Node Deployment Requirements

The Hedera Mainnet is currently comprised of permissioned consensus nodes operated by the Hedera Council.

Last updated 10 days ago

Was this helpful?

Node Deployment Requirements

The Hedera Mainnet is currently comprised of permissioned consensus nodes operated by the Hedera Council.

This guide outlines the technical requirements, system setup, and network configuration for members to deploy and operate their permissioned consensus node on the Hedera Mainnet. All requirements aim to ensure consistency and performance across the network.

Note: This documentation applies only to permissioned consensus nodes operated by Hedera Council Members. It does not cover Hedera’s transition to a permissionless network.

Minimum Node Platform Requirements

The overall performance of the Hedera Mainnet is currently constrained by the lowest-performing node in the network. To maintain consistent performance across all Council nodes, a set of minimum hardware, connectivity, and hosting requirements has been established for this initial permissioned phase.

Action: To ensure compliance with these requirements, submit your proposed node hardware, connectivity, and hosting specifications to Hedera for review before making any purchases via devops@hashgraph.com.

CPU

Architecture: X86/X64 (Intel Xeon or AMD EPYC)
Cores: 24 cores / 48 threads
Benchmarks:
- Geekbench 6 single-core:
  - Minimum: ≥ 1000
  - Recommended: ≥ 1500
- Passmark single-thread:
  - Minimum: ≥ 2300 (required for Mainnet)
  - Recommended: ≥ 2800

Memory

Minimum: 256GB DDR4 ECC Registered DIMM (PC4-21300 2666MHz)
Recommended: 320 GB+ DDR4 ECC (PC4-25600 3200MHz)

Storage

General Guidelines: It is recommended to configure a 240 GB SSD in RAID 1 for the root volume (/) and mount additional volumes for usable storage during installation. If RAID is not available, assign all storage to root.

Minimum Requirements/Recommendations ⬇

Minimum: 5TB NVMe SSD (usable)
Recommended:
- OS: 2 × 240GB SSD (RAID 1)
- Data: 2 × NVMe drives (7.5TB RAID 0) or 4× in RAID 10 array

Performance: If mounted to root volume, the root volume must meet these requirements. If provisioned via RAID, the RAID array should meet these requirements:

Sequential Write: 2,000–3,000 MB/s
Sequential Read: 3,000–6,200 MB/s
Random Read (sync): 250k–1M IOPS
Random Write (sync): 100k–170k IOPS
Avg. Latency: ≤ 200µs

📁 Note: Nodes must pass the Hedera performance test suite at installation time.

Network Connectivity

Sustained bandwidth: ≥ 1Gbps (via 1/10Gb Ethernet)

Node Operating System & Tools

Supported OS

Supported Linux Distributions (64-bit, LTS only):
- Ubuntu 22.04 LTS
- Red Hat Enterprise Linux (RHEL) 8 and 9
- Oracle Linux 8 and 9
Supported kernel versions:
- 6.2.0
- 6.1.2
- 6.0.16
- 5.15.86

🧩 Node Software ⬇

The following software components must be installed and configured on your node host to ensure proper participation in the Hedera Mainnet. All installations must follow the minimum version requirements and path conventions.

🐳 Docker & Containerization:

Component

Version

Notes

Docker Engine

20.10.6

Must be deployed with root privileges.

Docker Compose

1.29.2

Required for managing multi-container deployments.

Privileged Containers

Optional

If disabled, host machine must run the Havege Daemon.

Havege Daemon

1.9.14

Needed only if privileged containers are disabled.

IPTables Support

Linux kernel 3.10+

Required for Docker networking.

🔐 System Utilities:

Component

Required Version

Purpose

HashDeep

4.4

Used for update integrity verification.

Bindplane Collector

4+

Required for node software log monitoring

JQ CLI

1.5+

JSON parser utility used in scripts and CLI workflows.

GNU CoreUtils

8.00+

Provides essential Unix command-line tools.

cURL CLI

7.58.0+

Used for API communication and health checks.

InCron Daemon

0.5.12+

Enables file-system-triggered automation (e.g., network upgrades).

Rsync CLI

3.0.0+

Required for network-wide upgrade file synchronization.

📁 Note: Ensure all command-line tools are installed in your system's global $PATH and are accessible to the node admin user.

⚙️ Node Management Tools:

Component

Version

Configuration Requirements

Node Mgmt Tools

0.1.0+

Must be installed at /opt/hgcapp/node-mgmt-tools

Path must be writable and executable by hgcadmin user

📁 Note: The Node Mgmt Tools bundle includes essential scripts for update operations, log rotation, and status health checks.

System User Accounts

Node Software Account (Mandatory):

Attribute

Value

Username

hedera

Unix UID

2000

Group Specification

hedera (GID 2000)

Secondary Group

admin or wheel

Permissions

Full access to the entire /opt/hgcappfolder

Proxy Server Requirements

A proxy is required to expose the node’s public APIs.

Minimum Proxy Specifications:

CPU: 2-core X86/X64
Memory: 4GB RAM
Storage: 100GB SSD
Network: 200Mbps sustained, static IP

Software:

Docker container (provided by Hedera) with pre-configured HAProxy

Network Configuration

🌐 Node Connectivity ⬇

✅ Network Bandwidth

Minimum: 1 Gbps sustained internet connection (not burstable).
Recommended: Unmetered bandwidth to ensure uninterrupted sync and consensus participation.

🔐 Network Isolation & IP Requirements

Deployed within a dedicated, isolated DMZ (Demilitarized Zone) network
Configured with a firewall to allow connectivity only with Hedera consensus nodes
Node must have a static IP address

📁 Note: Fully Qualified Domain Names (FQDNs) are not supported.

📡 Port Configuration

The following ports must be configured for public internet access unless otherwise stated:

Port

Protocol

Direction

Description

50111

TCP

Ingress

gRPC (public) API access

50211

TCP

Ingress

Gossip protocol

50212

TCP

Ingress

TLS-encrypted Gossip protocol

80

TCP

Egress only

OS package repository connectivity

443

TCP

Egress only

Secure package & system update access

123

UDP

Ingress/Egress

Time sync via NTP pool

🛡️ Proxy Connectivity ⬇

✅ Internet Bandwidth

Required: 200 Mbps sustained connection

📡 Port Configuration

Port

Protocol

Direction

Purpose

50211

TCP

Ingress

Gossip protocol

50212

TCP

Ingress

TLS-encrypted gossip

80

TCP

Egress only

OS package repository

443

TCP

Egress only

Secure updates

🔀 Interface Bonding (Optional) ⬇

If you plan to use interface bonding (NIC bonding) to increase reliability or performance, note the following:

✅ Supported Configurations

Only Layer 2 bonding is supported:

Mode 1 (Active-Backup):
- Uses one active NIC at a time
- Automatically switches to backup if the active NIC fails
Mode 4 (LACP – 802.3ad Active/Active):
- Uses Link Aggregation Control Protocol
- Requires switch support
- Provides load balancing and redundancy

❌ Not Supported

Layer 3 Policy-Based Routing (PBR) with dual-pathways is not supported, due to the use of mutual TLS in the Hedera network.

⚠️ Mutual TLS depends on consistent IP-level paths; Layer 3 routing can disrupt this, leading to connection failures.

Hosting Requirements

To ensure high availability, security, and operational consistency, all nodes must be hosted in accordance with the following standards:

✅ Hosting Facility Standards

Must use a Tier 1 Data Center with high availability and redundancy.
The facility should be compliant with industry security standards:
- SSAE 16 / SSAE 18
- SOC 2 Type 2

🔒 Security & Compliance

Facilities must implement industry-standard physical and logical security controls.
Regular audits and certifications (must be available on request).

⚠️ Redundancy Across Council

Hedera aim to avoid using the same hosting providers across multiple Council Members to minimize systemic risk and improve geographic and provider diversity.

Contacts

For questions or approval of infrastructure plans, contact:

📧 devops@hashgraph.com

Next Steps

PreviousMainnet Consensus Nodes NextFAQ

Last updated 10 days ago

Was this helpful?

Note: This documentation applies only to permissioned consensus nodes operated by Hedera Council Members. It does not cover Hedera’s transition to a permissionless network.

Minimum Node Platform Requirements

CPU

Architecture: X86/X64 (Intel Xeon or AMD EPYC)
Cores: 24 cores / 48 threads
Benchmarks:
- Geekbench 6 single-core:
  - Minimum: ≥ 1000
  - Recommended: ≥ 1500
- Passmark single-thread:
  - Minimum: ≥ 2300 (required for Mainnet)
  - Recommended: ≥ 2800

Memory

Minimum: 256GB DDR4 ECC Registered DIMM (PC4-21300 2666MHz)
Recommended: 320 GB+ DDR4 ECC (PC4-25600 3200MHz)

Storage

Minimum Requirements/Recommendations ⬇

Minimum: 5TB NVMe SSD (usable)
Recommended:
- OS: 2 × 240GB SSD (RAID 1)
- Data: 2 × NVMe drives (7.5TB RAID 0) or 4× in RAID 10 array

Performance: If mounted to root volume, the root volume must meet these requirements. If provisioned via RAID, the RAID array should meet these requirements:

Sequential Write: 2,000–3,000 MB/s
Sequential Read: 3,000–6,200 MB/s
Random Read (sync): 250k–1M IOPS
Random Write (sync): 100k–170k IOPS
Avg. Latency: ≤ 200µs

📁 Note: Nodes must pass the Hedera performance test suite at installation time.

Network Connectivity

Sustained bandwidth: ≥ 1Gbps (via 1/10Gb Ethernet)

Node Operating System & Tools

Supported OS

Supported Linux Distributions (64-bit, LTS only):
- Ubuntu 22.04 LTS
- Red Hat Enterprise Linux (RHEL) 8 and 9
- Oracle Linux 8 and 9
Supported kernel versions:
- 6.2.0
- 6.1.2
- 6.0.16
- 5.15.86

🧩 Node Software ⬇

🐳 Docker & Containerization:

Component

Version

Notes

Docker Engine

20.10.6

Must be deployed with root privileges.

Docker Compose

1.29.2

Required for managing multi-container deployments.

Privileged Containers

Optional

If disabled, host machine must run the Havege Daemon.

Havege Daemon

1.9.14

Needed only if privileged containers are disabled.

IPTables Support

Linux kernel 3.10+

Required for Docker networking.

Information: Havege Daemon enhances the system’s entropy pool and is only necessary if container privilege escalation is disabled in your environment.

🔐 System Utilities:

Component

Required Version

Purpose

HashDeep

4.4

Used for update integrity verification.

Bindplane Collector

4+

Required for node software log monitoring

JQ CLI

1.5+

JSON parser utility used in scripts and CLI workflows.

GNU CoreUtils

8.00+

Provides essential Unix command-line tools.

cURL CLI

7.58.0+

Used for API communication and health checks.

InCron Daemon

0.5.12+

Enables file-system-triggered automation (e.g., network upgrades).

Rsync CLI

3.0.0+

Required for network-wide upgrade file synchronization.

📁 Note: Ensure all command-line tools are installed in your system's global $PATH and are accessible to the node admin user.

⚙️ Node Management Tools:

Component

Version

Configuration Requirements

Node Mgmt Tools

0.1.0+

Must be installed at /opt/hgcapp/node-mgmt-tools

Path must be writable and executable by hgcadmin user

📁 Note: The Node Mgmt Tools bundle includes essential scripts for update operations, log rotation, and status health checks.

System User Accounts

Node Software Account (Mandatory):

Attribute

Value

Username

hedera

Unix UID

2000

Group Specification

hedera (GID 2000)

Secondary Group

admin or wheel

Permissions

Full access to the entire /opt/hgcappfolder

Proxy Server Requirements

A proxy is required to expose the node’s public APIs.

Minimum Proxy Specifications:

CPU: 2-core X86/X64
Memory: 4GB RAM
Storage: 100GB SSD
Network: 200Mbps sustained, static IP

Software:

Docker container (provided by Hedera) with pre-configured HAProxy

Network Configuration

🌐 Node Connectivity ⬇

✅ Network Bandwidth

Minimum: 1 Gbps sustained internet connection (not burstable).
Recommended: Unmetered bandwidth to ensure uninterrupted sync and consensus participation.

🔐 Network Isolation & IP Requirements

Deployed within a dedicated, isolated DMZ (Demilitarized Zone) network
Configured with a firewall to allow connectivity only with Hedera consensus nodes
Node must have a static IP address

📁 Note: Fully Qualified Domain Names (FQDNs) are not supported.

📡 Port Configuration

The following ports must be configured for public internet access unless otherwise stated:

Port

Protocol

Direction

Description

50111

TCP

Ingress

gRPC (public) API access

50211

TCP

Ingress

Gossip protocol

50212

TCP

Ingress

TLS-encrypted Gossip protocol

80

TCP

Egress only

OS package repository connectivity

443

TCP

Egress only

Secure package & system update access

123

UDP

Ingress/Egress

Time sync via NTP pool

🛡️ Proxy Connectivity ⬇

✅ Internet Bandwidth

Required: 200 Mbps sustained connection

📡 Port Configuration

Port

Protocol

Direction

Purpose

50211

TCP

Ingress

Gossip protocol

50212

TCP

Ingress

TLS-encrypted gossip

80

TCP

Egress only

OS package repository

443

TCP

Egress only

Secure updates

🔀 Interface Bonding (Optional) ⬇

If you plan to use interface bonding (NIC bonding) to increase reliability or performance, note the following:

✅ Supported Configurations

Only Layer 2 bonding is supported:

Mode 1 (Active-Backup):
- Uses one active NIC at a time
- Automatically switches to backup if the active NIC fails
Mode 4 (LACP – 802.3ad Active/Active):
- Uses Link Aggregation Control Protocol
- Requires switch support
- Provides load balancing and redundancy

❌ Not Supported

Layer 3 Policy-Based Routing (PBR) with dual-pathways is not supported, due to the use of mutual TLS in the Hedera network.

⚠️ Mutual TLS depends on consistent IP-level paths; Layer 3 routing can disrupt this, leading to connection failures.

Hosting Requirements

To ensure high availability, security, and operational consistency, all nodes must be hosted in accordance with the following standards:

✅ Hosting Facility Standards

Must use a Tier 1 Data Center with high availability and redundancy.
The facility should be compliant with industry security standards:
- SSAE 16 / SSAE 18
- SOC 2 Type 2

🔒 Security & Compliance

Facilities must implement industry-standard physical and logical security controls.
Regular audits and certifications (must be available on request).

⚠️ Redundancy Across Council

Hedera aim to avoid using the same hosting providers across multiple Council Members to minimize systemic risk and improve geographic and provider diversity.

Contacts

For questions or approval of infrastructure plans, contact:

📧 devops@hashgraph.com

Next Steps

For detailed guidance on deploying and onboarding your Hedera Mainnet node, please see the .