Understanding which ports the hybrid runtime plane uses is important for enterprise
implementations. This section describes the ports used for secure communications within the
runtime plane as well as external ports used for communications with external services.
Internal connections
Communication between the runtime plane and management plane is secured with TLS 1-way and OAuth
2.0. Individual services use different protocols, depending on which service they are communicating
with.
The certificates used for intra-component communication are generated by Apigee's certificate
manager. You do not have to provide a certificate or manage it.
The following image shows the ports and communications channels within the hybrid runtime
plane:
The following table describes the ports and communications channels within the hybrid runtime
plane:
Internal Connections
Source
Destination
Protocol/Ports
Security protocol
Description
MART
arrow_right_alt
Cassandra
TCP/9042 TCP/9142
TLS
Sends data for persistence.
Apigee Connect
arrow_right_alt
MART
TCP/8443
TLS
Requests from the management plane go through Apigee Connect. Apigee Connect initiates
the connection.
Default Istio Ingress
arrow_right_alt
Message Processor
TCP/8443
TLS (Apigee-generated, self-signed cert)
Processes incoming API requests.
Message Processor
arrow_right_alt
Cassandra
TCP/9042 TCP/9142
TLS
Sends data for persistence.
Message Processor
arrow_right_alt
fluentd (analytics / logging)
TCP/20001
mTLS
Streams data to the data collection pod.
Cassandra
compare_arrows
Cassandra
TCP/7001
mTLS
Intra-node cluster communications. Note that you can also leave port 7000 open for
firewall configuration as a backup option for potential troubleshooting.
Synchronizer
arrow_right_alt
Cassandra
TCP/9042 TCP/9142
TLS
Sends data for persistence.
Prometheus (metrics)
arrow_right_alt
Cassandra
TCP/7070 (HTTPS)
TLS
Scrapes metrics data from various services.
MART
TCP/8843 (HTTPS)
TLS
Message Processor
TCP/8843 (HTTPS)
TLS
Synchronizer
TCP/8843 (HTTPS)
TLS
UDCA
TCP/7070 (HTTPS)
TLS
Watcher
arrow_right_alt
Default Istio Ingress
TCP/8843
TLS
Makes virtual hosts related changes to configure istio ingress.
External connections
To appropriately configure your network firewall, you should know the inbound and outbound ports
used by hybrid to communicate with external services.
The following image shows the ports used for external communications with the hybrid runtime
plane:
The following table describes the ports used for external communications with the hybrid runtime
plane:
(Optional) Communicates trace information to the Distributed Trace back end service. Configure the
service and protocol in theTraceConfig API.
The back end for Distributed Trace is usually Cloud Trace or Jaeger.
Two-way Connections
Apigee Connect
compare_arrows
Apigee Services
TCP/443
TLS
Communicates management data between the managemennt plane and the Management API for
runtime data (MART) in the runtime plane. Apigee Connect initiates the connection;
connects toapigeeconnect.googleapis.com. Therefore, you
do not need to configure your firewall for inbound connectivity.
Watcher
arrow_right_alt
Google Cloud
TCP/443
OAuth over TLS 1.2
Pulls virtual hosts related changes for an org to configure istio ingress.
* indicates that the port is configurable. Apigee recommends using port 443.
You should not allow external connections for specific IP addresses associated with*.googleapis.com. The IP addresses can change since the domain currently resolves to
multiple addresses.
[[["Easy to understand","easyToUnderstand","thumb-up"],["Solved my problem","solvedMyProblem","thumb-up"],["Other","otherUp","thumb-up"]],[["Hard to understand","hardToUnderstand","thumb-down"],["Incorrect information or sample code","incorrectInformationOrSampleCode","thumb-down"],["Missing the information/samples I need","missingTheInformationSamplesINeed","thumb-down"],["Other","otherDown","thumb-down"]],["Last updated 2025-08-29 UTC."],[[["\u003cp\u003eThis document outlines the port usage for internal and external communications within the Apigee hybrid runtime plane, detailing which ports are used for secure connections between services.\u003c/p\u003e\n"],["\u003cp\u003eInternal connections within the hybrid runtime plane use a mix of protocols and ports, including TCP 9042/9142 for Cassandra, TCP 8443 for connections to MART and the management plane, and mTLS for communication with fluentd.\u003c/p\u003e\n"],["\u003cp\u003eExternal connections involve both inbound traffic, such as API requests from client apps to the Default Istio Ingress, and outbound traffic, such as the Synchronizer fetching configuration data from Apigee Services via TCP 443.\u003c/p\u003e\n"],["\u003cp\u003eApigee Connect establishes a two-way connection with Apigee Services over TCP 443 for management data, initiated from within the runtime plane, eliminating the need for firewall configuration for inbound connectivity.\u003c/p\u003e\n"],["\u003cp\u003eThe document mentions version 1.6 of Apigee hybrid is end of life and to upgrade to a newer version.\u003c/p\u003e\n"]]],[],null,["# Secure ports usage\n\n| You are currently viewing version 1.6 of the Apigee hybrid documentation. **This version is end of life.** You should upgrade to a newer version. For more information, see [Supported versions](/apigee/docs/hybrid/supported-platforms#supported-versions).\n\nUnderstanding which ports the hybrid runtime plane uses is important for enterprise\nimplementations. This section describes the ports used for secure communications within the\nruntime plane as well as external ports used for communications with external services.\n\nInternal connections\n--------------------\n\nCommunication between the runtime plane and management plane is secured with TLS 1-way and OAuth\n2.0. Individual services use different protocols, depending on which service they are communicating\nwith.\n\nThe certificates used for intra-component communication are generated by Apigee's certificate\nmanager. You do not have to provide a certificate or manage it.\n\nThe following image shows the ports and communications channels within the hybrid runtime\nplane:\n\nThe following table describes the ports and communications channels within the hybrid runtime\nplane:\n\nExternal connections\n--------------------\n\nTo appropriately configure your network firewall, you should know the inbound and outbound ports\nused by hybrid to communicate with external services.\n\nThe following image shows the ports used for external communications with the hybrid runtime\nplane:\n\nThe following table describes the ports used for external communications with the hybrid runtime\nplane:\n\nYou should not allow external connections for specific IP addresses associated with\n`*.googleapis.com`. The IP addresses can change since the domain currently resolves to\nmultiple addresses."]]
