Network interfaces & ports
Services inside the builder node use a number of ports for communication.
External Ports
Ports open for connections from outside the TDX instance.
Must be public
| Port | Protocol | Service | Use |
|---|---|---|---|
| 5544 | TCP (HTTPS) | orderflow-proxy | Receive orderflow from builder nodes and Flashbots. |
| 9000 | TCP/UDP | Lighthouse | Consensus network peering. |
| 30303 | TCP | Reth | Execution network peering. |
Selective access
| Port | Protocol | Service | Use |
|---|---|---|---|
| 443 | TCP (HTTPS) | HAProxy for orderflow-proxy | Orderflow from operator, users, wallets, etc. |
| 7936 | TCP (HTTPS/aTLS) | cvm-proxy | aTLS attested channel to serve local TLS certificate. |
| 3535 | TCP (HTTP) | system-api | Admin interface for configuration and logs. |
| 14192 | TCP | SSH | SSH access to the instance (disabled by default, toggle through System API action). |
Internal Ports
Ports open to requests from inside the TDX instance only.
| Port | Protocol | Service | Use |
|---|---|---|---|
| 14727 | TCP (HTTP) | orderflow-proxy | Serving GET /cert REST API which is used by cvm-proxy on port 7936. |
| 3443 | TCP (HTTP) | orderflow-proxy | User orderflow, via HAProxy on port 443. |
| 7937 | TCP (HTTP) | cvm-proxy | Proxy for requests to Flashbots infra (BuilderHub) using client-aTLS-attestation. Used to retrieve secrets and configuration, a list of peers, and for services to register their public keys. |
| 8645 | TCP | rbuilder | JSON-RPC API (requests are sent from orderflow-proxy). |
| 6069 | TCP | rbuilder | Prometheus telemetry. |
| 6070 | TCP | rbuilder | Redacted telemetry and health check |
| 6148 | TCP | bidding-service | Used by rbuilder for bidding |
| 3500 | TCP | Lighthouse | REST HTTP API |
| 9001 | TCP | Reth | Metrics, used by local Prometheus |
| 8545 | TCP | Reth | JSON-RPC API (used by rbuilder, orderflow-proxy) |
| 8546 | TCP/WS | Reth | |
| 8551 | TCP | Reth | Engine API (used by Lighthouse) |
| 9100 | TCP | node-exporter | System utilization metrics (cpu load, memory usage, etc) for Prometheus. |
Firewall Configuration
On the firewall, these ports should be opened up for either private or public access:
| Port | Service | Open to | Used for |
|---|---|---|---|
| 5544 | Orderflow Proxy | Public | Receive orderflow from other nodes and Flashbots. |
| 9000 | Lighthouse | Public | Consensus network peering |
| 30303 | Reth | Public | Execution network peering |
| 443 | Orderflow Proxy (via HAProxy) | Operator, optionally for users | Receive orderflow from operator, users, wallets. |
| 7936 | cvm-proxy | Operator, optionally for users | Serve the local TLS certificate through an attested channel (aTLS). |
| 3535 | System Api | Operator | Admin interface |
| 14192 | SSH | Operator | SSH access to the instance |