Ports and allowed traffic for Cyral sidecars and control plane

Sidecar ingress ports

The sidecar accepts incoming traffic on the following ports from clients connecting to data repositories:


  • MongoDB ports — 27017-27028

  • MySQL ports — 3306 - 3310

  • PostgreSQL ports — 5432-5436

  • Snowflake ports — 443-447

  • SQLServer — 1433-1437




Sidecar egress ports

The Cyral sidecar sends traffic from a number of ports on instances in the sidecar cluster. If you choose to limit outbound traffic from the sidecar cluster, leave the following ports open:


  • data repository destination ports — The default port for each database type listed above is the first number shown for each range. If your repository is configured to use a non-default port, then the sidecar needs access to outbound traffic on the configured database port.

  • ports 80 (TCP), 443 (TCP) — Sidecar initiates software image downloads

  • port 8022 (TCP)  — SSH connection to the Cyral control plane needed only for legacy sidecars (v2.17.x and older)

  • port 8000 (HTTPS), 9080 (GRPC) — Used for connecting to Cyral control plane




Control plane traffic

As a cloud service, your Cyral control plane instance runs in your VPC. The control plane hostname is <tenant>.cyral.com, where <tenant> is replaced with your organization’s account name. 


The control plane must be able to receive inbound traffic on these ports:

  • port 8022 (TCP) — sidecar connections needed to support legacy sidecars (v2.17.x and older)

  • ports 80 (TCP), 443 (TCP) — HTTPS access for users connecting to the Cyral control plane UI (web UI)

  • ports 8000, 9080 — HTTPS and GRPC access to the Cyral control plane for users and sidecars



Did you find it helpful? Yes No

Send feedback
Sorry we couldn't be helpful. Help us improve this article with your feedback.