This topic describes how to secure the environment for VMware Tanzu Kubernetes Grid Integrated Edition Management Console (TKGI MC) and Ops Manager (Ops Manager).



Overview

Apps frequently require the ability to pass internal communication between system components on different networks and require one or more conduits through the environment’s firewalls.

To configure security for your TKGI MC environment, see Configure Security and Ports for TKGI and Ops Manager below.



Configure Security and Ports for TKGI and Ops Manager

Firewall rules are typically used to provide apps the ability to pass internal communication between system components on different networks and require one or more conduits through the environment’s firewalls. Firewall rules are also used to enable interfacing with external systems such as with enterprise apps or apps and data on the public Internet.

To configure security and ports for a TKGI MC environment on vSphere:

  1. VMware recommends you deactivate security policies that filter traffic between the networks supporting the system.

  2. Use one of the following methods to secure the environment and grant access between TKGI system components:

    • Enable access to apps through standard Kubernetes load-balancers and ingress controller types. This enables you to designate specific ports and protocols as a firewall conduit.
    • Enable access using the NSX load balancer and ingress. This enables you to configure external addresses and ports that are automatically mapped and resolved to internal/local addresses and ports.
    • Manually Configure Ports for TKGI and Ops Manager.


Configure Ports for TKGI and Ops Manager

In a standard TKGI deployment, it is assumed that Ops Manager and BOSH are already deployed before you deploy TKGI.

This is not the case with TKGI MC deployments, in which you do not know in advance which IP addresses in the deployment network will be assigned to the TKGI API VM, the BOSH VM, and the Ops Manager VM.

VMware recommends you create a firewall rule that allows access by the TKGI MC VM to the entire deployment subnet.

The following table identifies the flows between the system components in a TKGI MC environment:

| Source Component | Destination Component | Destination Protocol | Destination Port | Service |
|---|---|---|---|---|
| Management Console VM | All System Components | TCP | 22 | SSH |
| Management Console VM | All System Components | TCP | 80 | http |
| Management Console VM | All System Components | TCP | 443 | https |
| Management Console VM | Cloud Foundry BOSH Director | TCP | 25555 | bosh director rest api |
| Management Console VM | DNS validation for Ops Manager | TCP | 53 | netcat |
| Management Console VM | Kubernetes Cluster API Server - LB VIP | TCP | 8443 | httpsca |
| Management Console VM | Pivotal Cloud Foundry Operations Manager | TCP | 22 | SSH |
| Management Console VM | Pivotal Cloud Foundry Operations Manager | TCP | 443 | https |
| Management Console VM | TKGI Controller | TCP | 9021 | tkgi api server |
| Management Console VM | vCenter Server | TCP | 443 | https |

The Source Component is the IP address of the TKGI Management Console VM.
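The following script is an added pre-flight check, not VMware's own code: it encodes the flow table above and, run from the Management Console VM, reports which required flows are not reachable so a blocked firewall rule is found before a deployment fails. The destination addresses in the `targets` map are placeholders you replace with the ones assigned in your deployment network.

```python
"""Pre-flight check of the required TKGI MC firewall flows (added example)."""
import socket
from typing import Callable, Dict, List, NamedTuple, Tuple


class Flow(NamedTuple):
    destination: str
    protocol: str
    port: int
    service: str


# Required flows from the Management Console VM, transcribed from the table above.
REQUIRED_FLOWS: List[Flow] = [
    Flow("All System Components", "TCP", 22, "SSH"),
    Flow("All System Components", "TCP", 80, "http"),
    Flow("All System Components", "TCP", 443, "https"),
    Flow("Cloud Foundry BOSH Director", "TCP", 25555, "bosh director rest api"),
    Flow("DNS validation for Ops Manager", "TCP", 53, "netcat"),
    Flow("Kubernetes Cluster API Server - LB VIP", "TCP", 8443, "httpsca"),
    Flow("Pivotal Cloud Foundry Operations Manager", "TCP", 22, "SSH"),
    Flow("Pivotal Cloud Foundry Operations Manager", "TCP", 443, "https"),
    Flow("TKGI Controller", "TCP", 9021, "tkgi api server"),
    Flow("vCenter Server", "TCP", 443, "https"),
]


def tcp_reachable(host: str, port: int, timeout: float = 3.0) -> bool:
    """Open a TCP connection from this VM; refused or timed out means the
    flow is filtered on the path or the service is not up yet."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def check_flows(targets: Dict[str, List[str]],
                probe: Callable[[str, int], bool] = tcp_reachable) -> List[Tuple[Flow, str]]:
    """Return (flow, host) pairs that are not reachable. `targets` maps a
    destination component name from the table to the addresses you assigned it;
    'All System Components' should list every VM the console must reach."""
    blocked: List[Tuple[Flow, str]] = []
    for flow in REQUIRED_FLOWS:
        for host in targets.get(flow.destination, []):
            if not probe(host, flow.port):
                blocked.append((flow, host))
    return blocked


if __name__ == "__main__":
    # Placeholder addresses (constructed): replace with your deployment's values.
    targets = {"TKGI Controller": ["10.0.0.10"], "vCenter Server": ["vcenter.example.invalid"]}
    for flow, host in check_flows(targets):
        print(f"BLOCKED: {host} {flow.protocol}/{flow.port} ({flow.service})")
```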
