Sidecar ingress ports
The sidecar accepts incoming traffic from clients on any of the ports defined by the Cyral administrator in the CloudFormation, Terraform, or Helm template. These ports can be adjusted through the SidecarPorts parameter for CloudFormation, the sidecar_ports variable for Terraform, and the service.ports value for Helm. By default, the templates define the following set of ports:
80, 443, 453, 1433, 1521, 3306, 3307, 5432, 5439, 9996, 9999, 27017, 27018, 27019, 31010
Sidecar egress ports
The Cyral sidecar sends outbound traffic from its instances to a number of destination ports. If you choose to restrict outbound traffic from the sidecar, leave the following ports open. Because the S3, Google Cloud Storage and container registry endpoints below are served from IP addresses that change over time, filter egress by hostname (for example with a DNS-aware proxy or a firewall that supports FQDN rules) rather than by a static IP list.
data repository destination ports (TCP) — The default port for each database type listed above is the first number shown for each range. If your repository is configured to use a non-default port, the sidecar needs outbound access to that configured port instead.
port 443 (HTTPS and gRPC for Cyral control plane) — Used for connecting to the control plane whose hostname is {TENANT}.app.cyral.com, where {TENANT} is your organization’s account name.
port 443 (HTTPS downloads) — The sidecar downloads software dependencies from the following domains at initialization time:
amazonlinux.{AWS_REGION}.s3.amazonaws.com
- Required to update the Amazon Linux 2 image with the latest changes and install packages using yum
- Replace {AWS_REGION} with the code of the AWS region where the sidecar will be deployed (e.g. amazonlinux.us-west-1.s3.amazonaws.com)
amazonlinux-2-repos-{AWS_REGION}.s3.amazonaws.com
- Required to update the Amazon Linux 2 image with the latest changes and install packages using yum
- Replace {AWS_REGION} with the code of the AWS region where the sidecar will be deployed (e.g. amazonlinux-2-repos-us-west-1.s3.amazonaws.com)
gcr.io
- Required to download images from Cyral's private container registry
storage.googleapis.com/artifacts.cyralpublic.appspot.com
- Required to download prerequisite software used to run the sidecar (docker-compose and jq)
{TENANT}.app.cyral.com
- Required so that sidecar instances can download the Docker Compose file
- Replace {TENANT} with your organization's account name (e.g. acme.app.cyral.com)
Note: Legacy sidecars (<= v2.17.x) require an SSH connection to the control plane on port 8022 (TCP).
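The following script is an added example, not part of Cyral's documentation or tooling. It turns the egress requirements above into a concrete (host, port) allowlist for a given tenant, AWS region, repository list and sidecar version (adding TCP/8022 only for legacy sidecars at or below v2.17.x), and then probes each endpoint with a plain TCP connect so you can verify a restrictive security group or egress proxy before the sidecar first boots. The tenant name "acme", region "us-west-1" and repository host "pg.internal.example" are constructed placeholders; the probe checks only that a TCP connection opens, not TLS or authentication.

```python
# Added example (not Cyral's own code): build the sidecar's egress allowlist
# from the documented endpoints and optionally probe TCP reachability.
# Assumptions: tenant, region and repository values are placeholders you
# replace; the probe verifies only that a TCP connection opens (layer 4).
import re
import socket
from dataclasses import dataclass


@dataclass(frozen=True)
class Endpoint:
    host: str
    port: int
    purpose: str


def is_legacy_sidecar(version: str) -> bool:
    """True for sidecar versions <= v2.17.x, which also need TCP/8022."""
    m = re.match(r"v?(\d+)\.(\d+)", version.strip())
    if not m:
        raise ValueError(f"unrecognised sidecar version: {version!r}")
    return (int(m.group(1)), int(m.group(2))) <= (2, 17)


def egress_allowlist(tenant, aws_region, repo_ports, sidecar_version):
    """Return the endpoints the sidecar must reach, deduplicated by (host, port)."""
    control_plane = f"{tenant}.app.cyral.com"
    endpoints = [
        Endpoint(control_plane, 443,
                 "control plane (HTTPS/gRPC) and Docker Compose file download"),
        Endpoint(f"amazonlinux.{aws_region}.s3.amazonaws.com", 443,
                 "Amazon Linux 2 updates and yum packages"),
        Endpoint(f"amazonlinux-2-repos-{aws_region}.s3.amazonaws.com", 443,
                 "Amazon Linux 2 yum repositories"),
        Endpoint("gcr.io", 443, "Cyral private container registry"),
        # Only the hostname matters for a layer-4 allowlist; the bucket path
        # (artifacts.cyralpublic.appspot.com) is selected at the HTTP layer.
        Endpoint("storage.googleapis.com", 443, "docker-compose and jq downloads"),
    ]
    if is_legacy_sidecar(sidecar_version):
        endpoints.append(Endpoint(control_plane, 8022,
                                  "legacy SSH connection to the control plane"))
    for host, port in repo_ports:
        endpoints.append(Endpoint(host, int(port), "data repository"))
    seen, unique = set(), []
    for ep in endpoints:
        if (ep.host, ep.port) not in seen:
            seen.add((ep.host, ep.port))
            unique.append(ep)
    return unique


def probe(endpoints, timeout=3.0):
    """Attempt a TCP connect to each endpoint; returns {(host, port): reachable}."""
    results = {}
    for ep in endpoints:
        try:
            with socket.create_connection((ep.host, ep.port), timeout=timeout):
                results[(ep.host, ep.port)] = True
        except OSError:  # DNS failure, refused, timeout, or blocked by egress rules
            results[(ep.host, ep.port)] = False
    return results


if __name__ == "__main__":
    # Constructed sample inputs; replace with your tenant, region and repositories.
    allow = egress_allowlist("acme", "us-west-1",
                             [("pg.internal.example", 5432)], "v2.17.4")
    for ep in allow:
        print(f"{ep.host}:{ep.port}  # {ep.purpose}")
    for (host, port), ok in probe(allow).items():
        print(f"{'OK  ' if ok else 'FAIL'} {host}:{port}")
```

Run it from the subnet and security group the sidecar will use; any FAIL line on a 443 endpoint means the sidecar will not be able to initialize, and a FAIL on a repository port means client connections will be accepted by the sidecar but never reach the database.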