Lnd: If I don't use lncli or gRPC is there a way to prevent the node from opening rpc port?

The REST API is just a proxy in front of the rpc endpoint, so in short, not very easily. However, you could choose to only expose RPC and disable the REST proxy, which would get rid of one port

That being said, I don’t think this is the biggest challenge you’ll face. You’ll run out of memory long before you get anywhere near 21k nodes, unless you have terabytes of RAM too ;)

Also remember that each peer gets its own port, so saving one port from the rpc listener is a drop in the bucket compared to the 10’s or 100’s of peers each node might also have.

Even if it were possible, a few misbehaving, faulty, or resource hungry nodes could bring down serval thousand lightning nodes all at once due to the architecture’s inherent single point of failure :/

Thanks for answering.

Can I control which port numbers are open by the peers?
Where can I learn about this in depth?

I am trying to develop Bitcoin UI, meaning that anyone who knows how to use gmail will know how to use bitcoin/ln (even to the point of being able to create complex bitcoin scripts). So making the setting of lnd nodes transparent to the user is a must.

You should probably test this with 2 clients first before worrying about the 21k as Conner mentioned, the docker getting started instructions actually show you how to connect multiple LND instances to BTCD so you could probably mess around and try out connecting multiple users through different ports.

I'm not sure why a unique port is needed per user but if that is a requirement indeed I would suggest using something else to manage the ports and forward all ports into the same port on the LND instance and instead passing parameters that are user-specific or something.

Check out lnd -h, and also get familiar with whatever firewall software you're using.