Why does my port scan show more open ports than expected?

If you perform a port scan on an endpoint for a Code Engine component, the result includes more open network ports than expected.

For incoming connections that use HTTP, the Transport Layer Security (TLS) aspects are managed automatically by Code Engine outside of the application code. In particular, Code Engine uses Cloud Internet Services (CIS) in IBM Cloud, which is based on Cloudflare, as the intrusion prevention system (IPS) for DNS and DDoS protection on Layer 4. In other words, the TCP/IP connection that is established on the IPS is owned and managed by Cloudflare.

Code Engine exposes only ports 443 (HTTPS) and 80 (HTTP) for application endpoints on Layer 3, Layer 4, and Layer 7. As a result, any other ports that are opened by Cloudflare are not used by or routed to the application. If your scanning tool reports open ports other than 443 and 80, then the scanning tool is scanning the Cloudflare IP address and not the Code Engine application endpoint.

To resolve this issue, consider blocking your network traffic on ports other than 80 and 443. For more information, see Cloudflare documentation.

Cloudflare has a large infrastructure and resolves IP addresses depending on the client location to serve traffic worldwide. To learn about IP ranges for Cloudflare, see Cloudflare documentation - IP ranges.
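To triage a scan report along these lines, the following added example (not part of the IBM documentation) checks whether each scanned address falls in an edge IP range and labels each open port accordingly. The ranges, the verdict names, and the sample findings are constructed placeholders; load the real ranges from the Cloudflare IP ranges documentation.

```python
import ipaddress

# Placeholder ranges (RFC 5737 documentation blocks), constructed for this example.
# Replace with the current list published in the Cloudflare IP ranges documentation.
EDGE_RANGES = [ipaddress.ip_network(n) for n in ("198.51.100.0/24", "203.0.113.0/24")]

# The only ports Code Engine exposes for application endpoints.
ROUTED_PORTS = {80, 443}


def in_edge_range(ip):
    """Return True if ip parses and lies inside one of EDGE_RANGES."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False
    return any(addr in net for net in EDGE_RANGES)


def triage(findings):
    """Label each (ip, port) pair from a scan report.

    routed-to-app: edge address, port 80 or 443 (traffic reaches the application)
    edge-only:     edge address, other port (open on the edge, not routed to the app)
    investigate:   address is not in the edge ranges, so the explanation on this
                   page does not cover it and the finding needs a closer look
    """
    verdicts = {}
    for ip, port in findings:
        if not in_edge_range(ip):
            verdicts[(ip, port)] = "investigate"
        elif port in ROUTED_PORTS:
            verdicts[(ip, port)] = "routed-to-app"
        else:
            verdicts[(ip, port)] = "edge-only"
    return verdicts


# Constructed sample findings, as (address, open port) pairs.
SAMPLE_FINDINGS = [
    ("198.51.100.7", 443),
    ("198.51.100.7", 8443),
    ("203.0.113.20", 8080),
    ("192.0.2.10", 8080),
]

if __name__ == "__main__":
    for (ip, port), verdict in triage(SAMPLE_FINDINGS).items():
        print(f"{ip}:{port} -> {verdict}")
```
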

To learn about immediate DDoS protection for Code Engine applications, see DDoS protection.