MAAS communcation


In multi-region/rack clusters (i.e. HA clusters), all machine communication with MAAS is proxied through rack controllers, including HTTP metadata, DNS, syslog and APT (proxying via Squid). Note that in single-region/rack clusters, the region controller manages communication.

Proxying through rack controllers is useful in environments where communication between machines and region controllers is restricted.

MAAS creates an internal DNS domain, not manageable by the user, and a special DNS resource for each subnet that is managed by MAAS. Each subnet includes all rack controllers that have an IP on that subnet. Booting machines use the subnet DNS resource to resolve the rack controller available for communication. If multiple rack controllers belong to the same subnet, MAAS uses a round-robin algorithm to balance the load across multiple rack controllers. This ensures that machines always have a rack controller.

Machines use this internal domain for HTTP metadata queries, APT (proxying via Squid), and Syslog. DNS queries, PXE booting, and NTP polls use IP addresses.

The rack controller installs and configures bind as a forwarder. All machines communicate via the rack controller directly.

Note: Zone management and maintenance still happen within the region controller.


Each rack controller must be able to initiate TCP connections on the following ports:

Port(s) Description
5240 HTTP communication with each region controller. Note that port 80 is typically used in high-availability environments. See MAAS HA.
5241 - 5247 Reserved for internal MAAS services.
5248 Reserved for rack HTTP communication.
5250 - 5270 Reserved for region workers (RPC).


The rack controller installs nginx, which serves as a proxy and as an HTTP server, binding to port 5248. Machines contact the metadata server via the rack controller.


See Syslog for more information about MAAS syslog communication as well as how to set up a remote syslog server.