Firewall Ports and Protocols Requirements for Tanzu Kubernetes Grid Integrated Edition Management Console

Note: As of v1.8, Enterprise PKS has been renamed to VMware Tanzu Kubernetes Grid Integrated Edition. Some screenshots in this documentation do not yet reflect the change.


Firewalls and security policies are used to filter traffic and limit access in environments with strict inter-network access control policies.

Apps frequently require the ability to pass internal communication between system components on different networks and require one or more conduits through the environment’s firewalls. Firewall rules are also required to enable interfacing with external systems such as with enterprise apps or apps and data on the public Internet.

For Tanzu Kubernetes Grid Integrated Edition on vSphere, it is recommended to disable security policies that filter traffic between the networks supporting the system. To secure the environment and grant access between system components with Tanzu Kubernetes Grid Integrated Edition, use one of the following methods:

  • Enable access to apps through standard Kubernetes load-balancers and ingress controller types. This enables you to designate specific ports and protocols as a firewall conduit.
  • Enable access using the NSX-T load balancer and ingress. This enables you to configure external addresses and ports that are automatically mapped and resolved to internal/local addresses and ports.

If you are unable to implement your security policy using these methods, refer to the table below, which identifies the flows between the system components in a Tanzu Kubernetes Grid Integrated Edition Management Console deployment.

Note: The Source Component is the IP address of the Tanzu Kubernetes Grid Integrated Edition Management Console VM.

In a standard Tanzu Kubernetes Grid Integrated Edition deployment, it is assumed that Ops Manager and BOSH are already deployed before you deploy Tanzu Kubernetes Grid Integrated Edition. This is not the case with Tanzu Kubernetes Grid Integrated Edition deployments from the management console, in which you do not know the IP addresses in the deployment network that will be assigned to TKGI API VM, BOSH VM, and Ops Manager VM. As a consequence, it is recommended to create a firewall rule that allows access by the management console VM to the entire deployment subnet.

| Source Component | Destination Component | Destination Protocol | Destination Port | Service |
|---|---|---|---|---|
| Management Console VM | All System Components | TCP | 22 | ssh |
| Management Console VM | All System Components | TCP | 80 | http |
| Management Console VM | All System Components | TCP | 443 | https |
| Management Console VM | Cloud Foundry BOSH Director | TCP | 25555 | bosh director rest api |
| Management Console VM | DNS validation for Ops Manager | TCP | 53 | netcat |
| Management Console VM | Kubernetes Cluster API Server - LB VIP | TCP | 8443 | httpsca |
| Management Console VM | Pivotal Cloud Foundry Operations Manager | TCP | 22 | ssh |
| Management Console VM | Pivotal Cloud Foundry Operations Manager | TCP | 443 | https |
| Management Console VM | TKGI Controller | TCP | 9021 | tkgi api server |
| Management Console VM | vCenter Server | TCP | 443 | https |
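The following is an added example, not part of this documentation page or of the product, showing one way an operator can pre-flight the flows in the table from the management console VM before starting a deployment: the required flows are transcribed as data, each is probed with a plain TCP connect, and any that fail are reported so the corresponding firewall rule can be fixed. The mapping from destination component to host address (`targets`) is supplied by the operator; the addresses in the sample are constructed placeholders. The `probe` parameter exists so the logic can be exercised offline with a stand-in connect function.

```python
import socket
from dataclasses import dataclass
from typing import Callable, Dict, List, Tuple

@dataclass(frozen=True)
class Flow:
    destination: str  # destination component, as named in the table
    port: int         # TCP destination port
    service: str      # service label from the table

# Outbound TCP flows required from the Management Console VM, transcribed from the table above.
REQUIRED_FLOWS: List[Flow] = [
    Flow("All System Components", 22, "ssh"),
    Flow("All System Components", 80, "http"),
    Flow("All System Components", 443, "https"),
    Flow("Cloud Foundry BOSH Director", 25555, "bosh director rest api"),
    Flow("DNS validation for Ops Manager", 53, "netcat"),
    Flow("Kubernetes Cluster API Server - LB VIP", 8443, "httpsca"),
    Flow("Pivotal Cloud Foundry Operations Manager", 22, "ssh"),
    Flow("Pivotal Cloud Foundry Operations Manager", 443, "https"),
    Flow("TKGI Controller", 9021, "tkgi api server"),
    Flow("vCenter Server", 443, "https"),
]

def tcp_port_open(host: str, port: int, timeout: float = 3.0) -> bool:
    """Return True if a TCP connection to host:port completes within the timeout.

    A refused or timed-out connect is treated as 'blocked'; this does not
    distinguish a firewall drop from a service that is simply not listening yet.
    """
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False

def check_flows(
    targets: Dict[str, str],
    probe: Callable[[str, int], bool] = tcp_port_open,
) -> List[Tuple[Flow, str, bool]]:
    """Probe every required flow whose destination component has a known address.

    targets maps a destination component name to the host/IP the operator
    expects it at. Components without an address are skipped, since their IPs
    may not be known before deployment (see the note above the table).
    Returns (flow, host, reachable) tuples.
    """
    results = []
    for flow in REQUIRED_FLOWS:
        host = targets.get(flow.destination)
        if host is None:
            continue
        results.append((flow, host, probe(host, flow.port)))
    return results

def blocked_flows(results: List[Tuple[Flow, str, bool]]) -> List[Tuple[Flow, str]]:
    """Filter the results down to flows that could not be reached."""
    return [(flow, host) for flow, host, ok in results if not ok]

if __name__ == "__main__":
    # Constructed placeholder addresses; replace with the real deployment values.
    targets = {
        "Cloud Foundry BOSH Director": "10.0.0.10",
        "Pivotal Cloud Foundry Operations Manager": "10.0.0.11",
        "TKGI Controller": "10.0.0.12",
        "vCenter Server": "vcenter.example.internal",
    }
    for flow, host in blocked_flows(check_flows(targets)):
        print(f"BLOCKED: {host}:{flow.port}/tcp ({flow.service} -> {flow.destination})")
```

Because the table recommends opening the whole deployment subnet to the management console VM, the "All System Components" rows have no single address and are left out of `targets` in the sample; they can be added once the subnet's hosts are known.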

Please send any feedback you have to pks-feedback@pivotal.io.