LATEST VERSION: v1.1 - RELEASE NOTES
Pivotal Container Service v1.1

Firewall Ports and Protocols Requirements for vSphere with NSX-T

Page last updated:

This topic describes the firewall ports and protocols requirements for using Pivotal Container Service (PKS) on vSphere with NSX-T integration.

In environments with strict inter-network access control policies, firewalls often require conduits to pass communication between system components on a different network or allow interfacing with external systems such as with enterprise applications or the public Internet.

For PKS, the recommendation is to disable security policies that filter traffic between the networks supporting the system. When that is not an option, refer to the following table, which identifies the flows between system components in a typical PKS deployment.

Source Component Destination Component Destination Protocol Destination Port Service
Application User K8s Cluster Worker Nodes TCP 30000-32767 k8s nodeport
Application User K8s Load-Balancers TCP/UDP varies varies
Application User K8s Ingress-Controllers TCP/UDP varies varies
Cloud Foundry BOSH Director Domain Name Server UDP 53 dns
Cloud Foundry BOSH Director vCenter Server TCP 443 https
Cloud Foundry BOSH Director vSphere ESXI Mgmt. vmknic TCP 443 https
Compilation Job VMs Domain Name Server UDP 53 dns
Developer Harbor Private Image Registry TCP 4443 notary
Developer Harbor Private Image Registry TCP 443 https
Developer Harbor Private Image Registry TCP 80 http
Developer K8s Cluster Master/Etcd Nodes TCP 8443 uaa auth
Developer K8sCluster Worker Nodes TCP 30000-32767 k8s nodeport
Developer K8s Load-Balancers TCP/UDP varies varies
Developer K8s Ingress-Controllers TCP/UDP varies varies
Domain Name Server vCenter Server UDP 1433 ms-sql-server
Harbor Private Image Registry Domain Name Server UDP 53 dns
Harbor Private Image Registry Public CVE Source Database TCP 443 https
Harbor Private Image Registry Public CVE Source Database TCP 80 http
K8s Cluster Master/Etcd Nodes Cloud Foundry BOSH Director TCP 4222 bosh nats server
K8s Cluster Master/Etcd Nodes Cloud Foundry BOSH Director TCP 25250 bosh blobstore
K8s Cluster Master/Etcd Nodes Domain Name Server UDP 53 dns
K8s Cluster Master/Etcd Nodes NSX Manager Server TCP 443 https
K8s Cluster Master/Etcd Nodes vCenter Server TCP 443 https
K8s Cluster Worker Nodes Cloud Foundry BOSH Director TCP 4222 bosh nats server
K8s Cluster Worker Nodes Cloud Foundry BOSH Director TCP 25250 bosh blobstore
K8s Cluster Worker Nodes Domain Name Server UDP 53 dns
K8s Cluster Worker Nodes Harbor Private Image Registry TCP 8853 bosh dns health
K8s Cluster Worker Nodes Harbor Private Image Registry TCP 443 https
K8s Cluster Worker Nodes NSX Manager Server TCP 443 https
K8s Cluster Worker Nodes vCenter Server TCP 443 https
NSX Controllers Network Time Server UDP 123 ntp
NSX Edge Management NSX Edge TEP vNIC UDP 3784 bfd
NSX Manager Server Domain Name Server UDP 53 dns
NSX Manager Server SFTP Backup Server TCP 22 ssh
Operator Harbor Private Image Registry TCP 443 https
Operator Harbor Private Image Registry TCP 80 http
Operator K8s Load-Balancers TCP 80 http
Operator NSX Manager Server TCP 443 https
Operator PCF Operations Manager TCP 22 ssh
Operator PCF Operations Manager TCP 443 https
Operator PCF Operations Manager TCP 80 http
Operator PKS Controller TCP 8443 uaa auth
Operator PKS Controller TCP 9021 pks api server
Operator vCenter Server TCP 443 https
Operator vCenter Server TCP 80 http
Operator vSphere ESXI Mgmt. vmknic TCP 22 ssh
PCF Operations Manager Domain Name Server UDP 53 dns
PCF Operations Manager K8s Cluster Worker Nodes TCP 22 ssh
PCF Operations Manager Network Time Server UDP 123 ntp
PCF Operations Manager vCenter Server TCP 443 https
PCF Operations Manager vSphere ESXI Mgmt. vmknic TCP 443 https
PKS Controller Domain Name Server UDP 53 dns
PKS Controller K8s Cluster Master/Etcd Nodes TCP 8443 uaa auth
PKS Controller NSX Manager Server TCP 443 https
PKS Controller vCenter Server TCP 443 https
vCenter Server Domain Name Server UDP 53 dns
vCenter Server Network Time Server UDP 123 ntp
vCenter Server vSphere ESXI Mgmt. vmknic TCP 8080 vsanvp
vCenter Server vSphere ESXI Mgmt. vmknic TCP 9080 io filter storage
vCenter Server vSphere ESXI Mgmt. vmknic TCP 443 https
vCenter Server vSphere ESXI Mgmt. vmknic TCP 902 ideafarm-door

Note: You have the option to expose containerized applications, running in a Kubernetes cluster, for external consumption through various ports and methods. You can enable external access to applications by way of Kubernetes NodePorts, load-balancers, and ingress. Enabling access to applications through Kubernetes load-balancers and ingress controller types allow for specific port and protocol designations, while NodePort offers the least control and dynamically allocates ports from a pre-defined range of ports.


Please send any feedback you have to pks-feedback@pivotal.io.

Create a pull request or raise an issue on the source for this page in GitHub