Routing Network Communications

This topic describes the internal network communication paths of the routing subsystem with other Pivotal Application Service (PAS) components.

HTTP Routing

The following table lists network communication paths for HTTP routing.

| Source VM | Destination VM | Port | Transport Layer Protocol | App Layer Protocol | Security and Authentication |
|---|---|---|---|---|---|
| diego_cell (local Route Emitter) | nats | 4222 | TCP | NATS | Basic authentication |
| Load balancer | router (Gorouter) | 80 | TCP | HTTP | None |
| Load balancer | router (Gorouter) | 443 | TCP | HTTPS | TLS |
| router (Gorouter) | nats | 4222 | TCP | NATS | Basic authentication |
| router (Gorouter) | System components | Varies | TCP | Varies | None |
| router (Gorouter) | App containers | Varies | TCP | Varies | Optional TLS |
| haproxy | router (Gorouter) | 80 | TCP | HTTP | None |
| haproxy | router (Gorouter) | 443 | TCP | HTTPS | TLS |
| Load balancer | haproxy | 80 | TCP | HTTP | None |
| Load balancer | haproxy | 443 | TCP | HTTPS | TLS |

TCP Routing (Optional)

The following table lists network communication paths for TCP routing.

| Source VM | Destination VM | Port | Transport Layer Protocol | App Layer Protocol | Security and Authentication |
|---|---|---|---|---|---|
| cloud_controller | cloud_controller (Routing API)* | 443 | TCP | HTTPS | TLS and OAuth 2.0 |
| cloud_controller (Routing API) | diego_database (Locket) | 8891 | TCP | HTTPS | Mutual TLS |
| cloud_controller (Routing API) | mysql_proxy | 3306 | TCP | MySQL | MySQL authentication** |
| cloud_controller (Routing API) | uaa | 8443 | TCP | HTTPS | TLS |
| diego_brain (global TCP Emitter) | cloud_controller (Routing API) | 3000 | TCP | HTTP | OAuth 2.0 |
| diego_brain (global TCP Emitter) | uaa | 8443 | TCP | HTTPS | TLS |
| diego_cell (local Route Emitter) | cloud_controller (Routing API) | 3000 | TCP | HTTP | OAuth 2.0 |
| diego_cell (local Route Emitter) | uaa | 8443 | TCP | HTTPS | TLS |
| Load balancer | tcp_router | 1024-65535 | TCP | TCP | None |
| router (Gorouter) | cloud_controller (Routing API) | 3000 | TCP | HTTP | OAuth 2.0 |
| router (Gorouter) | uaa | 8443 | TCP | HTTPS | TLS |
| tcp_router | cloud_controller (Routing API) | 3000 | TCP | HTTP | OAuth 2.0 |
| tcp_router | uaa | 8443 | TCP | HTTPS | TLS |

* This communication happens through a load balancer and a Gorouter. Requests are received by Routing API on port 3000.

The port range used by tcp_router (1024-65535 in the table above) can be configured in the PAS tile.

** MySQL authentication uses the MySQL native password method.
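The two tables above are, in effect, an allowlist of which component may talk to which port and whether that hop carries TLS. The following script is an added example for this page, not PAS or Pivotal code: it transcribes the HTTP routing and TCP routing rows into a small data structure and audits a constructed list of observed (source, destination, port) flows against it, reporting flows that no row documents and documented flows whose security column does not include TLS. The component names, the `Path` type and the sample flows are assumptions made for the example; the rows themselves come from the tables.

```python
"""Audit observed VM-to-VM flows against the routing paths documented above.

Hypothetical example for this page (not PAS or Pivotal code). The allowlist
transcribes the HTTP routing and TCP routing tables; the flow records are
constructed sample data, not output from a real PAS deployment.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Path:
    src: str                           # source VM / component
    dst: str                           # destination VM / component
    ports: Optional[Tuple[int, int]]   # inclusive range; None when the page says "Varies"
    app_proto: str                     # "App Layer Protocol" column
    security: str                      # "Security and Authentication" column


def port_range(spec: str) -> Optional[Tuple[int, int]]:
    """Parse a port cell: '4222', '1024-65535', or 'Varies' (any port -> None)."""
    if spec == "Varies":
        return None
    lo, _, hi = spec.partition("-")
    return (int(lo), int(hi or lo))


def row(src: str, dst: str, port: str, proto: str, security: str) -> Path:
    return Path(src, dst, port_range(port), proto, security)


# Transcribed from the HTTP routing and TCP routing tables on this page.
DOCUMENTED: List[Path] = [
    row("diego_cell", "nats", "4222", "NATS", "Basic authentication"),
    row("Load balancer", "router", "80", "HTTP", "None"),
    row("Load balancer", "router", "443", "HTTPS", "TLS"),
    row("router", "nats", "4222", "NATS", "Basic authentication"),
    row("router", "System components", "Varies", "Varies", "None"),
    row("router", "App containers", "Varies", "Varies", "Optional TLS"),
    row("haproxy", "router", "80", "HTTP", "None"),
    row("haproxy", "router", "443", "HTTPS", "TLS"),
    row("Load balancer", "haproxy", "80", "HTTP", "None"),
    row("Load balancer", "haproxy", "443", "HTTPS", "TLS"),
    row("cloud_controller", "cloud_controller", "443", "HTTPS", "TLS and OAuth 2.0"),
    row("cloud_controller", "diego_database", "8891", "HTTPS", "Mutual TLS"),
    row("cloud_controller", "mysql_proxy", "3306", "MySQL", "MySQL authentication"),
    row("cloud_controller", "uaa", "8443", "HTTPS", "TLS"),
    row("diego_brain", "cloud_controller", "3000", "HTTP", "OAuth 2.0"),
    row("diego_brain", "uaa", "8443", "HTTPS", "TLS"),
    row("diego_cell", "cloud_controller", "3000", "HTTP", "OAuth 2.0"),
    row("diego_cell", "uaa", "8443", "HTTPS", "TLS"),
    row("Load balancer", "tcp_router", "1024-65535", "TCP", "None"),
    row("router", "cloud_controller", "3000", "HTTP", "OAuth 2.0"),
    row("router", "uaa", "8443", "HTTPS", "TLS"),
    row("tcp_router", "cloud_controller", "3000", "HTTP", "OAuth 2.0"),
    row("tcp_router", "uaa", "8443", "HTTPS", "TLS"),
]


def classify_flow(src: str, dst: str, port: int, allowed=DOCUMENTED) -> Optional[Path]:
    """Return the documented path covering this flow, or None if no row documents it."""
    for p in allowed:
        if p.src == src and p.dst == dst and (p.ports is None or p.ports[0] <= port <= p.ports[1]):
            return p
    return None


def audit(flows, allowed=DOCUMENTED) -> Dict[str, list]:
    """Bucket observed (src, dst, port) flows: documented, documented without TLS, undocumented."""
    report = {"documented": [], "no_tls": [], "undocumented": []}
    for src, dst, port in flows:
        path = classify_flow(src, dst, port, allowed)
        if path is None:
            report["undocumented"].append((src, dst, port))
            continue
        report["documented"].append((src, dst, port))
        if "TLS" not in path.security:   # security column names no TLS for this hop
            report["no_tls"].append((src, dst, port, path.security))
    return report


# Constructed sample flows (not captured from a real deployment).
SAMPLE_FLOWS = [
    ("router", "nats", 4222),                # documented; basic auth, no TLS in the table
    ("Load balancer", "tcp_router", 40000),  # inside the documented 1024-65535 range
    ("diego_cell", "uaa", 8443),             # documented; TLS
    ("diego_cell", "mysql_proxy", 3306),     # no row gives cells a database path
    ("Load balancer", "tcp_router", 443),    # below the documented tcp_router range
]

if __name__ == "__main__":
    for bucket, items in audit(SAMPLE_FLOWS).items():
        print(bucket, items)
```

The "no_tls" bucket is not a finding by itself; the page documents those hops as carrying basic authentication, OAuth 2.0 or nothing. It tells you which segments rely on network-level controls rather than TLS, which is the list to compare against your security-group rules. Real flow records would come from firewall or VPC flow logs rather than the inline list.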

Service Mesh (Optional)

The following table lists network communication paths for service mesh.

| Source VM | Destination VM | Port | Transport Layer Protocol | App Layer Protocol | Security and Authentication |
|---|---|---|---|---|---|
| cloud_controller (cloud_controller_ng) | istio_control (copilot) | 9001 | TCP | GRPC | Mutual TLS |
| istio_control (copilot) | diego_database (bbs) | 8889 | TCP | HTTP | Mutual TLS |
| istio_control (pilot-discovery) | istio_control (copilot) | 9009 | TCP | GRPC | Mutual TLS |
| istio_router (envoy) | App Containers | Varies | TCP | HTTP/HTTPS | Optional TLS |
| istio_router (envoy) | istio_control (pilot-discovery) | 15010 | TCP | GRPC | None |
| Load balancer | istio_router (envoy) | 80 | TCP | HTTP | None |
| Load balancer | istio_router (envoy) | 443 | TCP | HTTPS | TLS |
| Load balancer (health_check) | istio_router (envoy) | 8002 | TCP | HTTP | None |
| route_syncer (cc_route_syncer) | istio_control (copilot) | 9001 | TCP | GRPC | Mutual TLS |
| route_syncer (cc_route_syncer) | mysql_proxy* | 3306 | TCP | MySQL | MySQL authentication* |
| n/a (admin) | istio_router (envoy) | 8001 | TCP | HTTP | None |
| n/a (for envoy secure GRPC communication) | istio_control (pilot-discovery) | 15012 | TCP | GRPC | Mutual TLS |
| n/a (for HTTP discovery service) | istio_control (pilot-discovery) | 8080 | TCP | HTTP | None |
| n/a (for pilot's self-monitoring) | istio_control (pilot-discovery) | 9093 | TCP | HTTP | None |

* Applies only to deployments where internal MySQL is selected as the database.

BOSH DNS Communications

By default, PAS components and app containers look up services using the BOSH DNS service discovery mechanism. To support this lookup, BOSH Director colocates a BOSH DNS server on every deployed VM. For more information, see BOSH DNS Network Communications.