This topic describes how to configure your firewall for VMware Tanzu Operations Manager and VMware Tanzu Application Service for VMs (TAS for VMs), and how to verify that component VMs correctly resolve DNS entries behind your firewall.

Configure your firewall

VMware Tanzu Operations Manager and VMware Tanzu Application Service for VMs (TAS for VMs) require the following open TCP ports:

  • 25555: Routes from Tanzu Operations Manager VM to the BOSH Director
  • 443: Routes to HAProxy or, if configured, your own load balancer
  • 80: Routes to HAProxy or, if configured, your own load balancer
  • 8844: Routes from Tanzu Operations Manager VM to BOSH CredHub
  • 8443: Routes from Tanzu Operations Manager VM to BOSH Director UAA
  • 6868: Routes to the BOSH Agent
  • 2222: Necessary for using App SSH
  • 25595: Routes from the Traffic Controller to the BOSH Director, to enable sending BOSH health metrics to the Firehose
  • For vSphere Only: Tanzu Operations Manager requires that the NSX firewall routes are not blocked. By default, all communication between Tanzu Operations Manager VMs and vCenter or ESXi hosts route through the NSX firewall and are blocked. For more information on which ports to enable, see VMware ports and protocols for vSphere.

If you want to use an external NTP server, UDP port 123 must be open.

For more information about required ports for additional installed products, see Routing Network Communications.

Example: Configure firewall with `iptables’

The following example procedure uses iptables commands to configure a firewall.

Note GATEWAY_EXTERNAL_IP is a placeholder. Replace this value with your PUBLIC_IP.

  1. Open /etc/sysctl.conf, a file that contains configurations for Linux kernel settings, by running:

    sudo vi /etc/sysctl.conf
    
  2. Add the line net.ipv4.ip_forward=1 to /etc/sysctl.conf and save the file.

  3. To remove all existing filtering or Network Address Translation (NAT) rules, run:

    iptables --flush
    iptables --flush -t nat
    
  4. Add environment variables to use when creating the IP rules by running:

    export INTERNAL_NETWORK_RANGE=10.0.0.0/8
    export GATEWAY_INTERNAL_IP=10.0.0.1
    export GATEWAY_EXTERNAL_IP=203.0.113.242
    export VMWARETANZU_IP=10.0.0.2
    export HA_PROXY_IP=10.0.0.254
    
  5. To configure IP rules for the specified chains, run:

    • FORWARD:

      iptables -A FORWARD -i eth1 -j ACCEPT
      iptables -A FORWARD -o eth1 -j ACCEPT
      
    • POSTROUTING:

      iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
      iptables -t nat -A POSTROUTING -d $HA_PROXY_IP -s $INTERNAL_NETWORK_RANGE \
            -p tcp --dport 80 -j SNAT --to $GATEWAY_INTERNAL_IP
      iptables -t nat -A POSTROUTING -d $HA_PROXY_IP -s $INTERNAL_NETWORK_RANGE \
            -p tcp --dport 443 -j SNAT --to $GATEWAY_INTERNAL_IP
      
    • PREROUTING:

      iptables -t nat -A PREROUTING -d $GATEWAY_EXTERNAL_IP -p tcp --dport \
             25555 -j DNAT --to $VMWARETANZU_IP
      iptables -t nat -A PREROUTING -d $GATEWAY_EXTERNAL_IP -p tcp --dport \
             443 -j DNAT --to $HA_PROXY_IP
      iptables -t nat -A PREROUTING -d $GATEWAY_EXTERNAL_IP -p tcp --dport \
             80 -j DNAT --to $HA_PROXY_IP
      iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 8443 -j DNAT \
          --to $VMWARETANZU_IP:443
      iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 80 -j DNAT \
          --to $HA_PROXY_IP:80
      iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 8022 -j DNAT \
          --to $VMWARETANZU_IP:22
      iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 8080 -j DNAT \
          --to $VMWARETANZU_IP:80
      
  6. Save the iptables by running:

    service iptables save
    

For more information about administering IP tables with iptables, see the iptables documentation.

Verify that component VMs resolve DNS entries behind your firewall

When you install Tanzu Operations Manager in an environment that uses a strong firewall, the firewall might block DNS resolution. For example, if you use xip.io to test your DNS configuration, the tests fail without warning if the firewall prevents TAS for VMs from accessing *.xip.io.

To verify that component VMs can correctly resolve DNS entries:

  1. SSH into the Tanzu Operations Manager VM by following the procedure in Log Into the Tanzu Operations Manager VM with SSH.

  2. Run any of the following network administration commands with the IP address of the VM:

    • nslookup
    • dig
    • host
    • The appropriate traceroute command for your OS
  3. Review the output of the command and fix any blocked routes. If the output displays an error message, review the firewall logs to determine which blocked route or routes you need to clear.

  4. Repeat steps 1-3 with the BOSH Director VM and the HAProxy VM.

check-circle-line exclamation-circle-line close-line
Scroll to top icon