Firewall Ports and Protocols Requirements for Enterprise PKS Management Console

Firewalls and security policies are used to filter traffic and limit access in environments with strict inter-network access control policies.

Apps frequently require the ability to pass internal communication between system components on different networks and require one or more conduits through the environment’s firewalls. Firewall rules are also required to enable interfacing with external systems such as with enterprise apps or apps and data on the public Internet.

For Enterprise PKS, it is recommended to disable security policies that filter traffic between the networks supporting the system. To secure the environment and grant access between system components with Enterprise PKS, use one of the following methods:

  • Enable access to apps through standard Kubernetes load-balancers and ingress controller types. This enables you to designate specific ports and protocols as a firewall conduit.
  • Enable access using the NSX-T load balancer and ingress. This enables you to configure external addresses and ports that are automatically mapped and resolved to internal/local addresses and ports.

If you are unable to implement your security policy using these methods, refer to the table below, which identifies the flows between the system components in an Enterprise PKS Management Console deployment.

Notes:

  • The Source Component is the IP address of the Enterprise PKS Management Console appliance VM.
  • In a standard Enterprise PKS deployment, it is assumed that Ops Manager and BOSH are already deployed before you deploy Enterprise PKS. This is not the case with Enterprise PKS deployments from the management console, in which you do not know the IP addresses in the deployment network that will be assigned to the PKS API VM, BOSH VM, and Ops Manager VM. As a consequence, it is recommended to create a firewall rule that allows access by the management console appliance VM to the entire deployment subnet.

| Source Component | Destination Component | Destination Protocol | Destination Port | Service |
|---|---|---|---|---|
| Management Console Appliance VM | All System Components | TCP | 22 | ssh |
| Management Console Appliance VM | All System Components | TCP | 80 | http |
| Management Console Appliance VM | All System Components | TCP | 443 | https |
| Management Console Appliance VM | Cloud Foundry BOSH Director | TCP | 25555 | bosh director rest api |
| Management Console Appliance VM | DNS validation for Ops Manager | TCP | 53 | netcat |
| Management Console Appliance VM | Kubernetes Cluster API Server - LB VIP | TCP | 8443 | httpsca |
| Management Console Appliance VM | Pivotal Cloud Foundry Operations Manager | TCP | 22 | ssh |
| Management Console Appliance VM | Pivotal Cloud Foundry Operations Manager | TCP | 443 | https |
| Management Console Appliance VM | PKS Controller | TCP | 9021 | pks api server |
| Management Console Appliance VM | vCenter Server | TCP | 443 | https |
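As an added example (not from this page or from Pivotal), the component-specific flows in the table are encoded as data so a firewall policy can be checked against them: the broad deployment-subnet rule the note above recommends while addresses are unknown, and the per-flow /32 allow-list it can be narrowed to once they are. Appliance and component addresses are constructed placeholders; the "All System Components" rows and the DNS row are left out of the flow list.

```python
import ipaddress

# Flows copied from the table above: (destination component, protocol, port).
REQUIRED_FLOWS = [
    ("Ops Manager", "tcp", 22),
    ("Ops Manager", "tcp", 443),
    ("BOSH Director", "tcp", 25555),
    ("PKS Controller", "tcp", 9021),
    ("Kubernetes API LB VIP", "tcp", 8443),
    ("vCenter Server", "tcp", 443),
]
# Constructed sample addresses; substitute the ones assigned in your deployment.
COMPONENT_ADDRESSES = {
    "Ops Manager": "10.0.1.10",            # deployment subnet 10.0.1.0/24
    "BOSH Director": "10.0.1.11",
    "PKS Controller": "10.0.1.12",
    "Kubernetes API LB VIP": "10.0.2.5",   # outside the deployment subnet
    "vCenter Server": "10.0.3.20",         # outside the deployment subnet
}
APPLIANCE = "10.0.0.50"  # constructed management console appliance VM address

def rule_permits(rule, dst_ip, proto, port):
    """A rule is a dict with src and dst CIDRs, proto, and a (lo, hi) port range."""
    lo, hi = rule["ports"]
    return (ipaddress.ip_address(APPLIANCE) in ipaddress.ip_network(rule["src"])
            and ipaddress.ip_address(dst_ip) in ipaddress.ip_network(rule["dst"])
            and rule["proto"] == proto and lo <= port <= hi)

def missing_flows(rules):
    """Return the required flows that no rule in the policy permits."""
    missing = []
    for component, proto, port in REQUIRED_FLOWS:
        dst = COMPONENT_ADDRESSES[component]
        if not any(rule_permits(r, dst, proto, port) for r in rules):
            missing.append((component, proto, port))
    return missing

def subnet_rule(deployment_subnet):
    """Pre-deployment rule from the note: appliance to the whole deployment subnet."""
    return {"src": APPLIANCE + "/32", "dst": deployment_subnet,
            "proto": "tcp", "ports": (1, 65535)}

def per_flow_rules():
    """Post-deployment allow-list: one /32 rule per required flow and port."""
    return [{"src": APPLIANCE + "/32", "dst": COMPONENT_ADDRESSES[c] + "/32",
             "proto": p, "ports": (port, port)} for c, p, port in REQUIRED_FLOWS]
```

Running missing_flows against the subnet rule alone shows that the LB VIP and vCenter flows still need their own rules, since they sit outside the deployment subnet.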
