Information on ports to be opened between Master Server and Hosts

Rancher 1.x
1

I am trying to setup Rancher in AWS as below.

Rancher Master Server Security Group Rules:
Inbound 8080 (0.0.0.0/0) - For Agent communication
Outbound - 80, 443

Rancher Hosts Security Group Rules:
Inbound - 22 ( ssh login from a particular host)
Outbound - 80, 443 and 8080

I am adding the hosts as ‘Custom Hosts’ i.e. installing the Rancher Agent on the host machine manually. The hosts has been installed with Docker already. The agent is getting installed successfully hosts and it also shows up in Rancher Master Server.

Pls clarify the below queries.

  1. Looking into the document, it mentions about UDP ports 4500 & 500. I suppose this is required for communication between Rancher Hosts only. These ports between Rancher Master Server & Rancher Hosts are not required to be open.

  2. With the above security groups in place for Rancher Hosts, how does Rancher Master Server communicates with the agent. There are no inbound ports opened at rancher hosts security group. It seems to be working in my setup but curious to know how the communication happens between Master Server & Hosts.

2

Ports are described here: https://docs.rancher.com/rancher/v1.5/en/hosts/custom/

3

Thanks for the reply. I have seen this page before but I appreciate if you can answer to my specific queries.

4

Yes, 500 and 4500 are for IPSec between hosts.

The host (agent) opens an outbound connection to the master/server, not the other way around.

3 Likes
5

Thanks for the confirmation on IPSec.

When the agent is being installed manually on the host, the connection is established from agent to master which is clear ( as seen by outobund 8080 opened in host and inbound 8080 opened in Master Server )

When a container is being launched from the Rancher Master Server onto a host, how does it work ?. With my setup, there are no inbound connections to the host (agent). How does the Master Server communicates with the agent when any action is done using the UI ?

6

Again the host opens the connection to the server, never the other way around. It’s a websocket that allows bidirectional communication and stays open forever (or reconnects).