Skip to content

Sawtooth Services


An application running on a Kubernetes cluster must be explicitly exposed in order to be accessed from outside of the cluster. This is especially true in the case of cloud environments such as AWS.

General documentation on how to expose Kubernetes applications may be found in the Kubernetes documentation where there is a nice tutorial as well.

Here we provide specific guidance on how to expose services of a Sextant-managed Sawtooth deployment, specifically on an AWS-hosted Kubernetes cluster, whether EKS-based or not.


These examples assume that you have deployed a Sawtooth network called test-network in namespace test-namespace.

You can view the services currently defined using this command substituting test-namespace for your Sawtooth namespace.

kubectl get svc --namespace=test-namespace

Sawtooth REST API

Conveniently a Sextant-deployed Sawtooth network already contains a basic service for the Sawtooth Rest API. Since this API is conventional HTTP, a traditional load balancer will do. Therefore you can use this command.


Don't forget to substitute test-network and test-namespace for your Sawtooth network name and namespace respectively.

kubectl expose service test-network-rest-api --name=test-network-rest-api-lb \
--port=8008 --target-port=8008 --type=LoadBalancer --namespace=test-namespace

Return to Overview

Grafana and Influxdb

Similar to the REST API the grafana and influxdb instances deployed with Sawtooth each already has a service defined. Therefore you can use these commands.


Don't forget to substitute test-network and test-namespace for your Sawtooth network name and namespace respectively.

kubectl expose service grafana --name=test-network-grafana-lb --port=3000 \
--target-port=3000 --type=LoadBalancer --namespace=test-namespace
kubectl expose service influxdb --name=test-network-influxdb-lb --port=8086 \
--target-port=8086 --type=LoadBalancer --namespace=test-namespace


The influxdb instance currently deployed is not particularly secure, so exposing the influxdb to the outside world should be discouraged. Any load balancer exposing the influxdb should use strict firewall (security group) rules to tighten up access control. We plan to address this in a future Sextant release but for now, we do not recommend exposing the influxdb.

Return to Overview

Sawtooth Validator Network

The Sawtooth validator network itself is a somewhat different than the other services and protocols. Validators must connect to each other directly and not be mediated via any load balancing. In order to prepare for this, a Sextant-deployed Sawtooth network uses the direct hostPort 8800 on each of the nodes (similar to a NodePort).

In addition, due to some limitations in Sawtooth 1.1, each validator must address other validators using the same name that the target validator uses to refer to itself (the value of its --endpoint argument). Doing otherwise can create some instability in the network. On AWS each validator refers to itself via its internal network name, e.g. In order to use a node as an external seed the this name must resolve via DNS to the ip actually used to connect to the target validator. However outside of AWS or even a given VPC these *.compute.internal hostnames do not resolve normally. Two mechanisms are available to resolve this.

Option 1

If one part of the network is outside of AWS, then effectively the network is passing through NAT. In this case, the best solution is to sync up the hostnames on the connecting side to how the receiving side sees itself. In order to address this /etc/hosts entries or equivalent must be made for each of the target hosts on the source network mapping the target host's name to its public ip address.

Option 2

VPC Peering. If the two portions of the network are both on AWS and do not have overlapping CIDRs then you can peer the two VPC's and enable DNS resolution between the two VPC's. This will allow both VPC's to communicate directly and resolve their *.compute.internal hostnames.

Finally, AWS networks are closed to most traffic from the outside world by default. In order to connect directly to the validator hosts at all the relevant security groups for the k8s worker nodes must be opened on port 8800. Peered VPC's still require individual security group configurations.

Return to Overview