A network port is a communications channel between two computers. Each port is generally bound to a specific service on the computer (with some exceptions) which will answer or direct the traffic.
Ports work at Layer 4 of the Open Systems Intercommunication (OSI) model, often called the transport layer. Only these transport layer protocols such as TCP and UDP can determine destination ports for packets, since protocols at other OSI layers aren't port-aware. However, this has little-to-no impact on overall networking as networking protocols and transport protocols are almost always used together.
How do network ports work?
Across applications and the greater internet, certain port numbers (ranging from 0 to 65535) are standardized and reserved for different purposes. And while tens of thousands ports do exist, not all are commonly used. Here are some notable port numbers:
Port 80 – HTTP traffic
Port 443 – Encrypted HTTPS traffic, while supporting services like DNS over HTTPS
Port 53 – Domain Name System (DNS) traffic, powering both DNS lookup and DNS resolution across the internet
Ports 20 and 21 – File Transfer Protocol (FTP) which allows file transfers between clients and servers
Port 22 – Supports Secure Shell (SSH) communications, which is one of multiple tunneling protocols enabling remote logins and file transfers between machines
Port 587 – Replacing port 25 in common use, this supports encrypted SMTP communication (unlike its predecessor).
Port 123 – Supports the Network Time Protocol (NTP), letting computer clocks sync and therefore supporting authentication (and ensuring users wake up on time).
Port 3389 – Supports the Remote Desktop Protocol (RDP), letting users connect remotely to their desktops from other devices.
Ports also introduce security risks. Services can be listening on unexpected ports (for example, a database server that should only be accessible locally can listen everywhere) or approved services can have security issues (like an attacker asking for a configuration file). For this reason, blocking unused ports is often recommended, and many network firewalls can help thwart potential attackers by disabling these entry points.
Load balancers can also be the only servers exposed to the public internet, and thus select which services external users may access (and leverage web application firewalls and similar security layers) to help defeat opportunistic attackers. While misconfigurations can prevent crucial traffic from passing through, a smart blocking strategy can sidestep this issue.
How does HAProxy handle network ports?
The HAProxy configuration contains one or more bind lines which define which IP address and port combinations HAProxy will listen on (along with options such as encryption). From these bind lines HAProxy will inspect the traffic against its configuration, which can be used to send traffic headed to one port to multiple services. HAProxy can even inspect client HTTPS traffic and distribute it amongst different backend pools.
Port management and configuration are central to HAProxy load balancing, as these directly impact the flow of traffic through the load balancer — including log message forwarding. To learn about port specification and binds within HAProxy, check out our frontends documentation.
