This topic describes the firewall ports and protocols requirements for using VMware Tanzu Kubernetes Grid Integrated Edition (TKGI) on vSphere with NSX integration.
If you are not using TKGI on vSphere with NSX, see one of the following topics instead:
Apps frequently require the ability to pass internal communication between system components on different networks.
In environments with strict inter-network access control policies, firewalls and Kubernetes Pod Security Admission are used to filter traffic and limit access, and your apps require one or more conduits through a secured environment's firewalls.
Rather than using Kubernetes Pod Security Admission to filter traffic between networks and TKGI system components and clusters, VMware recommends that you use one of the following methods:
For more information about vSphere with NSX port and protocol requirements, see VMware Ports and Protocols on the VMware site.
Consult the following tables when configuring port settings to install or upgrade TKGI or configure a Kubernetes cluster:
Note: To control which groups can deploy and scale your organization's Tanzu Kubernetes Grid Integrated Edition-deployed Kubernetes clusters, configure your firewall settings as described in the Operator –> TKGI API server lines below.
The following tables list ports and protocols required for network communications between Tanzu Kubernetes Grid Integrated Edition v1.5.0 and later, and vSphere 6.7 and NSX-T or NSX 2.4.0.1 and later.
The following table lists ports and protocols used for network communication between TKGI user interface components.
Source Component | Destination Component | Destination Protocol | Destination Port | Service |
---|---|---|---|---|
Admin/Operator Console | All System Components | TCP | 22 | SSH |
Admin/Operator Console | All System Components | TCP | 80 | HTTP |
Admin/Operator Console | All System Components | TCP | 443 | HTTPS |
Admin/Operator Console | BOSH Director | TCP | 25555 | BOSH Director REST API |
Admin/Operator Console | NSX API VIP | TCP | 443 | HTTPS |
Admin/Operator Console | Ops Manager | TCP | 22 | SSH |
Admin/Operator Console | Ops Manager | TCP | 443 | HTTPS |
Admin/Operator Console | TKGI Controller | TCP | 9021 | TKGI API Server |
Admin/Operator Console | vCenter Server | TCP | 443 | HTTPS |
Admin/Operator Console | vCenter Server | TCP | 5480 | vami |
Admin/Operator Console | vSphere ESXI Hosts Mgmt. vmknic | TCP | 902 | ideafarm-door |
Admin/Operator and Developer Consoles | Harbor Private Image Registry | TCP | 80 | HTTP |
Admin/Operator and Developer Consoles | Harbor Private Image Registry | TCP | 443 | HTTPS |
Admin/Operator and Developer Consoles | Kubernetes App Load-Balancer Svc | TCP/UDP | Varies | varies with apps |
Admin/Operator and Developer Consoles | Kubernetes Cluster API Server -LB VIP | TCP | 8443 | HTTPSCA |
Admin/Operator and Developer Consoles | Kubernetes Cluster Ingress Controller | TCP | 80 | HTTP |
Admin/Operator and Developer Consoles | Kubernetes Cluster Ingress Controller | TCP | 443 | HTTPS |
Admin/Operator and Developer Consoles | Kubernetes Cluster Worker Node | TCP/UDP | 30000-32767 | Kubernetes NodePort |
Admin/Operator and Developer Consoles | TKGI Controller | TCP | 8443 | HTTPSCA |
All User Consoles (Operator, Developer, Consumer) | Kubernetes App Load-Balancer Svc | TCP/UDP | Varies | varies with apps |
All User Consoles (Operator, Developer, Consumer) | Kubernetes Cluster Ingress Controller | TCP | 80 | HTTP |
All User Consoles (Operator, Developer, Consumer) | Kubernetes Cluster Ingress Controller | TCP | 443 | HTTPS |
All User Consoles (Operator, Developer, Consumer) | Kubernetes Cluster Worker Node | TCP/UDP | 30000-32767 | Kubernetes NodePort |
Note: The type:NodePort Service type is not supported for TKGI deployments on vSphere with NSX. Only type:LoadBalancer and Services associated with Ingress rules are supported on vSphere with NSX.
The following table lists ports and protocols used for network communication between core TKGI components.
Source Component | Destination Component | Destination Protocol | Destination Port | Service |
---|---|---|---|---|
All System Components | Corporate Domain Name Server | TCP/UDP | 53 | DNS |
All System Components | Network Time Server | UDP | 123 | NTP |
All System Components | vRealize LogInsight | TCP/UDP | 514/1514 | syslog/tls syslog |
All System Control Plane Components | AD/LDAP Directory Server | TCP/UDP | 389/636 | LDAP/LDAPS |
Ops Manager | Admin/Operator Console | TCP | 22 | SSH |
Ops Manager | BOSH Director | TCP | 6868 | BOSH Agent HTTP |
Ops Manager | BOSH Director | TCP | 8443 | HTTPSCA |
Ops Manager | BOSH Director | TCP | 8844 | BOSH CredHub |
Ops Manager | BOSH Director | TCP | 25555 | BOSH Director REST API |
Ops Manager | Harbor Private Image Registry | TCP | 22 | SSH |
Ops Manager | Kubernetes Cluster Control Plane/etcd Node | TCP | 22 | SSH |
Ops Manager | Kubernetes Cluster Worker Node | TCP | 22 | SSH |
Ops Manager | NSX API VIP | TCP | 443 | HTTPS |
Ops Manager | NSX Manager/Controller Node | TCP | 22 | SSH |
Ops Manager | NSX Manager/Controller Node | TCP | 443 | HTTPS |
Ops Manager | TKGI Controller | TCP | 22 | SSH |
Ops Manager | TKGI Controller | TCP | 8443 | HTTPSCA |
Ops Manager | vCenter Server | TCP | 443 | HTTPS |
Ops Manager | vSphere ESXI Hosts Mgmt. vmknic | TCP | 443 | HTTPS |
BOSH Director | NSX API VIP | TCP | 443 | HTTPS |
BOSH Director | vCenter Server | TCP | 443 | HTTPS |
BOSH Director | vSphere ESXI Hosts Mgmt. vmknic | TCP | 443 | HTTPS |
BOSH Compilation Job VM | BOSH Director | TCP | 4222 | BOSH nats server |
BOSH Compilation Job VM | BOSH Director | TCP | 25250 | BOSH BlobStore |
BOSH Compilation Job VM | BOSH Director | TCP | 25923 | health monitor daemon |
BOSH Compilation Job VM | Harbor Private Image Registry | TCP | 443 | HTTPS |
BOSH Compilation Job VM | Harbor Private Image Registry | TCP | 8853 | BOSH DNS health |
TKGI Controller | BOSH Director | TCP | 4222 | BOSH nats server |
TKGI Controller | BOSH Director | TCP | 8443 | HTTPSCA |
TKGI Controller | BOSH Director | TCP | 25250 | BOSH BlobStore |
TKGI Controller | BOSH Director | TCP | 25555 | BOSH Director REST API |
TKGI Controller | BOSH Director | TCP | 25923 | health monitor daemon |
TKGI Controller | Kubernetes Cluster Control Plane/etcd Node | TCP | 8443 | HTTPSCA |
TKGI Controller | TKGI Database VM | TCP | 3306 | tkgi db proxy |
TKGI Controller | NSX API VIP | TCP | 443 | HTTPS |
TKGI Controller | vCenter Server | TCP | 443 | HTTPS |
Harbor Private Image Registry | BOSH Director | TCP | 4222 | BOSH nats server |
Harbor Private Image Registry | BOSH Director | TCP | 25250 | BOSH BlobStore |
Harbor Private Image Registry | BOSH Director | TCP | 25923 | health monitor daemon |
Harbor Private Image Registry | IP NAS Storage Array | TCP | 111 | NFS RPC portmapper |
Harbor Private Image Registry | IP NAS Storage Array | TCP | 2049 | NFS |
Harbor Private Image Registry | Public CVE Source Database | TCP | 443 | HTTPS |
kube-system pod/telemetry-agent | TKGI Controller | TCP | 24224 | Fluentd out_forward |
Kubernetes Cluster Ingress Controller | NSX API VIP | TCP | 443 | HTTPS |
Kubernetes Cluster Control Plane/etcd Node | BOSH Director | TCP | 4222 | BOSH NATS Server |
Kubernetes Cluster Control Plane/etcd Node | BOSH Director | TCP | 25250 | BOSH BlobStore |
Kubernetes Cluster Control Plane/etcd Node | BOSH Director | TCP | 25923 | health monitor daemon |
Kubernetes Cluster Control Plane/etcd Node | Kubernetes Cluster Control Plane/etcd Node | TCP | 2379 | etcd client |
Kubernetes Cluster Control Plane/etcd Node | Kubernetes Cluster Control Plane/etcd Node | TCP | 2380 | etcd server |
Kubernetes Cluster Control Plane/etcd Node | Kubernetes Cluster Control Plane/etcd Node | TCP | 8443 | HTTPSCA |
Kubernetes Cluster Control Plane/etcd Node | Kubernetes Cluster Control Plane/etcd Node | TCP | 8853 | BOSH DNS health |
Kubernetes Cluster Control Plane/etcd Node | Kubernetes Cluster Worker Node | TCP | 4194 | cAdvisor |
Kubernetes Cluster Control Plane/etcd Node | Kubernetes Cluster Worker Node | TCP | 10250 | kubelet API |
Kubernetes Cluster Control Plane/etcd Node | Kubernetes Cluster Worker Node | TCP | 31194 | cAdvisor |
Kubernetes Cluster Control Plane/etcd Node | NSX API VIP | TCP | 443 | HTTPS |
Kubernetes Cluster Control Plane/etcd Node | TKGI Controller | TCP | 8443 | HTTPSCA |
Kubernetes Cluster Control Plane/etcd Node | TKGI Controller | TCP | 8853 | BOSH DNS health |
Kubernetes Cluster Control Plane/etcd Node | vCenter Server | TCP | 443 | HTTPS |
Kubernetes Cluster Worker Node | BOSH Director | TCP | 4222 | BOSH NATS server |
Kubernetes Cluster Worker Node | BOSH Director | TCP | 25250 | BOSH BlobStore |
Kubernetes Cluster Worker Node | BOSH Director | TCP | 25923 | health monitor daemon |
Kubernetes Cluster Worker Node | Harbor Private Image Registry | TCP | 443 | HTTPS |
Kubernetes Cluster Worker Node | Harbor Private Image Registry | TCP | 8853 | BOSH DNS health |
Kubernetes Cluster Worker Node | IP NAS Storage Array | TCP | 111 | NFS RPC portmapper |
Kubernetes Cluster Worker Node | IP NAS Storage Array | TCP | 2049 | NFS |
Kubernetes Cluster Worker Node | Kubernetes Cluster Control Plane/etcd Node | TCP | 8443 | HTTPSCA |
Kubernetes Cluster Worker Node | Kubernetes Cluster Control Plane/etcd Node | TCP | 8853 | BOSH DNS health |
Kubernetes Cluster Worker Node | Kubernetes Cluster Control Plane/etcd Node | TCP | 10250 | kubelet API |
pks-system pod/cert-generator | TKGI Controller | TCP | 24224 | Fluentd out_forward |
pks-system pod/fluent-bit | TKGI Controller | TCP | 24224 | Fluentd out_forward |
The following tables list ports and protocols required for network communication between VMware components. For additional information, see VMware Ports and Protocols.
The following table lists ports and protocols used for network communication between VMware virtual infrastructure components.
Source Component | Destination Component | Destination Protocol | Destination Port | Service |
---|---|---|---|---|
vCenter Server | NSX Manager/Controller Node | TCP | 8080 | HTTP alt |
vCenter Server | vSphere ESXI Hosts Mgmt. vmknic | TCP | 443 | HTTPS |
vCenter Server | vSphere ESXI Hosts Mgmt. vmknic | TCP | 8080 | HTTP alt |
vCenter Server | vSphere ESXI Hosts Mgmt. vmknic | TCP | 9080 | io filter storage |
vSphere ESXI Hosts Mgmt. vmknic | NSX Manager/Controller Node | TCP | 443 | HTTPS |
vSphere ESXI Hosts Mgmt. vmknic | NSX Manager/Controller Node | TCP | 1235 | netcpa |
vSphere ESXI Hosts Mgmt. vmknic | NSX Manager/Controller Node | TCP | 5671 | AMQP traffic |
vSphere ESXI Hosts Mgmt. vmknic | NSX Manager/Controller Node | TCP | 8080 | HTTP alt |
vSphere ESXI Hosts Mgmt. vmknic | vCenter Server | UDP | 902 | ideafarm-door |
vSphere ESXI Hosts Mgmt. vmknic | vCenter Server | TCP | 9084 | update manager |
vSphere ESXI Hosts Mgmt. vmknic | vSphere ESXI Hosts Mgmt. vmknic | TCP | 8182 | vSphere ha |
vSphere ESXI Hosts Mgmt. vmknic | vSphere ESXI Hosts Mgmt. vmknic | UDP | 8182 | vSphere ha |
vSphere ESXI Hosts vMotion vmknic | vSphere ESXI Hosts vMotion vmknic | TCP | 8000 | vmotion |
vSphere ESXI Hosts IP Storage vmknic | IP NAS Storage Array | TCP | 111 | NFS RPC portmapper |
vSphere ESXI Hosts IP Storage vmknic | IP NAS Storage Array | TCP | 2049 | NFS |
vSphere ESXI Hosts IP Storage vmknic | IP NAS Storage Array | TCP | 3260 | iscsi |
vSphere ESXI Hosts vSAN vmknic | vSphere ESXI Hosts vSAN vmknic | TCP | 2233 | vSAN transport |
vSphere ESXI Hosts vSAN vmknic | vSphere ESXI Hosts vSAN vmknic | UDP | 12321 | unicast agent |
vSphere ESXI Hosts vSAN vmknic | vSphere ESXI Hosts vSAN vmknic | UDP | 12345 | vSAN cluster svc |
vSphere ESXI Hosts vSAN vmknic | vSphere ESXI Hosts vSAN vmknic | UDP | 23451 | vSAN cluster svc |
vSphere ESXI Hosts TEP vmknic | vSphere ESXI Hosts TEP vmknic | UDP | 3784 | bfd |
vSphere ESXI Hosts TEP vmknic | vSphere ESXI Hosts TEP vmknic | UDP | 3785 | bfd |
vSphere ESXI Hosts TEP vmknic | vSphere ESXI Hosts TEP vmknic | UDP | 6081 | geneve |
vSphere ESXI Hosts TEP vmknic | NSX Edge TEP vNIC | UDP | 3784 | bfd |
vSphere ESXI Hosts TEP vmknic | NSX Edge TEP vNIC | UDP | 3785 | bfd |
vSphere ESXI Hosts TEP vmknic | NSX Edge TEP vNIC | UDP | 6081 | geneve |
vSphere ESXI Hosts TEP vmknic | NSX Manager/Controller | TCP | 1234 | NSX messaging |
NSX Manager/Controller Node | NSX API VIP | TCP | 443 | HTTPS |
NSX Manager/Controller Node | NSX Manager/Controller Node | TCP | 443 | HTTPS |
NSX Manager/Controller Node | NSX Manager/Controller Node | TCP | 5671 | AMQP traffic |
NSX Manager/Controller Node | NSX Manager/Controller Node | TCP | 8080 | HTTP alt |
NSX Manager/Controller Node | NSX Manager/Controller Node | TCP | 9000 | loginsight ingestion api |
NSX Manager/Controller Node | Traceroute Destination | UDP | 33434-33523 | traceroute |
NSX Manager/Controller Node | vCenter Server | TCP | 80 | HTTP |
NSX Manager/Controller Node | vCenter Server | TCP | 443 | HTTPS |
NSX Manager/Controller Node | vSphere ESXI Hosts Mgmt. vmknic | TCP | 443 | HTTPS |
NSX Edge Management | NSX Edge Management | TCP | 1167 | DHCP backend |
NSX Edge Management | NSX Edge Management | TCP | 2480 | Nestdb |
NSX Edge Management | NSX Edge Management | UDP | 3784 | bfd |
NSX Edge Management | NSX Edge Management | UDP | 50263 | high-availability |
NSX Edge Management | NSX Manager/Controller Node | TCP | 443 | HTTPS |
NSX Edge Management | NSX Manager/Controller Node | TCP | 1235 | netcpa |
NSX Edge Management | NSX Manager/Controller Node | TCP | 5671 | AMQP traffic |
NSX Edge Management | NSX Manager/Controller Node | TCP | 8080 | HTTP alt |
NSX Edge Management | Traceroute Destination | UDP | 33434-33523 | traceroute |
NSX Edge TEP vNIC | NSX Edge TEP vNIC | UDP | 3784 | bfd |
NSX Edge TEP vNIC | NSX Edge TEP vNIC | UDP | 3785 | bfd |
NSX Edge TEP vNIC | NSX Edge TEP vNIC | UDP | 6081 | geneve |
NSX Edge TEP vNIC | NSX Edge TEP vNIC | UDP | 50263 | high-availability |
NSX Edge TEP vNIC | vSphere ESXI Hosts TEP vmknic | UDP | 3784 | bfd |
NSX Edge TEP vNIC | vSphere ESXI Hosts TEP vmknic | UDP | 3785 | bfd |
NSX Edge TEP vNIC | vSphere ESXI Hosts TEP vmknic | UDP | 6081 | geneve |
NSX Edge Tier-0 Uplink IP(s) / HA VIP | Physical Network Router | TCP | 179 | bgp |
NSX Edge TEP vNIC | NSX Manager/Controller | TCP | 1234 | NSX messaging |
NSX Tier-1 Router | Kubernetes cluster Pods and Worker Nodes | TCP | 80 | HTTP |
NSX Tier-1 Router | Kubernetes cluster Pods and Worker Nodes | TCP | 443 | HTTPS |
NSX Tier-1 Router | Kubernetes cluster Pods and Worker Nodes | TCP | 8443 | HTTPSCA |
Physical Network Router | NSX Edge Tier-0 Uplink IP(s) / HA VIP | TCP | 179 | bgp |
The following table lists ports and protocols used for network communication between optional VMware integrations.
Source Component | Destination Component | Destination Protocol | Destination Port | Service |
---|---|---|---|---|
Admin/Operator Console | vRealize Operations Manager | TCP | 443 | HTTPS |
vRealize Operations Manager | Kubernetes Cluster API Server -LB VIP | TCP | 8443 | HTTPSCA |
vRealize Operations Manager | NSX API VIP | TCP | 443 | HTTPS |
vRealize Operations Manager | TKGI Controller | TCP | 8443 | HTTPSCA |
Admin/Operator Console | vRealize LogInsight | TCP | 443 | HTTPS |
Kubernetes Cluster Ingress Controller | vRealize LogInsight | TCP | 9000 | ingestion api |
Kubernetes Cluster Control Plane/etcd Node | vRealize LogInsight | TCP | 9000 | ingestion api |
Kubernetes Cluster Control Plane/etcd Node | vRealize LogInsight | TCP | 9543 | ingestion api -tls |
Kubernetes Cluster Worker Node | vRealize LogInsight | TCP | 9000 | ingestion api |
Kubernetes Cluster Worker Node | vRealize LogInsight | TCP | 9543 | ingestion api -tls |
NSX Manager/Controller Node | vRealize LogInsight | TCP | 9000 | ingestion api |
TKGI Controller | vRealize LogInsight | TCP | 9000 | ingestion api |
Admin/Operator and Developer Consoles | Wavefront SaaS APM | TCP | 443 | HTTPS |
kube-system pod/wavefront-proxy | Wavefront SaaS APM | TCP | 443 | HTTPS |
kube-system pod/wavefront-proxy | Wavefront SaaS APM | TCP | 8443 | HTTPSCA |
pks-system pod/wavefront-collector | TKGI Controller | TCP | 24224 | Fluentd out_forward |
Admin/Operator Console | vRealize Network Insight Platform | TCP | 443 | HTTPS |
Admin/Operator Console | vRealize Network Insight Proxy | TCP | 22 | SSH |
vRealize Network Insight Proxy | Kubernetes Cluster API Server -LB VIP | TCP | 8443 | HTTPSCA |
vRealize Network Insight Proxy | NSX API VIP | TCP | 22 | SSH |
vRealize Network Insight Proxy | NSX API VIP | TCP | 443 | HTTPS |
vRealize Network Insight Proxy | TKGI Controller | TCP | 8443 | HTTPSCA |
vRealize Network Insight Proxy | TKGI Controller | TCP | 9021 | TKGI API server |
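As an added example (not part of the VMware documentation or of any TKGI tooling), the following Python parses rows in the format shared by all four tables above into one allow rule per protocol and per port, expanding TCP/UDP, slash-separated alternates such as 514/1514, and ranges such as 30000-32767, and setting aside the rows whose port "Varies" so they are not silently dropped from an allow-list. The sample rows are copied from the tables; the Rule type and output format are this example's own.

```python
from collections import namedtuple
# Constructed sample: rows copied from the tables above, plus a separator line
# the parser must skip. Service names are kept as written on the page.
SAMPLE_ROWS = """\
---|---|---|---|---|
All System Components | Corporate Domain Name Server | TCP/UDP | 53 | DNS |
All System Components | vRealize LogInsight | TCP/UDP | 514/1514 | syslog/tls syslog |
Admin/Operator and Developer Consoles | Kubernetes Cluster Worker Node | TCP/UDP | 30000-32767 | Kubernetes NodePort |
Admin/Operator and Developer Consoles | Kubernetes App Load-Balancer Svc | TCP/UDP | Varies | varies with apps |
NSX Manager/Controller Node | Traceroute Destination | UDP | 33434-33523 | traceroute |
"""
Rule = namedtuple("Rule", "src dst proto port_lo port_hi service")  # one ACL line each

def parse_ports(field):
    """'53' -> [(53, 53)]; '514/1514' -> two entries; '30000-32767' -> one
    range; 'Varies' -> None, meaning the port is app-defined."""
    field = field.strip()
    if field.lower() == "varies":
        return None
    ranges = []
    for part in field.split("/"):
        lo, _, hi = part.partition("-")
        lo_i, hi_i = int(lo), (int(hi) if hi else int(lo))
        if not 0 < lo_i <= hi_i <= 65535:
            raise ValueError(f"bad port spec {part!r}")
        ranges.append((lo_i, hi_i))
    return ranges

def parse_rows(text):
    """Return (rules, unresolved): 'Varies' rows go to unresolved so they are
    never silently dropped from the allow-list."""
    rules, unresolved = [], []
    for line in text.splitlines():
        cells = [c.strip() for c in line.strip().strip("|").split("|")]
        if len(cells) != 5 or cells[0].startswith("---") or cells[0] == "Source Component":
            continue  # separator, header, or blank line
        src, dst, proto, ports, service = cells
        ranges = parse_ports(ports)
        if ranges is None:
            unresolved.append(line.strip())
            continue
        for p in proto.upper().split("/"):  # "TCP/UDP" expands to two rules
            rules.extend(Rule(src, dst, p, lo, hi, service) for lo, hi in ranges)
    return rules, unresolved

if __name__ == "__main__":
    rules, unresolved = parse_rows(SAMPLE_ROWS)
    for r in rules:
        print(f"allow {r.proto} {r.port_lo}-{r.port_hi}  {r.src} -> {r.dst}  ({r.service})")
    print("ports to set per app:", unresolved)
```

Feed the full tables in place of SAMPLE_ROWS to get a complete rule set; the unresolved list is the set of application load-balancer ports you must decide per deployment.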