Skip to main content
Solved

Best practice for working out FME_SERVER_PORT_POOL range

  • April 15, 2026
  • 6 replies
  • 106 views
anryan
Contributor
Forum|alt.badge.img+7

Hi all,

I have a fault tolerant deployment of FME Flow 2026.1 in our private AWS account. Our security team requires us to limit the number of ports to be opened between WebUI/Core and Engine hosts (eg. least privilege).

Is there a best practice rule/formula in calculating the number of ports required to be opened depending on the number of engines per host and the number of hosts in your deployment and the starting port number? Thanks

Example:

3 engines / host and 2 hosts = 6 engines

Is there a redundant factor that needs to be applied? eg. 2 times

Therefore 3 engines x 2 hosts x 2 redundant factor = 12 TCP ports are required.

The starting port number should be from 50000

 

fmeFlowConfig.txt

FME_SERVER_PORT_POOL=50000-50011

Best answer by rylanatsafe

@anryan On the FMEFlowJobSubmitter/Automations side, your understanding is mostly correct. Jobs submitted via FMEFlowJobSubmitter or triggered by Automations are still processed through the standard FME Flow job queue and executed by available engines.

The nuance is that when using FMEFlowJobSubmitter (with Submission Mode “In Sequence”), the parent job can submit additional “child” jobs that run on “sub-engines” (documentation reference). That said, this doesn’t create additional capacity… the total concurrency is still bounded by the number of licensed engines.

So the formula could probably be simplified to (number of licensed engines × 2) + a small buffer for each Flow Core in the deployment.

(And I mentioned Automations only because workspace nodes could trigger these same workspaces with FMEFlowJobSubmitter).

 

On the ephemeral ports question, they should be constrained using the FME_SERVER_PORT_POOL setting. It should not be in addition to.

      6 replies

      hkingsbury
      Celebrity
      Forum|alt.badge.img+70
      • hkingsburyCelebrity
      • Celebrity
      • April 16, 2026

      I’m assuming you’ve seen this document? FME Flow Ports

      In there they use an example of a 50 port range, but to your point, don’t specify if there should be a minimum based on your setup.

      @rylanatsafe any insight you or someone else has in this space?

      anryan
      Contributor
      Forum|alt.badge.img+7
      • anryanContributor
      • Author
      • Contributor
      • April 16, 2026

      I’m assuming you’ve seen this document? FME Flow Ports

      In there they use an example of a 50 port range, but to your point, don’t specify if there should be a minimum based on your setup.

      @rylanatsafe any insight you or someone else has in this space?

      Yes, I have looked at this document on the ports

      rylanatsafe
      Safer
      Forum|alt.badge.img+14
      • rylanatsafeSafer
      • Safer
      • April 27, 2026

      Thanks for the tag, ​@hkingsbury !

      @anryan this is a great question…

      There isn't a single published formula for this as port pool sizing tends to depend on workload, but a useful starting point is to size the pool for the total number of engines plus wiggle room for child jobs or subprocesses, e.g. spawned by FMEFlowJobSubmitter and Automations, and a few ports for any Core processes that could also pull from the pool.

      Something roughly like (total engines × 2) + (expected concurrent child jobs × 2) + a small buffer would be a reasonable starting point.

      If you need more guidance, I’d suggest opening a ticket with our support team.

       

       

        anryan
        Contributor
        Forum|alt.badge.img+7
        • anryanContributor
        • Author
        • Contributor
        • April 27, 2026

        @ryanatsafe Thank you for this information. Greatly appreciated.

        Question on spawned by FMEFlowJobSubmitter and Automations - I thought these would just be from the ports that have been registered by core to the engine and those workspaces would be processed via the standard job queue mechanism?

         

        I have another question extending from this enquiry. I’ve been told from our Safe distributor who has been in communication with Safe as well, that there are random ephemeral ports additional to these server port pool and therefore restricting the firewall rules and in my case AWS security group rules can’t be done as per the FME Flow Ports documentation. Is this the case? Thanks

        rylanatsafe
        Safer
        Forum|alt.badge.img+14
        • rylanatsafeSafer
        • Safer
        • Best Answer
        • April 28, 2026

        @anryan On the FMEFlowJobSubmitter/Automations side, your understanding is mostly correct. Jobs submitted via FMEFlowJobSubmitter or triggered by Automations are still processed through the standard FME Flow job queue and executed by available engines.

        The nuance is that when using FMEFlowJobSubmitter (with Submission Mode “In Sequence”), the parent job can submit additional “child” jobs that run on “sub-engines” (documentation reference). That said, this doesn’t create additional capacity… the total concurrency is still bounded by the number of licensed engines.

        So the formula could probably be simplified to (number of licensed engines × 2) + a small buffer for each Flow Core in the deployment.

        (And I mentioned Automations only because workspace nodes could trigger these same workspaces with FMEFlowJobSubmitter).

         

        On the ephemeral ports question, they should be constrained using the FME_SERVER_PORT_POOL setting. It should not be in addition to.

          anryan
          Contributor
          Forum|alt.badge.img+7
          • anryanContributor
          • Author
          • Contributor
          • April 28, 2026

          @rylanatsafe Awesome. Thanks again for the explanation. Our Cyber team will have happy with this as we’re following the least privilege/access model, etc.

            Community Stats

            32,545
            Posts
            123,579
            Replies
            40,792
            Members
            Terms & ConditionsAccessibility statement
            A product of
            Safe Software respectfully acknowledges that we live, learn and work on the traditional and unceded territories of the Kwantlen, Katzie, and Semiahmoo First Nations.