Prerequisites

Network Requirements

This section describes the ports that must be open on each NextGen Gateways node. These open ports allow communication between managed resources, the NextGen Gateways, and the OpsRamp cloud.

1. Enable Communication (Mandatory)

You must refer to the Whitelisted IP document and ensure all required IPs are enabled to secure and uninterrupted communication between the OpsRamp Gateway and OpsRamp SaaS.

2. Inbound Connectivity

Name	Description	Protocol	Port
SSH	To access NextGen Gateways and agent consoles on the node from OpsRamp cloud.	TCP	22
Agents	(Optional). Accept connections from agents if agents are configured to connect to the OpsRamp cloud using the NextGen Gateways embedded squid proxy.	TCP	3128
SNMP Traps	SNMP traps from managed devices are sent to the NextGen Gateway IP address—typically the node IP in single-node deployments. In High Availability (HA) setups, use the Load Balancer IP address instead.	UDP	162
Syslog messages	Syslog messages from managed devices are sent to the NextGen Gateway IP address—typically the node IP in single-node deployments. In High Availability (HA) setups, use the Load Balancer IP address instead.	TCP/UDP	514

Understanding on SNMP Traps, Syslogs, and Squid Proxy Inbound IP Addresses

The inbound IP address for services such as SNMP traps, Syslogs, and the Squid proxy depends on the deployment architecture of the Nextgen Gateway and the underlying infrastructure setup:

1. OpsRamp-Provided ISO/OVA Deployments

Single-node cluster (default setup):
- All inbound traffic for SNMP traps, Syslogs, and the Squid proxy listens directly on the node’s IP address.
Multi-node cluster:
- A dedicated load balancer IP address is automatically allocated:
  - One shared IP for SNMP traps and Syslogs
  - A separate IP for the Squid proxy

This ensures traffic is properly routed to the respective services across the cluster.

2. Custom or Bring-Your-Own Kubernetes (BYOK) Clusters

If you are using your own Kubernetes cluster instead of the OpsRamp-provided ISO/OVA:

The inbound IP allocation depends entirely on how you’ve configured the Kubernetes Services, particularly:
- Whether you’re using LoadBalancer, NodePort, or Ingress resources.
- How your external load balancer (e.g., MetalLB, cloud-native LB) is set up to route traffic.

3. Managed Kubernetes Clusters (e.g., EKS, AKS, GKE)

In managed Kubernetes environments:

The Service type LoadBalancer is typically used for SNMP, Syslogs, and Squid proxy services
IP addresses are automatically provisioned by the cloud provider’s load balancer infrastructure
The actual public or private IP address depends on:
- The Kubernetes Service configuration
- The networking mode (e.g., VPC-native, public vs private subnet)
- Any internal or external LoadBalancerClass defined in your cloud setup

⚠️ It is essential to ensure firewall and security group rules allow ingress on the expected ports for SNMP Traps (usually UDP 162), Syslogs (UDP/TCP 514), and Squid (default HTTP 3128) depending on your use case.

3. Outbound Connectivity

Name	Description	Protocol	Port
vProbe	Connect to the OpsRamp cloud platform using the public IP addresses.	TCP	443
DNS	To resolve address *.api.opsramp.com.	TCP	53
NTP	Network time protocol is used for clock synchronization using the public IP addresses.	UDP	123

Understanding on Outbound Traffic from the NextGen Gateway

Outbound traffic from the Nextgen Gateway refers to all communication initiated by the gateway toward customer-managed infrastructure and devices. This includes - but is not limited to:

Discovery of network devices, servers, and applications
Monitoring data collection (e.g., SNMP polling, WMI queries, API calls, etc.)
Performance metric collection and status polling

Essentially, this is how the gateway reaches out to pull data from customer-managed assets.

IP Behavior in Multi-Node Cluster

In a multi-node Kubernetes cluster, the gateway pod (which performs discovery and monitoring) is scheduled dynamically across available nodes. This has direct implications for outbound traffic:

Outbound traffic from the gateway will originate from the node’s IP where the gateway pod is currently running.
In case of:
- Pod restart
- Node failure
- Cluster rescheduling

The gateway pod may move to a different node, changing the source IP for outbound connections.

OpsRamp Recommendation

To ensure uninterrupted data collection and monitoring:
OpsRamp strongly recommends whitelisting all node IP addresses in the Kubernetes cluster within the customer’s:

Perimeter firewall
Internal firewalls (if any)
End device access control lists (ACLs), security groups, etc.

This ensures that regardless of where the gateway pod is scheduled, it can consistently initiate outbound connections to customer infrastructure without being blocked.

Additional Considerations

In cloud-based or managed Kubernetes clusters, source IP behavior may depend on:
- Network plugins (e.g., Calico, Cilium, AWS VPC CNI)
- Whether NAT gateways, egress proxies, or egress load balancers are in use
If outbound NAT or proxying is in place, you may need to:
- Whitelist the egress IP or NAT gateway IP instead of each node
- Ensure source IP preservation if devices enforce strict ACLs
For environments with network segmentation or zero trust, ensure:
- Routing and firewall rules allow each node to access the required device subnets and ports
- DNS resolution is functional from all nodes (if hostname-based targets are used)

Summary

Deployment Type	Outbound Traffic Source	Whitelisting Required
Single Node Cluster	Node IP (static)	Whitelist the node IP
Multi-Node Cluster	Any Node IP in the cluster	Whitelist all node IPs
Managed K8s (EKS, GKE, AKS)	Depends on CNI and NAT setup	Whitelist NAT IP / All worker node IPs

Inbound Rules for k3 Nodes

Note

If you are using the OpsRamp-provided ISO/OVA, ensure the following ports are whitelisted. If you are not using ISO/OVA, you can ignore this section.

Protocol	Port	Source	Destination	Description
TCP	2379-2380	All nodes	All nodes	Required only for high availability (HA) deployments using embedded etcd.
TCP	6443	All nodes	All nodes	K3s supervisor and Kubernetes API server.
UDP	8472	All nodes	All nodes	Required only for Flannel VXLAN networking.
TCP	10250	All nodes	All nodes	Kubelet metrics collection and monitoring.

Server Requirements

This section describes the hardware requirements to monitor the resources as per different capacity categories.

Capacity (Node-Level Configuration)

Number of Managed Resources	Required Rerver Capacity
Up to 100 resources	4 CPU cores, 8 GB RAM / 60 GB Disk / 1 NIC
Up to 500 resources	8 CPU cores, 16 GB RAM / 60 GB Disk / 1 NIC
Greater than 500 resources at a single site	Deploy multiple Gateways

Note

Capacity values are approximate and can vary depending on various factors, such as template frequency, resource type, network protocol, and the type of metrics.

Default Memory Limits for OpsRamp Containers

By default, if you do not customize memory limits during deployment, the OpsRamp Bootstrap Tool applies predefined memory limits to each container, regardless of the actual resource capacity of the host node. These default limits are:

vProbe: 4 GB
Postgres: 1 GB
Native Bridge: 500 MB
Squid: 500 MB

These defaults are designed to ensure baseline performance and stability but may need adjustment depending on your environment and available resources. If you wish to customize memory limits during the registration process, please refer to the Registering NextGen Gateway Document.

Container Memory Allocation Guidelines

Allocated Node RAM	vprobe	Postgres	Nativebridge	Squid	Redis + OS + Other System Overhead
8 GB	4 GB	1 GB	500 MB	500 MB	~2 GB
16 GB	8–10 GB	2 GB	1 GB	1 GB	~2–4 GB

Tip

When 16 GB RAM is available, vprobe can be allocated 8 to 10 GB depending on workload and Redis/system overhead.
The remaining memory after allocating to main containers is reserved for:
- Redis POD
- OS-level services
- Logging agents and auxiliary pods

Additional Considerations

If Synthetics or Network Performance Monitoring (NPM) is enabled on this gateway, additional resources should be provisioned based on the specific requirements of those features.