Network Requirements
Understand the network connectivity requirements for all DB Audit deployment modes. This guide covers ports, protocols, firewall rules, and bandwidth planning for SaaS, on-premise, and air-gapped environments.
Deployment Modes Overview
SaaS
Fully managed by DB Audit. Collectors send events to our cloud over HTTPS.
On-Premise
Self-hosted in your data center or private cloud. All components run on your infrastructure.
Air-Gapped
Fully isolated deployment with zero external connectivity. Designed for classified and regulated environments.
SaaS Deployment Network Matrix
In the SaaS deployment model, the collector runs in your environment and sends events to DB Audit Cloud over HTTPS. Only outbound HTTPS (port 443) connectivity is required to the internet.
| Source | Destination | Port | Protocol | Direction | Purpose |
|---|---|---|---|---|---|
| Collector | api.dbaudit.ai | 443 | HTTPS | Outbound | Event streaming |
| Collector | Databases | varies | TCP/TLS | Internal | Audit log collection |
| Users | app.dbaudit.ai | 443 | HTTPS | Outbound | Web interface |
| Collector | DNS | 53 | UDP/TCP | Outbound | Name resolution |
| Collector | NTP | 123 | UDP | Outbound | Time sync |
On-Premise Network Matrix
On-premise deployments keep all traffic internal to your network. No outbound internet access is required for core functionality. Optional external access may be needed for Helm chart repositories and container image updates.
| Source | Destination | Port | Protocol | Direction | Purpose |
|---|---|---|---|---|---|
| Collector | Databases | varies | TCP/TLS | Internal | Audit log collection |
| Collector | MinIO/S3 | 9000 | TCP/TLS | Internal | Audit storage |
| Collector | Redis | 6379 | TCP | Internal | Caching/queuing |
| UI | Collector API | 8080 | TCP/TLS | Internal | Management |
| Users | UI/Ingress | 443 | HTTPS | Inbound | Web interface |
| Prometheus | Collector | 9090 | HTTP | Internal | Metrics |
| Collector | SMTP | 587 | TCP/TLS | Internal | Alert emails |
| Collector | SIEM | varies | TCP/TLS | Internal | Event forwarding |
| Collector | LDAP/AD | 636 | LDAPS | Internal | Authentication |
Optional External Connectivity
On-premise deployments may optionally require outbound access to a Helm chart repository and container registry for pulling updates. These connections can be replaced by manual image imports for stricter environments. See the On-Premise Deployment Guide for details.
Air-Gapped Network Matrix
Air-gapped deployments operate with zero external network connections. All services, including DNS, NTP, and authentication, must be provided internally. This mode is designed for classified, regulated, and high-security environments.
Zero External Connections Required
All connections in the air-gapped deployment are strictly internal. There are no external DNS lookups, no external NTP synchronization, and no license phone-home mechanisms. DB Audit operates fully offline once deployed.
| Source | Destination | Port | Protocol | Direction | Purpose |
|---|---|---|---|---|---|
| Collector | Databases | varies | TCP/TLS | Internal | Audit log collection |
| Collector | MinIO/S3 | 9000 | TCP/TLS | Internal | Audit storage |
| Collector | Redis | 6379 | TCP | Internal | Caching/queuing |
| UI | Collector API | 8080 | TCP/TLS | Internal | Management |
| Users | UI/Ingress | 443 | HTTPS | Inbound | Web interface |
| Prometheus | Collector | 9090 | HTTP | Internal | Metrics |
| Collector | Internal SMTP | 587 | TCP/TLS | Internal | Alert emails |
| Collector | Internal SIEM | varies | TCP/TLS | Internal | Event forwarding |
| Collector | Internal LDAP/AD | 636 | LDAPS | Internal | Authentication |
| Collector | Internal NTP | 123 | UDP | Internal | Time sync |
Internal NTP Required
Deploy a local NTP server (e.g., chrony) for time synchronization across collector nodes.
Offline Updates
Container images and Helm charts are imported via physical media or secure transfer. No registry access needed.
Database Ports Reference
Quick reference for default database ports. The collector connects to these ports to read native audit logs. Always use TLS where supported.
| Database | Default Port | Protocol | TLS Support |
|---|---|---|---|
| PostgreSQL | 5432 | TCP | Yes (ssl) |
| MySQL | 3306 | TCP | Yes (ssl-mode) |
| SQL Server | 1433 | TCP | Yes (encrypt) |
| MongoDB | 27017 | TCP | Yes (tls) |
| Oracle | 1521 | TCP | Yes (TCPS) |
| MariaDB | 3306 | TCP | Yes (ssl) |
| Redis | 6379 | TCP | Yes (TLS) |
| Cassandra | 9042 | TCP | Yes |
| Snowflake | 443 | HTTPS | Always |
| BigQuery | 443 | HTTPS | Always |
These are default ports. Your databases may be configured to use non-standard ports. Check your database configuration and update firewall rules accordingly.
Firewall Rule Templates
Example firewall rules for common configurations. Adapt the IP ranges and ports to match your environment.
iptables - Linux firewall rules
```bash
# Loopback and replies to connections already accepted must pass before the
# final DROP, otherwise the inbound UI and metrics sessions allowed below
# cannot send their responses
iptables -A OUTPUT -o lo -j ACCEPT
iptables -A OUTPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# Allow collector to reach databases
iptables -A OUTPUT -p tcp -d 10.0.1.0/24 --dport 5432 -j ACCEPT
iptables -A OUTPUT -p tcp -d 10.0.1.0/24 --dport 3306 -j ACCEPT
# Allow collector to reach MinIO
iptables -A OUTPUT -p tcp -d 10.0.2.10 --dport 9000 -j ACCEPT
# Allow inbound to UI
iptables -A INPUT -p tcp --dport 443 -j ACCEPT
# Allow metrics scraping
iptables -A INPUT -p tcp -s 10.0.3.0/24 --dport 9090 -j ACCEPT
# Add matching OUTPUT rules for the other internal destinations in the
# air-gapped matrix (Redis 6379, internal NTP 123/udp, SMTP, SIEM, LDAPS)
# before the catch-all below
# Block all other outbound (air-gapped)
iptables -A OUTPUT -j DROP
```
NetworkPolicy - Kubernetes network isolation
```yaml
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: dbaudit-collector
  namespace: dbaudit
spec:
  podSelector:
    matchLabels:
      app: dbaudit-collector
  policyTypes:
    - Ingress
    - Egress
  ingress:
    # Allow Prometheus scraping
    - from:
        - namespaceSelector:
            matchLabels:
              name: monitoring
      ports:
        - port: 9090
          protocol: TCP
    # Allow UI access
    - from:
        - podSelector:
            matchLabels:
              app: dbaudit-ui
      ports:
        - port: 8080
          protocol: TCP
  egress:
    # Allow database connections
    - to:
        - ipBlock:
            cidr: 10.0.1.0/24
      ports:
        - port: 5432
          protocol: TCP
        - port: 3306
          protocol: TCP
    # Allow MinIO
    - to:
        - podSelector:
            matchLabels:
              app: minio
      ports:
        - port: 9000
          protocol: TCP
    # Allow Redis
    - to:
        - podSelector:
            matchLabels:
              app: redis
      ports:
        - port: 6379
          protocol: TCP
    # Allow DNS (an empty "to" matches any destination on port 53;
    # narrow it to the cluster DNS pods in stricter environments)
    - to: []
      ports:
        - port: 53
          protocol: UDP
        - port: 53
          protocol: TCP
```
For a comprehensive set of network policies including egress restrictions and namespace isolation, see the Security Hardening Guide.
Bandwidth Estimation
Plan your network capacity based on expected audit event volume. Each audit event averages approximately 1 KB in size before compression.
| Event Rate | Bandwidth (uncompressed) | Daily Volume (uncompressed) |
|---|---|---|
| 100 events/sec | ~100 KB/s | ~8.6 GB/day |
| 1,000 events/sec | ~1 MB/s | ~86 GB/day |
| 10,000 events/sec | ~10 MB/s | ~860 GB/day |
| 50,000 events/sec | ~50 MB/s | ~4.3 TB/day |
Compression
DB Audit compresses events in transit, reducing bandwidth by approximately 70%. Actual savings depend on event content.
Local Buffering
The collector buffers events locally during network interruptions. Events are synced automatically when connectivity resumes, ensuring zero data loss.
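The bandwidth table, the compression figure and the local buffer fit together into one sizing calculation. The following calculator is an added example, not DB Audit's own tooling: it uses the page's figures (about 1 KB per event uncompressed, roughly 70% reduction in transit, decimal units as in the table) and adds one labelled assumption of its own, that the local buffer stores events uncompressed, so the buffer disk is sized at the uncompressed rate, which is the conservative choice when planning for an outage window.

```python
"""Egress bandwidth and local-buffer sizing for a collector (added example,
not DB Audit's own tooling). Figures from the page; buffer assumption labelled."""

EVENT_BYTES = 1_000       # ~1 KB per event before compression (from the page)
TRANSIT_SAVINGS = 0.70    # ~70% reduction in transit (from the page)
SECONDS_PER_DAY = 86_400


def plan_capacity(events_per_sec: float, outage_hours: float = 4.0,
                  event_bytes: int = EVENT_BYTES,
                  savings: float = TRANSIT_SAVINGS) -> dict:
    """Bytes per second/day before and after compression, plus the local
    buffer needed to ride out `outage_hours` with no connectivity.
    Assumption: the buffer holds events uncompressed (conservative)."""
    raw_bps = events_per_sec * event_bytes
    wire_bps = raw_bps * (1 - savings)
    return {
        "uncompressed_bytes_per_sec": raw_bps,
        "uncompressed_bytes_per_day": raw_bps * SECONDS_PER_DAY,
        "compressed_bytes_per_sec": wire_bps,
        "compressed_bytes_per_day": wire_bps * SECONDS_PER_DAY,
        "buffer_bytes_for_outage": raw_bps * outage_hours * 3600,
    }


def buffer_hours(events_per_sec: float, disk_bytes: float,
                 event_bytes: int = EVENT_BYTES) -> float:
    """Inverse question: how long a given buffer volume lasts at this rate
    before events would have to be dropped (same uncompressed assumption)."""
    return disk_bytes / (events_per_sec * event_bytes) / 3600


def fmt(n: float) -> str:
    """Decimal SI formatting matching the page's table (KB, MB, GB, TB)."""
    for unit in ("B", "KB", "MB", "GB", "TB"):
        if n < 1000 or unit == "TB":
            return f"{n:,.1f} {unit}"
        n /= 1000


if __name__ == "__main__":
    for rate in (100, 1_000, 10_000, 50_000):
        p = plan_capacity(rate, outage_hours=4)
        print(f"{rate:>6} ev/s  wire {fmt(p['compressed_bytes_per_sec'])}/s  "
              f"raw/day {fmt(p['uncompressed_bytes_per_day'])}  "
              f"4h buffer {fmt(p['buffer_bytes_for_outage'])}")
```

Size the buffer volume for the longest network outage you are prepared to absorb, not the average one: at 10,000 events/sec a four-hour outage needs roughly 144 GB of local disk under the assumption above, and `buffer_hours` tells you how long an existing volume would last.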