
Ports and allowed traffic for Cyral sidecars and control plane

Sidecar ingress ports

The sidecar accepts incoming traffic from clients on any of the ports defined by the Cyral administrator using the Terraform or Helm template. These ports can be adjusted by using the variable sidecar_ports for Terraform and sidecarPorts for Helm. By default, the sidecar defines the following set of ports on these templates:

  • 80, 443, 453, 1433, 1521, 3306, 3307, 5432, 27017, 27018, 27019, 31010


For sites that deploy the sidecar using the CloudFormation template, the following ranges of ports are defined by default and can be used by any repository:

  • 80 - 84

  • 443 - 447

  • 1433 - 1437

  • 1521 - 1525

  • 3306 - 3310

  • 5432 - 5436

  • 27017 - 27028

  • 31010 - 31014


Sidecar egress ports

The Cyral sidecar sends traffic from a number of ports on instances of the sidecar. If you choose to limit outbound traffic from the sidecar, leave the following ports open:

  • data repository destination ports (TCP) — The default port for each database type listed above is the first number shown for each range. If your repository is configured to use a non-default port, then the sidecar needs access to outbound traffic on the configured database port.

  • port 443 (HTTPS) — The sidecar downloads software dependencies from the following domains at initialization time.

    • amazonlinux.{AWS_REGION}.s3.amazonaws.com 

      • Replace {AWS_REGION} with the code of the AWS region where the sidecar will be deployed (e.g. amazonlinux.us-west-1.s3.amazonaws.com)

    • amazonlinux-2-repos-{AWS_REGION}.s3.amazonaws.com

      • Replace {AWS_REGION} with the code of the AWS region where the sidecar will be deployed (e.g. amazonlinux-2-repos-us-west-1.s3.amazonaws.com)

    • artifacts.cyralpublic.appstop.com

    • dl.fedoraproject.org

    • gcr.io

      • The sidecar will download images from Cyral's private container registry

    • github.com

    • raw.githubusercontent.com

    • storage.googleapis.com

    • {TENANT}.app.cyral.com 

      • Replace {TENANT} with your organization's account name (e.g. acme.app.cyral.com)

  • ports 8000 (HTTPS), 9080 (gRPC) — Used for connecting to the control plane, whose hostname is {TENANT}.app.cyral.com, where {TENANT} is your organization’s account name.

Note: Legacy sidecars (<= v2.17.x) require SSH connection to the control plane on port 8022 (TCP).
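
The egress requirements above, expressed as a check you can run against a proposed firewall allowlist before deploying a sidecar. This is an added example, not Cyral code; the function names, the repository host pg.internal.example and its port 6432 are assumptions made for illustration.

```python
# Added example, not Cyral code. Hosts and ports are copied from the lists above.
INIT_HOSTS = [  # reached on 443 (HTTPS) at initialization time
    "amazonlinux.{region}.s3.amazonaws.com",
    "amazonlinux-2-repos-{region}.s3.amazonaws.com",
    "artifacts.cyralpublic.appstop.com",
    "dl.fedoraproject.org",
    "gcr.io",
    "github.com",
    "raw.githubusercontent.com",
    "storage.googleapis.com",
    "{tenant}.app.cyral.com",
]

def is_legacy(sidecar_version):
    """True for sidecars <= v2.17.x, which also need SSH (8022) to the control plane."""
    major, minor = (int(p) for p in sidecar_version.lstrip("v").split(".")[:2])
    return (major, minor) <= (2, 17)

def required_egress(region, tenant, repos, sidecar_version):
    """Return the set of (host, port) pairs the sidecar must be able to reach.

    repos is an iterable of (host, port), one per data repository, using the
    port the repository is actually configured on (default or not).
    """
    need = {(h.format(region=region, tenant=tenant), 443) for h in INIT_HOSTS}
    control_plane = f"{tenant}.app.cyral.com"
    need |= {(control_plane, 8000), (control_plane, 9080)}
    if is_legacy(sidecar_version):
        need.add((control_plane, 8022))
    return need | set(repos)

def missing_egress(required, allowed):
    """Required (host, port) pairs that the proposed allowlist does not cover."""
    return sorted(required - set(allowed))

if __name__ == "__main__":
    # Constructed sample: one PostgreSQL repository on a non-default port.
    required = required_egress("us-west-1", "acme",
                               [("pg.internal.example", 6432)], "v2.17.4")
    # Constructed proposed allowlist that forgot gRPC and the legacy SSH port.
    proposed = required - {("acme.app.cyral.com", 9080), ("acme.app.cyral.com", 8022)}
    for host, port in missing_egress(required, proposed):
        print(f"blocked: {host}:{port}")
```
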

Control plane traffic

The Cyral control plane runs as a cloud service whose hostname is {TENANT}.app.cyral.com, where {TENANT} is replaced with your organization’s account name (e.g. acme.app.cyral.com).

The control plane must be able to receive inbound traffic on these ports:

  • ports 80 (TCP), 443 (HTTPS) — HTTPS access for users connecting to the Cyral control plane UI (web UI)

  • ports 8000 (HTTPS), 9080 (gRPC) — HTTPS and gRPC access to the Cyral control plane for users and sidecars

Note: Legacy sidecars (<= v2.17.x) require SSH connection to the control plane on port 8022 (TCP).

