Network port requirements and connectivity verification

Lists the network port numbers and their respective protocols used by Cloudera Observability and dependent services.

Communication between Cloudera Observability and your Workload clusters is through Telemetry Publisher, which requires network communication with Network Load Balancer and the Cloudera Observability S3 bucket in the Cloudera Observability framework.

Telemetry Publisher collects diagnostic information about job and query processes from your Workload clusters and sends it to Cloudera Observability. It communicates with Cloudera Observability and its S3 bucket through Network Load Balancer using the Hypertext Transfer Protocol Secure (HTTPS) and Transport Layer Security (TLS) protocols.

The following table lists the Network Load Balancer and the Cloudera Observability S3 bucket host names and the port numbers that must be enabled for service-to-service network communication between Telemetry Publisher and Cloudera Observability:

Table 1. Network Port Numbers
Port Number Host Name
443 Host names for a US-based Control Plane cloud region:
  • dbusapi.us-west-1.sigma.altus.cloudera.com
  • cloudera-dbus-prod.s3.amazonaws.com
443 Host names for an EU-based Control Plane cloud region:
  • dbusapi.eu-1.cdp.cloudera.com
  • mow-prod-eu-central-1-sigmadbus-dbus.s3.eu-central-1.amazonaws.com
443 Host names for an AP-based Control Plane cloud region:
  • dbusapi.ap-1.cdp.cloudera.com
  • mow-prod-ap-southeast-2-sigmadbus-dbus.s3.ap-southeast-2.amazonaws.com

Network connectivity verification between Telemetry Publisher and Cloudera Observability

Cloudera recommends verifying access from Telemetry Publisher to Network Load Balancer and the Cloudera Observability S3 bucket on port 443 by running the following commands for your cloud region:
  • For a US-based Control Plane cloud region run:
    curl -v https://dbusapi.us-west-1.sigma.altus.cloudera.com:443
    curl -v https://cloudera-dbus-prod.s3.amazonaws.com:443
  • For an EU-based Control Plane cloud region run:
    curl -v https://dbusapi.eu-1.cdp.cloudera.com:443
    curl -v https://mow-prod-eu-central-1-sigmadbus-dbus.s3.eu-central-1.amazonaws.com:443
  • For an AP-based Control Plane cloud region run:
    curl -v https://dbusapi.ap-1.cdp.cloudera.com:443
    curl -v https://mow-prod-ap-southeast-2-sigmadbus-dbus.s3.ap-southeast-2.amazonaws.com:443
The -v option prints verbose output in the terminal, which enables you to verify that the network port is open. For example, the following image shows that a successful connection was established after running the curl command for the US-based Control Plane cloud region with the cloudera-dbus host name.

Public key and CA certificate verification

Cloudera recommends that you verify that the public keys and CA certificates are present in the Telemetry Publisher truststore by running the following command for your cloud region:
  • For a US-based Control Plane cloud region run:
    openssl s_client -connect dbusapi.us-west-1.sigma.altus.cloudera.com:443 -showcerts
  • For an EU-based Control Plane cloud region run:
    openssl s_client -connect dbusapi.eu-1.cdp.cloudera.com:443 -showcerts
  • For an AP-based Control Plane cloud region run:
    openssl s_client -connect dbusapi.ap-1.cdp.cloudera.com:443 -showcerts

You can import a certificate from another truststore file to your truststore file with the keytool utility by running the following command:

keytool -importkeystore -srckeystore cacerts -srcstorepass changeit -destkeystore truststore -deststorepass truststore_password
Where:
  • truststore is the destination truststore file name.
  • truststore_password is the password that opens the destination truststore file.
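
The openssl commands above print the chain the server presents, but without a -CAfile option they validate it against OpenSSL's default CA store rather than the Telemetry Publisher truststore. The following added example (not Cloudera's own script) exports the truststore's certificates with keytool and verifies each host from Table 1 against them; the region codes us/eu/ap, the TRUSTSTORE_PASSWORD variable, the script name and the function names are assumptions.

```shell
# Added example: verify each endpoint from Table 1 against the certificates
# held in the truststore. Region codes, variable and function names are assumptions.

# Host names per Control Plane cloud region, copied from Table 1.
hosts_for_region() {
  case "$1" in
    us) echo "dbusapi.us-west-1.sigma.altus.cloudera.com cloudera-dbus-prod.s3.amazonaws.com" ;;
    eu) echo "dbusapi.eu-1.cdp.cloudera.com mow-prod-eu-central-1-sigmadbus-dbus.s3.eu-central-1.amazonaws.com" ;;
    ap) echo "dbusapi.ap-1.cdp.cloudera.com mow-prod-ap-southeast-2-sigmadbus-dbus.s3.ap-southeast-2.amazonaws.com" ;;
    *)  return 1 ;;
  esac
}

# Keep only the PEM certificate blocks from "keytool -list -rfc" output (stdin).
pem_only() {
  sed -n '/-----BEGIN CERTIFICATE-----/,/-----END CERTIFICATE-----/p'
}

# Read s_client output on stdin; succeed only if chain verification passed.
chain_verified() {
  grep -q 'Verify return code: 0 (ok)'
}

# Handshake with host $1 on port 443, verifying against the PEM file in $2.
check_host() {
  openssl s_client -connect "$1:443" -servername "$1" -CAfile "$2" \
    </dev/null 2>/dev/null | chain_verified
}

# Usage: export TRUSTSTORE_PASSWORD=...; sh check.sh <us|eu|ap> <truststore file>
if [ "$#" -eq 2 ]; then
  hosts=$(hosts_for_region "$1") || { echo "unknown region: $1" >&2; exit 2; }
  pem=$(mktemp)
  # :env reads the password from the named variable instead of the command line.
  keytool -list -rfc -keystore "$2" -storepass:env TRUSTSTORE_PASSWORD | pem_only > "$pem"
  rc=0
  for h in $hosts; do
    if check_host "$h" "$pem"; then echo "OK   $h"; else echo "FAIL $h"; rc=1; fi
  done
  rm -f "$pem"
  exit "$rc"
fi
```

A FAIL line means either that port 443 is unreachable or that the truststore lacks a CA for that host's chain; the curl -v check above distinguishes the two.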