Ports and allowed traffic for Cyral sidecars and control plane

Sidecar ingress ports

The sidecar accepts incoming traffic on the following ports from clients connecting to data repositories:


  • MongoDB ports — 27017-27028

  • MySQL ports — 3306-3310

  • PostgreSQL ports — 5432-5436

  • Snowflake ports — 443-447

  • SQL Server ports — 1433-1437




Sidecar egress ports

The Cyral sidecar sends traffic from a number of ports on instances in the sidecar cluster. If you choose to limit outbound traffic from the sidecar cluster, leave the following ports open:


  • data repository destination ports — The default port for each database type listed above is the first number shown for each range. If your repository is configured to use a non-default port, then the sidecar needs access to outbound traffic on the configured database port.

  • ports 80 (TCP), 443 (TCP) — Sidecar initiates software image downloads

  • port 8022 (TCP) — SSH connection to the Cyral control plane
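
The following is an added example, not Cyral code: a Python check that compares a sidecar cluster's outbound allowlist against the egress ports listed above, reporting required ports that are blocked and rules that open more than the sidecar needs. The function names, the rule format (TCP port ranges only, destinations not considered) and the sample repositories and rules are assumptions made for illustration.

```python
# Added example: audit a sidecar cluster's outbound allowlist against the
# egress ports this page lists. Rule and repository data below are constructed.

# Default database ports: the first number of each ingress range on this page.
DEFAULT_PORTS = {"mongodb": 27017, "mysql": 3306, "postgresql": 5432,
                 "snowflake": 443, "sqlserver": 1433}
# Fixed egress ports from this page: image downloads and control plane SSH.
FIXED_EGRESS = {80, 443, 8022}


def required_egress(repos):
    """repos: list of (db_type, configured_port or None). Returns a set of TCP ports."""
    ports = set(FIXED_EGRESS)
    for db_type, port in repos:
        # A repository on a non-default port needs that port, not the default.
        ports.add(port if port is not None else DEFAULT_PORTS[db_type])
    return ports


def audit_egress(rules, repos):
    """rules: list of (from_port, to_port) TCP ranges allowed outbound.

    Returns (missing, excess): required ports that no rule covers, and rules
    that open unneeded ports, as (from_port, to_port, unneeded_count)."""
    needed = required_egress(repos)
    missing = sorted(p for p in needed
                     if not any(lo <= p <= hi for lo, hi in rules))
    excess = []
    for lo, hi in rules:
        extra = (hi - lo + 1) - sum(1 for p in needed if lo <= p <= hi)
        if extra:
            excess.append((lo, hi, extra))
    return missing, excess


# Constructed sample: one PostgreSQL repo on its default port, one MySQL repo
# moved to a non-default port, and an allowlist that copies the ingress range
# for PostgreSQL, keeps the old MySQL port, and omits the control plane port.
SAMPLE_REPOS = [("postgresql", None), ("mysql", 13306)]
SAMPLE_RULES = [(80, 80), (443, 443), (5432, 5436), (3306, 3306)]

if __name__ == "__main__":
    missing, excess = audit_egress(SAMPLE_RULES, SAMPLE_REPOS)
    print("blocked but required:", missing)
    for lo, hi, extra in excess:
        print(f"rule {lo}-{hi} opens {extra} port(s) the sidecar does not need")
```
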




Control plane traffic

As a cloud service, your Cyral control plane instance runs in your VPC. The control plane hostname is <tenant>.cyral.com, where <tenant> is replaced with your organization’s account name. 


The control plane must be able to receive inbound traffic on these ports:

  • port 8022 (TCP) — sidecar connections

  • ports 80 (TCP), 443 (TCP) — HTTPS access for users connecting to the Cyral Management Console (web UI)


