Firewall Ports and Protocols Requirements for Tanzu Kubernetes Grid Integrated Edition Management Console
Note: As of v1.8, Enterprise PKS has been renamed to VMware Tanzu Kubernetes Grid Integrated Edition. Some screenshots in this documentation do not yet reflect the change.
Page last updated:
Firewalls and security policies are used to filter traffic and limit access in environments with strict inter-network access control policies.
Apps frequently require the ability to pass internal communication between system components on different networks and require one or more conduits through the environment’s firewalls. Firewall rules are also required to enable interfacing with external systems such as with enterprise apps or apps and data on the public Internet.
For Tanzu Kubernetes Grid Integrated Edition on vSphere, it is recommended to disable security policies that filter traffic between the networks supporting the system. To secure the environment and grant access between system components with Tanzu Kubernetes Grid Integrated Edition, use one of the following methods:
- Enable access to apps through standard Kubernetes load-balancers and ingress
controller types. This enables you to designate specific ports and protocols as a firewall conduit.
- Enable access using the NSX-T load balancer and ingress. This enables you to configure external addresses and ports that are automatically mapped and resolved to internal/local addresses and ports.
If you are unable to implement your security policy using these methods, refer to the table below, which identifies the flows between the system components in an Tanzu Kubernetes Grid Integrated Edition Management Console deployment.
Notes: The Source Component is IP address of the Tanzu Kubernetes Grid Integrated Edition Management Console VM.
In a standard Tanzu Kubernetes Grid Integrated Edition deployment, it is assumed that Ops Manager and BOSH are already deployed before you deploy Tanzu Kubernetes Grid Integrated Edition. This is not the case with Tanzu Kubernetes Grid Integrated Edition deployments from the management console, in which you do not know the IP addresses in the deployment network that will be assigned to TKGI API VM, BOSH VM, and Ops Manager VM. As a consequence, it is recommended to create a firewall rule that allows access by the management console VM to the entire deployment subnet.
|Source Component||Destination Component||Destination Protocol||Destination Port||Service|
|Management Console VM||All System Components||TCP||22||ssh|
|Management Console VM||All System Components||TCP||80||http|
|Management Console VM||All System Components||TCP||443||https|
|Management Console VM||Cloud Foundry BOSH Director||TCP||25555||bosh director rest api|
|Management Console VM||DNS validation for Ops Manager||TCP||53||netcat|
|Management Console VM||Kubernetes Cluster API Server - LB VIP||TCP||8443||httpsca|
|Management Console VM||Pivotal Cloud Foundry Operations Manager||TCP||22||ssh|
|Management Console VM||Pivotal Cloud Foundry Operations Manager||TCP||443||https|
|Management Console VM||TKGI Controller||TCP||9021||tkgi api server|
|Management Console VM||vCenter Server||TCP||443||https|
Please send any feedback you have to firstname.lastname@example.org.