The tables here show Cloud Controller internal network communication paths with other VMware Tanzu Application Service for VMs (TAS for VMs) components.

For more information about Cloud Controller, see Cloud Controller.

The following table lists network communication paths that are inbound to the Cloud Controller:

Source VM | Destination VM | Port | Transport Layer Protocol | App Layer Protocol | Security and Authentication |
---|---|---|---|---|---|
cloud_controller | cloud_controller (Routing API) | 443 | TCP | HTTPS | OAuth 2.0 |
clock_global (Syslog Binding Cache) | cloud_controller | 9023 | TCP | HTTPS | Mutual TLS |
diego_brain | cloud_controller | 9023 | TCP | HTTPS | Mutual TLS |
diego_brain (SSH Proxy) | cloud_controller | 9024 | TCP | HTTPS | OAuth 2.0 |
diego_cell (Rep) | cloud_controller | 9023 | TCP | HTTPS | Mutual TLS |
diego_database (BBS) | cloud_controller | 9023 | TCP | HTTPS | Mutual TLS |
log_cache (Log Cache CF Auth Proxy) | cloud_controller | 9023 | TCP | HTTPS | Mutual TLS |
loggregator_trafficcontroller (Traffic Controller) | cloud_controller | 9023 | TCP | HTTPS | Mutual TLS |
loggregator_trafficcontroller (Reverse Log Proxy) | cloud_controller | 9023 | TCP | HTTPS | Mutual TLS |
router | cloud_controller | 9024 | TCP | HTTPS | OAuth 2.0 |

The following table lists network communication paths that are outbound from the Cloud Controller:

Source VM | Destination VM | Port | Transport Layer Protocol | App Layer Protocol | Security and Authentication |
---|---|---|---|---|---|
cloud_controller | mysql_proxy* | 3306 | TCP | MySQL | MySQL authentication** |
cloud_controller | nfs_server or other blobstore† | 4443 | TCP | HTTPS | TLS and basic authentication |
cloud_controller | uaa | 8443 | TCP | HTTPS | OAuth 2.0 or none |
cloud_controller | diego_database (BBS) | 8889 | TCP | HTTPS | Mutual TLS |
cloud_controller (Route Registrar) | nats | 4222 | TCP | NATS | Basic authentication |
cloud_controller (Routing API) | diego_database (Locket) | 8891 | TCP | HTTPS | Mutual TLS |
cloud_controller_worker | mysql_proxy* | 3306 | TCP | MySQL | MySQL authentication** |
cloud_controller_worker | nfs_server or other blobstore† | 4443 | TCP | HTTPS | TLS and basic authentication |
clock_global | mysql_proxy* | 3306 | TCP | MySQL | MySQL authentication** |

\*Applies only to deployments where internal MySQL is selected as the database.

\*\*MySQL authentication uses the MySQL native password method.

†The destination depends on your file storage or blobstore configuration.

The authentication method depends on the type of request.

By default, TAS for VMs components and app containers look up services using the BOSH DNS service discovery mechanism. To support this lookup, BOSH Director co-locates a BOSH DNS server on every deployed VM. For more information, see BOSH DNS network communications.