Agent ports
  • 10 Oct 2024
  • 1 Minute to read
  • Dark
    Light
  • PDF

Agent ports

  • Dark
    Light
  • PDF

Article summary

The Agent Ports page provides essential information about the communication ports used by Traceable's tracing and platform agents. This topic covers the default ports, reverse proxy configuration, and specific port requirements for different functionalities.

This topic details the ports required for communication between the Traceable Platform Agent (TPA) and other services. It also includes guidance on setting up HTTP and HTTPS reverse proxies to manage these connections.

Note

As of TPA version 1.44.0, OPA has been deprecated, and port 8181 is no longer required or used.

Reverse Proxy Configuration

HTTP Reverse Proxy

By default, the TPA exposes individual listeners for each service and port. However, you can configure a reverse proxy for HTTP or HTTPS traffic.

To configure an HTTP reverse proxy, enable it in the configuration as shown below:

# agentconfig.yaml
global:
  enable_http_reverse_proxy: true # false by default

This setting will expose port 5442 as an HTTP reverse proxy and handle all services except for ports 8443, 8444, and 5444.

HTTPS Reverse Proxy

For an HTTPS reverse proxy, update the TLS configuration:

# agentconfig.yaml
global:
  tls_server:
    endpoint: "0.0.0.0:5443"
    key_file: "../injector/pkg/injector/testdata/server.key"
    cert_file: "../injector/pkg/injector/testdata/server.crt"
    root_cert_file: "../injector/pkg/injector/testdata/rootCA.crt"

This configuration exposes port 5443 as an HTTPS reverse proxy, handling all services except ports 8443, 8444, and 5444.

Reverse Proxy Limitations

Both HTTP and HTTPS reverse proxies will work for most ports, except for:

  • TCP 8443: Used by the F5 HSL listener.

  • TCP 8444: Reserved for Apigee.

Required Ports

The following table lists the ports that need to be opened for communication between the tracing agent and the platform agent, along with the tracing agents that use each port:

Port number

Agents

OTLP — 4317

  • Go

  • Java

  • Node.js

  • Python

  • HAProxy Ingress Controller

  • eBPF Tracer

  • Boomi

  • Ambassador

OTLP HTTP — 4318

  • Node.js Lambda

  • Python Lambda

  • Ruby

Zipkin — 9411

  • Kong Ingress Controller

  • NGINX Ingress Controller

  • Istio

  • Kuma

  • Kong

  • NGINX

  • OpenResty

  • Ambassador

Agent Config — 5441

  • NGINX

  • eBPF Tracer

  • Ambassador

  • Go

  • Java

  • Node.js

  • Python

  • HAProxy Ingress Controller

Traceable Module Extension (TME) — 5442

  • Azure APIM

  • IIS

  • Gloo

  • Kong Ingress Controller

  • NGINX Ingress Controller

  • Istio

  • Kuma

  • Apigee Service Callout

  • Kong

  • Mulesoft with XML plugin

  • Mulesoft with Java plugin

  • OpenResty

  • IBM DataPower

  • 3Scale

Health Check

  • F5

  • GCP Traffic mirroring

  • Traffic mirroring for VM

HAProxy TCP — 5444

  • HAProxy

VXLAN — 4789

  • AWS traffic mirroring

  • F5 — Required when F5 mirrored traffic is routed through VXLAN

TLS Packet Forwarder — 8001

  • Required when mirrored traffic is encrypted

TCP — 8443

  • F5 HSL

TCP — 8444

  • Apigee Message Logging

TLS Server — 5443

  • Azure APIM

  • Go

  • Java

  • Node.js

  • IIS

  • Python

  • Apigee Service Callout

  • Mulesoft with XML plugin

  • Mulesoft with Java plugin

  • IBM DataPower

  • eBPF Tracer

  • CloudFlare Worker — Must use port 443 for worker on Traceable Platform agent.

Note

For DaemonSet Mirroring, no external ports need to be exposed. Mirroring to the Traceable Platform Agent (TPA) is conducted through a Unix domain socket, and the Go agent then exports data via the OTLP port.


Was this article helpful?