
Building a Scaled Sitecore XP Environment: Networking and Port Strategy

When configuring a Sitecore production environment on VMs (on-prem or cloud), it’s critical to define and open only the necessary network ports between the servers to ensure secure and functional communication between the roles (CM, CD, Solr, SQL, Redis, Identity, etc.).

Below is a breakdown of recommended ports that should be opened between VMs in a scaled Sitecore XP 10.x environment:


🔐 Core Port Recommendations

| Source VM | Target VM | Port(s) | Protocol | Purpose |
|---|---|---|---|---|
| CM, CD | SQL Server | 1433 | TCP | Sitecore databases |
| CM, CD | Solr | 8983 | TCP | Content Search indexing/querying |
| CM, CD | Redis | 6379 | TCP | Session state caching |
| CM | Identity Server | 443 | HTTPS | Identity authentication |
| Identity Server | CM | 443 | HTTPS | Post-login redirect |
| CD | CM | 443 | HTTPS | Publishing service (if accessed via CM) |
| Publishing CM | CD | 443 | HTTPS | Publishing targets |
| CM, CD | xConnect | 443 | HTTPS | Tracker and analytics |
| xConnect | SQL Server | 1433 | TCP | xDB Collection & Reference databases |
| CM, CD | Reporting DB | 1433 | TCP | Analytics, reports |
| CM | Marketing Automation | 443 | HTTPS | Automation plans, contacts |
| CM | Email Experience Manager (EXM) | 443 | HTTPS | Campaign sending |
| CM, CD | Content Delivery (internal APIs) | 443 | HTTPS | If CD hosts GraphQL / APIs for FE apps |
| CM | CD | 443 | HTTPS | Publishing target access |
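The allow-list above only helps if it is actually enforced on each VM. The following PowerShell script is an added example (not part of the original post or of any Sitecore tooling) that encodes the core table as inbound Windows Defender Firewall rules and applies the subset relevant to the role a given VM fills. The IP addresses and the `$Roles` / `$InboundRules` layout are assumptions; it also assumes the Reporting database lives on the same SQL Server as the Sitecore databases. Run it in an elevated session on each server with that server's role.

```powershell
# Added example: apply the inbound allow-list from the core port table on one VM
# using Windows Defender Firewall. Addresses are constructed placeholders; replace
# them with the private IPs of your own VMs.

# Role -> private IP addresses of the VMs that fill that role (assumed values)
$Roles = @{
    CM       = @('10.0.1.10')
    CD       = @('10.0.1.20', '10.0.1.21')
    xConnect = @('10.0.2.10')
    Identity = @('10.0.2.20')
}

# Inbound rules per target role, derived from the table above.
# SQL is assumed to host the Sitecore, xDB and Reporting databases on one instance.
$InboundRules = @{
    SQL      = @( @{ Port = 1433; Proto = 'TCP'; From = @('CM', 'CD', 'xConnect'); Why = 'Sitecore, xDB and reporting databases' } )
    Solr     = @( @{ Port = 8983; Proto = 'TCP'; From = @('CM', 'CD');             Why = 'Content Search indexing/querying' } )
    Redis    = @( @{ Port = 6379; Proto = 'TCP'; From = @('CM', 'CD');             Why = 'Session state caching' } )
    Identity = @( @{ Port = 443;  Proto = 'TCP'; From = @('CM');                   Why = 'Identity authentication' } )
    xConnect = @( @{ Port = 443;  Proto = 'TCP'; From = @('CM', 'CD');             Why = 'Tracker and analytics' } )
    CM       = @( @{ Port = 443;  Proto = 'TCP'; From = @('Identity', 'CD');       Why = 'Post-login redirect, publishing service' } )
    CD       = @( @{ Port = 443;  Proto = 'TCP'; From = @('CM');                   Why = 'Publishing target access' } )
}

function Set-SitecoreRoleFirewall {
    param(
        [Parameter(Mandatory)] [string] $TargetRole,   # role of the VM this runs on, e.g. 'SQL'
        [switch] $WhatIf                                # preview without changing anything
    )
    if (-not $InboundRules.ContainsKey($TargetRole)) { throw "Unknown role '$TargetRole'" }
    $group = 'Sitecore XP'

    # Drop rules created by an earlier run of this script so re-runs are idempotent
    Get-NetFirewallRule -Group $group -ErrorAction SilentlyContinue |
        Remove-NetFirewallRule -WhatIf:$WhatIf

    foreach ($rule in $InboundRules[$TargetRole]) {
        # Expand source role names into the concrete addresses allowed to connect
        $remote = @($rule.From | ForEach-Object { $Roles[$_] })
        if ($remote.Count -eq 0) { throw "No source addresses defined for $($rule.From -join ',')" }

        $name = '{0} {1}/{2} from {3}' -f $TargetRole, $rule.Port, $rule.Proto, ($rule.From -join ',')
        New-NetFirewallRule -DisplayName $name -Description $rule.Why -Group $group `
            -Direction Inbound -Action Allow -Enabled True `
            -Protocol $rule.Proto -LocalPort $rule.Port `
            -RemoteAddress $remote -Profile Domain, Private `
            -WhatIf:$WhatIf | Out-Null
    }
}

# Example: preview the rules that would be created on the SQL Server VM
Set-SitecoreRoleFirewall -TargetRole SQL -WhatIf

# Afterwards, from a CM VM, confirm the listener is reachable:
#   Test-NetConnection -ComputerName 10.0.3.5 -Port 1433
# and from a host that is not in the allow-list, confirm that it is not.
```

Because the script only creates rules scoped by `-RemoteAddress`, a VM that is not in `$Roles` gets no access even though the port is open on the target; keep the default inbound action set to Block so that the allow rules are the only way in.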

🧱 Infrastructure-Level Access (Optional)

| Source | Target | Port | Purpose |
|---|---|---|---|
| Admin Workstation | All VMs | 5985/5986 | WinRM / PowerShell remoting |
| DevOps Agent | All VMs | 22 / 445 / 5986 | Deployments via SSH/WinRM |
| CM/CD | SMTP server | 25 / 587 | Sending emails (EXM) |

📌 Frontend & Public Access

| Client (Browser) | Target | Port | Purpose |
|---|---|---|---|
| Public users | CD | 443 | Site access |
| Content authors | CM | 443 | Sitecore admin interface |

🔍 Notes & Best Practices

  • Use host-based firewalls (Windows Defender Firewall or NSGs in Azure) to restrict traffic between servers.

  • Prefer HTTPS for all internal communications when possible.

  • Secure Redis with a password if exposed across machines.

  • Consider using certificates for xConnect, Solr, and Identity (self-signed or domain CA).

  • Avoid opening SQL or Solr to the public internet.
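To check that the last two points hold on a running VM, here is an added audit script (not from the original post) that lists enabled inbound allow rules for the SQL, Solr and Redis ports from the tables above whose remote address scope is `Any`. It only reports and changes nothing; the port-to-service map is the one assumption, taken from the core table.

```powershell
# Added example: find inbound allow rules that expose SQL, Solr or Redis to any
# remote address. Run on each backend VM; output is a table of findings.

# Ports from the core table that must never be open to arbitrary sources
$SensitivePorts = @{ 1433 = 'SQL Server'; 8983 = 'Solr'; 6379 = 'Redis' }

function Find-OverlyOpenRules {
    $findings = @()
    $rules = Get-NetFirewallRule -Direction Inbound -Action Allow -Enabled True
    foreach ($rule in $rules) {
        $portFilter = $rule | Get-NetFirewallPortFilter
        $addrFilter = $rule | Get-NetFirewallAddressFilter

        # A rule scoped to specific remote addresses is fine; only 'Any' is a finding
        if (-not (@($addrFilter.RemoteAddress) -contains 'Any')) { continue }

        # LocalPort may be 'Any', a single port, a list, or a range such as '1000-2000'
        foreach ($p in @($portFilter.LocalPort)) {
            $service = $null
            if ($p -eq 'Any') {
                $service = 'all ports'
            }
            elseif ($p -match '^\d+$' -and $SensitivePorts.ContainsKey([int]$p)) {
                $service = $SensitivePorts[[int]$p]
            }
            elseif ($p -match '^(\d+)-(\d+)$') {
                $lo = [int]$Matches[1]; $hi = [int]$Matches[2]
                $hits = @($SensitivePorts.Keys | Where-Object { $_ -ge $lo -and $_ -le $hi })
                if ($hits.Count -gt 0) {
                    $service = ($hits | ForEach-Object { $SensitivePorts[$_] }) -join ', '
                }
            }
            if ($service) {
                $findings += [pscustomobject]@{
                    Rule      = $rule.DisplayName
                    LocalPort = $p
                    Protocol  = $portFilter.Protocol
                    Service   = $service
                    Profile   = $rule.Profile
                }
            }
        }
    }
    return $findings
}

$open = Find-OverlyOpenRules
if ($open.Count -eq 0) { 'No inbound allow rules expose SQL, Solr or Redis to Any.' }
else { $open | Format-Table -AutoSize }
```

A clean result here does not replace a check at the perimeter: an Azure NSG or on-prem firewall in front of the VM can still publish these ports, so run the equivalent query against that layer as well.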
