Sidecar ingress ports

The sidecar accepts incoming traffic on the following ports from clients connecting to data repositories:

• MongoDB ports — 27017-27028

• MySQL ports — 3306 - 3310

• PostgreSQL ports — 5432-5436

• Snowflake ports — 443-447

• SQLServer — 1433-1437

Sidecar egress ports

The Cyral sidecar sends traffic from a number of ports on instances in the sidecar cluster. If you choose to limit outbound traffic from the sidecar cluster, leave the following ports open:

• data repository destination ports — The default port for each database type listed above is the first number shown for each range. If your repository is configured to use a non-default port, then the sidecar needs access to outbound traffic on the configured database port.

• ports 80 (TCP), 443 (TCP) — Sidecar initiates software image downloads

• port 8022 (TCP)  — SSH connection to the Cyral control plane needed only for legacy sidecars (v2.17.x and older)

• port 8000 (HTTPS), 9080 (GRPC) — Used for connecting to Cyral control plane

Control plane traffic

As a cloud service, your Cyral control plane instance runs in your VPC. The control plane hostname is <tenant>.cyral.com, where <tenant> is replaced with your organization’s account name. 

The control plane must be able to receive inbound traffic on these ports:

• port 8022 (TCP) — sidecar connections needed to support legacy sidecars (v2.17.x and older)

• ports 80 (TCP), 443 (TCP) — HTTPS access for users connecting to the Cyral control plane UI (web UI)

• ports 8000, 9080 — HTTPS and GRPC access to the Cyral control plane for users and sidecars