Firewall Ports and Protocols Requirements
Page last updated:
This topic describes the firewall ports and protocols requirements for using Pivotal Container Service (PKS) on vSphere with NSX-T integration.
In environments with strict inter-network access control policies, firewalls often require conduits to pass communication between system components on a different network or allow interfacing with external systems such as with enterprise applications or the public Internet.
For PKS, we recommend that you disable security policies that filter traffic between the networks supporting the system. When that is not an option, refer to the following table, which identifies the flows between system components in a typical PKS deployment.
Note: You must set the communication path in your firewall settings to accomodate how you elect to control what groups have access to deploy and scale PKS-deployed Kubernetes clusters in your organization. In this case, mirror the settings on the lines below for the Operator –> PKS API server.
| Source Component | Destination Component | Destination Protocol | Destination Port | Service |
|---|---|---|---|---|
| Application User | NSX-T Load Balancers | TCP/UDP | varies | varies |
| Application User | NSX-T Ingress Controllers | TCP/UDP | varies | varies |
| Cloud Foundry BOSH Director | Domain Name Server | UDP | 53 | dns |
| Cloud Foundry BOSH Director | vCenter Server | TCP | 443 | https |
| Cloud Foundry BOSH Director | vSphere ESXI Mgmt. vmknic | TCP | 443 | https |
| Compilation Job VMs | Domain Name Server | UDP | 53 | dns |
| Developer | Harbor Private Image Registry | TCP | 4443 | notary |
| Developer | Harbor Private Image Registry | TCP | 443 | https |
| Developer | Harbor Private Image Registry | TCP | 80 | http |
| Developer | K8s Cluster Master/Etcd Nodes | TCP | 8443 | uaa auth |
| Developer | NSX-T Load Balancers | TCP/UDP | varies | varies |
| Developer | NSX-T Ingress Controllers | TCP/UDP | varies | varies |
| Domain Name Server | vCenter Server | UDP | 1433 | ms-sql-server |
| Harbor Private Image Registry | Domain Name Server | UDP | 53 | dns |
| Harbor Private Image Registry | Public CVE Source Database | TCP | 443 | https |
| Harbor Private Image Registry | Public CVE Source Database | TCP | 80 | http |
| K8s Cluster Master/Etcd Nodes | Cloud Foundry BOSH Director | TCP | 4222 | bosh nats server |
| K8s Cluster Master/Etcd Nodes | Cloud Foundry BOSH Director | TCP | 25250 | bosh blobstore |
| K8s Cluster Master/Etcd Nodes | Domain Name Server | UDP | 53 | dns |
| K8s Cluster Master/Etcd Nodes | NSX Manager Server | TCP | 443 | https |
| K8s Cluster Master/Etcd Nodes | vCenter Server | TCP | 443 | https |
| K8s Cluster Worker Nodes | Cloud Foundry BOSH Director | TCP | 4222 | bosh nats server |
| K8s Cluster Worker Nodes | Cloud Foundry BOSH Director | TCP | 25250 | bosh blobstore |
| K8s Cluster Worker Nodes | Domain Name Server | UDP | 53 | dns |
| K8s Cluster Worker Nodes | Harbor Private Image Registry | TCP | 8853 | bosh dns health |
| K8s Cluster Worker Nodes | Harbor Private Image Registry | TCP | 443 | https |
| K8s Cluster Worker Nodes | NSX Manager Server | TCP | 443 | https |
| K8s Cluster Worker Nodes | vCenter Server | TCP | 443 | https |
| NSX Controllers | Network Time Server | UDP | 123 | ntp |
| NSX Edge Management | NSX Edge TEP vNIC | UDP | 3784 | bfd |
| NSX Manager Server | Domain Name Server | UDP | 53 | dns |
| NSX Manager Server | SFTP Backup Server | TCP | 22 | ssh |
| Operator | Harbor Private Image Registry | TCP | 443 | https |
| Operator | Harbor Private Image Registry | TCP | 80 | http |
| Operator | NSX-T Load Balancers | TCP/UDP | varies | varies |
| Operator | NSX Manager Server | TCP | 443 | https |
| Operator | PCF Operations Manager | TCP | 22 | ssh |
| Operator | PCF Operations Manager | TCP | 443 | https |
| Operator | PCF Operations Manager | TCP | 80 | http |
| Operator | PKS API Server | TCP | 8443 | uaa auth |
| Operator | PKS API Server | TCP | 9021 | pks api server |
| Operator | vCenter Server | TCP | 443 | https |
| Operator | vCenter Server | TCP | 80 | http |
| Operator | vSphere ESXI Mgmt. vmknic | TCP | 22 | ssh |
| PCF Operations Manager | Domain Name Server | UDP | 53 | dns |
| PCF Operations Manager | K8s Cluster Worker Nodes | TCP | 22 | ssh |
| PCF Operations Manager | Network Time Server | UDP | 123 | ntp |
| PCF Operations Manager | vCenter Server | TCP | 443 | https |
| PCF Operations Manager | vSphere ESXI Mgmt. vmknic | TCP | 443 | https |
| PKS API Server | Domain Name Server | UDP | 53 | dns |
| PKS API Server | K8s Cluster Master/Etcd Nodes | TCP | 8443 | uaa auth |
| PKS API Server | NSX Manager Server | TCP | 443 | https |
| PKS API Server | vCenter Server | TCP | 443 | https |
| vCenter Server | Domain Name Server | UDP | 53 | dns |
| vCenter Server | Network Time Server | UDP | 123 | ntp |
| vCenter Server | vSphere ESXI Mgmt. vmknic | TCP | 8080 | vsanvp |
| vCenter Server | vSphere ESXI Mgmt. vmknic | TCP | 9080 | io filter storage |
| vCenter Server | vSphere ESXI Mgmt. vmknic | TCP | 443 | https |
| vCenter Server | vSphere ESXI Mgmt. vmknic | TCP | 902 | ideafarm-door |
You have the option to expose containerized applications, running in a Kubernetes cluster, for external consumption through various ports and methods.
You can enable external access to applications by way of NSX and non-NSX load balancers and ingress. Enabling access to applications through standard Kubernetes load-balancers and ingress controller types allow for specific port and protocol designations, while the NAT function offered through NSX-T will allow external addresses and ports to be automatically mapped and resolved to internal/local addresses and ports.
The NodePort Service type is not supported for PKS deployments on vSphere with NSX-T. Only
type:LoadBalancer and Services associated with Ingress rules are supported on vSphere
with NSX-T.
Please send any feedback you have to pks-feedback@pivotal.io.