MySQL Guide to Ports

There could be from one to over ten ports used within your MySQL ecosystem.  It really depends on what you have enabled, which components you are using, how your applications connect, and other characteristics of your environment.

From a security point of view, these ports need to be opened just wide enough to allow the components that should communicate to talk, while blocking anything else trying to hack its way in. The goal is to enforce the security principle of “least privilege”. Obviously, what you should not do is open everything to get things working, only to discover later that you have left yourself entirely exposed and been hacked. Don’t be “That Admin or DBA”.

Of course, how you block and open ports with proper ingress and egress rules depends on your environment, where you have various tools: firewalls, VPNs, operating system capabilities, etc. With some of our installation packages, our goal is to be secure by default while remaining usable, and we will assist, but typically only for the most core ports. For example, the MySQL Windows installer will add rules to the Windows firewall, and the Linux packages add rules to SELinux or AppArmor.

However, for less common, optional, or external product-specific ports, we do not open them up for you in our packages, so you will need to do this yourself in those cases. For SELinux, for example, use a command like:

semanage port -a -t mysqld_port_t -p tcp <port open to mysqld>

Anyway, for this blog the goal is just port awareness, so I wanted to list the ports out to make sure they are known and understood relative to:

  1. What they are
  2. What uses them
  3. When they are used
  4. Is the communication encrypted by default (Yes in most cases)
  5. Limiting access

This reference applies to MySQL 5.7 and 8.0.

Visually it looks something like this. 
This is NOT a full reference – the tables below provide the full reference.

[Image: MySQL Ports Diagram]

Or for all the details see

And a handy MySQL PORT quick reference table

MySQL Ports

| Technology | Default Port | SSL\|Enc Def. | Required |
|---|---|---|---|
| Client - Server Connections (mysql client, connectors, mysqldump, mysqlpump) | | | |
| MySQL Client to Server - MySQL Protocol – 3306 | 3306/tcp | Y | Y unless just using 33060 |
| MySQL Client to Server – New X Protocol – 33060 | 33060/tcp | Y | Y unless just using 3306 |
| MySQL Shell | | | |
| MySQL Client to Server - MySQL Protocol – 3306 | 3306/tcp | Y | Y unless just using 33060 |
| MySQL Client to Server – New X Protocol – 33060 | 33060/tcp | Y | Y unless just using 3306 |
| For checks, from Shell to GR server during InnoDB cluster configuration. | 33061/tcp | Y | Y if running InnoDB Cluster |
| MySQL Workbench | | | |
| MySQL Client to Server - MySQL Protocol – 3306 | 3306/tcp | Y | Optional - pick at least 1 |
| MySQL Client to Server – New X Protocol – 33060 | 33060/tcp | Y | Optional - pick at least 1 |
| Connects via SSH Tunnel | 22/tcp | Y | Optional - pick at least 1 |
| Client - Router Connections | | | |
| MySQL Client Any SQL to Router - MySQL Protocol | 6446/tcp | Inherited | Required if Router provides RW access |
| MySQL Client ReadOnly SQL to Router - MySQL Protocol | 6447/tcp | "" | Required if Router provides ReadOnly access |
| MySQL Router to Server - MySQL Protocol | 3306/tcp | "" | Required |
| MySQL Client Any API calls to Router – New X Protocol – 33060 | 6448/tcp | "" | Required if Router provides RW access |
| MySQL Client ReadOnly Calls to Router – New X Protocol – 33060 | 6449/tcp | "" | Required if Router provides ReadOnly access |
| MySQL Router to Server – New X Protocol – 33060 | 33060/tcp | "" | Required |
| High Availability | | | |
| MySQL Group Replication internal communications port - 33061 | 33061/tcp | Y | Y |
| MySQL Replication | 3306/tcp | Y | Y |
| External Authentication * | | | |
| MySQL Enterprise Authentication - LDAP * | 389/tcp | Y | Only if using External Authentication to LDAP. Also supports use of SASL |
| MySQL Enterprise Authentication - AD * | 389/tcp | Y | Only if using External Authentication to LDAP |
| Key Management (for TDE, Keyring Functions, etc) * | | | |
| KMIP - used with Oracle Key Vault, Gemalto KeySecure, Thales Vormetric key management server, Fornetix Key Orchestration * | Varies, See key manager/vault specific documentation. | Y | Only required if TDE is using a KMIP server |
| Key Services - AWS KMS * | 443/tcp | Y | Only required if TDE is using AWS KMS |
| MEB backup | | | |
| Communicate to Local Instance | 3306/tcp | Y | Optional - can connect with tcp\|socket\|pipe\|memory |
| If Innodb Cluster/Group Replication | 3306/tcp | Y | Required for InnoDB Cluster Backup |
| Oracle Object Store | 443/tcp | Y | Optional |
| AWS S3 | 443/tcp | Y | Optional |
| Backup to Media Manager (SBT API) * | Varies - See backup media manager specific documentation | Vendor dependent | Optional |

Reference to MySQL Ecosystem and Ports
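
One way to check a host against the table above, as an added example (not from the original post or from MySQL's packages): the function reads `ss -H -ltn` output and reports, for each listed MySQL or Router port, whether the listener is bound to a specific address or to every interface. The role labels and the sample input are constructed for illustration.

```bash
#!/usr/bin/env bash
# Added example: flag MySQL-ecosystem listeners bound to every interface.
# Port numbers come from the table on this page; role labels are hypothetical.

# Constructed sample of `ss -H -ltn` output (not captured from a real host).
SAMPLE_SS='LISTEN 0 151 127.0.0.1:3306 0.0.0.0:*
LISTEN 0 70 *:33060 *:*
LISTEN 0 128 0.0.0.0:22 0.0.0.0:*
LISTEN 0 151 10.0.0.5:33061 0.0.0.0:*
LISTEN 0 128 [::]:6446 [::]:*
LISTEN 0 128 0.0.0.0:8080 0.0.0.0:*'

# audit_mysql_listeners: reads `ss -H -ltn` lines on stdin and prints one line
# per MySQL port found: "<port> <role> <bind address> <WILDCARD|scoped>".
audit_mysql_listeners() {
  awk '
    BEGIN {
      role[3306]="mysql-classic"; role[33060]="mysql-x"
      role[33061]="group-replication"
      role[6446]="router-rw";   role[6447]="router-ro"
      role[6448]="router-x-rw"; role[6449]="router-x-ro"
    }
    $1 == "LISTEN" {
      local_addr = $4
      n = match(local_addr, /:[0-9]+$/)   # last ":port", safe for [::]:6446
      if (n == 0) next
      port = substr(local_addr, n + 1)
      bind = substr(local_addr, 1, n - 1)
      if (!(port in role)) next           # not a port from the table
      wide = (bind == "*" || bind == "0.0.0.0" || bind == "[::]") ? "WILDCARD" : "scoped"
      print port, role[port], bind, wide
    }'
}

# count_wildcard: number of MySQL listeners reachable on every interface.
count_wildcard() { audit_mysql_listeners | grep -c 'WILDCARD$' || true; }

printf '%s\n' "$SAMPLE_SS" | audit_mysql_listeners
# On a live host: ss -H -ltn | audit_mysql_listeners
```

A WILDCARD line is not automatically a problem, but it means the only thing limiting access to that port is the firewall or security-group rule in front of it.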

So that’s my reference to MySQL Ports. I certainly hope it’s of value.

Thank you for using MySQL !
