> For the complete documentation index, see [llms.txt](https://mariadb.com/docs/llms.txt). Markdown versions of documentation pages are available by appending `.md` to page URLs; this page is available as [Markdown](https://mariadb.com/docs/tools/mariadb-ai-rag/deployment/network-and-firewall-requirements.md). # Network and Firewall Requirements {% hint style="info" %} It is recommended to run MariaDB AI RAG on an internal, secured network. Direct public exposure of application or database ports is not recommended. {% endhint %} Before deploying MariaDB AI RAG, ensure that your firewall and network rules allow traffic on all required ports. Proper connectivity between the Docker containers, local services, and external AI providers is essential for the system to function correctly. The following table details the necessary ports and their purposes, following the standard MariaDB deployment format.
Service/ComponentPortProtocolTraffic DirectionPurpose
RAG API8000TCPInboundAPI Access: Main REST API endpoint and Swagger UI documentation.
MCP Server8002TCPInboundAI Gateway: Model Context Protocol endpoint for AI agent and IDE interactions.
MariaDB Server3306TCPOutboundDatabase Access: Native port for relational and vector data storage.
Ollama11434TCPOutboundLocal LLM: API endpoint for local language models (active only with the Ollama profile).
External API Providers443HTTPSOutboundAI Services: Requests to configured providers (OpenAI, Gemini, Voyage, Cohere).
MariaDB Licensing443HTTPSOutboundLicense Validation: Required at startup to fetch public keys for license verification.
{% hint style="info" %} All inbound ports listed are TCP. Ensure your firewall rules explicitly allow TCP traffic for the specified ports within the Docker network (`rag-network`) or from authorized external hosts. {% endhint %} ### Summary of Required Firewall Rules For a standard AI RAG 1.1 deployment, ensure the following rules are in place: * Inbound Access: Allow traffic from user workstations or applications to the RAG API on port `8000` and the MCP Server on port `8002`. * Outbound Access: The host must be able to reach `https://*.mariadb.com` and your configured AI provider endpoints (e.g., `https://generativelanguage.googleapis.com`) on port `443`. * Internal Connectivity: If your MariaDB vector database is hosted on a separate machine, ensure the RAG host can communicate with it on port `3306`. --- # Agent Instructions This documentation is published with GitBook. GitBook is the documentation platform designed so that both humans and AI agents can read, navigate, and reason over technical content effectively. Learn more at gitbook.com. ## Querying This Documentation If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question. Perform an HTTP GET request on the current page URL with the `ask` query parameter, and the optional `goal` query parameter: ``` GET https://mariadb.com/docs/tools/mariadb-ai-rag/deployment/network-and-firewall-requirements.md?ask=&goal= ``` `ask` is the immediate question: it should be specific, self-contained, and written in natural language. `goal` is optional and describes the broader end goal you are ultimately trying to accomplish on behalf of the user. GitBook uses it to tailor the answer towards what is most useful for that goal. The response will contain a direct answer to the question and relevant excerpts and sources from the documentation. Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.