Required Ports

When you are creating a security group, you need to enable the following ports:

In a production environment it is recommended to use the HTTPS port instead of the HTTP port.

Port#	Port Description	Suggestions for Access Restrictions
Common Ports
22	SSH port. Clients will use this port to ssh into the EC2 instance.	Open to outside access
Private PaaS Instance
9443	HTTPS port to access the WSO2 Private PaaS Management Console.	Open to outside access
9763	HTTP port to access the WSO2 Private PaaS Management Console.	Open to outside access
9444	Management console port to BAM server.	Open to outside access
8291	GitBlit HTTP port. This port is optional as it is only needed if GitBlit is used.	Open to outside access
8443	GitBlit HTTPS port. This port is optional as it is only needed if GitBlit is used.	Open to outside access
8140	Puppet Master port.	Open to outside access
3306	MySQL port.	Open to outside access
7711	Cartridge agents publish statistics to CEP. If CEP and BAM are both being used, then you need to enable port offset in one of the products.	Open to outside access
7711	Carbon products publish logs to BAM. If CEP and BAM are both being used, then you need to enable port offset in one of the products.	Open to outside access
61616	ActiveMQ port	Open to outside access
Carbon Cartridge Instances
80, 8280	Load Balancer HTTP proxy port.	Open to outside access
443, 8243	Load Balancer HTTPS proxy port.	Open to outside access
9443	HTTPS port to access the Management Console.	Open to outside access
9763	HTTP port to access the Management Console.	Open to outside access
4000	Hazlecast port for clustering products.	Restricted internal access
8280	HTTP port for Pass-Through transport of ESB or APIM.	Open to outside access
8243	HTTPS port for Pass-Through transport of ESB or APIM.	Open to outside access

If all the instances are fronted by Load Balancer then only the Load Balancer port needs to be open to outside access and all other ports can be restricted to internal access.