Firewall Ports and Protocols Requirements for vSphere without NSX-T

Page last updated:

This topic describes the firewall ports and protocols requirements for using Pivotal Container Service (PKS) on vSphere.

Firewalls and security policies are used to filter traffic and limit access in environments with strict inter-network access control policies.

Apps frequently require the ability to pass internal communication between system components on different networks and require one or more conduits through the environment’s firewalls. Firewall rules are also required to enable interfacing with external systems such as with enterprise apps or apps and data on the public Internet.

For PKS, Pivotal recommends that you disable security policies that filter traffic between the networks supporting the system. With PKS you should enable access to apps through standard Kubernetes load-balancers and ingress controller types. This enables you to designate specific ports and protocols as a firewall conduit.

For information on ports and protocol requirements for vSphere with NSX-T, see Firewall Ports and Protocols Requirements for vSphere with NSX-T

If you are unable to implement your security policy using the methods described above, refer to the following table, which identifies the flows between system components in a typical PKS deployment.

Note: To control which groups access deploying and scaling your organization’s Enterprise PKS-deployed Kubernetes clusters, configure your firewall settings as described on the Operator –> PKS API server lines below.

PKS Ports and Protocols

The following tables list ports and protocols required for network communications between PKS v1.3.6 and later, and vSphere 6.7 and later.

PKS Users Ports and Protocols

The following table lists ports and protocols used for network communication between PKS user interface components.

Source Component Destination Component Destination Protocol Destination Port Service
Admin/Operator Console All System Components TCP 22 ssh
Admin/Operator Console All System Components TCP 80 http
Admin/Operator Console All System Components TCP 443 https
Admin/Operator Console Cloud Foundry BOSH Director TCP 25555 bosh director rest api
Admin/Operator Console Pivotal Cloud Foundry Operations Manager TCP 22 ssh
Admin/Operator Console Pivotal Cloud Foundry Operations Manager TCP 443 https
Admin/Operator Console PKS Controller TCP 9021 pks api server
Admin/Operator Console vCenter Server TCP 443 https
Admin/Operator Console vCenter Server TCP 5480 vami
Admin/Operator Console vSphere ESXI Hosts Mgmt. vmknic TCP 902 ideafarm-door
Admin/Operator and Developer Consoles Harbor Private Image Registry TCP 80 http
Admin/Operator and Developer Consoles Harbor Private Image Registry TCP 443 https
Admin/Operator and Developer Consoles Harbor Private Image Registry TCP 4443 notary
Admin/Operator and Developer Consoles Kubernetes App Load-Balancer Svc TCP/UDP Varies varies with apps
Admin/Operator and Developer Consoles Kubernetes Cluster API Server -LB VIP TCP 8443 httpsca
Admin/Operator and Developer Consoles Kubernetes Cluster Ingress Controller TCP 80 http
Admin/Operator and Developer Consoles Kubernetes Cluster Ingress Controller TCP 443 https
Admin/Operator and Developer Consoles Kubernetes Cluster Worker Node TCP/UDP 30000-32767 kubernetes nodeport
Admin/Operator and Developer Consoles PKS Controller TCP 8443 httpsca
All User Consoles (Operator, Developer, Consumer) Kubernetes App Load-Balancer Svc TCP/UDP Varies varies with apps
All User Consoles (Operator, Developer, Consumer) Kubernetes Cluster Ingress Controller TCP 80 http
All User Consoles (Operator, Developer, Consumer) Kubernetes Cluster Ingress Controller TCP 443 https
All User Consoles (Operator, Developer, Consumer) Kubernetes Cluster Worker Node TCP/UDP 30000-32767 kubernetes nodeport

PKS Core Ports and Protocols

The following table lists ports and protocols used for network communication between core PKS components.

Source Component Destination Component Destination Protocol Destination Port Service
All System Components Corporate Domain Name Server TCP/UDP 53 dns
All System Components Network Time Server UDP 123 ntp
All System Components vRealize LogInsight TCP/UDP 514/1514 syslog/tls syslog
All System Control Plane Components AD/LDAP Directory Server TCP/UDP 389/636 ldap/ldaps
Pivotal Cloud Foundry Operations Manager Admin/Operator Console TCP 22 ssh
Pivotal Cloud Foundry Operations Manager Cloud Foundry BOSH Director TCP 6868 bosh agent http
Pivotal Cloud Foundry Operations Manager Cloud Foundry BOSH Director TCP 8443 httpsca
Pivotal Cloud Foundry Operations Manager Cloud Foundry BOSH Director TCP 8844 credhub
Pivotal Cloud Foundry Operations Manager Cloud Foundry BOSH Director TCP 25555 bosh director rest api
Pivotal Cloud Foundry Operations Manager Harbor Private Image Registry TCP 22 ssh
Pivotal Cloud Foundry Operations Manager Kubernetes Cluster Master/Etcd Node TCP 22 ssh
Pivotal Cloud Foundry Operations Manager Kubernetes Cluster Worker Node TCP 22 ssh
Pivotal Cloud Foundry Operations Manager PKS Controller TCP 22 ssh
Pivotal Cloud Foundry Operations Manager PKS Controller TCP 8443 httpsca
Pivotal Cloud Foundry Operations Manager vCenter Server TCP 443 https
Pivotal Cloud Foundry Operations Manager vSphere ESXI Hosts Mgmt. vmknic TCP 443 https
Cloud Foundry BOSH Director vCenter Server TCP 443 https
Cloud Foundry BOSH Director vSphere ESXI Hosts Mgmt. vmknic TCP 443 https
BOSH Compilation Job VM Cloud Foundry BOSH Director TCP 4222 bosh nats server
BOSH Compilation Job VM Cloud Foundry BOSH Director TCP 25250 bosh blobstore
BOSH Compilation Job VM Cloud Foundry BOSH Director TCP 25923 health monitor daemon
BOSH Compilation Job VM Harbor Private Image Registry TCP 443 https
BOSH Compilation Job VM Harbor Private Image Registry TCP 8853 bosh dns health
PKS Controller Cloud Foundry BOSH Director TCP 4222 bosh nats server
PKS Controller Cloud Foundry BOSH Director TCP 8443 httpsca
PKS Controller Cloud Foundry BOSH Director TCP 25250 bosh blobstore
PKS Controller Cloud Foundry BOSH Director TCP 25555 bosh director rest api
PKS Controller Cloud Foundry BOSH Director TCP 25923 health monitor daemon
PKS Controller Kubernetes Cluster Master/Etcd Node TCP 8443 httpsca
PKS Controller vCenter Server TCP 443 https
Harbor Private Image Registry Cloud Foundry BOSH Director TCP 4222 bosh nats server
Harbor Private Image Registry Cloud Foundry BOSH Director TCP 25250 bosh blobstore
Harbor Private Image Registry Cloud Foundry BOSH Director TCP 25923 health monitor daemon
Harbor Private Image Registry IP NAS Storage Array TCP 111 nfs rpc portmapper
Harbor Private Image Registry IP NAS Storage Array TCP 2049 nfs
Harbor Private Image Registry Public CVE Source Database TCP 443 https
kube-system pod/telemetry-agent PKS Controller TCP 24224 fluentd out_forward
Kubernetes Cluster Master/Etcd Node Cloud Foundry BOSH Director TCP 4222 bosh nats server
Kubernetes Cluster Master/Etcd Node Cloud Foundry BOSH Director TCP 25250 bosh blobstore
Kubernetes Cluster Master/Etcd Node Cloud Foundry BOSH Director TCP 25923 health monitor daemon
Kubernetes Cluster Master/Etcd Node Kubernetes Cluster Master/Etcd Node TCP 2379 etcd clent
Kubernetes Cluster Master/Etcd Node Kubernetes Cluster Master/Etcd Node TCP 2380 etcd server
Kubernetes Cluster Master/Etcd Node Kubernetes Cluster Master/Etcd Node TCP 8443 httpsca
Kubernetes Cluster Master/Etcd Node Kubernetes Cluster Master/Etcd Node TCP 8853 bosh dns health
Kubernetes Cluster Master/Etcd Node Kubernetes Cluster Worker Node TCP 4194 cadvisor
Kubernetes Cluster Master/Etcd Node Kubernetes Cluster Worker Node TCP 10250 kubelet api
Kubernetes Cluster Master/Etcd Node Kubernetes Cluster Worker Node TCP 31194 cadvisor
Kubernetes Cluster Master/Etcd Node PKS Controller TCP 8443 httpsca
Kubernetes Cluster Master/Etcd Node PKS Controller TCP 8853 bosh dns health
Kubernetes Cluster Master/Etcd Node vCenter Server TCP 443 https
Kubernetes Cluster Worker Node Cloud Foundry BOSH Director TCP 4222 bosh nats server
Kubernetes Cluster Worker Node Cloud Foundry BOSH Director TCP 25250 bosh blobstore
Kubernetes Cluster Worker Node Cloud Foundry BOSH Director TCP 25923 health monitor daemon
Kubernetes Cluster Worker Node Harbor Private Image Registry TCP 443 https
Kubernetes Cluster Worker Node Harbor Private Image Registry TCP 8853 bosh dns health
Kubernetes Cluster Worker Node IP NAS Storage Array TCP 111 nfs rpc portmapper
Kubernetes Cluster Worker Node IP NAS Storage Array TCP 2049 nfs
Kubernetes Cluster Worker Node Kubernetes Cluster Master/Etcd Node TCP 8443 httpsca
Kubernetes Cluster Worker Node Kubernetes Cluster Master/Etcd Node TCP 8853 bosh dns health
Kubernetes Cluster Worker Node Kubernetes Cluster Master/Etcd Node TCP 10250 kubelet api
pks-system pod/cert-generator PKS Controller TCP 24224 fluentd out_forward
pks-system pod/fluent-bit PKS Controller TCP 24224 fluentd out_forward

VMWare Ports and Protocols

The following tables list ports and protocols required for network communication between VMware components.

VMWare Virtual Infrastructure Ports and Protocols

The following table lists ports and protocols used for network communication between VMware virtual infrastructure components.

Source Component Destination Component Destination Protocol Destination Port Service
vCenter Server vSphere ESXI Hosts Mgmt. vmknic TCP 443 https
vCenter Server vSphere ESXI Hosts Mgmt. vmknic TCP 8080 http alt
vCenter Server vSphere ESXI Hosts Mgmt. vmknic TCP 9080 io filter storage
vSphere ESXI Hosts Mgmt. vmknic vCenter Server UDP 902 ideafarm-door
vSphere ESXI Hosts Mgmt. vmknic vCenter Server TCP 9084 update manager
vSphere ESXI Hosts Mgmt. vmknic vSphere ESXI Hosts Mgmt. vmknic TCP 8182 vsphere ha
vSphere ESXI Hosts Mgmt. vmknic vSphere ESXI Hosts Mgmt. vmknic UDP 8182 vsphere ha
vSphere ESXI Hosts vMotion vmknic vSphere ESXI Hosts vMotion vmknic TCP 8000 vmotion
vSphere ESXI Hosts IP Storage vmknic IP NAS Storage Array TCP 111 nfs rpc portmapper
vSphere ESXI Hosts IP Storage vmknic IP NAS Storage Array TCP 2049 nfs
vSphere ESXI Hosts IP Storage vmknic IP NAS Storage Array TCP 3260 iscsi
vSphere ESXI Hosts vSAN vmknic vSphere ESXI Hosts vSAN vmknic TCP 2233 vsan transport
vSphere ESXI Hosts vSAN vmknic vSphere ESXI Hosts vSAN vmknic UDP 12321 unicast agent
vSphere ESXI Hosts vSAN vmknic vSphere ESXI Hosts vSAN vmknic UDP 12345 vsan cluster svc
vSphere ESXI Hosts vSAN vmknic vSphere ESXI Hosts vSAN vmknic UDP 23451 vsan cluster svc
vSphere ESXI Hosts TEP vmknic vSphere ESXI Hosts TEP vmknic UDP 3784 bfd
vSphere ESXI Hosts TEP vmknic vSphere ESXI Hosts TEP vmknic UDP 3785 bfd
vSphere ESXI Hosts TEP vmknic vSphere ESXI Hosts TEP vmknic UDP 6081 geneve

VMWare Optional Integration Ports and Protocols

The following table lists ports and protocols used for network communication between optional VMware integrations.

Source Component Destination Component Destination Protocol Destination Port Service
Admin/Operator Console vRealize Operations Manager TCP 443 https
vRealize Operations Manager Kubernetes Cluster API Server -LB VIP TCP 8443 httpsca
vRealize Operations Manager PKS Controller TCP 8443 httpsca
vRealize Operations Manager Kubernetes Cluster API Server -LB VIP TCP 8443 httpsca
Admin/Operator Console vRealize LogInsight TCP 443 https
Kubernetes Cluster Ingress Controller vRealize LogInsight TCP 9000 ingestion api
Kubernetes Cluster Master/Etcd Node vRealize LogInsight TCP 9000 ingestion api
Kubernetes Cluster Master/Etcd Node vRealize LogInsight TCP 9543 ingestion api -tls
Kubernetes Cluster Worker Node vRealize LogInsight TCP 9000 ingestion api
Kubernetes Cluster Worker Node vRealize LogInsight TCP 9543 ingestion api -tls
PKS Controller vRealize LogInsight TCP 9000 ingestion api
Admin/Operator and Developer Consoles Wavefront SaaS APM TCP 443 https
kube-system pod/wavefront-proxy Wavefront SaaS APM TCP 443 https
kube-system pod/wavefront-proxy Wavefront SaaS APM TCP 8443 httpsca
pks-system pod/wavefront-collector PKS Controller TCP 24224 fluentd out_forward
Admin/Operator Console vRealize Network Insight Platform TCP 443 https
Admin/Operator Console vRealize Network Insight Proxy TCP 22 ssh
vRealize Network Insight Proxy Kubernetes Cluster API Server -LB VIP TCP 8443 httpsca
vRealize Network Insight Proxy PKS Controller TCP 8443 httpsca
vRealize Network Insight Proxy PKS Controller TCP 9021 pks api server

Please send any feedback you have to pks-feedback@pivotal.io.