Reference: Gateway network ports firewall (#442)

cloudjumpercat · lena-larionova · web-flow · commit 171c1ad39feb · 2025-02-14T14:12:20.000-08:00
* Start revising ports page

Signed-off-by: Diana &lt;75819066+cloudjumpercat@users.noreply.github.com&gt;

* Draft default ports table, add to sources.yaml

Signed-off-by: Diana &lt;75819066+cloudjumpercat@users.noreply.github.com&gt;

* Draft overview paragraph

Signed-off-by: Diana &lt;75819066+cloudjumpercat@users.noreply.github.com&gt;

* Add Network landing page stub

Signed-off-by: Diana &lt;75819066+cloudjumpercat@users.noreply.github.com&gt;

* Adjust upstream service wording

Signed-off-by: Diana &lt;75819066+cloudjumpercat@users.noreply.github.com&gt;

* Apply suggestions from code review

Co-authored-by: lena-larionova &lt;54370747+lena-larionova@users.noreply.github.com&gt;

* Change the sections and make new column in table

Signed-off-by: Diana &lt;75819066+cloudjumpercat@users.noreply.github.com&gt;

* Apply suggestions from code review

Co-authored-by: lena-larionova &lt;54370747+lena-larionova@users.noreply.github.com&gt;

* Add description

* Add if_version note

* set min version to 3.4

---------

Signed-off-by: Diana &lt;75819066+cloudjumpercat@users.noreply.github.com&gt;
Co-authored-by: lena-larionova &lt;54370747+lena-larionova@users.noreply.github.com&gt;
diff --git a/app/_landing_pages/gateway/network.yaml b/app/_landing_pages/gateway/network.yaml
@@ -0,0 +1,33 @@
+metadata:
+  title: "{{site.base_gateway}} networking"
+  content_type: landing_page
+  description: Details {{site.base_gateway}} network, ports, and firewall settings and how to manage them.
+  tags:
+    - security
+    - traffic-control
+  breadcrumbs:
+    - /gateway/
+  related_links:
+    - text: "{{site.base_gateway}} ports"
+      url: /gateway/network-ports-firewall/
+
+rows:
+  - header:
+      type: h1
+      text: "{{site.base_gateway}} network"
+    columns:
+      - blocks:
+          - type: structured_text
+            config:
+              blocks:
+                - type: text
+                  text: |
+                    @todo
+
+                    This is a landing page for all things networks, ports, and firewall for probably both Kong Gateway and Konnect
+                    Can have some conceptual info, but mostly be a collection of cards/links to reference pages and how tos
+
+                    Source pages:
+                    * https://docs.konghq.com/gateway/3.9.x/production/networking/dns-considerations/
+                    * https://docs.konghq.com/gateway/3.9.x/production/networking/cp-dp-proxy/
+                    * https://docs.konghq.com/konnect/network/
diff --git a/app/gateway/network-ports-firewall.md b/app/gateway/network-ports-firewall.md
@@ -1,25 +1,64 @@
 ---
-title: Network, ports, and firewall for {{site.base_gateway}}
+title: "{{site.base_gateway}} ports"
 content_type: reference
 layout: reference
 
 products:
     - gateway
 
-description: placeholder
+min_version:
+  gateway: '3.4'
+
+description: Learn which ports {{site.base_gateway}} uses and how to configure them.
 
 related_resources:
   - text: "Secure {{site.base_gateway}}"
     url: /gateway/security/
+  - text: Proxying with {{site.base_gateway}}
+    url: /gateway/traffic-control/proxying/
+  - text: "{{site.base_gateway}} networking"
+    url: /gateway/network/
 ---
 
-@todo
+{{site.base_gateway}} needs port access for two main types of connections: traffic passing through the proxy and managing the {{site.base_gateway}} via the Admin API.
+
+## Proxy ports
+
+In general, the proxy ports are the *only* ports that should be made available to your clients. Upstream services are accessible via the proxy interface and ports, so make sure that these values only grant the access level you require. 
+
+Your proxy will need have rules added for any HTTP/HTTPS and TCP/TLS stream listeners that you configure. For example, if you want {{site.base_gateway}} to manage traffic on port `4242`, your firewall must allow traffic on that port.
+
+The following are the default proxy ports:
+
+| Port | Protocol | `kong.conf` setting | Description | 
+|---------|---------|------------|------------|
+| `8000` | HTTP     | [`proxy_listen`](/gateway/configuration/#proxy_listen) | Takes incoming HTTP traffic from [Consumers](/gateway/entities/consumer/), and forwards it to upstream services. | 
+| `8443` | HTTPS    | [`proxy_listen`](/gateway/configuration/#proxy_listen) | Takes incoming HTTPS traffic from [Consumers](/gateway/entities/consumer/), and forwards it to upstream services. |
+
+You can also proxy TCP/TLS streams, which is disabled by default. If you want to proxy this traffic, see [`stream_listen` in the Kong configuration reference](/gateway/configuration/) for more information about stream proxy listen options and how to enable it.
+
+## Admin API ports
+
+The Admin API is used to manage {{site.base_gateway}}. You should [prevent unauthorized access](/gateway/secure-the-admin-api/) to these ports in production.
+
+The following are the default ports used by the Admin API:
+
+| Port | Protocol | `kong.conf` setting | Description | 
+|---------|---------|------------|------------|
+| `8001` | HTTP     | [`admin_listen`](/gateway/configuration/#admin_listen) | Listens for Admin API calls from the command line over HTTP. | 
+| `8444` | HTTPS    | [`admin_listen`](/gateway/configuration/#admin_listen) | Listens for Admin API calls from the command line over HTTPS. | 
+
+## Other default ports
+
+In addition to the proxy and Admin API ports, {{site.base_gateway}} listens on the following other ports by default:
+
+| Port | Protocol | `kong.conf` setting | Description | 
+|---------|---------|------------|------------|
+| `8002` | HTTP     | [`admin_gui_listen`](/gateway/configuration/#admin_gui_listen) | Kong Manager (GUI). Listens for HTTP traffic. | 
+| `8445` | HTTPS    | [`admin_gui_listen`](/gateway/configuration/#admin_gui_listen) | Kong Manager (GUI). Listens for HTTPS traffic. | 
+| `8005` | TCP     | [`cluster_listen`](/gateway/configuration/#cluster_listen) | Hybrid mode only. Control plane listens for traffic from data plane nodes. | 
+| `8006` | TCP     | [`cluster_telemetry_listen`](/gateway/configuration/#cluster_telemetry_listen) | Hybrid mode only. Control plane listens for Vitals telemetry data from data plane nodes. | 
+| `8007` | HTTP     | [`status_listen`](/gateway/configuration/#status_listen) | Status listener. Listens for calls from monitoring clients over HTTP. | 
 
-I don't know if reference is the correct format. Maybe a landing page with separate reference pages?
+<!-- port 8007 in the table needs to be marked as if_version gte:3.6.x -->
 
-Possible content:
-* https://docs.konghq.com/gateway/3.9.x/production/networking/firewall/
-* https://docs.konghq.com/gateway/3.9.x/production/networking/dns-considerations/
-* https://docs.konghq.com/gateway/3.9.x/production/networking/cp-dp-proxy/
-* https://docs.konghq.com/konnect/network/
-* https://docs.konghq.com/gateway/latest/production/networking/default-ports/
diff --git a/tools/track-docs-changes/config/sources.yml b/tools/track-docs-changes/config/sources.yml
@@ -251,6 +251,9 @@ app/gateway/routing/index.md:
   - app/_src/gateway/key-concepts/routes/index.md
 app/gateway/manage-kong-conf.md:
   - app/_src/gateway/production/kong-conf.md
+app/gateway/network-ports-firewall.md:
+  - app/_src/gateway/production/networking/default-ports.md
+  - app/_src/gateway/production/networking/firewall.md
 
 # traffic control
 app/gateway/traffic-control/proxy.md:
