Firewall Ports and Protocols Requirements for Enterprise PKS Management Console
Page last updated:
Warning: VMware Enterprise PKS v1.7 is no longer supported because it has reached the End of General Support (EOGS) phase as defined by the Support Lifecycle Policy. To stay up to date with the latest software and security updates, upgrade to a supported version.
Firewalls and security policies are used to filter traffic and limit access in environments with strict inter-network access control policies.
Apps frequently require the ability to pass internal communication between system components on different networks and require one or more conduits through the environment’s firewalls. Firewall rules are also required to enable interfacing with external systems such as with enterprise apps or apps and data on the public Internet.
For Enterprise PKS, is is recommended to disable security policies that filter traffic between the networks supporting the system. To secure the environment and grant access between system components with Enterprise PKS, use one of the following methods:
- Enable access to apps through standard Kubernetes load-balancers and ingress
controller types. This enables you to designate specific ports and protocols as a firewall conduit.
- Enable access using the NSX-T load balancer and ingress. This enables you to configure external addresses and ports that are automatically mapped and resolved to internal/local addresses and ports.
If you are unable to implement your security policy using these methods, refer to the table below, which identifies the flows between the system components in an Enterprise PKS Management Console deployment.
Notes: The Source Component is IP address of the Enterprise PKS Management Console appliance VM.
In a standard Enterprise PKS deployment, it is assumed that Ops Manager and BOSH are already deployed before you deploy Enterprise PKS. This is not the case with Enterprise PKS deployments from the management console, in which you do not know the IP addresses in the deployment network that will be assigned to PKS API VM, BOSH VM, and Ops Manager VM. As a consequence, it is recommended to create a firewall rule that allows access by the management console appliance VM to the entire deployment subnet.
|Source Component||Destination Component||Destination Protocol||Destination Port||Service|
|Management Console Appliance VM||All System Components||TCP||22||ssh|
|Management Console Appliance VM||All System Components||TCP||80||http|
|Management Console Appliance VM||All System Components||TCP||443||https|
|Management Console Appliance VM||Cloud Foundry BOSH Director||TCP||25555||bosh director rest api|
|Management Console Appliance VM||DNS validation for Ops Manager||TCP||53||netcat|
|Management Console Appliance VM||Kubernetes Cluster API Server - LB VIP||TCP||8443||httpsca|
|Management Console Appliance VM||Pivotal Cloud Foundry Operations Manager||TCP||22||ssh|
|Management Console Appliance VM||Pivotal Cloud Foundry Operations Manager||TCP||443||https|
|Management Console Appliance VM||PKS Controller||TCP||9021||pks api server|
|Management Console Appliance VM||vCenter Server||TCP||443||https|
Please send any feedback you have to firstname.lastname@example.org.