Ports & Protocols
Fixed listener ports and conditional protocol dependencies used by the Neuwerk.
This page documents the listener ports and fixed protocol dependencies operators should expect from the Neuwerk.
It does not attempt to enumerate policy-controlled application egress, because that surface is intentionally defined by operator policy and destination systems rather than a static built-in port list.
Default Listener Surfaces
These are the primary ports the Neuwerk binds by default.
| Surface | Default Bind | Proto | Direction | Purpose |
|---|---|---|---|---|
| Management HTTPS | management-ip:8443 | TCP | Inbound to Neuwerk | Web UI, HTTP API, /health, /ready |
| Metrics | management-ip:8080 | TCP | Inbound to Neuwerk | Plain HTTP /metrics endpoint |
| DNS proxy | management-ip:53 | UDP, TCP | Inbound to Neuwerk | Policy-aware DNS proxy for hostname-based enforcement |
Notes:
- `--http-bind` changes the management HTTPS bind address.
- `--metrics-bind` changes the metrics listener bind address.
- DNS no longer has a separate `--dns-listen` flag. It always binds on `management-ip:53`.
Cluster Ports
When cluster mode is enabled, two additional listener ports are used.
| Surface | Default Bind | Proto | Direction | Purpose |
|---|---|---|---|---|
| Cluster RPC | 127.0.0.1:9600 by default | TCP | East-west between cluster nodes | Raft replication plus policy, auth, integration, and wiretap gRPC services |
| Cluster join | 127.0.0.1:9601 by default | TCP | Joining node to seed node | Bootstrap and cluster enrollment |
Operational notes:
- `--cluster-bind` controls the main cluster RPC bind.
- `--cluster-join-bind` defaults to `cluster-bind + 1`.
- `--cluster-advertise` controls the address published to peers.
- The main cluster RPC listener uses mTLS.
- The join listener is a separate bootstrap path used before the node has normal cluster credentials.
Internal-Only Service Ports
These ports exist for implementation reasons and are not intended as operator-facing APIs.
| Surface | Default Bind | Proto | Direction | Purpose |
|---|---|---|---|---|
| TLS intercept service | internal port 15443 | TCP | Internal to host / dataplane-service path | Active HTTP-over-TLS interception runtime |
| Service lane subnet | 169.254.255.1/30 local with peer 169.254.255.2 | IPv4 link-local | Internal only | Steering between dataplane and service runtime |
Mode-specific behavior:
- soft-mode deployments use kernel steering and bind the intercept listener on 0.0.0.0:15443
- DPDK deployments use the service-lane path and shared intercept demux instead
Outbound Dependencies
These are not long-lived listeners, but they are fixed protocol dependencies created by the runtime.
| Destination | Proto | Direction | When Required | Notes |
|---|---|---|---|---|
| Configured DNS upstreams | UDP, TCP 53 | Outbound from Neuwerk | Always | Set by --dns-upstream |
| Intercepted HTTPS origins | TCP, usually 443 | Outbound from Neuwerk | Only when tls.mode: intercept rules are active | The runtime opens a fresh upstream TLS session to the original destination |
| DHCP server | UDP 67 from client port 68 | Outbound and return inbound | When dataplane config is DHCP-derived | Used for dataplane addressing/bootstrap |
Conditional Encapsulation Ports
Overlay traffic is only present when encapsulation is enabled.
| Mode | Default Port(s) | Proto | Direction | Notes |
|---|---|---|---|---|
| Geneve | 6081 | UDP | Bidirectional between dataplane peers | Used when --encap geneve |
| VXLAN | 10800 | UDP | Bidirectional between dataplane peers | Default --encap vxlan port |
| VXLAN internal/external split | 10800 internal, 10801 external | UDP | Bidirectional between dataplane peers | Used when separate internal/external VNI settings are configured |
All of these can be overridden with the --encap-udp-port* flags.
DPDK-Specific Probe Ports
In DPDK mode, the dataplane contains a special health-probe path.
| Probe | Port | Proto | Direction | Notes |
|---|---|---|---|---|
| Generic dataplane health probe | 8080 | TCP | Inbound to dataplane IP | SYN/SYN-ACK style health path |
| GCP backend probe compatibility | 80 | TCP | Inbound to dataplane IP | Only accepted from recognized GCP health-checker source ranges |
These are dataplane behaviors, not control-plane HTTP listeners.
Management Port Defaults And Overrides
Default values from the current CLI/runtime:
- management HTTPS defaults to `<management-ip>:8443`
- metrics defaults to `<management-ip>:8080`
- cluster RPC defaults to `127.0.0.1:9600`
- cluster join defaults to `127.0.0.1:9601`
- TLS intercept runtime uses `15443`
The metrics listener has an extra guardrail: binding it to a public address requires `metrics.allow_public_bind: true` in the runtime config.
Security And Exposure Notes
- `8443` is the main operator-facing HTTPS surface and should usually be reachable from trusted admins and automation only.
- `8080` serves Prometheus-style metrics over plain HTTP, not HTTPS.
- `53` is part of the hostname-policy path and should be reachable from managed clients that are expected to use Neuwerk DNS.
- `9600` and `9601` should only be reachable between Neuwerk nodes participating in cluster formation.
- `15443` and the `169.254.255.0/30` service lane are internal plumbing, not external service endpoints.
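A way to check a host's actual listener bindings against the expectations above and the `metrics.allow_public_bind` guardrail, as an added example that is not part of Neuwerk. It assumes a management IP of 10.0.0.5 and parses constructed `ss -H -lntu`-style output; a real run would feed it the live command output.

```python
import ipaddress

# Constructed sample of `ss -H -lntu` output (Netid State Recv-Q Send-Q Local Peer).
SAMPLE_SS = """\
tcp   LISTEN 0 4096 10.0.0.5:8443   0.0.0.0:*
tcp   LISTEN 0 4096 0.0.0.0:8080    0.0.0.0:*
udp   UNCONN 0 0    10.0.0.5:53     0.0.0.0:*
tcp   LISTEN 0 4096 10.0.0.5:53     0.0.0.0:*
tcp   LISTEN 0 4096 127.0.0.1:9600  0.0.0.0:*
tcp   LISTEN 0 4096 0.0.0.0:9601    0.0.0.0:*
tcp   LISTEN 0 4096 0.0.0.0:15443   0.0.0.0:*
"""

CLUSTER_PORTS = {9600, 9601}   # should only be reachable between cluster nodes
INTERNAL_PORTS = {15443}       # internal plumbing, not an external endpoint

def parse_local(field):
    """Split an ss local-address field such as '[::]:8443' or '10.0.0.5:53'."""
    host, port = field.rsplit(":", 1)
    host = host.strip("[]")
    if host in ("*", ""):
        host = "::"
    return ipaddress.ip_address(host), int(port)

def audit(ss_output, mgmt_ip, allow_public_bind=False):
    """Return one finding per listener that contradicts the exposure notes."""
    mgmt_ip = ipaddress.ip_address(mgmt_ip)  # assumed management IP
    findings = []
    for line in ss_output.splitlines():
        parts = line.split()
        if len(parts) < 6:
            continue
        proto, local = parts[0], parts[4]
        addr, port = parse_local(local)
        where = f"{proto} {local}"
        if port == 8443 and addr != mgmt_ip:
            findings.append(f"{where}: management HTTPS should bind the management IP")
        elif port == 8080 and (addr.is_unspecified or addr.is_global) and not allow_public_bind:
            findings.append(f"{where}: plain-HTTP metrics bound publicly without metrics.allow_public_bind")
        elif port == 53 and addr != mgmt_ip:
            findings.append(f"{where}: DNS proxy is expected on the management IP only")
        elif port in CLUSTER_PORTS and addr.is_unspecified:
            findings.append(f"{where}: cluster listener on all interfaces; restrict to cluster peers")
        elif port in INTERNAL_PORTS and not (addr.is_loopback or addr.is_link_local):
            # soft mode binds 0.0.0.0:15443 by design, so this is a firewall check, not a bug.
            findings.append(f"{where}: internal intercept port reachable beyond the host; confirm host firewall blocks it")
    return findings

if __name__ == "__main__":
    for finding in audit(SAMPLE_SS, "10.0.0.5"):
        print(finding)
```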
What Is Not Fixed
These traffic classes are intentionally not listed as static ports:
- policy-controlled application egress from clients behind the Neuwerk
- Kubernetes integration API server ports, because they come from each configured `api_server_url`
- cloud-provider control-plane API traffic, because those destinations are provider-specific and not hard-coded here
Related Pages
- DNS Handling
- TLS Interception
- HTTP API