Network configuration

This page describes how to configure critical network ports on an Aerospike Database.

Aerospike Database’s network configuration section sets up critical network ports to be used by other nodes, applications, and tools. The following table describes the ports used by Aerospike Database and cross-datacenter replication (XDR).

| Name | Default port | Description |
|---|---|---|
| service | 3000 | Application, tools, and remote XDR use the service port for database operations and cluster state. |
| fabric | 3001 | Intra-cluster communication port. Replica writes, migrations, and other node-to-node communications use the fabric port. |
| mesh heartbeat | 3002 | Heartbeat protocol ports form and maintain the cluster. Only one heartbeat port may be configured. Mesh heartbeat and fabric should run on the same NIC. |
| multicast heartbeat | 9918 | Heartbeat protocol ports are used to form and maintain the cluster. Only one heartbeat port may be configured. |
| admin | 3003 | A dedicated admin port for continuous access by the monitoring stack exporter, as well as emergency access to unresponsive nodes using asadm and asinfo. |

Verify that all application and XDR nodes can reach the service port on all Aerospike nodes, and that each node can communicate over the configured heartbeat and fabric ports.

Configure network sections

The network section of the Aerospike configuration file requires the following sections:

  • service
  • fabric
  • heartbeat
  • admin

To isolate fabric (inter-node replication, migration) and heartbeat from service traffic or XDR traffic, add an address distinct from the service address to the heartbeat and fabric sections.

The service section

The following table describes each configuration item in the service section.

| Configuration item | Description |
|---|---|
| address | Interfaces or IP addresses to bind and listen to. Multiple IP addresses are allowed. |
| access-address | Interfaces or IP addresses to publish for clients, typically clients within the same subnet or datacenter. |
| alternate-access-address | Interfaces or IP addresses to publish for clients that can’t connect to access-address interfaces or IP addresses. If the items specified here are actual interfaces and not mapped over NAT, then the corresponding address configuration must be specified unless address any is set. Clients requiring the alternate-access-address to be returned must request it by specifying useServicesAlternate in their client policy. |
| access-port | When configured, this port is published to the clients. Requires port forwarding to be set up when the value is different than the port. |
| alternate-access-port | When configured and the client specifies useServicesAlternate in the client policy, this port is published to the clients. Requires port forwarding to be set up when the value is different than the port. |

Example 1: Service section configuration

Host with 2 network interfaces, x.x.x.x and y.y.y.y, with x.x.x.x for clients within the same subnet/DC (private IP) and y.y.y.y for clients in a different subnet/DC (public IP). The IP address y.y.y.y is not mapped over NAT:

service {
    address x.x.x.x
    address y.y.y.y
    access-address x.x.x.x
    alternate-access-address y.y.y.y
}

Setting access-address x.x.x.x prevents the y.y.y.y IP from also being broadcast. If access-address is not specified, all IPs specified as address are published or broadcast.

Example 2: Service section configuration

If the y.y.y.y IP is mapped over NAT:

service {
    address x.x.x.x
    access-address x.x.x.x
    alternate-access-address y.y.y.y
}

Or, because address is published by default unless it is overridden through access-address:

service {
    address x.x.x.x
    alternate-access-address y.y.y.y
}

Example 3: Service section configuration

This alternate configuration works in most cases: setting address to any binds to all available interfaces, then publishes the specific access-address and alternate-access-address.

service {
    address any
    access-address x.x.x.x
    alternate-access-address y.y.y.y
}

Fabric section configuration examples

To isolate intra-cluster communication traffic from regular client traffic, specify an address different from the service section for the fabric and heartbeat sections. By default, they are set to any.

fabric {
    address any
    port 3001 # Intra-cluster communication port (migrates, replication, etc).
}

Admin section

The following table describes each configuration item in the optional admin section.

| Configuration item | Description |
|---|---|
| port | Port that is not secured (non-TLS) at which the server listens for admin client connections. |
| address | IP address at which the server listens (binds) for non-secure (non-TLS) admin connections. |
| tls-authenticate-client | false: Only the client authenticates the server. any: Two-way (mutual) authentication, both client and server need to be authenticated. user-defined: Two-way (mutual) authentication along with subject validation. |
| tls-port | TLS-enabled port where the server listens for admin client connections. |
| tls-name | Specifies which TLS parameters to use for the given context TLS connections. |
| tls-address | IP address where the server listens (binds) for secured (TLS) admin connections. |
| disable-localhost | When set to true, the service will not listen on localhost. |

Example configuration:

network {
    admin {
        port 3003
        address any
        tls-port 3004
        tls-name asd_node
        tls-address any
        tls-authenticate-client any
        disable-localhost false
    }
}

You can use the admin port to remove an unresponsive node. See Ejecting an unresponsive node using asadm and the admin port.
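An added example, not part of the Aerospike documentation or tooling: a small Python audit of the network stanza covering the two points made above, whether fabric and heartbeat are bound to an address distinct from the service address, and how the admin listener is exposed. The sample configuration and its 10.0.x.x addresses are constructed, and the three findings are this example's own review policy, not server behaviour.

```python
# Constructed sample: fabric isolated on 10.0.1.5, heartbeat left on "any",
# admin with a non-TLS port on every interface. Addresses are made up.
SAMPLE_CONF = """
network {
    service {
        address 10.0.0.5
    }
    fabric {
        address 10.0.1.5
    }
    heartbeat {
        address any
    }
    admin {
        port 3003
        address any
        tls-authenticate-client false
    }
}
"""

def parse_network(text):
    """Return {section: {item: [values]}} for the sub-sections of network { }."""
    sections, stack = {}, []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop trailing comments
        if line.endswith("{"):
            stack.append(line[:-1].strip())
        elif line == "}" and stack:
            stack.pop()
        elif line and len(stack) == 2 and stack[0] == "network":
            key, _, value = line.partition(" ")
            sections.setdefault(stack[1], {}).setdefault(key, []).append(value.strip())
    return sections

def audit(sections):
    """Compare configured address values only; policy is this example's assumption."""
    findings = []
    service = set(sections.get("service", {}).get("address", ["any"]))
    for name in ("fabric", "heartbeat"):  # the page says these default to any
        addrs = set(sections.get(name, {}).get("address", ["any"]))
        if "any" in addrs or addrs & service:
            findings.append(f"{name}: not bound to an address distinct from service")
    admin = sections.get("admin", {})
    if "port" in admin and "any" in admin.get("address", []):
        findings.append("admin: non-TLS port bound to every interface")
    if admin.get("tls-authenticate-client") == ["false"]:
        findings.append("admin: TLS clients are not authenticated")
    return findings
```

Calling `audit(parse_network(open(path).read()))` on a node's configuration file returns the list of findings, empty when none of the three conditions applies.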
