Cloud Controller Network Communications

This topic describes Cloud Controller internal network communication paths with other Elastic Runtime components.

Inbound Communications

The following table lists network communication paths that are inbound to the Cloud Controller.

Source VM Destination VM Port Transport Layer Protocol App Layer Protocol Security and Authentication
cloud_controller cloud_controller (Routing API) 443 TCP HTTPS OAuth 2.0
diego_brain cloud_controller 9022 TCP HTTP Basic authentication
diego_brain (SSH Proxy) cloud_controller 9022 TCP HTTP OAuth 2.0
diego_cell (Rep) cloud_controller 9022 TCP HTTP None
diego_database (BBS) cloud_controller 9022 TCP HTTP Basic authentication
doppler (Syslog Drain Binder) cloud_controller 9023 TCP HTTPS Mutual TLS
loggregator_trafficcontroller cloud_controller 443 TCP HTTPS OAuth 2.0
router cloud_controller 9022 TCP HTTP OAuth 2.0

Outbound Communications

The following table lists network communication paths that are outbound from the Cloud Controller.

Source VM Destination VM Port Transport Layer Protocol App Layer Protocol Security and Authentication
cloud_controller diego_brain (Nsync) 8787 TCP HTTP None
cloud_controller diego_brain (Stager) 8888 TCP HTTP None
cloud_controller diego_brain (TPS Listener) 1518 TCP HTTP None
cloud_controller mysql_proxy* 3306 TCP MySQL MySQL authentication**
cloud_controller nfs_server or other blobstore 4443 TCP HTTPS TLS and basic authentication
cloud_controller uaa 8443 TCP HTTPS OAuth 2.0 or none
cloud_controller (Route Registrar) nats 4222 TCP NATS Basic authentication
cloud_controller (Routing API) diego_database (Locket) 8891 TCP HTTPS Mutual TLS
cloud_controller_worker mysql_proxy* 3306 TCP MySQL MySQL authentication**
cloud_controller_worker nfs_server or other blobstore 4443 TCP HTTPS TLS and basic authentication
clock_global mysql_proxy* 3306 TCP MySQL MySQL authentication**

*Applies only to deployments where internal MySQL is selected as the database.

**MySQL authentication uses the MySQL native password method.

The destination depends on your file storage or blobstore configuration.

The authentication method depends on the type of request.

Consul Communications

ERT components call out to Consul for service discovery. For more information, see Consul Network Communications.

Create a pull request or raise an issue on the source for this page in GitHub