Port Matrix
Complete port and protocol requirements for Chatty AI deployment.
User-Facing Ports (Required)
| Port | Protocol | Service | Purpose | Exposed To |
|---|---|---|---|---|
| 443 | HTTPS | Nginx | Main application access | Users |
| 80 | HTTP | Nginx | Redirect to HTTPS | Users |
| 8000 | HTTP | Nginx | Additional service port | Users |
Portainer Edge Agent Ports (If Using Portainer)
| Port | Protocol | Service | Purpose | Direction |
|---|---|---|---|---|
| 443 | HTTPS | Portainer Server | API communication | Outbound to vendor |
| 8000 | WebSocket | Portainer Server | Management tunnel | Outbound to vendor |
Important: The customer must allow outbound traffic to the vendor Portainer Server (e.g., portainer.chatty-ai.ai:443 and :8000).
Internal Container Ports (NOT Exposed)
These ports are internal to the Docker network only:
| Port | Service | Purpose | Exposed |
|---|---|---|---|
| 5432 | PostgreSQL | Database | ❌ Internal only |
| 6333 | Qdrant | Vector database | ❌ Internal only |
| 8080 | Chatty AI | Application | ❌ Via Nginx only |
| 3001 | Chatty AI | WebSocket | ❌ Via Nginx only |
| 9099 | Pipelines | AI pipelines | ❌ Internal only |
| 5678 | n8n | Workflows | ❌ Via Nginx only |
| 5555 | Databases AI | NL to SQL | ❌ Internal only |
| 8080 | Databases Engine | Query engine | ❌ Internal only |
| 8000 | Databases Ibis | Data transform | ❌ Internal only |
| 3000 | Databases UI | Database UI | ❌ Via Nginx only |
External Connectivity (Outbound)
| Destination | Port | Protocol | Purpose | Required |
|---|---|---|---|---|
| LLM Endpoint | 443 | HTTPS | AI model inference | ✅ Yes |
| Portainer Server | 443, 8000 | HTTPS/WS | Management (if Portainer) | ⚠️ If using Portainer |
| LDAP Server | 389/636 | LDAP/LDAPS | Authentication (if configured) | ⚠️ If using LDAP |
| SSO Provider | 443 | HTTPS | Authentication (if configured) | ⚠️ If using SSO |
| DNS Server | 53 | DNS | Name resolution | ✅ Yes |
Firewall Rules Summary
Customer Firewall - Inbound
```
# Allow user access
allow from user_networks to chatty_server port 443 proto tcp
allow from user_networks to chatty_server port 80 proto tcp
allow from user_networks to chatty_server port 8000 proto tcp
# Allow admin SSH (optional, restrict by IP)
allow from admin_ips to chatty_server port 22 proto tcp
```
Customer Firewall - Outbound
```
# Required: LLM endpoint
allow from chatty_server to llm.chatty-ai.ai port 443 proto tcp
# Required if using Portainer
allow from chatty_server to portainer.chatty-ai.ai port 443 proto tcp
allow from chatty_server to portainer.chatty-ai.ai port 8000 proto tcp
# Required: DNS
allow from chatty_server to dns_servers port 53 proto udp
# Optional: LDAP (if configured)
allow from chatty_server to ldap_server port 389 proto tcp
allow from chatty_server to ldap_server port 636 proto tcp
# Optional: SSO (if configured)
allow from chatty_server to sso_provider port 443 proto tcp
```
Security Notes
- Never expose internal ports (PostgreSQL, Qdrant, etc.) directly to the network
- All user traffic goes through the Nginx reverse proxy
- The Portainer Edge Agent needs outbound connectivity only; no inbound management ports are required
- Database ports must remain internal to the Docker network only
- Use VPN for admin SSH access (recommended)
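One way to check a host against this matrix, as an added example that is not part of the Chatty AI documentation: the script audits the output of `docker ps --format '{{.Names}}\t{{.Ports}}'` and reports every host port published outside the user-facing list. The container names, the sample output and the decision to accept loopback-only bindings are assumptions.

```python
import re

# Host ports the matrix lists as user-facing; only Nginx should publish them.
ALLOWED_PUBLISHED = {80, 443, 8000}
PROXY_CONTAINER = "nginx"  # assumption: name of the reverse-proxy container
# Assumption: a binding to loopback is not reachable from the network, so it is accepted.
LOOPBACK = {"127.0.0.1", "::1", "[::1]"}

# One published mapping, e.g. "0.0.0.0:443->443/tcp" or "[::]:8000-8001->8000-8001/tcp".
MAPPING = re.compile(
    r"(?P<host>\S+):(?P<hport>\d+)(?:-(?P<hend>\d+))?->\d+(?:-\d+)?/\w+"
)

def audit(ps_output):
    """Return (container, host_ip, host_port, reason) for each violation."""
    findings = []
    for line in ps_output.strip().splitlines():
        name, _, ports = line.partition("\t")
        for entry in ports.split(","):
            m = MAPPING.search(entry.strip())
            if not m:
                continue  # e.g. "5432/tcp": declared in the image, not published
            if m["host"] in LOOPBACK:
                continue
            first = int(m["hport"])
            last = int(m["hend"] or first)
            for port in range(first, last + 1):
                if name != PROXY_CONTAINER:
                    reason = "published by a container other than the proxy"
                elif port not in ALLOWED_PUBLISHED:
                    reason = "not in the user-facing port list"
                else:
                    continue
                findings.append((name, m["host"], port, reason))
    return findings

# Constructed sample output, not captured from a real deployment.
SAMPLE = "\n".join([
    "nginx\t0.0.0.0:80->80/tcp, 0.0.0.0:443->443/tcp, 0.0.0.0:8000->8000/tcp",
    "postgres\t5432/tcp",
    "qdrant\t0.0.0.0:6333->6333/tcp, 6334/tcp",
    "n8n\t127.0.0.1:5678->5678/tcp",
    "chatty-ai\t[::]:8080->8080/tcp",
])

if __name__ == "__main__":
    for container, host, port, reason in audit(SAMPLE):
        print(f"VIOLATION {container}: {host}:{port} ({reason})")
```

Docker-published ports are inserted into the host's iptables chains ahead of most host firewall front ends, so a mapping flagged here can be reachable even when the inbound rules above do not allow it.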