The tables on this page list the network communication paths between Diego and other VMware Tanzu Application Service for VMs (TAS for VMs) components, grouped as inbound to Diego, internal to Diego, and outbound from Diego.
For more information about Diego components and architecture, see How Diego pushes an app in Diego Components and Architecture.
The following table lists network communication paths that are inbound to Diego:
Source VM | Destination VM | Port | Transport Layer Protocol | App Layer Protocol | Security and Authentication |
---|---|---|---|---|---|
cloud_controller | diego_database (BBS) | 8889 | TCP | HTTPS | Mutual TLS |
cloud_controller (Routing API) | diego_database (Locket) | 8891 | TCP | HTTPS | Mutual TLS |
The following table lists network communication paths that are internal for Diego:
Source VM | Destination VM | Port | Transport Layer Protocol | App Layer Protocol | Security and Authentication |
---|---|---|---|---|---|
diego_brain (Auctioneer) | diego_cell (Rep) | 1801 | TCP | HTTPS | Mutual TLS |
diego_brain (Auctioneer) | diego_database (BBS) | 8889 | TCP | HTTPS | Mutual TLS |
diego_brain (Auctioneer) | diego_database (Locket) | 8891 | TCP | HTTPS | Mutual TLS |
diego_brain (SSH Proxy) | diego_database (BBS) | 8889 | TCP | HTTPS | Mutual TLS |
diego_brain (SSH Proxy) | diego_cell (App instances) | Varies‡ | TCP | SSH | SSH |
diego_brain (TPS Watcher) | diego_database (Locket) | 8891 | TCP | HTTPS | Mutual TLS |
diego_cell (local Route Emitter) | diego_database (BBS) | 8889 | TCP | HTTPS | Mutual TLS |
diego_cell (Rep) | diego_brain (CC Uploader) | 9091 | TCP | HTTPS | Mutual TLS |
diego_cell (Rep) | diego_brain (File Server)⁂ | 8447 | TCP | HTTPS | TLS |
diego_cell (Rep) | diego_database (BBS) | 8889 | TCP | HTTPS | Mutual TLS |
diego_cell (Rep) | diego_database (Locket) | 8891 | TCP | HTTPS | Mutual TLS |
diego_database (BBS) | diego_brain (Auctioneer) | 9016 | TCP | HTTPS | Mutual TLS |
diego_database (BBS) | diego_cell (Rep) | 1801 | TCP | HTTPS | Mutual TLS |
diego_database (BBS) | diego_database (Locket) | 8891 | TCP | HTTPS | Mutual TLS |
‡These are the host-side ports that map to port 2222 in app instance containers and are typically within the range 61001 to 65534.
⁂The Diego File Server is responsible for distributing non-sensitive, static platform assets to internal platform components.
The following table lists network communication paths that are outbound from Diego:
Source VM | Destination VM | Port | Transport Layer Protocol | App Layer Protocol | Security and Authentication |
---|---|---|---|---|---|
diego_brain | cloud_controller | 9023 | TCP | HTTPS | Mutual TLS |
diego_brain (SSH Proxy) | cloud_controller | 9024 | TCP | HTTPS | OAuth 2.0 |
diego_brain (SSH Proxy) | uaa | 443 | TCP | HTTPS | TLS and OAuth 2.0 |
diego_cell (local Route Emitter) | nats | 4222, 4223, 4224, 4225 | TCP | NATS | Basic authentication |
diego_cell (Rep) | cloud_controller | 9023 | TCP | HTTPS | Mutual TLS |
diego_cell (Rep) | nfs_server or other blobstore* | Varies | TCP | HTTP | Signed URLs/TLS |
diego_database (BBS) | cloud_controller | 9023 | TCP | HTTPS | Mutual TLS |
diego_database (BBS) | mysql_proxy† | 3306 | TCP | MySQL | MySQL authentication** |
diego_database (Locket) | mysql_proxy† | 3306 | TCP | MySQL | MySQL authentication** |
*The destination depends on your TAS for VMs blobstore configuration. If you use the internal blobstore, the Diego Cell communicates with the blobstore over TLS on port 4443.
**MySQL authentication uses the MySQL native password method.
†Applies only to deployments where internal MySQL is selected as the database.
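The three tables above are, in effect, a network allowlist. As an added example (not code from the TAS for VMs documentation or product), the following Python script loads the rows exactly as printed, resolves the "Varies" ports from the footnotes (assuming the internal blobstore on 4443; change that for an external blobstore), and checks a set of constructed sample flows against the documented paths. It also lists the links whose table entry shows no TLS, which are the ones where network segmentation between VMs carries the most weight.

```python
"""Check observed Diego VM-to-VM flows against the communication-path tables.

Added example, not TAS for VMs code. PATH_TABLE copies the rows from this
page; OBSERVED_FLOWS is constructed sample data.
"""
import re
from dataclasses import dataclass

PATH_TABLE = """\
cloud_controller | diego_database (BBS) | 8889 | TCP | HTTPS | Mutual TLS
cloud_controller (Routing API) | diego_database (Locket) | 8891 | TCP | HTTPS | Mutual TLS
diego_brain (Auctioneer) | diego_cell (Rep) | 1801 | TCP | HTTPS | Mutual TLS
diego_brain (Auctioneer) | diego_database (BBS) | 8889 | TCP | HTTPS | Mutual TLS
diego_brain (Auctioneer) | diego_database (Locket) | 8891 | TCP | HTTPS | Mutual TLS
diego_brain (SSH Proxy) | diego_database (BBS) | 8889 | TCP | HTTPS | Mutual TLS
diego_brain (SSH Proxy) | diego_cell (App instances) | Varies‡ | TCP | SSH | SSH
diego_brain (TPS Watcher) | diego_database (Locket) | 8891 | TCP | HTTPS | Mutual TLS
diego_cell (local Route Emitter) | diego_database (BBS) | 8889 | TCP | HTTPS | Mutual TLS
diego_cell (Rep) | diego_brain (CC Uploader) | 9091 | TCP | HTTPS | Mutual TLS
diego_cell (Rep) | diego_brain (File Server)⁂ | 8447 | TCP | HTTPS | TLS
diego_cell (Rep) | diego_database (BBS) | 8889 | TCP | HTTPS | Mutual TLS
diego_cell (Rep) | diego_database (Locket) | 8891 | TCP | HTTPS | Mutual TLS
diego_database (BBS) | diego_brain (Auctioneer) | 9016 | TCP | HTTPS | Mutual TLS
diego_database (BBS) | diego_cell (Rep) | 1801 | TCP | HTTPS | Mutual TLS
diego_database (BBS) | diego_database (Locket) | 8891 | TCP | HTTPS | Mutual TLS
diego_brain | cloud_controller | 9023 | TCP | HTTPS | Mutual TLS
diego_brain (SSH Proxy) | cloud_controller | 9024 | TCP | HTTPS | OAuth 2.0
diego_brain (SSH Proxy) | uaa | 443 | TCP | HTTPS | TLS and OAuth 2.0
diego_cell (local Route Emitter) | nats | 4222, 4223, 4224, 4225 | TCP | NATS | Basic authentication
diego_cell (Rep) | cloud_controller | 9023 | TCP | HTTPS | Mutual TLS
diego_cell (Rep) | nfs_server or other blobstore* | Varies | TCP | HTTP | Signed URLs/TLS
diego_database (BBS) | cloud_controller | 9023 | TCP | HTTPS | Mutual TLS
diego_database (BBS) | mysql_proxy† | 3306 | TCP | MySQL | MySQL authentication**
diego_database (Locket) | mysql_proxy† | 3306 | TCP | MySQL | MySQL authentication**
"""

# "Varies" ports resolved from the page's footnotes. The blobstore entry
# assumes the internal blobstore on 4443 (assumption; adjust for external).
VARIES = {"Varies‡": (61001, 65534), "Varies": (4443, 4443)}
FOOTNOTE_MARKS = re.compile(r"[‡⁂*†]")


@dataclass(frozen=True)
class Path:
    src: str
    dst: str
    ports: tuple  # inclusive (low, high) ranges
    proto: str    # application-layer protocol column
    auth: str     # security and authentication column


def vm_name(cell):
    """'diego_brain (SSH Proxy)' -> 'diego_brain'; 'nfs_server or other blobstore*' -> 'nfs_server'."""
    return FOOTNOTE_MARKS.sub("", cell).split(" (")[0].split(" or ")[0].strip()


def port_ranges(cell):
    if cell in VARIES:
        return (VARIES[cell],)
    return tuple((int(p), int(p)) for p in re.split(r",\s*", cell))


def load_paths(table=PATH_TABLE):
    paths = []
    for line in table.strip().splitlines():
        src, dst, port, _transport, proto, auth = (c.strip() for c in line.split("|"))
        auth = FOOTNOTE_MARKS.sub("", auth).strip()
        paths.append(Path(vm_name(src), vm_name(dst), port_ranges(port), proto, auth))
    return paths


def allowed(paths, src, dst, port):
    """True if some documented path covers src -> dst on this destination port."""
    return any(p.src == src and p.dst == dst and any(lo <= port <= hi for lo, hi in p.ports)
               for p in paths)


def unexpected_flows(paths, flows):
    """Flows (src_vm, dst_vm, dst_port) that match no documented path."""
    return [f for f in flows if not allowed(paths, *f)]


def paths_without_tls(paths):
    """Links the tables do not protect with TLS or SSH: they rely on credentials
    plus network segmentation, so restrict them to exactly these peers."""
    return sorted({(p.src, p.dst, p.auth) for p in paths
                   if p.proto not in ("HTTPS", "SSH") and "TLS" not in p.auth})


# Constructed sample flows, e.g. from firewall or flow logs: (src_vm, dst_vm, dst_port).
OBSERVED_FLOWS = [
    ("diego_cell", "diego_database", 8889),  # Rep -> BBS, documented
    ("diego_brain", "diego_cell", 61234),    # SSH Proxy -> app container, inside the ‡ range
    ("diego_cell", "nats", 4223),            # Route Emitter -> NATS, documented
    ("diego_cell", "mysql_proxy", 3306),     # cells never talk to the database directly
    ("diego_cell", "diego_database", 3306),  # wrong port for BBS/Locket
]

if __name__ == "__main__":
    paths = load_paths()
    for flow in unexpected_flows(paths, OBSERVED_FLOWS):
        print("UNEXPECTED", flow)
    for link in paths_without_tls(paths):
        print("NO TLS", link)
```

Replace OBSERVED_FLOWS with tuples taken from your own flow logs or firewall hit counters; anything reported as UNEXPECTED is either an undocumented dependency or a misconfigured (or compromised) VM, and the NO TLS list is the set of links that should not be reachable from any VM other than the documented source.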
By default, TAS for VMs components and app containers look up services using the BOSH DNS service discovery mechanism. To support this lookup, BOSH Director co-locates a BOSH DNS server on every deployed VM. For more information, see BOSH DNS network communications.