Web Sites network topology
Applies To: Windows Azure Pack
A complete Web Sites deployment consists of the following five role types. The abbreviations in parentheses are used elsewhere in this document.
Controller (CN)
Management (MN)
FrontEnd (FE)
Publisher (PB)
Worker (WW)
There can be multiple instances of each role type. The connections described and ports listed upon also apply when roles of the same type are added. Thus, the number of connections increases with the addition of each role.
There are supporting systems that may or may not be on separate hosts depending on how the system is deployed. For the purpose of this documentation, it is assumed that they are deployed on separate hosts. They are:
Database (DB)
File Server (FS)
Controller
The controller is responsible for administering all of the web roles. It connects to each of other role types, to the database, and to itself.
Internal listening endpoints (within Windows Azure Pack Web Sites deployment)
| Port | Application/Use | Notes | Communication from |
|---|---|---|---|
| 5985 | WinRM | Used for role instance management | CN (in case the secondary controller is deployed) |
| 5986 | WinRM | Used for role instance management | CN (in case the secondary controller is deployed) |
External listening endpoints
None.
Internal outbound communication
| Port | Application/Use | Notes | Communication to |
|---|---|---|---|
| 445 | SMB | File Server (FS) | |
| 1433 | SQL | Configuration requests and updates | Database Server (DB) |
| 5985 | WinRM | Used for role instance management | Controller (CN), Management (MN), FrontEnd (FE), Publisher (PB), Worker (WW), File Server (FS), Optional |
| 5986 | WinRM | Used for role instance management | Controller (CN), Management (MN), FrontEnd (FE), Publisher (PB), Worker (WW), File Server (FS), Optional |
| 8173 | Web Farm Framework (WFF) Agent | Used for role instance management | Controller (CN), Management (MN), FrontEnd (FE), Publisher (PB), Worker (WW), File Server (FS), Optional |
Management (MN)
The Management role is responsible for the REST interface that is exposed so that the Portal can manage the Web Sites stamp. The Management role communicates with the Database, Controller and File Server roles.
Internal listening endpoints (within Windows Azure Pack: Web Sites deployment)
| Port | Application/Use | Notes | Communication from |
|---|---|---|---|
| 5985 | WinRM | Role instance management | Controller (CN) |
| 5986 | WinRM | Role instance management | Controller (CN) |
| 8173 | Web Farm Framework (WFF) Agent | Used for role instance management | Controller (CN) |
External listening endpoints
| Port | Application/Use |
|---|---|
| 443 | HTTPS - REST API |
Internal outbound communication
| Port | Application/Use | Notes | Communication to |
|---|---|---|---|
| 445 | SMB | Site creation | File Server (FS) |
| 1233 | Certificate Sync Service | Role instance management | FrontEnd (FE) |
| 1433 | SQL | Configuration requests and updates | Databse Server (DB) |
FrontEnd (FE)
The FrontEnd role is the web-accessible endpoint for websites. Its primary purpose is to route the request to the appropriate worker holding the website.
Internal listening endpoints (within Windows Azure Pack: Web Sites deployment)
| Port | Application/Use | Notes | Communication from |
|---|---|---|---|
| 1232 | Credential Cache Flush | WebDeploy and Git Credential updates | Management (MN) |
| 1233 | Certificate Sync Service | Synchronizes certificates across FE roles | Management (MN) |
| 5985 | WinRM | Role instance management | Controller (CN) |
| 5986 | WinRM | Role instance management | Controller (CN) |
| 8173 | Web Farm Framework (WFF) Agent | Used for role instance management | Controller (CN) |
External listening endpoints
| Port | Application/Use | Notes |
|---|---|---|
| 80 | HTTP | HTTP traffic for Web Sites |
| 443 | HTTPS | HTTPS traffic for Web Sites |
| Customer defined port range for VIPs | HTTPS | Optional HTTPS traffic for Web Sites |
Internal outbound communication
| Port | Application/Use | Notes | Communication to |
|---|---|---|---|
| 80 | HTTP | HTTP traffic for Web Sites | Worker (WW) |
| 1433 | SQL | Configuraiton requests and updates | Database Server (DB) |
Publisher (PB)
The Publisher handles customer publication of web sites by protocols such as FTP.
Internal listening endpoints (within Windows Azure Pack: Web Sites deployment)
| Port | Application/Use | Notes | Communication from |
|---|---|---|---|
| 1230 | Credential Cache Flush | FTP credential updates | Management (MN) |
| 1231 | Certificate Sync Service | WebDeploy and Git credential updates | Management (MN) |
| 5985 | WinRM | Role instance management | Controller (CN) |
| 5986 | WinRM | Role instance management | Controller (CN) |
| 8173 | Web Farm Framework (WFF) Agent | Used for role instance management | Controller (CN) |
External listening endpoints
| Port | Application/Use | Notes |
|---|---|---|
| 21 | FTP | FTP control channel |
| 443 | HTTPS | HTTPS traffic for WebDeploy publishing |
| 990 | Implicit FTPS | FTP control channel |
| Ephemeral range for FTP | FTP data connections | FTP control channel |
Internal outbound communication
| Port | Application/Use | Notes | Communication to |
|---|---|---|---|
| 445 | SMB | Site deployment | File Server (FS) |
| 1433 | SQL | Deployment, modifications | Databse Server (DB) |
| 3306 (optional) | MySQL | Deployment, modifications | Database Server (DB) |
Worker (WW)
The Worker (Web Worker) role is responsible for running the web sites themselves. A Web Worker can be deployed as a multitenant system that is capable of supporting multiple customers simultaneously, or it can be reserved for one tenant.
Internal listening endpoints (within Windows Azure Pack: Web Sites deployment)
| Port | Application/Use | Notes | Communication from |
|---|---|---|---|
| 80 | HTTP | HTTP traffic | FrontEnd (FE) |
| 80 | HTTP | Worker management to propagate Database Connection strings | FrontEnd (FE) |
| 5985 | WinRM | Role instance management | Controller (CN) |
| 5986 | WinRM | Role instance management | Controller (CN) |
| 8173 | Web Farm Framework (WFF) Agent | Used for role instance management | Controller (CN) |
Internal outbound communication
| Port | Application/Use | Notes | Communication to |
|---|---|---|---|
| 445 | SMB | Site runtime | File Server (FS), Database Server (DB) |
| 1433 | SQL | Site runtime | Databse Server (DB) |
| 3306 (optional) | MySQL | My runtime | Database Server (DB) |
File Server
Internal listening endpoints (within Windows Azure Pack: Web Sites deployment)
| Port | Application/Use | Notes | Communication from |
|---|---|---|---|
| 445 | SMB | Controller (CN), Management (MN), Publisher (PB), Worker (WW) | |
| 5985 | WinRM | Role instance management (optional for standalone FS) | Controller (CN) |
| 5986 | WinRM | Role instance management (optional for standalone FS) | Controller (CN) |
| 8173 | Web Farm Framework (WFF) Agent | Used for role instance management (optional for standalone FS) | Controller (CN) |
Database
The following list of ports used is based on the installation of a standalone database server using SQLEXPRESS that had no outbound connections. A MySQL database instance will have connections if the web sites being serviced require MySQL.
Internal listening endpoints (within Windows Azure Pack: Web Sites deployment)
| Port | Application/Use | Notes | Communication from |
|---|---|---|---|
| 1433 | TDS (SQL) | Management (MN), FrontEnd (FE), Publisher (PB), Worker (WW) | |
| 3306 | MySQL | Optional dependent on deployment | Publisher (PB), Worker (WW) |