMQ[RabbitMQ Server]
    Django[Django Mid-Tier]
    Vault[Vault Server]
    SDK[SDK Server]
    Postgres[Postgres Server]
    Caddy[Web Server]

    %% Mid-tier outbound
    Super -->|8001| Django
    Super -->|23234| Compute
    Super -->|9000| SDK
    Super -->|8200| Vault
    Super -->|5672| RabbitMQ
    Super -->|15672| RabbitMQ

    %% Django outbound
    Django -->|1962| Super
    Django -->|5432| Postgres
    Django -->|8200| Vault

    %% Compute outbound
    Compute -->|1962| Super
    Compute -->|9000| SDK
    Compute -->|5672| RabbitMQ
    Compute -->|15672| RabbitMQ
    Compute -->|8200| Vault

    %% SDK outbound
    SDK -->|8200| Vault
    SDK -->|8001| Django

    %% Vault outbound
    Vault -->|5432| Postgres
    Vault -->|15672| RabbitMQ

    %% Web outbound
    Caddy -->|1962| Super
```

Service Host-Group mapping

Use the table below with your Ansible inventory file to convert service-level rules into host-level rules for single- or multi-tier deployments.

| Service | Ansible host group |
|---|---|
| Compute | compute |
| Consul Client | all |
| Consul Server | consul |
| Consul UI | consul_ui |
| Django | django |
| Mid-Tier | super |
| Postgres | postgres |
| RabbitMQ | rabbitmq |
| SDK | sdk |
| Vault | vault |
| Web | web |
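The conversion this table describes, service-level rows joined with an inventory to produce host-level rules, as an added example that is not part of the VOR Stream documentation or its Ansible roles. It uses a few rows from the internal port matrix above; the INI inventory and its 10.0.0.0/8 addresses are constructed, and the nftables output format is an assumption about the target firewall.

```python
"""Expand VOR Stream's service-level port matrix into host-level allow rules
from an Ansible INI inventory. Added example, not part of the VOR Stream docs
or its Ansible roles; the inventory and addresses below are constructed."""
from collections import defaultdict

# Rows from the internal port matrix: (target service, port, protocols, source service)
MATRIX = [
    ("Mid-Tier", 1962, ("tcp",), "Web"),
    ("Compute", 23234, ("tcp",), "Mid-Tier"),
    ("Consul Server", 8301, ("tcp", "udp"), "Consul Client"),
]
# Service -> Ansible host group, from the Service Host-Group mapping table
GROUPS = {"Compute": "compute", "Consul Client": "all", "Consul Server": "consul",
          "Mid-Tier": "super", "Web": "web"}
INVENTORY = """\
[super]
mid1 ansible_host=10.0.1.10
[compute]
comp1 ansible_host=10.0.2.10
comp2 ansible_host=10.0.2.11
[consul]
consul1 ansible_host=10.0.3.10
[web]
web1 ansible_host=10.0.5.10
"""

def parse_inventory(text):
    """Map each group to its hosts' addresses; 'all' is the union of every group."""
    groups, current = defaultdict(list), None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
        elif line and current is not None:  # hosts before any [group] are ignored
            tokens = line.split()
            addr = next((t.split("=", 1)[1] for t in tokens if t.startswith("ansible_host=")), tokens[0])
            groups[current].append(addr)
    groups["all"] = sorted({a for addrs in list(groups.values()) for a in addrs})
    return dict(groups)

def expand_rules(matrix, groups, inventory):
    """Return sorted (src, dst, proto, port) tuples, one per host pair and protocol."""
    rules = set()
    for target, port, protos, source in matrix:
        for src in inventory.get(groups[source], []):
            for dst in inventory.get(groups[target], []):
                if src != dst:  # a host talking to itself never crosses the host firewall
                    rules.update((src, dst, proto, port) for proto in protos)
    return sorted(rules)

def render_nft(rules):
    """One nftables input-chain rule per tuple; a default-drop policy is assumed elsewhere."""
    return [f"ip saddr {s} ip daddr {d} {p} dport {port} accept" for s, d, p, port in rules]
```

Because "Consul Client" maps to the `all` group, the single Serf row fans out to every host in the inventory, which is the expansion that is easy to miss when rules are written by hand.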

External Traffic

This section covers all traffic that must enter or leave the VOR Stream environment.

OpenID Connect (OIDC) considerations

The Mid-Tier, Django, Vault, and SDK services rely on OpenID Connect Discovery for authentication. At startup, each service fetches the provider configuration from the OIDC provider as described in section 4 of the specification, so each of these services must be able to reach the OIDC provider. When defining network traffic rules, check the configured OIDC provider's documentation for a published list of fixed IP addresses or ranges that serve its OIDC endpoints; otherwise, allow outbound HTTPS to the provider's FQDN.

Azure Entra ID IP ranges

Microsoft publishes weekly JSON files containing IP ranges for public-cloud services, including Entra ID (formerly Azure AD).

  1. Download the latest Azure IP Ranges and Service Tags file.

    Warning

    The file is updated weekly. Automate this download and update process so that VOR Stream services retain access.

  2. Extract the Entra ID (AzureActiveDirectory) ranges. The filename changes each week, so substitute the file you actually downloaded:

    ```bash
    jq -r '.values[] | select(.name == "AzureActiveDirectory") | .properties.addressPrefixes[]' \
      ServiceTags_Public_20250505.json   # filename differs each week; use the one you downloaded
    ```
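The weekly update the Warning above asks you to automate, as an added example that is not part of the VOR Stream documentation: it extracts the AzureActiveDirectory prefixes the same way the jq filter does, validates them, and diffs them against the prefixes currently allowed so that only changes are applied. The JSON fragment is constructed in the shape of the Service Tags file and uses documentation address ranges.

```python
"""Extract Entra ID prefixes from an Azure Service Tags file and diff them
against the set currently allowed, so the weekly update only touches what
changed. Added example, not part of the VOR Stream docs; the JSON below is a
constructed fragment in the shape of ServiceTags_Public_<date>.json."""
import ipaddress
import json

# Constructed stand-in for the downloaded file; prefixes are documentation ranges
SAMPLE_JSON = json.dumps({
    "changeNumber": 1,
    "values": [
        {"name": "AzureActiveDirectory",
         "properties": {"addressPrefixes": ["203.0.113.0/24", "2001:db8::/32"]}},
        {"name": "AzureCloud", "properties": {"addressPrefixes": ["198.51.100.0/24"]}},
    ],
})

def tag_prefixes(text, tag="AzureActiveDirectory"):
    """Return the validated prefixes for one service tag, split by IP version."""
    doc = json.loads(text)
    found = [v for v in doc["values"] if v["name"] == tag]
    if len(found) != 1:  # a renamed or missing tag must fail loudly, not empty the allow-list
        raise ValueError(f"expected exactly one {tag} entry, found {len(found)}")
    nets = [ipaddress.ip_network(p) for p in found[0]["properties"]["addressPrefixes"]]
    return {4: {str(n) for n in nets if n.version == 4},
            6: {str(n) for n in nets if n.version == 6}}

def prefix_delta(current, previous):
    """Prefixes to add to and remove from the egress allow-list since the last run."""
    return {"add": sorted(current - previous), "remove": sorted(previous - current)}
```

Persist the previously applied set between runs (a file is enough) and feed `prefix_delta` the new `tag_prefixes` result; an empty delta means the firewall rules need no change that week.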

External port matrix

This table lists the ports that need to be exposed externally, along with the intended audience and purpose of each connection. Use it when configuring perimeter controls like firewalls or reverse proxies.

| Audience | Host group | Port | Purpose | Notes |
|---|---|---|---|---|
| Administrators | consul_ui | 8500 | Consul UI | Optional but recommended for viewing service inventory and status |
| Administrators | rabbitmq | 15672 | RabbitMQ Management UI | Optional |
| Administrators | vault | 8200 | Vault API | Optional |
| Administrators / Power Users | super | 22 | SSH | CLI access to VOR Stream |
| All users | django | 8001 | Django API | |
| All users | web | 8081 | Web UI | |