# 07 - Private Network Port Matrix

This file defines the ports that must be open inside the Hetzner private network in the test and prod environments. The only ports open to the public internet will be `22/tcp`, `80/tcp` and `443/tcp`. Vault `8200/tcp` will not be opened publicly. This matrix should be treated as the source of truth for the Terraform Hetzner firewall and the Ansible UFW rules.

## Network Plan

### Test

| Subnet | CIDR | Purpose |
| --- | --- | --- |
| App/Swarm | `10.10.10.0/24` | `iklim-app-01` |
| DB | `10.10.20.0/24` | `test-db-01` |

### Prod

| Subnet | CIDR | Purpose |
| --- | --- | --- |
| App/Swarm | `10.20.10.0/24` | `iklim-app-01/02/03` |
| DB | `10.20.20.0/24` | `prod-db-01/02/03` |

## Public Ingress Standard

Public ingress for all environments:

| Port | Protocol | Source | Destination | Requirement |
| --- | --- | --- | --- | --- |
| `22` | TCP | Admin IP/CIDR | All nodes | SSH administration |
| `80` | TCP | Internet | Gateway entrypoint | HTTP / ACME redirect |
| `443` | TCP | Internet | Gateway entrypoint | HTTPS |

Critical ports that will not be opened publicly:

| Port | Service |
| --- | --- |
| `8200/tcp` | Vault |
| `5432/tcp` | PostgreSQL |
| `27017/tcp` | MongoDB |
| `6379/tcp` | Redis |
| `5672/tcp`, `15672/tcp`, `61613/tcp`, `15674/tcp` | RabbitMQ |
| `2377/tcp`, `7946/tcp`, `7946/udp`, `4789/udp` | Docker Swarm |
| `9180/tcp` | APISIX Admin API |
| `9090/tcp` | Prometheus |
| `3000/tcp` | Grafana |

## Docker Swarm Private Ports

Ports required between Docker Swarm nodes:

| Port | Protocol | Source | Destination | Description |
| --- | --- | --- | --- | --- |
| `2377` | TCP | Swarm nodes | Swarm manager nodes | Swarm control plane / join |
| `7946` | TCP | All Swarm nodes | All Swarm nodes | Node discovery / gossip |
| `7946` | UDP | All Swarm nodes | All Swarm nodes | Node discovery / gossip |
| `4789` | UDP | All Swarm nodes | All Swarm nodes | Overlay VXLAN data path |

In test these ports are in practice only needed for a single Swarm node, but they can still be defined within the app subnet to make adding workers later easier. In prod these ports must be open between all `iklim-app-*` nodes within the `10.20.10.0/24` app/swarm subnet.

Source: Docker overlay network documentation, https://docs.docker.com/engine/network/drivers/overlay/

## Application and Infra Service Private Ports

These ports will not be opened publicly. Access will be allowed only from the required sources within the private network or the Docker overlay.

| Port | Protocol | Service | Source | Destination | Note |
| --- | --- | --- | --- | --- | --- |
| `8200` | TCP | Vault API/UI | Swarm app nodes / runner | Vault service/node | Public closed. Runtime services must reach Vault over the private network/overlay |
| `6379` | TCP | Redis | Swarm app nodes | Redis service/node | Public closed |
| `5672` | TCP | RabbitMQ AMQP | Swarm app nodes | RabbitMQ service/node | Public closed |
| `15672` | TCP | RabbitMQ Management | Admin CIDR or private ops | RabbitMQ service/node | Public closed; preferably VPN/bastion |
| `61613` | TCP | RabbitMQ STOMP | Required app nodes | RabbitMQ service/node | Public closed |
| `15674` | TCP | RabbitMQ Web STOMP | Required app/gateway nodes | RabbitMQ service/node | Public closed |
| `2379` | TCP | etcd client | APISIX service/node | etcd service/node | Public closed |
| `2380` | TCP | etcd peer | etcd cluster nodes | etcd cluster nodes | May not be needed with a single replica; required once clustered |
| `9180` | TCP | APISIX Admin API | Admin CIDR or private ops | APISIX service/node | Public closed |
| `9090` | TCP | Prometheus UI/API | Admin CIDR or private ops | Prometheus service/node | Public closed |
| `3000` | TCP | Grafana UI | Admin CIDR or private ops | Grafana service/node | Public closed |

The current `docker-stack-infra.yml` may publish some services in host mode. Even if the Hetzner firewall closes public ingress, this table decides the private ingress.
## DB Node Ports

Since the DB infrastructure will be set up manually, the exact cluster technology is outside the scope of this document. The default ports for the firewall are nevertheless listed below.

### PostgreSQL / PostGIS (Patroni + etcd)

The prod environment uses PostgreSQL managed by Patroni + etcd. The test environment has a single node, so the replication and HA ports are not required.

| Port | Protocol | Source | Destination | Note |
| --- | --- | --- | --- | --- |
| `5432` | TCP | App/Swarm subnet | PostgreSQL nodes (Patroni-managed) | Application JDBC; connects to all nodes, the driver finds the primary |
| `5432` | TCP | DB subnet | PostgreSQL nodes | Patroni replication (pg_basebackup and WAL streaming) |
| `8008` | TCP | DB subnet | PostgreSQL nodes | Patroni REST API; leader election, health checks |
| `2379` | TCP | DB subnet | etcd nodes | etcd client; Patroni → etcd access |
| `2380` | TCP | DB subnet | etcd nodes | etcd peer; raft protocol within the etcd cluster |

### MongoDB

| Port | Protocol | Source | Destination | Note |
| --- | --- | --- | --- | --- |
| `27017` | TCP | App/Swarm subnet | MongoDB node / replica set endpoint | Application DB connection |
| `27017` | TCP | DB subnet | MongoDB replica set nodes | Replica set internal traffic |

If sharding is introduced later, additional MongoDB roles such as `27018/27019` may come up; they will not be opened at this stage.

## Test Private Rules

Minimum for the test environment:

| Source | Destination | Ports |
| --- | --- | --- |
| `10.10.10.0/24` | `10.10.10.0/24` | `2377/tcp`, `7946/tcp`, `7946/udp`, `4789/udp` |
| `10.10.10.0/24` | `10.10.20.0/24` | `5432/tcp`, `27017/tcp` |
| `10.10.10.0/24` | `10.10.10.0/24` | `8200/tcp`, `6379/tcp`, `5672/tcp`, `61613/tcp`, `15674/tcp` |
| Admin CIDR or VPN | `10.10.10.0/24` | `15672/tcp`, `9180/tcp`, `9090/tcp`, `3000/tcp` |

Since test has a single DB node, the PostgreSQL/MongoDB replication ports within the DB subnet may not be actively used.
## Prod Private Rules

Minimum for the prod environment (including Patroni + etcd):

App subnet (swarm firewall), traffic within the subnet:

| Source | Destination | Ports |
| --- | --- | --- |
| `10.20.10.0/24` | `10.20.10.0/24` | `2377/tcp`, `7946/tcp`, `7946/udp`, `4789/udp` (Swarm) |
| `10.20.10.0/24` | `10.20.10.0/24` | `8200/tcp`, `6379/tcp`, `5672/tcp`, `61613/tcp`, `15674/tcp`, `2379/tcp` (application services) |
| Admin CIDR or VPN | `10.20.10.0/24` | `15672/tcp`, `9180/tcp`, `9090/tcp`, `3000/tcp` |

App → DB traffic (no corresponding rule in the swarm firewall; allowed in the db firewall):

| Source | Destination | Ports |
| --- | --- | --- |
| `10.20.10.0/24` | `10.20.20.0/24` | `5432/tcp`, `27017/tcp` (DB access) |
| `10.20.10.0/24` | `10.20.20.0/24` | `2377/tcp`, `7946/tcp`, `7946/udp`, `4789/udp` (Swarm; DB worker join) |

DB subnet (db firewall), traffic between DB nodes:

| Source | Destination | Ports |
| --- | --- | --- |
| `10.20.20.0/24` | `10.20.20.0/24` | `5432/tcp`, `27017/tcp` (DB replication) |
| `10.20.20.0/24` | `10.20.20.0/24` | `2379/tcp`, `2380/tcp` (etcd client/peer) |
| `10.20.20.0/24` | `10.20.20.0/24` | `8008/tcp` (Patroni REST API) |

DB → App traffic (allowed in the swarm firewall):

| Source | Destination | Ports |
| --- | --- | --- |
| `10.20.20.0/24` | `10.20.10.0/24` | `2377/tcp`, `7946/tcp`, `7946/udp`, `4789/udp` (Swarm; manager ports) |

## Acceptance Criteria

- The public firewall does not open `8200/tcp`.
- DB ports are not open publicly.
- Swarm ports are open only within the private app/swarm subnet.
- The App/Swarm subnet reaches the DB subnet only on the required DB ports.
- The DB subnet is not opened to the app subnet with broad permissions.
- Admin UI ports are restricted to admin CIDR/VPN/private ops instead of being public.
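As an added example (not the project's own code), the prod rule tables and the acceptance criteria above expressed as a small Python checker: the rule list is transcribed from the tables, `violations()` flags any rule that breaks a criterion, and `ufw_command()` renders the matching UFW line an Ansible task would apply. The admin CIDR `203.0.113.0/24` and the helper names are assumptions.

```python
"""Acceptance checks for the prod port matrix (added example, not project code).
Rules are transcribed from the prod tables above; ADMIN is a placeholder admin
CIDR (RFC 5737 documentation range) and the helper names are assumptions."""
from typing import List, NamedTuple, Tuple
# src/dst are CIDRs ("any" = every node); proto is "tcp" or "udp"
Rule = NamedTuple("Rule", [("src", str), ("dst", str), ("port", int), ("proto", str)])

PUBLIC, ANY = "0.0.0.0/0", "any"
ADMIN = "203.0.113.0/24"                      # placeholder admin CIDR / VPN
APP, DB = "10.20.10.0/24", "10.20.20.0/24"    # prod app/swarm and DB subnets
SWARM = [(2377, "tcp"), (7946, "tcp"), (7946, "udp"), (4789, "udp")]
ADMIN_UI = {15672, 9180, 9090, 3000}          # management UIs: admin CIDR/VPN only

def tcp(*ports: int) -> List[Tuple[int, str]]:
    return [(p, "tcp") for p in ports]
def expand(src: str, dst: str, spec: List[Tuple[int, str]]) -> List[Rule]:
    return [Rule(src, dst, p, proto) for p, proto in spec]

PROD_RULES = (                                # one Rule per port in the prod tables
    expand(PUBLIC, ANY, tcp(80, 443)) + expand(ADMIN, ANY, tcp(22))
    + expand(APP, APP, SWARM + tcp(8200, 6379, 5672, 61613, 15674, 2379))
    + expand(ADMIN, APP, tcp(15672, 9180, 9090, 3000))
    + expand(APP, DB, SWARM + tcp(5432, 27017))
    + expand(DB, DB, tcp(5432, 27017, 2379, 2380, 8008))
    + expand(DB, APP, SWARM)
)

def violations(rules: List[Rule]) -> List[str]:
    """One message per rule that breaks an acceptance criterion from this document."""
    found = []
    for r in rules:
        key = (r.port, r.proto)
        if r.src == PUBLIC and r.port not in (80, 443):   # catches 8200, DB and swarm ports
            found.append(f"public ingress opens {r.port}/{r.proto}")
        elif key in SWARM and (r.src not in (APP, DB) or r.dst not in (APP, DB)):
            found.append(f"swarm port {r.port}/{r.proto} outside private subnets")
        elif r.src == APP and r.dst == DB and key not in SWARM and r.port not in (5432, 27017):
            found.append(f"app -> db opens non-DB port {r.port}/{r.proto}")
        elif r.src == DB and r.dst == APP and key not in SWARM:
            found.append(f"db -> app wider than swarm join: {r.port}/{r.proto}")
        elif r.port in ADMIN_UI and r.src != ADMIN:
            found.append(f"admin UI port {r.port}/{r.proto} reachable from {r.src}")
    return found

def ufw_command(r: Rule) -> str:
    """The ufw line an Ansible task would apply on hosts in the destination subnet."""
    src = "any" if r.src == PUBLIC else r.src
    return f"ufw allow proto {r.proto} from {src} to any port {r.port}"

if __name__ == "__main__":  # prints violations (none for the matrix above), then the DB-host ufw lines
    print(violations(PROD_RULES), *[ufw_command(r) for r in PROD_RULES if r.dst == DB], sep="\n")
```

Run the same checker against a rule list exported from the Terraform or UFW state to confirm the deployed firewall still matches this matrix.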