OTH Public Software

Network

The OTH Software Stack must be able to receive traffic from and send traffic to the Internet as specified in the following tables.

Inbound traffic to the frontend or Kubernetes ingress:

Scope                             | Port | Protocol | Additional info
0.0.0.0/0                         | 80   | TCP      |
0.0.0.0/0                         | 443  | TCP      |
52.30.207.215/32, 52.31.90.17/32  | 22   | TCP      | Optional (see note below)

The OTH technical staff needs this SSH access during OTH-assisted installation, upgrades and debugging. If preferred, it can be replaced with SSH access through a VPN solution of the customer's choice.

Inbound traffic to the application server:

Scope                             | Port | Protocol | Additional info
/32                               | 80   | TCP      | The frontend sends traffic to the Traefik proxy running on the application server.
52.30.207.215/32, 52.31.90.17/32  | 22   | TCP      | Optional (see note below)

The OTH technical staff needs this SSH access during OTH-assisted installation, upgrades and debugging. If preferred, it can be replaced with SSH access through a VPN solution of the customer's choice.

Outbound traffic from the application server or from inside the Kubernetes cluster:

Scope        | Port                       | Protocol | Additional info
0.0.0.0/0    | 443                        | TCP      |
x.x.x.x/32   | 3306                       | TCP      | MariaDB endpoint
x.x.x.x/32   | 5671, 5672, 15761, 15762   | TCP      | RabbitMQ endpoint
x.x.x.x/32   | 9000                       | TCP      | MinIO service, if used in place of S3

x.x.x.x should be replaced with the IP address of the respective endpoint.

Inbound traffic to the storage server, if used:

Scope        | Port                       | Protocol | Additional info
x.x.x.x/32   | 3306                       | TCP      | MariaDB endpoint
x.x.x.x/32   | 5671, 5672, 15761, 15762   | TCP      | RabbitMQ endpoint
x.x.x.x/32   | 9000                       | TCP      | MinIO service, if used in place of S3

x.x.x.x should be replaced with the IP address of the application server(s).

Depending on the features selected for the installation, the following external endpoints must be reachable from the application server:

Outgoing                | Port               | Protocol | Mandatory/Optional | Feature
fcm.googleapis.com      | 443                | HTTPS    | Mandatory          | Android notifications
gateway.push.apple.com  | 2195, 2196, 5223   | TCP      | Mandatory          | iOS notifications
api.twilio.com          | 443                | HTTPS    | Optional           | SMS gateway service
platform.vidyo.io       | 443                | TCP/UDP  | Optional           | Video service

For a more detailed and granular whitelist of the Vidyo service in the network, see https://support.vidyocloud.com/hc/en-us/articles/217700717-VidyoCloud-Firewall-Information-for-Connecting-Clients-Endpoints#VidyoWorks%20PaaS%C2%A0(api.vidyocloud.com)

Further scopes, ports and protocols for outbound traffic may be needed when using external logging facilities and other services, but that is beyond the scope of this manual.
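The inbound and outbound tables for the application server, expressed as a host firewall. This is an added example, not part of the OTH documentation: the OTH staff addresses and the port numbers are taken from the tables above, while FRONTEND_IP and STORAGE_IP are placeholders for the customer's own frontend node and storage server, and the DNS and ICMP rules are assumptions the tables do not list.

```nft
#!/usr/sbin/nft -f
# Added example: nftables ruleset for one OTH application server.
# FRONTEND_IP / STORAGE_IP are placeholders (TEST-NET-1 addresses), not real values.
flush ruleset

define OTH_STAFF   = { 52.30.207.215, 52.31.90.17 }  # OTH technical staff, from the inbound table
define FRONTEND_IP = 192.0.2.10                       # placeholder: frontend / load-balancer node
define STORAGE_IP  = 192.0.2.20                       # placeholder: storage server (MariaDB, RabbitMQ, MinIO)

table inet oth_app {
    chain input {
        type filter hook input priority filter; policy drop;

        iif "lo" accept
        ct state established,related accept
        ct state invalid drop
        meta l4proto { icmp, ipv6-icmp } accept          # assumption: keep path-MTU and diagnostics working

        # Frontend -> Traefik proxy on the application server (inbound table, port 80)
        ip saddr $FRONTEND_IP tcp dport 80 accept

        # Optional: SSH for OTH staff during assisted installation, upgrades and debugging.
        # Each new session is logged so the customer has a record of staff access.
        ip saddr $OTH_STAFF tcp dport 22 ct state new log prefix "oth-ssh-in " accept

        # Everything else is dropped and (rate-limited) logged for detection purposes
        limit rate 5/second log prefix "oth-app-drop-in "
        counter drop
    }

    chain output {
        type filter hook output priority filter; policy drop;

        oif "lo" accept
        ct state established,related accept
        udp dport 53 accept                              # assumption: DNS, needed to resolve the FQDN
        tcp dport 53 accept

        # Outbound HTTPS to the Internet (outbound table: 0.0.0.0/0 443; covers FCM, Twilio, Vidyo, S3)
        tcp dport 443 accept

        # Storage server only: MariaDB 3306, RabbitMQ 5671/5672/15761/15762, MinIO 9000
        ip daddr $STORAGE_IP tcp dport { 3306, 5671, 5672, 15761, 15762, 9000 } accept

        # If iOS notifications or Vidyo are enabled, add their ports from the feature table
        # here in the same way (gateway.push.apple.com 2195, 2196, 5223 TCP; Vidyo TCP/UDP 443).
        limit rate 5/second log prefix "oth-app-drop-out "
        counter drop
    }
}
```

Load with `nft -f <file>` on the application server; the dropped-traffic log prefixes make any connection attempt outside the documented tables visible in the kernel log.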

Domain name, node hostnames and DNS resolution

The application node must be able to resolve the solution's Fully Qualified Domain Name (FQDN) in DNS.

If your solution is reached at https://mytelehealth-solution.com, the application nodes must be able to resolve and reach this endpoint, which should point to the public-facing IP address of the load-balancer node(s).

The application node and database node should likewise be resolvable internally on the nodes; more information on this can be found in the platform operation section of this guide.

Domain name and SSL certificates

The customer must provide its own FQDN and a matching SSL/TLS certificate for the solution. The certificate should be in PEM format.

To create a valid certificate file for use with HAProxy, it must be a single file containing the following, in this order:

server private key, server certificate, CA intermediate certificate, root CA certificate.

Administrative access for OTH technical staff

During installation, upgrades and debugging sessions, the OTH technical staff may need SSH access to the solution to assist the customer. This should be done by SSH from the IP addresses listed above to the load-balancer node; the application nodes and database node should in turn be reachable by SSH from the load-balancer node. SSH to the load-balancer can instead be provided through a VPN solution or an SSH bastion (jump server).