This section explains the protocols and ports used for management communication.
Protocols and ports are used by the Controller and Service Engines for:
- Management communication (used by the Controller and Service Engines)
- Network services (used by the Controller)
- Cloud orchestrators
- Container Cluster nodes
For the latest information about ports and protocols used by the Avi Load Balancer, see VMware Ports and Protocols.
Ensure that the firewall allows traffic on the ports used by the Controller and SEs for management communication.
You do not have to open a firewall port from the Controller to the SE: the SE initiates communication to the Controller.
Even if a cluster IP is configured, the Controller sends this traffic from its own node IP and not from the cluster IP, so firewall rules that allow Controller traffic must cover each Controller node's management IP rather than only the cluster IP.
The secure channel on port 22 (or 5098 in container environments) is used for communication between components for configuration sync, metrics and log transfer, heartbeats and other management processes.
OpenStack mode does not support port 5098 on the container side.
When accessed through SSH, Service Engines and Controllers display a login banner that shows basic connectivity status. The connectivity checks are simple ICMP Echo (PING) probes. If PING is not allowed between a Controller or Service Engine and its management default gateway, the banner shows the Gateway status as DOWN. Similarly, if PING is not allowed between a Service Engine and the Controller, the banner shows the Controller status as DOWN. These reachability checks have no operational impact if they fail, so the messages can be ignored if it is not possible to allow PING between these components.
For more information on the system port 8443 and port 22 usage, see Avi Load Balancer Service Engine to Controller Communication.
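The following script is an added example, not code from the Avi Load Balancer product or its documentation. It reproduces the kind of reachability check the SSH login banner reports (ICMP to the management gateway and to the Controller) and adds TCP connect tests for the ports an SE must reach on the Controller: the secure channel (22, or 5098 in container environments) and the system port 8443. It assumes bash (for the `/dev/tcp` pseudo-device) with `timeout` and `ping` installed; the IP addresses in the usage line are placeholders.

```shell
#!/usr/bin/env bash
# Added example, not code from the Avi Load Balancer product or its docs.
# Reproduces the reachability checks behind the SE/Controller login banner
# (ICMP to gateway and Controller) and adds TCP connect tests to the
# management ports an SE must reach on the Controller.
# Assumptions: bash (for /dev/tcp), `timeout` and `ping` installed; the
# IP addresses in the usage comment at the bottom are placeholders.

# Management ports an SE needs on the Controller: the secure channel
# (22, or 5098 in container environments) and the system port 8443.
mgmt_ports() {  # $1 = "container" or "default"
  if [ "$1" = "container" ]; then
    echo "5098 8443"
  else
    echo "22 8443"
  fi
}

# TCP connect test using bash's /dev/tcp pseudo-device, bounded by `timeout`
# so a firewall that silently drops SYNs cannot hang the check.
tcp_check() {  # $1 = host, $2 = port, $3 = timeout in seconds (default 3)
  timeout "${3:-3}" bash -c "exec 3<>/dev/tcp/$1/$2" 2>/dev/null
}

# ICMP echo test, the same probe the login banner uses.
icmp_check() {  # $1 = host
  ping -c 1 -W 2 "$1" >/dev/null 2>&1
}

# probe LABEL FUNC ARGS...: run FUNC and print LABEL with the banner's
# UP/DOWN vocabulary. The check runs inside `if`, so it is safe under set -e.
probe() {
  label=$1; fn=$2; shift 2
  if "$fn" "$@"; then echo "$label: UP"; else echo "$label: DOWN"; fi
}

# report CONTROLLER GATEWAY MODE: an ICMP DOWN only changes what the banner
# shows; a TCP DOWN means the management channel itself is blocked.
report() {
  probe "Gateway (ICMP $2)" icmp_check "$2"
  probe "Controller (ICMP $1)" icmp_check "$1"
  for port in $(mgmt_ports "$3"); do
    probe "Controller (TCP $port)" tcp_check "$1" "$port"
  done
}

# Usage: ./mgmt_check.sh <controller-ip> <mgmt-gateway-ip> [container|default]
# e.g.   ./mgmt_check.sh 203.0.113.10 203.0.113.1 default   (placeholder IPs)
if [ "$#" -ge 2 ]; then
  report "$1" "$2" "${3:-default}"
fi
```

Run it from the SE's management network; a Gateway or Controller ICMP line reading DOWN matches what the banner shows when PING is filtered and can be ignored, while a TCP DOWN on 22/5098 or 8443 means the SE cannot register with or report to the Controller.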
Ports Used for Management Communication
The Avi Load Balancer Controller and SEs use the following ports for management. The firewall must also allow traffic for these ports.

| Traffic Source | Traffic Destination | Ports to Allow |
|---|---|---|
| Avi Load Balancer Controller | Avi Load Balancer Controller | |
| Avi Load Balancer Controller | External Entities | Refer to the sections below the table. |
| Avi Load Balancer Controller | Avi Load Balancer Service Engine | Not required (the SE initiates communication to the Controller). |
| Avi Load Balancer Service Engine | Avi Load Balancer Service Engine | |
| Avi Load Balancer Service Engine | Avi Load Balancer Controller | |
| External Network Services | Avi Load Balancer Controller | |
Protocols and Ports Used by Cloud Orchestrators

| Cloud Orchestrator | Protocols/Ports Used |
|---|---|
| GCP | Port 443 is needed for the GCP cloud to connect to Avi Load Balancer. |
| OpenStack | Some or all of the following ports might be required: |
| VMware vCenter | Controller-to-ESXi hosts: port 443 |
| OpenShift Master | Port 8443 |
| Kubernetes Master | Port 8080 for unauthenticated masters |
| Mesos or DC/OS Masters | |
| AWS | Port 443 for the AWS cloud to connect to Avi Load Balancer |
| Azure | Port 443 for the Azure cloud to connect to Avi Load Balancer |
Ports Used by Container Cluster Nodes

| Container Cluster Node | Port Used |
|---|---|
| OpenShift | Port 22 |
| Kubernetes Minions | Port 22 |
| Mesos Nodes | Port 22 |
Service Engine Firewalls
The following protocols and ports are required for SE-to-SE management traffic:

| Protocol | Ports |
|---|---|
| 75 (IP protocol number) | - |
| 97 (IP protocol number) | - |
| UDP | 1550 |

To allow ingress traffic for SE-to-SE management traffic, see Configuring Service Engine Ingress Rules.
To allow egress traffic for SE-to-SE management traffic, see Configuring Controller Egress Rules.
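The following checker is an added example, not code from the Avi Load Balancer product or its documentation. It audits a Service Engine's host firewall, given rules in `iptables -S` syntax, for the three SE-to-SE management flows in the table above (IP protocols 75 and 97, UDP 1550) and flags both missing rules and rules that accept the traffic from any source rather than from the peer SEs. The rule text, the peer subnet 10.10.20.0/24 and the deliberately incomplete sample rule set are constructed for the example; on a real SE the input would come from `iptables -S INPUT`.

```shell
#!/usr/bin/env sh
# Added example, not Avi Load Balancer product or documentation code.
# Audits `iptables -S` style rules on a Service Engine for the SE-to-SE
# management flows: IP protocols 75 and 97 (no port) and UDP 1550.
# The sample rule set and the peer subnet 10.10.20.0/24 are constructed.

# Constructed sample of `iptables -S INPUT` output on an SE where the
# protocol 97 rule was forgotten and the UDP 1550 rule has no source limit.
SAMPLE_RULES='-P INPUT DROP
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -s 10.10.20.0/24 -p 75 -j ACCEPT
-A INPUT -p udp -m udp --dport 1550 -j ACCEPT
-A INPUT -s 10.10.20.0/24 -p tcp -m tcp --dport 22 -j ACCEPT'

# The flows required for SE-to-SE management traffic: "<proto> <port-or-dash>".
required_flows() {
  printf '%s\n' "75 -" "97 -" "udp 1550"
}

# match_rule RULES PROTO PORT: print the ACCEPT rules that admit this flow.
# "( |$)" keeps "-p 75" from matching "-p 750" or "--dport 1550" "15500".
match_rule() {
  if [ "$3" = "-" ]; then
    pat="-p $2( |$).*-j ACCEPT$"
  else
    pat="-p $2 .*--dport $3( |$).*-j ACCEPT$"
  fi
  printf '%s\n' "$1" | grep -E -- "$pat"
}

# check_se_rules RULES: one status line per required flow. A rule without
# "-s" admits the flow from anywhere, wider than the peer-SE set needs.
check_se_rules() {
  rules=$1
  required_flows | while read -r proto port; do
    m=$(match_rule "$rules" "$proto" "$port") || {
      echo "$proto $port: MISSING"; continue; }
    if printf '%s\n' "$m" | grep -q -- ' -s '; then
      echo "$proto $port: ok"
    else
      echo "$proto $port: ok, but accepted from any source"
    fi
  done
}

# se_rules_ok RULES: succeed only when every required flow has a rule.
se_rules_ok() {
  ! check_se_rules "$1" | grep -q MISSING
}

# Example run against the constructed rules:
#   check_se_rules "$SAMPLE_RULES"
# or on a live SE (root required):
#   check_se_rules "$(iptables -S INPUT)"
```

The pattern match is deliberately conservative: it only credits explicit `-j ACCEPT` rules for the exact protocol and port, so a broad `-j ACCEPT` on `-p all` or an allow-by-interface rule is reported as missing and has to be reviewed by hand.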