HCP Self Hosted Worker Whitelist

I’m testing using a self hosted HCP worker. The documentation says to open port 9202 to the world. As part of our security processes we are unable to have this. Is there a list of the servers or ranges to open to please?



1 Like

Hi @r1ddl3 port 9202 on the worker should be available for clients to connect to in order to allow session creation. So depending on where your end-users are connecting from, you could whitelist those IP addresses/CIDR blocks on your firewall.

The worker makes outbound connections to the HCP control plane so port 9202 need not be opened to the HCP control plane.

Copying the network requirements from this link

The following ports should be available:

  • Clients must have access to the Controller’s api port (default 9200)
  • Clients must have access to the Worker’s port (default 9202)
  • Workers must have access to the Controller’s cluster port (default 9201)
  • Workers must have a route and port access to the hosts defined within the system in order to provide connectivity

Good morning. I just wanted to validate a bit about your env, before answering. If you’re using HCP boundary, then you could just use HCP managed workers for ingress and then run a self-managed worker in your network for egress. Using this setup, you won’t have to open any ports on your network; since the egress self-managed worker will “phone home” which eliminates any need to open a port.