
Ports and allowed traffic for Cyral sidecars

Sidecar ingress ports

The sidecar accepts incoming traffic from clients on any of the ports defined by the Cyral administrator in the CloudFormation, Terraform, or Helm template. These ports are set with the variable SidecarPorts for CloudFormation, sidecar_ports for Terraform, and service.ports for Helm. By default, these templates define the following set of ports:

  • 80, 443, 453, 1433, 1521, 3306, 3307, 5432, 5439, 9996, 9999, 27017, 27018, 27019, 31010


Sidecar egress ports

The Cyral sidecar sends traffic from a number of ports on instances of the sidecar. If you choose to limit outbound traffic from the sidecar, leave the following ports open:

  • data repository destination ports (TCP) — The default port for each database type listed above is the first number shown for each range. If your repository is configured to use a non-default port, the sidecar needs outbound access on that configured database port.

  • port 443 (HTTPS and gRPC for Cyral control plane) — Used for connecting to the control plane, whose hostname is {TENANT}.app.cyral.com, where {TENANT} is your organization's account name.

  • port 443 (HTTPS downloads) — The sidecar downloads software dependencies from the following domains at initialization time.

    • amazonlinux.{AWS_REGION}.s3.amazonaws.com

      • Required to update the Amazon Linux 2 image with latest changes and install packages using yum
      • Replace {AWS_REGION} with the code of the AWS region where the sidecar will be deployed (e.g. amazonlinux.us-west-1.s3.amazonaws.com)

    • amazonlinux-2-repos-{AWS_REGION}.s3.amazonaws.com

      • Required to update the Amazon Linux 2 image with latest changes and install packages using yum
      • Replace {AWS_REGION} with the code of the AWS region where the sidecar will be deployed (e.g. amazonlinux-2-repos-us-west-1.s3.amazonaws.com)
    • gcr.io

      • Required to download images from Cyral's private container registry

    • storage.googleapis.com/artifacts.cyralpublic.appstop.com

      • Required to download prerequisite software used to run the sidecar (docker-compose and jq)

    • {TENANT}.app.cyral.com

      • Required to enable sidecar instances to download the Docker Compose file

      • Replace {TENANT} with your organization's account name (e.g. acme.app.cyral.com)

Note: Legacy sidecars (<= v2.17.x) require an SSH connection to the control plane on port 8022 (TCP).
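As an added example (not Cyral's own module or template), the following Terraform defines an AWS security group that admits client traffic only on the sidecar ports listed above and limits outbound traffic to the egress this page describes. The variables vpc_id, client_cidr, repo_cidr and the repo_ports list are assumed placeholders for your environment; sidecar_ports reuses the page's default port list.

```terraform
# Added example, not Cyral's module: client ingress on the sidecar ports only,
# egress limited to what this page lists. vpc_id, client_cidr, repo_cidr and
# repo_ports are placeholders for your environment.
variable "vpc_id"      { type = string }
variable "client_cidr" { type = string } # where database clients connect from
variable "repo_cidr"   { type = string } # subnets holding the data repositories

variable "sidecar_ports" { # the page's default SidecarPorts / sidecar_ports list
  type    = list(number)
  default = [80, 443, 453, 1433, 1521, 3306, 3307, 5432, 5439, 9996, 9999, 27017, 27018, 27019, 31010]
}

variable "repo_ports" { # egress: only the database ports you actually protect
  type    = list(number)
  default = [5432, 3306] # constructed example: PostgreSQL and MySQL
}

resource "aws_security_group" "sidecar" {
  name   = "cyral-sidecar"
  vpc_id = var.vpc_id
}

resource "aws_vpc_security_group_ingress_rule" "clients" {
  for_each          = toset([for p in var.sidecar_ports : tostring(p)])
  security_group_id = aws_security_group.sidecar.id
  cidr_ipv4         = var.client_cidr
  ip_protocol       = "tcp"
  from_port         = tonumber(each.value)
  to_port           = tonumber(each.value)
}

# HTTPS/gRPC to {TENANT}.app.cyral.com and the download hosts. A security group
# cannot filter by hostname, so 443 is open to any destination; use an egress
# proxy or DNS firewall if the allowed hostnames must be pinned.
resource "aws_vpc_security_group_egress_rule" "https" {
  security_group_id = aws_security_group.sidecar.id
  cidr_ipv4         = "0.0.0.0/0"
  ip_protocol       = "tcp"
  from_port         = 443
  to_port           = 443
}

resource "aws_vpc_security_group_egress_rule" "repos" {
  for_each          = toset([for p in var.repo_ports : tostring(p)])
  security_group_id = aws_security_group.sidecar.id
  cidr_ipv4         = var.repo_cidr
  ip_protocol       = "tcp"
  from_port         = tonumber(each.value)
  to_port           = tonumber(each.value)
}
```

Because the aws_security_group resource removes AWS's default allow-all egress rule, any outbound traffic not listed here is denied; legacy sidecars (<= v2.17.x) would additionally need an egress rule for TCP 8022 to the control plane.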


