Firewall Ports and Protocols Requirements

This topic describes the firewall ports and protocols requirements for using VMware Tanzu Kubernetes Grid Integrated Edition (TKGI) with Antrea.

If you are using TKGI on vSphere, see one of the following topics instead:

Overview

Apps frequently require the ability to pass internal communication between system components on different networks.

Firewalls and Kubernetes Pod Security Policies filter traffic and limit access in environments with strict inter-network access control policies; in such environments your apps require one or more conduits through the secured environment's firewalls.

VMware recommends that, rather than using a Kubernetes Pod Security Policy to filter traffic between networks and TKGI system components and clusters, you enable access to apps through the standard Kubernetes load-balancer and ingress controller types. This lets you designate specific ports and protocols as the firewall conduit.

Consult the following tables when configuring port settings to install or upgrade TKGI or configure a Kubernetes cluster:

Note: To control which groups can deploy and scale your organization's Tanzu Kubernetes Grid Integrated Edition-deployed Kubernetes clusters, configure your firewall settings as described in the Operator –> TKGI API server rows below.

TKGI Ports and Protocols

The following tables list ports and protocols required for network communications between Tanzu Kubernetes Grid Integrated Edition v1.5.0 and later, and other components.

TKGI Users Ports and Protocols

The following table lists ports and protocols used for network communication between TKGI user interface components.

| Source Component | Destination Component | Destination Protocol | Destination Port | Service |
|---|---|---|---|---|
| Admin/Operator Console | All System Components | TCP | 22 | ssh |
| Admin/Operator Console | All System Components | TCP | 80 | http |
| Admin/Operator Console | All System Components | TCP | 443 | https |
| Admin/Operator Console | BOSH Director | TCP | 25555 | bosh director rest api |
| Admin/Operator Console | Ops Manager | TCP | 22 | ssh |
| Admin/Operator Console | Ops Manager | TCP | 443 | https |
| Admin/Operator Console | TKGI Controller | TCP | 9021 | tkgi api server |
| Admin/Operator and Developer Consoles | Harbor Private Image Registry | TCP | 80 | http |
| Admin/Operator and Developer Consoles | Harbor Private Image Registry | TCP | 443 | https |
| Admin/Operator and Developer Consoles | Harbor Private Image Registry | TCP | 4443 | notary |
| Admin/Operator and Developer Consoles | Kubernetes App Load-Balancer Svc | TCP/UDP | Varies | varies with apps |
| Admin/Operator and Developer Consoles | Kubernetes Cluster API Server - LB VIP | TCP | 8443 | httpsca |
| Admin/Operator and Developer Consoles | Kubernetes Cluster Ingress Controller | TCP | 80 | http |
| Admin/Operator and Developer Consoles | Kubernetes Cluster Ingress Controller | TCP | 443 | https |
| Admin/Operator and Developer Consoles | Kubernetes Cluster Worker Node | TCP/UDP | 30000-32767 | kubernetes nodeport |
| Admin/Operator and Developer Consoles | TKGI Controller | TCP | 8443 | httpsca |
| All User Consoles (Operator, Developer, Consumer) | Kubernetes App Load-Balancer Svc | TCP/UDP | Varies | varies with apps |
| All User Consoles (Operator, Developer, Consumer) | Kubernetes Cluster Ingress Controller | TCP | 80 | http |
| All User Consoles (Operator, Developer, Consumer) | Kubernetes Cluster Ingress Controller | TCP | 443 | https |
| All User Consoles (Operator, Developer, Consumer) | Kubernetes Cluster Worker Node | TCP/UDP | 30000-32767 | kubernetes nodeport |

TKGI Core Ports and Protocols

The following table lists ports and protocols used for network communication between core TKGI components.

| Source Component | Destination Component | Destination Protocol | Destination Port | Service |
|---|---|---|---|---|
| All System Components | Corporate Domain Name Server | TCP/UDP | 53 | dns |
| All System Components | Network Time Server | UDP | 123 | ntp |
| All System Control Plane Components | AD/LDAP Directory Server | TCP/UDP | 389/636 | ldap/ldaps |
| Ops Manager | Admin/Operator Console | TCP | 22 | ssh |
| Ops Manager | BOSH Director | TCP | 6868 | bosh agent http |
| Ops Manager | BOSH Director | TCP | 8443 | httpsca |
| Ops Manager | BOSH Director | TCP | 8844 | credhub |
| Ops Manager | BOSH Director | TCP | 25555 | bosh director rest api |
| Ops Manager | Harbor Private Image Registry | TCP | 22 | ssh |
| Ops Manager | Kubernetes Cluster Master/Etcd Node | TCP | 22 | ssh |
| Ops Manager | Kubernetes Cluster Worker Node | TCP | 22 | ssh |
| Ops Manager | TKGI Controller | TCP | 22 | ssh |
| Ops Manager | TKGI Controller | TCP | 8443 | httpsca |
| BOSH Compilation Job VM | BOSH Director | TCP | 4222 | bosh nats server |
| BOSH Compilation Job VM | BOSH Director | TCP | 25250 | bosh blobstore |
| BOSH Compilation Job VM | BOSH Director | TCP | 25923 | health monitor daemon |
| BOSH Compilation Job VM | Harbor Private Image Registry | TCP | 443 | https |
| BOSH Compilation Job VM | Harbor Private Image Registry | TCP | 8853 | bosh dns health |
| TKGI Controller | BOSH Director | TCP | 4222 | bosh nats server |
| TKGI Controller | BOSH Director | TCP | 8443 | httpsca |
| TKGI Controller | BOSH Director | TCP | 25250 | bosh blobstore |
| TKGI Controller | BOSH Director | TCP | 25555 | bosh director rest api |
| TKGI Controller | BOSH Director | TCP | 25923 | health monitor daemon |
| TKGI Controller | Kubernetes Cluster Master/Etcd Node | TCP | 8443 | httpsca |
| TKGI Controller | TKGI Database VM | TCP | 3306 | tkgi db proxy |
| Harbor Private Image Registry | BOSH Director | TCP | 4222 | bosh nats server |
| Harbor Private Image Registry | BOSH Director | TCP | 25250 | bosh blobstore |
| Harbor Private Image Registry | BOSH Director | TCP | 25923 | health monitor daemon |
| Harbor Private Image Registry | IP NAS Storage Array | TCP | 111 | nfs rpc portmapper |
| Harbor Private Image Registry | IP NAS Storage Array | TCP | 2049 | nfs |
| Harbor Private Image Registry | Public CVE Source Database | TCP | 443 | https |
| kube-system pod/telemetry-agent | TKGI Controller | TCP | 24224 | fluentd out_forward |
| Kubernetes Cluster Master/Etcd Node | BOSH Director | TCP | 4222 | bosh nats server |
| Kubernetes Cluster Master/Etcd Node | BOSH Director | TCP | 25250 | bosh blobstore |
| Kubernetes Cluster Master/Etcd Node | BOSH Director | TCP | 25923 | health monitor daemon |
| Kubernetes Cluster Master/Etcd Node | Kubernetes Cluster Master/Etcd Node | TCP | 2379 | etcd client |
| Kubernetes Cluster Master/Etcd Node | Kubernetes Cluster Master/Etcd Node | TCP | 2380 | etcd server |
| Kubernetes Cluster Master/Etcd Node | Kubernetes Cluster Master/Etcd Node | TCP | 8443 | httpsca |
| Kubernetes Cluster Master/Etcd Node | Kubernetes Cluster Master/Etcd Node | TCP | 8853 | bosh dns health |
| Kubernetes Cluster Master/Etcd Node | Kubernetes Cluster Worker Node | TCP | 4194 | cadvisor |
| Kubernetes Cluster Master/Etcd Node | Kubernetes Cluster Worker Node | TCP | 10250 | kubelet api |
| Kubernetes Cluster Master/Etcd Node | Kubernetes Cluster Worker Node | TCP | 31194 | cadvisor |
| Kubernetes Cluster Master/Etcd Node | TKGI Controller | TCP | 8443 | httpsca |
| Kubernetes Cluster Master/Etcd Node | TKGI Controller | TCP | 8853 | bosh dns health |
| Kubernetes Cluster Worker Node | BOSH Director | TCP | 4222 | bosh nats server |
| Kubernetes Cluster Worker Node | BOSH Director | TCP | 25250 | bosh blobstore |
| Kubernetes Cluster Worker Node | BOSH Director | TCP | 25923 | health monitor daemon |
| Kubernetes Cluster Worker Node | Harbor Private Image Registry | TCP | 443 | https |
| Kubernetes Cluster Worker Node | Harbor Private Image Registry | TCP | 8853 | bosh dns health |
| Kubernetes Cluster Worker Node | IP NAS Storage Array | TCP | 111 | nfs rpc portmapper |
| Kubernetes Cluster Worker Node | IP NAS Storage Array | TCP | 2049 | nfs |
| Kubernetes Cluster Worker Node | Kubernetes Cluster Master/Etcd Node | TCP | 8443 | httpsca |
| Kubernetes Cluster Worker Node | Kubernetes Cluster Master/Etcd Node | TCP | 8853 | bosh dns health |
| Kubernetes Cluster Worker Node | Kubernetes Cluster Master/Etcd Node | TCP | 10250 | kubelet api |
| pks-system pod/cert-generator | TKGI Controller | TCP | 24224 | fluentd out_forward |
| pks-system pod/fluent-bit | TKGI Controller | TCP | 24224 | fluentd out_forward |

Networking Ports and Protocols

The following tables list ports and protocols required for network communication.

Antrea Networking Ports and Protocols

The following table lists ports and protocols required for network communication in Antrea environments.

| Source Component | Destination Component | Destination Protocol | Destination Port | Service |
|---|---|---|---|---|
| Worker Node VMs | Worker Node VMs | UDP | 6081 | Geneve |
| Master Node VMs | Master Node VMs | TCP | 8091 | TCP |

Note: Port 6081 must be open on all of the worker node VMs and port 8091 must be open on all master node VMs in the clusters you create in an Antrea networking environment.

For more information, see Network Requirements in the Antrea GitHub repository.
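The tables above are only useful if the firewall rule set actually matches them. The following added example (not part of this documentation or of TKGI) checks a proposed allow-list against a handful of rows from the tables: it reports required flows that no rule fully permits (for TCP/UDP rows, both protocols must be allowed) and rules that open something the tables do not require, such as a wrong protocol or an overly broad port range. The pipe-separated row format, the component names in the sample rules and the rule set itself are constructed for this example.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    proto: str    # "TCP", "UDP" or "TCP/UDP", as written in the tables
    ports: range  # inclusive table range stored as range(lo, hi + 1)
    service: str

def parse_port(spec: str) -> range:
    """'8443' -> range(8443, 8444); '30000-32767' -> range(30000, 32768)."""
    lo, _, hi = spec.partition("-")
    return range(int(lo), int(hi or lo) + 1)

def parse_table(text: str) -> list:
    """Parse 'src | dst | proto | port | service' rows (constructed format)."""
    rows = [line.split("|") for line in text.strip().splitlines()]
    return [Flow(s.strip(), d.strip(), p.strip().upper(), parse_port(port), svc.strip())
            for s, d, p, port, svc in rows]

def protos(p: str) -> set:
    return {"TCP", "UDP"} if p == "TCP/UDP" else {p}

def allowed(flows, src, dst, proto, port) -> bool:
    """True if any flow in the list permits exactly this endpoint/protocol/port."""
    return any(f.src == src and f.dst == dst and proto in protos(f.proto) and port in f.ports
               for f in flows)

def missing(required, rules) -> list:
    """Required flows (checked per protocol and per port) that the rules do not permit."""
    out = []
    for f in required:
        for proto in sorted(protos(f.proto)):
            gaps = [p for p in f.ports if not allowed(rules, f.src, f.dst, proto, p)]
            if gaps:
                out.append(f"{f.src} -> {f.dst} {proto} {len(gaps)} port(s) from {gaps[0]} ({f.service})")
    return out

def unneeded(required, rules) -> list:
    """Rules permitting at least one protocol/port that no required flow uses."""
    return [r for r in rules if any(not allowed(required, r.src, r.dst, proto, p)
                                    for proto in protos(r.proto) for p in r.ports)]

# Constructed sample: rows taken from the tables above, and a deliberately flawed rule set
# (Geneve allowed on TCP instead of UDP, kubelet API not allowed, control plane wide open).
REQUIRED = parse_table("""
Ops Manager | BOSH Director | TCP | 25555 | bosh director rest api
TKGI Controller | TKGI Database VM | TCP | 3306 | tkgi db proxy
Kubernetes Cluster Master/Etcd Node | Kubernetes Cluster Worker Node | TCP | 10250 | kubelet api
Worker Node VMs | Worker Node VMs | UDP | 6081 | Geneve
All User Consoles | Kubernetes Cluster Worker Node | TCP/UDP | 30000-32767 | kubernetes nodeport
""")
PROPOSED_RULES = parse_table("""
Ops Manager | BOSH Director | TCP | 25555 | allow
TKGI Controller | TKGI Database VM | TCP | 3306 | allow
Worker Node VMs | Worker Node VMs | TCP | 6081 | allow
All User Consoles | Kubernetes Cluster Worker Node | TCP/UDP | 30000-32767 | allow
Internet | Kubernetes Cluster Master/Etcd Node | TCP | 1-65535 | allow
""")
```

Running `missing(REQUIRED, PROPOSED_RULES)` lists the kubelet API and the UDP Geneve flow; `unneeded(REQUIRED, PROPOSED_RULES)` flags the TCP 6081 rule and the wide-open control-plane rule.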
