PSaaS Appliance Infrastructure Requirements: IP/Domain and Port List
The PSaaS Appliance requires that certain ports be open between the nodes in the cluster, and that the nodes be able to reach selected external sites.
Between Cluster Nodes
When possible, instances within a cluster should have full connectivity to each other so that you do not need to introduce new firewall rules if Auth0 adds new features. However, since this isn't possible in every environment, the following table lists the ports that are required to be open and accessible to other PSaaS Appliance instances in the same cluster:

| Port | Use | Required? | Notes |
|---|---|---|---|
| 9001 | Rate Limiting | Yes | Required if rate limiting is used |
| 8721 | Webtask Logging/Control | Yes | Required for logging and debugging |
| 8701 | Webtask Logging/Control | Yes | Required for logging and debugging |
| 9200, 9300-9400 | Elasticsearch | Yes | Required for Elasticsearch |
| 3000 | Grafana instrumentation | No | Required if you are using Grafana instrumentation |
| 22 | Maintenance | No | Enables maintenance tasks to be done between nodes |
| ICMP | Healthcheck | No | Allows healthchecks between nodes |

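
The intra-cluster table above can be checked mechanically against a node-to-node firewall allowlist. The following is an added example, not Auth0 code: it expands the table's port specs and reports required ports that are blocked, optional ports that are closed, and open ports the table does not list. The function names `expand` and `audit` and the `ALLOWED` set are assumptions made for illustration.

```python
# Added example: audit a node-to-node TCP allowlist against the
# intra-cluster port table on this page. ALLOWED below is constructed.
import re

# (port spec, use, required) copied from the table; ICMP is not a TCP port
# and is left out of this check.
CLUSTER_PORTS = [
    ("9001", "Rate Limiting", True),
    ("8721", "Webtask Logging/Control", True),
    ("8701", "Webtask Logging/Control", True),
    ("9200, 9300-9400", "Elasticsearch", True),
    ("3000", "Grafana instrumentation", False),
    ("22", "Maintenance", False),
]

def expand(spec):
    """Expand a spec such as '9200, 9300-9400' into a set of port numbers."""
    ports = set()
    for part in re.split(r"\s*,\s*", spec.strip()):
        lo, _, hi = part.partition("-")
        lo, hi = int(lo), int(hi or lo)
        if not (0 < lo <= hi <= 65535):
            raise ValueError(f"bad port spec: {part!r}")
        ports.update(range(lo, hi + 1))
    return ports

def audit(allowed):
    """Return (missing_required, missing_optional, unexpected).

    The first two map use -> sorted missing ports; the third is a sorted
    list of allowed ports that the table does not mention.
    """
    missing_req, missing_opt, known = {}, {}, set()
    for spec, use, required in CLUSTER_PORTS:
        wanted = expand(spec)
        known |= wanted
        gap = sorted(wanted - allowed)
        if gap:
            bucket = missing_req if required else missing_opt
            bucket.setdefault(use, []).extend(gap)
    return missing_req, missing_opt, sorted(allowed - known)

if __name__ == "__main__":
    # Constructed allowlist: 8701 and the top of 9300-9400 are missing,
    # and 8080 is open although the table does not list it.
    ALLOWED = {22, 8080, 8721, 9001, 9200} | set(range(9300, 9391))
    for label, result in zip(("missing required", "missing optional",
                              "not in table"), audit(ALLOWED)):
        print(f"{label}: {result}")
```
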
Auth0 strives to keep the external IP addresses listed below stable, though this is not guaranteed. From time to time, Auth0 may add IP addresses or additional servers. Your PSaaS Appliance instances must be allowed to connect to these addresses for updates and metrics.

| Use | Direction | IP/DNS | Port | Notes | Required? |
|---|---|---|---|---|---|
| All | Inbound | Your load balancer IP address (often on internal network) | 80/(443 or 4443) | For clusters with more than one node, a load balancer is required for resiliency and performance | Yes |
| Webtask | Outbound | Your load balancer IP address (often on internal network) | 443 | Allows rules, webtasks, and extensions to call back to Auth0 endpoints | Yes |
| Command Line Interface | Inbound and Outbound | CLI Applications (often on the internal network) | 10121 | Allows use of the PSaaS Appliance Command Line Interface | No |
| Updates | Outbound | apt-mirror.it.auth0.com (22.214.171.124) | 443 | Provides update packages for PSaaS Appliance instances | Yes |
| Updates | Outbound | docker.it.auth0.com (126.96.36.199) | 443 | Provides updates for PSaaS Appliance Docker Packages | Yes |
| Web extensions, Hooks, and Management Dashboard | Outbound | cdn.auth0.com | 443 | Required to run web extensions and Hooks; also required for admins to browse to the Management Dashboard | Yes |
| Examples | Outbound | github.com | 443 | Source to download and repackage example applications | No |
| Usage & Telemetry | Outbound | app-gateway.it.auth0.com (188.8.131.52) | 443 | Provides usage and telemetry statistics | Yes |
| Maintenance | Inbound | Jump Host | 22 | Allows access to PSaaS Appliance instances for support purposes | No |
| Healthcheck | Inbound | Monitoring Endpoint | 9110 | Allows access to Healthcheck endpoints | No |
| DNS | Inbound and Outbound | Local domain servers | 53 | Required by the PSaaS Appliance to resolve host names internal and external to your environment | Yes |
| SMTP | Outbound | SMTP Server(s) | 25/587 | Allows sending of emails from the Appliance | No |

- If you are using social providers for logins, the cluster must be able to connect to the social providers' endpoints.
- The Jump Host IP is stable and provided at the time of setup.