ICON P-Rep Operation AMA


Hello there, this is ICON Team!

It is nice to announce that we are going to have a regular AMA for the P-Rep Candidates every week. We will stand by in the Telegram channel every Monday from UTC 07:00 to UTC 08:00 to answer every question for us. If you can’t make it on time, please leave a comment on the following post. We will also answer those questions.

Leave a comment on this post: ICON P-Rep Operation AMA
Join the telegram for the AMA: https://t.me/joinchat/H33WtRIOelpmVW2JExULOQ


Thank you for your time and appreciate all the hard work that is going on behind the scenes with engineers pulling 100 hour weeks.

A question that has come up a couple of times is what the necessary routing rules are for P-Reps to Citizen nodes.

My understanding is that we will be building a DDoS rate limiting nginx auto-scaling layer in front of the P-Rep nodes which are only serving traffic over 7100/9000 to two separate whitelists of peers. The citizen nodes on the other hand need to be open to the world on 9000 and can be run in an auto-scaling group behind a load balancer or just exposed and registered individually.

The real question is, can P-Reps then only talk to their own Citizen node and lock down 9000 between their security groups so P-Reps don’t expose 9000 to anyone else? This is where I think I am wrong because I just finally dug into Block42’s work and reread the docs. It seems the converse of this is the Citizen is not needed at all but that doesn’t seem true. So how exactly does the Citizen connect to the P-Rep?

This has not been my focus but another one of our engineers. I will put together further network maps and start a cleaner thread later backed with terraform code to codify any answer.

Some other questions as an aside, they can wait for next week’s AMA.

  • Are you planning on moving traffic from L4 to L7 and what can P-Reps do to help / prepare?
  • Are you going to release the Dockerfiles for P-Rep soon? Insight would love to decouple and distribute as Ansible playbooks.
  • How can P-Reps help more in TestNets with delivering logs or building tooling that could help?
  • Would you like a script that runs a TestNet with however many nodes you want and an agent installed on each node that you can run system updates across the network to test different application releases on even in CI and have all logs / metrics piped to Elasticsearch and Prometheus? Not blowing smoke, honestly wondering if that is something you want. Insight can do that soon with buy-in.

Thanks again for your time and sorry for the long post.


Big part of this just got answered in the main Telegram. There is an ENDPOINT_URL environment variable for the P-Rep node that should be pointed to the citizen on 9000. All nodes start off as citizen and then move to P-Rep.

“So all nodes just operate as a citizen node at the first time.”
“After your node has been elected, your node will be converted to P-Rep node.”
- BongAn Ha

Also the P-Rep can be connected with up to 60 citizen nodes.


But why would I connect a P-Rep to a citizen? The P-Rep still needs to have a connection to the outside world because it communicates on port 7100 with other P-Reps. Is this just to take the load on 9000 off the P-Rep?

They say there is no explicit citizen docker image, it’s the same as the P-Rep image because if the P-Rep is not in Top 22, it’s a citizen. So that means we can just use the P-Rep image for the citizens?


The P-Rep node needs to communicate only with other main P-Reps on both the 7100 and 9000 ports, and access can be limited to them. The 9000 port of the citizen node can be used by everybody. The same P-Rep image is used for the citizen node.
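
An added example, not part of the thread or of ICON's tooling: a Python check that audits a node's ingress allow rules against the layout in the reply above (P-Rep ports 7100 and 9000 reachable only from whitelisted peers, citizen port 9000 open to everyone). The `(port, cidr)` rule format, the role names, the single shared peer whitelist and the sample addresses are assumptions made for illustration.

```python
import ipaddress

PREP_PORTS = (7100, 9000)  # P-Rep ports named in the thread
CITIZEN_PORT = 9000        # citizen port named in the thread
WORLD = ipaddress.ip_network("0.0.0.0/0")


def _covered(net, allowed):
    # True if `net` lies entirely inside one whitelisted network.
    return any(net.version == a.version and net.subnet_of(a) for a in allowed)


def audit_ingress(role, rules, peer_whitelist=()):
    """Return a list of findings for one node's (port, cidr) allow rules."""
    allowed = [ipaddress.ip_network(p) for p in peer_whitelist]
    parsed = [(port, ipaddress.ip_network(cidr)) for port, cidr in rules]
    findings = []
    if role == "prep":
        # Any source on 7100/9000 that is not a known peer is an exposure.
        for port, net in parsed:
            if port in PREP_PORTS and not _covered(net, allowed):
                findings.append(f"prep: {port} open to non-peer {net}")
    elif role == "citizen":
        # The citizen is the public endpoint, so 9000 must be world-open.
        if (CITIZEN_PORT, WORLD) not in parsed:
            findings.append("citizen: 9000 is not open to 0.0.0.0/0")
    else:
        raise ValueError(f"unknown role: {role}")
    return findings


# Constructed sample data (documentation address ranges, not real peers).
PEERS = ["203.0.113.10/32", "198.51.100.7/32"]
PREP_RULES = [(7100, "203.0.113.10/32"), (9000, "0.0.0.0/0"), (22, "10.0.0.0/8")]
CITIZEN_RULES = [(9000, "0.0.0.0/0")]

if __name__ == "__main__":
    for line in audit_ingress("prep", PREP_RULES, PEERS):
        print(line)
    for line in audit_ingress("citizen", CITIZEN_RULES):
        print(line)
```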