Firewall Ports and Protocols Requirements for vSphere without NSX-T
Page last updated:
This topic describes the firewall ports and protocols requirements for using VMware Enterprise PKS on vSphere.
Firewalls and security policies are used to filter traffic and limit access in environments with strict inter-network access control policies.
Apps frequently require the ability to pass internal communication between system components on different networks and require one or more conduits through the environment’s firewalls. Firewall rules are also required to enable interfacing with external systems such as with enterprise apps or apps and data on the public Internet.
For Enterprise PKS, VMware recommends that you disable security policies that filter traffic between the networks supporting the system. With Enterprise PKS you should enable access to apps through standard Kubernetes load-balancers and ingress controller types. This enables you to designate specific ports and protocols as a firewall conduit.
For information on ports and protocol requirements for vSphere with NSX-T, see Firewall Ports and Protocols Requirements for vSphere with NSX-T
If you are unable to implement your security policy using the methods described above, refer to the following table, which identifies the flows between system components in a typical Enterprise PKS deployment.
Note: To control which groups access deploying and scaling your organization’s Enterprise PKS-deployed Kubernetes clusters, configure your firewall settings as described on the Operator –> PKS API server lines below.
Enterprise PKS Ports and Protocols
The following tables list ports and protocols required for network communications between Enterprise PKS v1.5.0 and later, and vSphere 6.7 and later.
Enterprise PKS Users Ports and Protocols
The following table lists ports and protocols used for network communication between Enterprise PKS user interface components.
| Source Component | Destination Component | Destination Protocol | Destination Port | Service |
|---|---|---|---|---|
| Admin/Operator Console | All System Components | TCP | 22 | ssh |
| Admin/Operator Console | All System Components | TCP | 80 | http |
| Admin/Operator Console | All System Components | TCP | 443 | https |
| Admin/Operator Console | BOSH Director | TCP | 25555 | bosh director rest api |
| Admin/Operator Console | Ops Manager | TCP | 22 | ssh |
| Admin/Operator Console | Ops Manager | TCP | 443 | https |
| Admin/Operator Console | PKS Controller | TCP | 9021 | pks api server |
| Admin/Operator Console | vCenter Server | TCP | 443 | https |
| Admin/Operator Console | vCenter Server | TCP | 5480 | vami |
| Admin/Operator Console | vSphere ESXI Hosts Mgmt. vmknic | TCP | 902 | ideafarm-door |
| Admin/Operator and Developer Consoles | Harbor Private Image Registry | TCP | 80 | http |
| Admin/Operator and Developer Consoles | Harbor Private Image Registry | TCP | 443 | https |
| Admin/Operator and Developer Consoles | Harbor Private Image Registry | TCP | 4443 | notary |
| Admin/Operator and Developer Consoles | Kubernetes App Load-Balancer Svc | TCP/UDP | Varies | varies with apps |
| Admin/Operator and Developer Consoles | Kubernetes Cluster API Server -LB VIP | TCP | 8443 | httpsca |
| Admin/Operator and Developer Consoles | Kubernetes Cluster Ingress Controller | TCP | 80 | http |
| Admin/Operator and Developer Consoles | Kubernetes Cluster Ingress Controller | TCP | 443 | https |
| Admin/Operator and Developer Consoles | Kubernetes Cluster Worker Node | TCP/UDP | 30000-32767 | kubernetes nodeport |
| Admin/Operator and Developer Consoles | PKS Controller | TCP | 8443 | httpsca |
| All User Consoles (Operator, Developer, Consumer) | Kubernetes App Load-Balancer Svc | TCP/UDP | Varies | varies with apps |
| All User Consoles (Operator, Developer, Consumer) | Kubernetes Cluster Ingress Controller | TCP | 80 | http |
| All User Consoles (Operator, Developer, Consumer) | Kubernetes Cluster Ingress Controller | TCP | 443 | https |
| All User Consoles (Operator, Developer, Consumer) | Kubernetes Cluster Worker Node | TCP/UDP | 30000-32767 | kubernetes nodeport |
Enterprise PKS Core Ports and Protocols
The following table lists ports and protocols used for network communication between core Enterprise PKS components.
| Source Component | Destination Component | Destination Protocol | Destination Port | Service |
|---|---|---|---|---|
| All System Components | Corporate Domain Name Server | TCP/UDP | 53 | dns |
| All System Components | Network Time Server | UDP | 123 | ntp |
| All System Components | vRealize LogInsight | TCP/UDP | 514/1514 | syslog/tls syslog |
| All System Control Plane Components | AD/LDAP Directory Server | TCP/UDP | 389/636 | ldap/ldaps |
| Ops Manager | Admin/Operator Console | TCP | 22 | ssh |
| Ops Manager | BOSH Director | TCP | 6868 | bosh agent http |
| Ops Manager | BOSH Director | TCP | 8443 | httpsca |
| Ops Manager | BOSH Director | TCP | 8844 | credhub |
| Ops Manager | BOSH Director | TCP | 25555 | bosh director rest api |
| Ops Manager | Harbor Private Image Registry | TCP | 22 | ssh |
| Ops Manager | Kubernetes Cluster Master/Etcd Node | TCP | 22 | ssh |
| Ops Manager | Kubernetes Cluster Worker Node | TCP | 22 | ssh |
| Ops Manager | PKS Controller | TCP | 22 | ssh |
| Ops Manager | PKS Controller | TCP | 8443 | httpsca |
| Ops Manager | vCenter Server | TCP | 443 | https |
| Ops Manager | vSphere ESXI Hosts Mgmt. vmknic | TCP | 443 | https |
| BOSH Director | vCenter Server | TCP | 443 | https |
| BOSH Director | vSphere ESXI Hosts Mgmt. vmknic | TCP | 443 | https |
| BOSH Compilation Job VM | BOSH Director | TCP | 4222 | bosh nats server |
| BOSH Compilation Job VM | BOSH Director | TCP | 25250 | bosh blobstore |
| BOSH Compilation Job VM | BOSH Director | TCP | 25923 | health monitor daemon |
| BOSH Compilation Job VM | Harbor Private Image Registry | TCP | 443 | https |
| BOSH Compilation Job VM | Harbor Private Image Registry | TCP | 8853 | bosh dns health |
| PKS Controller | BOSH Director | TCP | 4222 | bosh nats server |
| PKS Controller | BOSH Director | TCP | 8443 | httpsca |
| PKS Controller | BOSH Director | TCP | 25250 | bosh blobstore |
| PKS Controller | BOSH Director | TCP | 25555 | bosh director rest api |
| PKS Controller | BOSH Director | TCP | 25923 | health monitor daemon |
| PKS Controller | Kubernetes Cluster Master/Etcd Node | TCP | 8443 | httpsca |
| PKS Controller | PKS Database VM | TCP | 3306 | pks db proxy |
| PKS Controller | PKS API VM | TCP | 13306 | pks db migration errand |
| PKS Controller | vCenter Server | TCP | 443 | https |
| Harbor Private Image Registry | BOSH Director | TCP | 4222 | bosh nats server |
| Harbor Private Image Registry | BOSH Director | TCP | 25250 | bosh blobstore |
| Harbor Private Image Registry | BOSH Director | TCP | 25923 | health monitor daemon |
| Harbor Private Image Registry | IP NAS Storage Array | TCP | 111 | nfs rpc portmapper |
| Harbor Private Image Registry | IP NAS Storage Array | TCP | 2049 | nfs |
| Harbor Private Image Registry | Public CVE Source Database | TCP | 443 | https |
| kube-system pod/telemetry-agent | PKS Controller | TCP | 24224 | fluentd out_forward |
| Kubernetes Cluster Master/Etcd Node | BOSH Director | TCP | 4222 | bosh nats server |
| Kubernetes Cluster Master/Etcd Node | BOSH Director | TCP | 25250 | bosh blobstore |
| Kubernetes Cluster Master/Etcd Node | BOSH Director | TCP | 25923 | health monitor daemon |
| Kubernetes Cluster Master/Etcd Node | Kubernetes Cluster Master/Etcd Node | TCP | 2379 | etcd clent |
| Kubernetes Cluster Master/Etcd Node | Kubernetes Cluster Master/Etcd Node | TCP | 2380 | etcd server |
| Kubernetes Cluster Master/Etcd Node | Kubernetes Cluster Master/Etcd Node | TCP | 8443 | httpsca |
| Kubernetes Cluster Master/Etcd Node | Kubernetes Cluster Master/Etcd Node | TCP | 8853 | bosh dns health |
| Kubernetes Cluster Master/Etcd Node | Kubernetes Cluster Worker Node | TCP | 4194 | cadvisor |
| Kubernetes Cluster Master/Etcd Node | Kubernetes Cluster Worker Node | TCP | 10250 | kubelet api |
| Kubernetes Cluster Master/Etcd Node | Kubernetes Cluster Worker Node | TCP | 31194 | cadvisor |
| Kubernetes Cluster Master/Etcd Node | PKS Controller | TCP | 8443 | httpsca |
| Kubernetes Cluster Master/Etcd Node | PKS Controller | TCP | 8853 | bosh dns health |
| Kubernetes Cluster Master/Etcd Node | vCenter Server | TCP | 443 | https |
| Kubernetes Cluster Worker Node | BOSH Director | TCP | 4222 | bosh nats server |
| Kubernetes Cluster Worker Node | BOSH Director | TCP | 25250 | bosh blobstore |
| Kubernetes Cluster Worker Node | BOSH Director | TCP | 25923 | health monitor daemon |
| Kubernetes Cluster Worker Node | Harbor Private Image Registry | TCP | 443 | https |
| Kubernetes Cluster Worker Node | Harbor Private Image Registry | TCP | 8853 | bosh dns health |
| Kubernetes Cluster Worker Node | IP NAS Storage Array | TCP | 111 | nfs rpc portmapper |
| Kubernetes Cluster Worker Node | IP NAS Storage Array | TCP | 2049 | nfs |
| Kubernetes Cluster Worker Node | Kubernetes Cluster Master/Etcd Node | TCP | 8443 | httpsca |
| Kubernetes Cluster Worker Node | Kubernetes Cluster Master/Etcd Node | TCP | 8853 | bosh dns health |
| Kubernetes Cluster Worker Node | Kubernetes Cluster Master/Etcd Node | TCP | 10250 | kubelet api |
| pks-system pod/cert-generator | PKS Controller | TCP | 24224 | fluentd out_forward |
| pks-system pod/fluent-bit | PKS Controller | TCP | 24224 | fluentd out_forward |
VMware Ports and Protocols
The following tables list ports and protocols required for network communication between VMware components.
VMware Virtual Infrastructure Ports and Protocols
The following table lists ports and protocols used for network communication between VMware virtual infrastructure components.
| Source Component | Destination Component | Destination Protocol | Destination Port | Service |
|---|---|---|---|---|
| vCenter Server | vSphere ESXI Hosts Mgmt. vmknic | TCP | 443 | https |
| vCenter Server | vSphere ESXI Hosts Mgmt. vmknic | TCP | 8080 | http alt |
| vCenter Server | vSphere ESXI Hosts Mgmt. vmknic | TCP | 9080 | io filter storage |
| vSphere ESXI Hosts Mgmt. vmknic | vCenter Server | UDP | 902 | ideafarm-door |
| vSphere ESXI Hosts Mgmt. vmknic | vCenter Server | TCP | 9084 | update manager |
| vSphere ESXI Hosts Mgmt. vmknic | vSphere ESXI Hosts Mgmt. vmknic | TCP | 8182 | vsphere ha |
| vSphere ESXI Hosts Mgmt. vmknic | vSphere ESXI Hosts Mgmt. vmknic | UDP | 8182 | vsphere ha |
| vSphere ESXI Hosts vMotion vmknic | vSphere ESXI Hosts vMotion vmknic | TCP | 8000 | vmotion |
| vSphere ESXI Hosts IP Storage vmknic | IP NAS Storage Array | TCP | 111 | nfs rpc portmapper |
| vSphere ESXI Hosts IP Storage vmknic | IP NAS Storage Array | TCP | 2049 | nfs |
| vSphere ESXI Hosts IP Storage vmknic | IP NAS Storage Array | TCP | 3260 | iscsi |
| vSphere ESXI Hosts vSAN vmknic | vSphere ESXI Hosts vSAN vmknic | TCP | 2233 | vsan transport |
| vSphere ESXI Hosts vSAN vmknic | vSphere ESXI Hosts vSAN vmknic | UDP | 12321 | unicast agent |
| vSphere ESXI Hosts vSAN vmknic | vSphere ESXI Hosts vSAN vmknic | UDP | 12345 | vsan cluster svc |
| vSphere ESXI Hosts vSAN vmknic | vSphere ESXI Hosts vSAN vmknic | UDP | 23451 | vsan cluster svc |
| vSphere ESXI Hosts TEP vmknic | vSphere ESXI Hosts TEP vmknic | UDP | 3784 | bfd |
| vSphere ESXI Hosts TEP vmknic | vSphere ESXI Hosts TEP vmknic | UDP | 3785 | bfd |
| vSphere ESXI Hosts TEP vmknic | vSphere ESXI Hosts TEP vmknic | UDP | 6081 | geneve |
VMware Optional Integration Ports and Protocols
The following table lists ports and protocols used for network communication between optional VMware integrations.
| Source Component | Destination Component | Destination Protocol | Destination Port | Service |
|---|---|---|---|---|
| Admin/Operator Console | vRealize Operations Manager | TCP | 443 | https |
| vRealize Operations Manager | Kubernetes Cluster API Server -LB VIP | TCP | 8443 | httpsca |
| vRealize Operations Manager | PKS Controller | TCP | 8443 | httpsca |
| vRealize Operations Manager | Kubernetes Cluster API Server -LB VIP | TCP | 8443 | httpsca |
| Admin/Operator Console | vRealize LogInsight | TCP | 443 | https |
| Kubernetes Cluster Ingress Controller | vRealize LogInsight | TCP | 9000 | ingestion api |
| Kubernetes Cluster Master/Etcd Node | vRealize LogInsight | TCP | 9000 | ingestion api |
| Kubernetes Cluster Master/Etcd Node | vRealize LogInsight | TCP | 9543 | ingestion api -tls |
| Kubernetes Cluster Worker Node | vRealize LogInsight | TCP | 9000 | ingestion api |
| Kubernetes Cluster Worker Node | vRealize LogInsight | TCP | 9543 | ingestion api -tls |
| PKS Controller | vRealize LogInsight | TCP | 9000 | ingestion api |
| Admin/Operator and Developer Consoles | Wavefront SaaS APM | TCP | 443 | https |
| kube-system pod/wavefront-proxy | Wavefront SaaS APM | TCP | 443 | https |
| kube-system pod/wavefront-proxy | Wavefront SaaS APM | TCP | 8443 | httpsca |
| pks-system pod/wavefront-collector | PKS Controller | TCP | 24224 | fluentd out_forward |
| Admin/Operator Console | vRealize Network Insight Platform | TCP | 443 | https |
| Admin/Operator Console | vRealize Network Insight Proxy | TCP | 22 | ssh |
| vRealize Network Insight Proxy | Kubernetes Cluster API Server -LB VIP | TCP | 8443 | httpsca |
| vRealize Network Insight Proxy | PKS Controller | TCP | 8443 | httpsca |
| vRealize Network Insight Proxy | PKS Controller | TCP | 9021 | pks api server |
Please send any feedback you have to pks-feedback@pivotal.io.