Port Ranges
Each Docker-backed service allocates host ports from a configurable range. When a resource is created (e.g., an RDS instance or a load balancer), Simfra assigns the next available port from the service's range.
Default Port Allocation
| Service | Environment Variable | Default Range | Ports | Purpose |
|---|---|---|---|---|
| DNS (Route53) | SIMFRA_DNS_PORT_RANGE | 10000-10099 | 100 | DNS server containers (UDP/TCP 53 mapped to host) |
| SES SMTP | SIMFRA_SMTP_PORT_RANGE | 10100-10199 | 100 | SMTP server containers for email sending |
| ELBv2 | SIMFRA_ELBV2_PORT_RANGE | 10200-10299 | 100 | Load balancer listener ports |
| API Gateway | SIMFRA_APIGW_PORT_RANGE | 10300-10399 | 100 | HTTP API and REST API endpoints |
| RDS | SIMFRA_RDS_PORT_RANGE | 10400-10499 | 100 | Database server ports (MySQL 3306, PostgreSQL 5432 mapped to host) |
| RDS Proxy | SIMFRA_RDS_PROXY_PORT_RANGE | 10500-10599 | 100 | Connection pooling proxy ports |
| EFS | SIMFRA_EFS_PORT_RANGE | 10600-10699 | 100 | NFS mount target ports |
| Cognito Hosted UI | SIMFRA_COGNITO_AUTH_PORT_RANGE | 10700-10799 | 100 | OAuth2/OIDC login page endpoints |
| CloudFront | SIMFRA_CLOUDFRONT_PORT_RANGE | 10800-10899 | 100 | CDN distribution endpoints |
| ElastiCache | SIMFRA_ELASTICACHE_PORT_RANGE | 10900-10999 | 100 | Redis/Valkey/Memcached server ports |
| Redshift | SIMFRA_REDSHIFT_PORT_RANGE | 11000-11099 | 100 | Redshift cluster endpoints |
| Glue | SIMFRA_GLUE_PORT_RANGE | 11100-11199 | 100 | Glue job execution containers |
| Amazon MQ | SIMFRA_MQ_PORT_RANGE | 11200-11299 | 100 | ActiveMQ/RabbitMQ broker ports |
| MSK (Kafka) | SIMFRA_KAFKA_PORT_RANGE | 11300-11399 | 100 | Kafka broker ports |
| OpenSearch | SIMFRA_OPENSEARCH_PORT_RANGE | 11400-11499 | 100 | OpenSearch REST API ports |
| Directory Service | SIMFRA_DS_PORT_RANGE | 11500-11599 | 100 | Samba AD/LDAP ports |
| DSQL | SIMFRA_DSQL_PORT_RANGE | 11600-11699 | 100 | DSQL PostgreSQL-compatible endpoints |
| CodeCommit | SIMFRA_CODECOMMIT_PORT_RANGE | 11700-11799 | 100 | Git SSH/HTTPS server ports |
| Port Forwarding | SIMFRA_PORT_FORWARD_PORT_RANGE | 11800-11899 | 100 | SSM Session Manager port forwarding |
Total default range: 10000-11899 (1900 ports)
Customizing Ranges
Set any port range environment variable to START-END:
```bash
# Move RDS to a higher range with more capacity
export SIMFRA_RDS_PORT_RANGE=20000-20499
# Give ELBv2 more ports for many load balancers
export SIMFRA_ELBV2_PORT_RANGE=30000-30999
```
Random Port Allocation
Set a range to 0 to let the OS assign random available ports:
```bash
export SIMFRA_RDS_PORT_RANGE=0
```
This avoids conflicts but makes ports unpredictable. Assigned ports are returned in API responses (e.g., the RDS instance endpoint).
Finding Assigned Ports
From API Responses
Most services include the assigned port in their API response:
- RDS: `Endpoint.Port` in DescribeDBInstances
- ElastiCache: `CacheNodes[].Endpoint.Port` in DescribeCacheClusters
- ELBv2: `DNSName` resolves to the host with the assigned port
- Redshift: `Endpoint.Port` in DescribeClusters
From Docker
List Simfra-managed containers and their port mappings:
```bash
docker ps --filter "label=simfra.managed=true" --format "table {{.Names}}\t{{.Ports}}"
```
VPC Isolation and Ports
When SIMFRA_VPC_ISOLATION=true (the default with Docker enabled), port publishing depends on resource visibility:
- Public resources (internet-facing LBs, publicly accessible RDS): Ports are published to the host from the configured range
- Private resources (internal LBs, private RDS, private subnets): No host ports are published. These are only reachable from other containers on the same VPC Docker network
This means private resources do not consume ports from the configured ranges.
Capacity Planning
Each range provides 100 ports by default, supporting up to 100 concurrent resources of that type. If you need more:
```bash
# Support up to 500 RDS instances
export SIMFRA_RDS_PORT_RANGE=10400-10899
```
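Ensure ranges do not overlap with each other or with other services on the host. The 10400-10899 range above, for example, covers the default RDS Proxy, EFS, Cognito Hosted UI and CloudFront ranges (10500-10899), so move those ranges as well when you use it.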
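
A pre-flight check for the overlap rule above, as an added example that is not part of Simfra: the function names are hypothetical, and the variable names and default ranges are copied from the table on this page. It compares Simfra's ranges with each other only, not with other services listening on the host.

```bash
# Added example, not part of Simfra. Names and default ranges are copied from
# the table on this page; the function names are hypothetical.
SIMFRA_DEFAULTS="DNS=10000-10099 SMTP=10100-10199 ELBV2=10200-10299
APIGW=10300-10399 RDS=10400-10499 RDS_PROXY=10500-10599 EFS=10600-10699
COGNITO_AUTH=10700-10799 CLOUDFRONT=10800-10899 ELASTICACHE=10900-10999
REDSHIFT=11000-11099 GLUE=11100-11199 MQ=11200-11299 KAFKA=11300-11399
OPENSEARCH=11400-11499 DS=11500-11599 DSQL=11600-11699
CODECOMMIT=11700-11799 PORT_FORWARD=11800-11899"

# Print "NAME RANGE" per service, preferring SIMFRA_<NAME>_PORT_RANGE from the
# environment over the default. Ranges set to 0 (random ports) are skipped.
effective_ranges() {
  for entry in $SIMFRA_DEFAULTS; do
    name=${entry%%=*}
    # Only the fixed name is interpolated into eval; the value is never re-parsed.
    eval "val=\${SIMFRA_${name}_PORT_RANGE:-${entry#*=}}"
    [ "$val" = 0 ] || echo "$name $val"
  done
}

# Exit 0 if every range is a valid START-END and none overlap, 1 otherwise.
# Sweep in START order, remembering the highest END seen so far.
check_port_ranges() {
  effective_ranges | sort -k2,2n | awk '
    $2 !~ /^[0-9]+-[0-9]+$/ { print "invalid: " $1 "=" $2; bad = 1; next }
    { split($2, p, "-"); lo = p[1] + 0; hi = p[2] + 0 }
    lo < 1 || hi > 65535 || lo > hi { print "invalid: " $1 "=" $2; bad = 1; next }
    seen && lo <= max_hi { print "overlap: " owner " and " $1; bad = 1 }
    !seen || hi > max_hi { max_hi = hi; owner = $1; seen = 1 }
    END { exit bad + 0 }'
}
```

Source this in the shell where the overrides are exported and run `check_port_ranges` before starting Simfra; it prints one line per problem and returns a non-zero status if any range is malformed or overlaps another.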