Ports
The concept of a port in Microbus can mean one of two things: a real TCP port, or a virtual emulated port.
Real TCP Ports
Microbus uses actual TCP ports for a few use cases.
The HTTP ingress proxy listens for incoming HTTP requests on one or more TCP ports, by default :8080. A public-facing HTTP ingress proxy in a production setting will most likely be configured to listen on the standard HTTP ports :443 and :80.
Similarly, the SMTP ingress proxy listens on port :25 for incoming SMTP messages.
All microservices connect to the NATS messaging bus, by default on port :4222. Microservices exchange messages with other microservices over this bi-directional multiplexed connection.
Telemetry is pushed via OpenTelemetry to Grafana on ports :4317 (gRPC) or :4318 (HTTP). The UI of Grafana is exposed on port :3000 by default.
Emulated Ports
Microservices communicate with each other using an emulation of the HTTP protocol that includes the concept of ports. Real TCP ports are not opened. Rather, the virtual port number is made part of the bus subject on which microservices listen for messages.
By convention, some of these internal ports have a special purpose.
Port :888 is reserved for the control plane.
Port :666 is reserved for trust-root endpoints - operations whose compromise undermines the framework’s security guarantees, such as minting tokens with arbitrary claims (access.token.core.Mint, bearer.token.core.Mint) or executing shell commands on the host (shell.core.Execute). Endpoints on :666 are unconditionally blocked at the HTTP ingress in every deployment mode, and operators grant publish rights on :666 only to a small, explicitly named set of caller bundles via NATS ACLs. Do not place an endpoint on :666 without confirming it meets the trust-root threshold.
Endpoints defined on port :443 or :80 are typically considered public and exposed by the HTTP ingress proxy to external users.
Port :444 is used by convention for endpoints that should remain internal. Any port not exposed by the ingress proxy would serve the same purpose.
Port :417 is the default port used for events.
An endpoint that subscribes on port :0 receives messages on any port.
Port :428 is the default port used for task endpoints of agentic workflows.
In a PROD deployment, the HTTP ingress proxy blocks inbound requests on ports :1 through :1023, except :80 and :443. Ports :666 and :888 are blocked in all deployments.
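The blocking rules above can be checked against a list of endpoint ports before deployment. The following Go program is an added example, not Microbus source code: it models only the rules stated on this page, assumes the ingress decides on the request port alone, and uses hypothetical endpoint names.

```go
package main

import "fmt"

// ingressBlocks models only the port rules stated on this page
// (added example, not Microbus source). prod is true for a PROD deployment.
func ingressBlocks(port int, prod bool) bool {
	if port == 666 || port == 888 {
		return true // trust-root and control plane: blocked in all deployments
	}
	if prod && port >= 1 && port <= 1023 {
		return port != 80 && port != 443 // low ports blocked in PROD, except these
	}
	return false
}

// reachablePorts lists the request ports from probe that pass the ingress and
// match a subscription on subPort. A subscription on port 0 matches any port.
// Assumption: the ingress decides on the request port alone.
func reachablePorts(subPort int, prod bool, probe []int) []int {
	var open []int
	for _, p := range probe {
		if (subPort == 0 || subPort == p) && !ingressBlocks(p, prod) {
			open = append(open, p)
		}
	}
	return open
}

func main() {
	// Constructed sample; endpoint names are hypothetical.
	endpoints := []struct {
		name string
		port int
	}{
		{"public.example:443/page", 443},
		{"internal.example:444/report", 444},
		{"wildcard.example:0/any", 0},
		{"trustroot.example:666/mint", 666},
		{"highport.example:8443/admin", 8443},
	}
	probe := []int{80, 443, 444, 417, 428, 666, 888, 8443}
	for _, prod := range []bool{true, false} {
		for _, e := range endpoints {
			fmt.Printf("prod=%-5v %-28s reachable on %v\n", prod, e.name, reachablePorts(e.port, prod, probe))
		}
	}
}
```

In this model the :444 endpoint is filtered only when prod is true, while the :0 and :8443 endpoints still pass the port rules in PROD.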