_ports-protocols.html.md.erb
<br>
<br>
## <a id="enterprise"></a> TKGI Ports and Protocols
<% if current_page.data.netenv == "nsxt" %>
The following tables list ports and protocols required for network communications between Tanzu Kubernetes Grid Integrated Edition v1.5.0
and later, vSphere 6.7 and later, and NSX-T or NSX 2.4.0.1 and later.
<% end %>
<% if current_page.data.netenv == "vsphere" %>
The following tables list ports and protocols required for network communications between Tanzu Kubernetes Grid Integrated Edition v1.5.0
and later, and vSphere 6.7 and later.
<% end %>
<% if current_page.data.netenv == "vsphere" || current_page.data.netenv == "nsxt" %>
<% else %>
The following tables list ports and protocols required for network communications between Tanzu Kubernetes Grid Integrated Edition v1.5.0
and later, and other components.
<% end %>
<br>
### <a id="users"></a> TKGI Users Ports and Protocols
The following table lists ports and protocols used for network communication between TKGI user interface components.
| Source Component | Destination Component | Destination Protocol | Destination Port | Service |
| --- | --- | --- | --- | --- |
| Admin/Operator Console | All System Components | TCP | 22 | SSH |
| Admin/Operator Console | All System Components | TCP | 80 | HTTP |
| Admin/Operator Console | All System Components | TCP | 443 | HTTPS |
| Admin/Operator Console | BOSH Director | TCP | 25555 | BOSH Director REST API |
<% if current_page.data.netenv == "nsxt" %>
| Admin/Operator Console | NSX API VIP | TCP | 443 | HTTPS |
<% else %>
<% end %>
| Admin/Operator Console | Ops Manager | TCP | 22 | SSH |
| Admin/Operator Console | Ops Manager | TCP | 443 | HTTPS |
| Admin/Operator Console | TKGI Controller | TCP | 9021 | TKGI API Server |
<% if current_page.data.netenv == "nsxt" || current_page.data.netenv == "vsphere" %>
| Admin/Operator Console | vCenter Server | TCP | 443 | HTTPS |
| Admin/Operator Console | vCenter Server | TCP | 5480 | vami |
| Admin/Operator Console | vSphere ESXi Hosts Mgmt. vmknic | TCP | 902 | ideafarm-door |
<% else %>
<% end %>
| Admin/Operator and Developer Consoles | Harbor Private Image Registry | TCP | 80 | HTTP |
| Admin/Operator and Developer Consoles | Harbor Private Image Registry | TCP | 443 | HTTPS |
| Admin/Operator and Developer Consoles | Harbor Private Image Registry | TCP | 4443 | notary |
| Admin/Operator and Developer Consoles | Kubernetes App Load-Balancer Svc | TCP/UDP | Varies | varies with apps |
| Admin/Operator and Developer Consoles | Kubernetes Cluster API Server - LB VIP | TCP | 8443 | HTTPSCA |
| Admin/Operator and Developer Consoles | Kubernetes Cluster Ingress Controller | TCP | 80 | HTTP |
| Admin/Operator and Developer Consoles | Kubernetes Cluster Ingress Controller | TCP | 443 | HTTPS |
| Admin/Operator and Developer Consoles | Kubernetes Cluster Worker Node | TCP/UDP | 30000-32767 | Kubernetes NodePort |
| Admin/Operator and Developer Consoles | TKGI Controller | TCP | 8443 | HTTPSCA |
| All User Consoles (Operator, Developer, Consumer) | Kubernetes App Load-Balancer Svc | TCP/UDP | Varies | varies with apps |
| All User Consoles (Operator, Developer, Consumer) | Kubernetes Cluster Ingress Controller | TCP | 80 | HTTP |
| All User Consoles (Operator, Developer, Consumer) | Kubernetes Cluster Ingress Controller | TCP | 443 | HTTPS |
| All User Consoles (Operator, Developer, Consumer) | Kubernetes Cluster Worker Node | TCP/UDP | 30000-32767 | Kubernetes NodePort |
<% if current_page.data.netenv == "nsxt" %>
<p class="note"><strong>Note</strong>: The <code>type:NodePort</code> Service type is not supported for TKGI deployments on vSphere with NSX.
Only <code>type:LoadBalancer</code> and Services associated with Ingress rules are supported on vSphere with NSX.</p>
<% else %>
<% end %>
<br>
### <a id="core"></a> TKGI Core Ports and Protocols
The following table lists ports and protocols used for network communication between core TKGI components.
| Source Component | Destination Component | Destination Protocol | Destination Port | Service |
| --- | --- | --- | --- | --- |
| All System Components | Corporate Domain Name Server | TCP/UDP | 53 | DNS|
| All System Components | Network Time Server | UDP | 123 | NTP|
<% if current_page.data.netenv == "nsxt" || current_page.data.netenv == "vsphere" %>
| All System Components | vRealize LogInsight | TCP/UDP | 514/1514 | syslog/tls syslog|
<% else %>
<% end %>
| All System Control Plane Components | AD/LDAP Directory Server | TCP/UDP | 389/636 | LDAP/LDAPS|
| Ops Manager | Admin/Operator Console | TCP | 22 | SSH|
| Ops Manager | BOSH Director | TCP | 6868 | BOSH Agent HTTP|
| Ops Manager | BOSH Director | TCP | 8443 | HTTPSCA|
| Ops Manager | BOSH Director | TCP | 8844 | BOSH CredHub |
| Ops Manager | BOSH Director | TCP | 25555 | BOSH Director REST API |
| Ops Manager | Harbor Private Image Registry | TCP | 22 | SSH|
| Ops Manager | Kubernetes Cluster Control Plane/etcd Node | TCP | 22 | SSH|
| Ops Manager | Kubernetes Cluster Worker Node | TCP | 22 | SSH|
<% if current_page.data.netenv == "nsxt" %>
| Ops Manager | NSX API VIP | TCP | 443 | HTTPS|
| Ops Manager | NSX Manager/Controller Node | TCP | 22 | SSH|
| Ops Manager | NSX Manager/Controller Node | TCP | 443 | HTTPS|
<% else %>
<% end %>
| Ops Manager | TKGI Controller | TCP | 22 | SSH|
| Ops Manager | TKGI Controller | TCP | 8443 | HTTPSCA|
<% if current_page.data.netenv == "nsxt" || current_page.data.netenv == "vsphere" %>
| Ops Manager | vCenter Server | TCP | 443 | HTTPS|
| Ops Manager | vSphere ESXi Hosts Mgmt. vmknic | TCP | 443 | HTTPS|
<% else %>
<% end %>
<% if current_page.data.netenv == "nsxt" %>
| BOSH Director | NSX API VIP | TCP | 443 | HTTPS|
<% else %>
<% end %>
<% if current_page.data.netenv == "nsxt" || current_page.data.netenv == "vsphere" %>
| BOSH Director | vCenter Server | TCP | 443 | HTTPS|
| BOSH Director | vSphere ESXi Hosts Mgmt. vmknic | TCP | 443 | HTTPS|
<% else %>
<% end %>
| BOSH Compilation Job VM | BOSH Director | TCP | 4222 | BOSH NATS server|
| BOSH Compilation Job VM | BOSH Director | TCP | 25250 | BOSH BlobStore|
| BOSH Compilation Job VM | BOSH Director | TCP | 25923 | health monitor daemon|
| BOSH Compilation Job VM | Harbor Private Image Registry | TCP | 443 | HTTPS|
| BOSH Compilation Job VM | Harbor Private Image Registry | TCP | 8853 | BOSH DNS health|
| TKGI Controller | BOSH Director | TCP | 4222 | BOSH NATS server|
| TKGI Controller | BOSH Director | TCP | 8443 | HTTPSCA|
| TKGI Controller | BOSH Director | TCP | 25250 | BOSH BlobStore|
| TKGI Controller | BOSH Director | TCP | 25555 | BOSH Director REST API|
| TKGI Controller | BOSH Director | TCP | 25923 | health monitor daemon|
| TKGI Controller | Kubernetes Cluster Control Plane/etcd Node | TCP | 8443 | HTTPSCA|
| TKGI Controller | TKGI Database VM | TCP | 3306 | tkgi db proxy |
<% if current_page.data.netenv == "nsxt" %>
| TKGI Controller | NSX API VIP | TCP | 443 | HTTPS|
<% else %>
<% end %>
<% if current_page.data.netenv == "nsxt" || current_page.data.netenv == "vsphere" %>
| TKGI Controller | vCenter Server | TCP | 443 | HTTPS|
<% else %>
<% end %>
| Harbor Private Image Registry | BOSH Director | TCP | 4222 | BOSH NATS server|
| Harbor Private Image Registry | BOSH Director | TCP | 25250 | BOSH BlobStore|
| Harbor Private Image Registry | BOSH Director | TCP | 25923 | health monitor daemon|
| Harbor Private Image Registry | IP NAS Storage Array | TCP | 111 | NFS RPC portmapper|
| Harbor Private Image Registry | IP NAS Storage Array | TCP | 2049 | NFS |
| Harbor Private Image Registry | Public CVE Source Database | TCP | 443 | HTTPS|
| kube-system pod/telemetry-agent | TKGI Controller | TCP | 24224 | Fluentd out_forward|
<% if current_page.data.netenv == "nsxt" %>
| Kubernetes Cluster Ingress Controller | NSX API VIP | TCP | 443 | HTTPS|
<% else %>
<% end %>
| Kubernetes Cluster Control Plane/etcd Node | BOSH Director | TCP | 4222 | BOSH NATS server|
| Kubernetes Cluster Control Plane/etcd Node | BOSH Director | TCP | 25250 | BOSH BlobStore|
| Kubernetes Cluster Control Plane/etcd Node | BOSH Director | TCP | 25923 | health monitor daemon|
| Kubernetes Cluster Control Plane/etcd Node | Kubernetes Cluster Control Plane/etcd Node | TCP | 2379 | etcd client|
| Kubernetes Cluster Control Plane/etcd Node | Kubernetes Cluster Control Plane/etcd Node | TCP | 2380 | etcd server|
| Kubernetes Cluster Control Plane/etcd Node | Kubernetes Cluster Control Plane/etcd Node | TCP | 8443 | HTTPSCA|
| Kubernetes Cluster Control Plane/etcd Node | Kubernetes Cluster Control Plane/etcd Node | TCP | 8853 | BOSH DNS health|
| Kubernetes Cluster Control Plane/etcd Node | Kubernetes Cluster Worker Node | TCP | 4194 | cAdvisor|
| Kubernetes Cluster Control Plane/etcd Node | Kubernetes Cluster Worker Node | TCP | 10250 | kubelet API|
| Kubernetes Cluster Control Plane/etcd Node | Kubernetes Cluster Worker Node | TCP | 31194 | cAdvisor|
<% if current_page.data.netenv == "nsxt" %>
| Kubernetes Cluster Control Plane/etcd Node | NSX API VIP | TCP | 443 | HTTPS|
<% else %>
<% end %>
| Kubernetes Cluster Control Plane/etcd Node | TKGI Controller | TCP | 8443 | HTTPSCA|
| Kubernetes Cluster Control Plane/etcd Node | TKGI Controller | TCP | 8853 | BOSH DNS health|
<% if current_page.data.netenv == "nsxt" || current_page.data.netenv == "vsphere" %>
| Kubernetes Cluster Control Plane/etcd Node | vCenter Server | TCP | 443 | HTTPS|
<% else %>
<% end %>
| Kubernetes Cluster Worker Node | BOSH Director | TCP | 4222 | BOSH NATS server|
| Kubernetes Cluster Worker Node | BOSH Director | TCP | 25250 | BOSH BlobStore|
| Kubernetes Cluster Worker Node | BOSH Director | TCP | 25923 | health monitor daemon|
| Kubernetes Cluster Worker Node | Harbor Private Image Registry | TCP | 443 | HTTPS|
| Kubernetes Cluster Worker Node | Harbor Private Image Registry | TCP | 8853 | BOSH DNS health|
| Kubernetes Cluster Worker Node | IP NAS Storage Array | TCP | 111 | NFS RPC portmapper|
| Kubernetes Cluster Worker Node | IP NAS Storage Array | TCP | 2049 | NFS|
| Kubernetes Cluster Worker Node | Kubernetes Cluster Control Plane/etcd Node | TCP | 8443 | HTTPSCA|
| Kubernetes Cluster Worker Node | Kubernetes Cluster Control Plane/etcd Node | TCP | 8853 | BOSH DNS health|
| Kubernetes Cluster Worker Node | Kubernetes Cluster Control Plane/etcd Node | TCP | 10250 | kubelet API |
| pks-system pod/cert-generator | TKGI Controller | TCP | 24224 | Fluentd out_forward|
| pks-system pod/fluent-bit | TKGI Controller | TCP | 24224 | Fluentd out_forward|
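Turning these rows into a least-privilege firewall policy means handling every notation the tables use (`TCP/UDP`, `389/636`, `30000-32767`, `Varies`) and then checking two things: that no documented flow is blocked, and that nothing beyond the documented flows is opened. The following Python script is an added example, not part of the TKGI documentation or product. It parses a constructed subset of the rows above, kept in the table's own notation, and audits a constructed worker-node egress allowlist against them. The allowlist format, the `expand`, `required_for` and `audit_egress` functions, and the assumption that rows sourced from `All System Components` apply to every VM are assumptions made for this example, not statements from the page.

```python
"""Audit an egress allowlist against the TKGI ports/protocols tables.

Added example (not TKGI documentation or product code). REQUIRED_FLOWS is a
constructed subset of the rows on this page, kept in the table's own notation.
"""
from dataclasses import dataclass
from typing import Iterable

# Constructed subset of the page's rows: (source, destination, protocol cell, port cell).
REQUIRED_FLOWS = [
    ("All System Components", "Corporate Domain Name Server", "TCP/UDP", "53"),
    ("All System Components", "Network Time Server", "UDP", "123"),
    ("All System Control Plane Components", "AD/LDAP Directory Server", "TCP/UDP", "389/636"),
    ("Kubernetes Cluster Worker Node", "BOSH Director", "TCP", "4222"),
    ("Kubernetes Cluster Worker Node", "BOSH Director", "TCP", "25250"),
    ("Kubernetes Cluster Worker Node", "BOSH Director", "TCP", "25923"),
    ("Kubernetes Cluster Worker Node", "Harbor Private Image Registry", "TCP", "443"),
    ("Kubernetes Cluster Worker Node", "Harbor Private Image Registry", "TCP", "8853"),
    ("Kubernetes Cluster Worker Node", "Kubernetes Cluster Control Plane/etcd Node", "TCP", "8443"),
    ("Kubernetes Cluster Worker Node", "Kubernetes Cluster Control Plane/etcd Node", "TCP", "8853"),
    ("Kubernetes Cluster Worker Node", "Kubernetes Cluster Control Plane/etcd Node", "TCP", "10250"),
    ("Admin/Operator and Developer Consoles", "Kubernetes Cluster Worker Node", "TCP/UDP", "30000-32767"),
    ("Admin/Operator and Developer Consoles", "Kubernetes App Load-Balancer Svc", "TCP/UDP", "Varies"),
]

# Assumption (not stated on the page): rows whose source is this group apply to every VM.
WILDCARD_SOURCES = {"All System Components"}


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    proto: str  # "TCP" or "UDP"
    lo: int     # first port of the range, inclusive
    hi: int     # last port of the range, inclusive


def expand(src: str, dst: str, proto_cell: str, port_cell: str) -> list[Flow]:
    """Turn one table row into concrete Flow objects.

    "TCP/UDP" yields one Flow per protocol, "389/636" one per port, and
    "30000-32767" a single range. "Varies" yields nothing: it cannot become
    a rule without application-specific knowledge and must be handled by hand.
    """
    if port_cell.strip().lower() == "varies":
        return []
    flows = []
    for proto in proto_cell.split("/"):
        for part in port_cell.split("/"):
            lo, _, hi = part.strip().partition("-")
            flows.append(Flow(src, dst, proto.strip().upper(), int(lo), int(hi or lo)))
    return flows


def required_for(src: str, rows=REQUIRED_FLOWS) -> list[Flow]:
    """All documented flows a VM of type `src` must be able to initiate."""
    return [f for row in rows for f in expand(*row)
            if f.src == src or f.src in WILDCARD_SOURCES]


def port_set(flows: Iterable[Flow]) -> set[tuple[str, str, int]]:
    """Flatten flows to individual (destination, protocol, port) triples."""
    return {(f.dst, f.proto, p) for f in flows for p in range(f.lo, f.hi + 1)}


def audit_egress(src: str, allowlist, rows=REQUIRED_FLOWS):
    """Compare an allowlist of (dst, proto_cell, port_cell) entries with the table.

    Returns (missing, excess): required triples the allowlist blocks, and
    allowed triples that no documented flow justifies (least-privilege check).
    """
    needed = port_set(required_for(src, rows))
    allowed = port_set(f for dst, proto, ports in allowlist
                       for f in expand(src, dst, proto, ports))
    return sorted(needed - allowed), sorted(allowed - needed)


# Constructed example policy for a worker node: one required port is missing
# from the BOSH Director rule, one from the control plane rule, and SSH to the
# control plane is opened although no row on the page requires it.
WORKER_EGRESS = [
    ("Corporate Domain Name Server", "TCP/UDP", "53"),
    ("Network Time Server", "UDP", "123"),
    ("BOSH Director", "TCP", "4222/25250"),
    ("Harbor Private Image Registry", "TCP", "443/8853"),
    ("Kubernetes Cluster Control Plane/etcd Node", "TCP", "8443/10250"),
    ("Kubernetes Cluster Control Plane/etcd Node", "TCP", "22"),
]

if __name__ == "__main__":
    missing, excess = audit_egress("Kubernetes Cluster Worker Node", WORKER_EGRESS)
    for dst, proto, port in missing:
        print(f"BLOCKED but required: {proto} {port} -> {dst}")
    for dst, proto, port in excess:
        print(f"ALLOWED but undocumented: {proto} {port} -> {dst}")
```

Rows whose port cell reads `Varies` are deliberately dropped rather than widened to a range: an allowlist entry for them has to come from the application's actual Service definitions, and widening it silently would defeat the least-privilege check the excess list is meant to provide. Extending `REQUIRED_FLOWS` to the full table and adding an entry per VM type to `WILDCARD_SOURCES` is all that is needed to audit the other components.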
<% if current_page.data.netenv == "nsxt" || current_page.data.netenv == "vsphere" %>
<% else %>
<br>
<br>
## <a id="networking"></a> Networking Ports and Protocols
The following tables list ports and protocols required for network communication.
<br>
### <a id="antrea"></a> Antrea Networking Ports and Protocols
The following tables list ports and protocols required for network communication in Antrea environments.
| Source Component | Destination Component | Destination Protocol | Destination Port | Service |
| --- | --- | --- | --- | --- |
| Worker Node VMs | Worker Node VMs | UDP | 6081 | Geneve |
| Control Plane Node VMs | Control Plane Node VMs | TCP | 8091 | TCP|
<p class="note"><strong>Note</strong>: Port 6081 must be open on all of the worker node VMs and
port 8091 must be open on all control plane node VMs in the clusters you create in an Antrea networking environment.</p>
For more information, see [Network Requirements](https://github.com/antrea-io/antrea/blob/main/docs/network-requirements.md#network-requirements)
in the Antrea GitHub repository.
<% end %>