Understanding which ports the hybrid runtime plane uses is important for enterprise
implementations. This section describes the ports used for secure communications within the
runtime plane as well as external ports used for communications with external services.
Internal connections
--------------------

Communication between the runtime plane and the management plane is secured with one-way TLS
(the server is authenticated; the client is not) together with OAuth 2.0. Individual services use
different protocols, depending on which service they are communicating with.
The certificates used for intra-component communication are generated by Apigee's certificate
manager. You do not have to provide a certificate or manage it.
[Image: ports and communications channels within the hybrid runtime plane]

The following table describes the ports and communications channels within the hybrid runtime
plane:
Internal connections

| Source | Direction | Destination | Protocol/Ports | Security protocol | Description |
|---|---|---|---|---|---|
| MART | → | Cassandra | TCP/9042, TCP/9142 | mTLS | Sends data for persistence. |
| Apigee Connect | → | MART | TCP/8443 | TLS | Requests from the management plane go through Apigee Connect. Apigee Connect initiates the connection. |
| Default Istio Ingress | → | Message Processor | TCP/8443 | TLS (Apigee-generated, self-signed cert) | Processes incoming API requests. |
| Message Processor | → | Cassandra | TCP/9042, TCP/9142 | mTLS | Sends data for persistence. |
| Message Processor | → | fluentd (analytics / logging) | TCP/20001 | mTLS | Streams data to the data collection pod. |
| Cassandra | ↔ | Cassandra | TCP/7001, TCP/7199 | mTLS | Intra-node cluster communications. |
| Cassandra | ↔ | Cassandra | TCP/7001 | mTLS | Inter-region communications. |
| Synchronizer | → | Cassandra | TCP/9042, TCP/9142 | mTLS | Sends data for persistence. |
| Prometheus (metrics) | → | Cassandra | TCP/7070 (HTTPS) | TLS | Scrapes metrics data from various services. |
| Prometheus (metrics) | → | MART | TCP/8843 (HTTPS) | TLS | Scrapes metrics data. |
| Prometheus (metrics) | → | Message Processor | TCP/8843 (HTTPS) | TLS | Scrapes metrics data. |
| Prometheus (metrics) | → | Synchronizer | TCP/8843 (HTTPS) | TLS | Scrapes metrics data. |
| Prometheus (metrics) | → | UDCA | TCP/7070 (HTTPS) | TLS | Scrapes metrics data. |
| Watcher | → | Ingress pods | TCP/8843 | TLS | Polls to get deployment status. |
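The internal table above is a connection matrix, and the practical use of such a matrix is to turn it into least-privilege network policy: each component should accept only the sources and ports listed for it. The script below is an added example (not Apigee's own tooling or manifests): it encodes the table and emits a default-deny ingress NetworkPolicy for any destination component. The pod label key `app`, the component label values, and the `apigee` namespace are assumptions you must map to your cluster's real labels.

```python
import json

# Internal connection matrix as given on this page:
# (source, destination, TCP ports, security protocol).
# The two-way Cassandra rows are encoded as cassandra -> cassandra.
INTERNAL_CONNECTIONS = [
    ("mart", "cassandra", [9042, 9142], "mTLS"),
    ("apigee-connect", "mart", [8443], "TLS"),
    ("istio-ingress", "message-processor", [8443], "TLS"),
    ("message-processor", "cassandra", [9042, 9142], "mTLS"),
    ("message-processor", "fluentd", [20001], "mTLS"),
    ("cassandra", "cassandra", [7001, 7199], "mTLS"),
    ("synchronizer", "cassandra", [9042, 9142], "mTLS"),
    ("prometheus", "cassandra", [7070], "TLS"),
    ("prometheus", "mart", [8843], "TLS"),
    ("prometheus", "message-processor", [8843], "TLS"),
    ("prometheus", "synchronizer", [8843], "TLS"),
    ("prometheus", "udca", [7070], "TLS"),
    ("watcher", "istio-ingress", [8843], "TLS"),
]

def allowed_ingress(destination):
    """Return {source: sorted ports} that the table permits to reach destination."""
    rules = {}
    for src, dst, ports, _sec in INTERNAL_CONNECTIONS:
        if dst == destination:
            rules.setdefault(src, set()).update(ports)
    return {src: sorted(p) for src, p in rules.items()}

def network_policy(destination, namespace="apigee"):
    """Build an ingress-only NetworkPolicy for one component.
    The 'app' label key, label values and namespace are assumptions, not Apigee's real labels."""
    ingress = []
    for src, ports in allowed_ingress(destination).items():
        ingress.append({
            "from": [{"podSelector": {"matchLabels": {"app": src}}}],
            "ports": [{"protocol": "TCP", "port": p} for p in ports],
        })
    return {
        "apiVersion": "networking.k8s.io/v1",
        "kind": "NetworkPolicy",
        "metadata": {"name": f"allow-to-{destination}", "namespace": namespace},
        "spec": {
            "podSelector": {"matchLabels": {"app": destination}},
            "policyTypes": ["Ingress"],  # any ingress not listed below is denied
            "ingress": ingress,
        },
    }

if __name__ == "__main__":
    # JSON is valid YAML, so the output can be piped to kubectl apply -f -
    print(json.dumps(network_policy("cassandra"), indent=2))
```

Apply one generated policy per component; pods without a matching policy keep the cluster default, so a missing row in the matrix surfaces as a dropped connection rather than a silent allow.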
External connections
--------------------
To appropriately configure your network firewall, you should know the inbound and outbound ports
used by hybrid to communicate with external services.
[Image: ports used for external communications with the hybrid runtime plane]

The following table describes the ports used for external communications with the hybrid runtime
plane:
(Optional) Distributed Trace: communicates trace information to the Distributed Trace back end
service. Configure the service and protocol in the TraceConfig API. The back end for Distributed
Trace is usually Cloud Trace or Jaeger.
Two-way connections

| Source | Direction | Destination | Protocol/Ports | Security protocol | Description |
|---|---|---|---|---|---|
| Apigee Connect | ↔ | Apigee Services | TCP/443 | TLS | Communicates management data between the management plane and the Management API for runtime data (MART) in the runtime plane. Apigee Connect initiates the connection; it connects to `apigeeconnect.googleapis.com`. Therefore, you do not need to configure your firewall for inbound connectivity. |
* indicates that the port is configurable. Apigee recommends using port 443.
You should not allow external connections for specific IP addresses associated with
`*.googleapis.com`. The IP addresses can change, since the domain currently resolves to
multiple addresses; allow the domain name rather than a fixed IP list.
Page: Secure ports usage, Apigee hybrid documentation version 1.14. Last updated 2025-08-29 UTC.