Proxy Server Allowlist

To install and run Tanzu Kubernetes Grid (TKG) in environment that is internet-restricted but not physically airgapped, you have two options:

Configure your proxy server and firewall to allow access from TKG’s subnets to the online sources for TKG images, the container images for TKG components.
Make offline copies of all the TKG images.

This topic lists the domains that your proxy server (Layer 7) needs to allow in order to enable Tanzu Kubernetes Grid, for the first option above. It also lists second-option alternatives for copying and using images offline.

For the port and protocol firewall (Layer 4) rules required by Tanzu Kubernetes Grid, see Tanzu Kubernetes Grid Firewall Rules.

For how to install Tanzu Kubernetes Grid in an airgapped or internet-restricted environment, see Prepare an Internet-Restricted Environment.

Domains to Allow

Add the following domains to your proxy server’s allowlist to install Tanzu Kubernetes Grid and enable it to provision workload clusters.

Domains	Registry	Purpose
`projects.registry.vmware.com` `projects.packages.broadcom.com` `jfrog-prod-usw2-shared-oregon-main.s3.amazonaws.com`	VMware plugins registry, Tanzu Standard package repository	VMware plugins registry hosts images, binaries and configuration files used by the Tanzu CLI to perform core functions like creating clusters and managing access. Tanzu Standard package repository stores images for packaged services that the Tanzu CLI installs into clusters.
`registry.tkg.vmware.run`	VMware OCI Images registry	Uses Harbor to host images that TKG uses to bootstrap management and workload clusters. Images in this registry are scanned for vulnerabilities and are safe to operate in all environments.
Environment- and infrastructure-specific registries, for example: `registry.k8s.io` `s14749d.vmware.com.edgekey.net` `e14749.dsce4.akamaiedge.net` `storage.googleapis.com`

Alternatives to Allowlisting

As an alternative to allowing the domains above, you can copy the images offline as follows:

All Images: Run the image copying scripts described in Prepare an Internet-Restricted Environment.
VMware Plugins Registry Images: Run tanzu plugin sync from an internet-connected bootstrap machine and transfer its $HOME/.tkg folder to the internet-restricted machine.
Docker Hub Images: Use the ytt tool to change the package source registry to your own private Docker registry or Helm Artifact Hub. For information about how to download and install ytt, see Install the Carvel Tools.