This topic describes how to configure your firewall for VMware Tanzu Operations Manager and VMware Tanzu Application Service for VMs (TAS for VMs), and how to verify that component VMs correctly resolve DNS entries behind your firewall.
VMware Tanzu Operations Manager and VMware Tanzu Application Service for VMs (TAS for VMs) require the following open TCP ports:
If you want to use an external NTP server, UDP port 123 must also be open.
For more information about required ports for additional installed products, see Routing Network Communications.
The following example procedure uses iptables commands to configure a firewall. The rules it adds set up forwarding and NAT; they do not change the default policies of the INPUT and FORWARD chains, so add your own filtering rules on top of them.
Note: GATEWAY_EXTERNAL_IP is a placeholder. Replace this value with your PUBLIC_IP.
Open /etc/sysctl.conf, the file that holds persistent Linux kernel settings, by running:
sudo vi /etc/sysctl.conf
Add the line net.ipv4.ip_forward=1 to /etc/sysctl.conf and save the file. The setting takes effect after the next reboot, or immediately if you reload the file with sysctl -p.
To remove all existing rules from the filter and NAT tables, run the following. Flushing removes rules but does not reset chain default policies; if the INPUT chain policy is DROP, run these commands from a console session so that you are not locked out:
iptables --flush
iptables --flush -t nat
Set the environment variables used by the rules that follow, replacing the values with your own (203.0.113.242 is a documentation address used here only as a placeholder):
export INTERNAL_NETWORK_RANGE=10.0.0.0/8
export GATEWAY_INTERNAL_IP=10.0.0.1
export GATEWAY_EXTERNAL_IP=203.0.113.242
export VMWARETANZU_IP=10.0.0.2
export HA_PROXY_IP=10.0.0.254
To add rules to the FORWARD, POSTROUTING and PREROUTING chains, run the following. Note that the PREROUTING rules forward ports 8022 (to SSH on port 22), 25555 and 8080 to the VM at VMWARETANZU_IP for every source that can reach eth0; if the gateway is internet-facing, add filter rules that restrict which source addresses may reach those ports.
FORWARD:
iptables -A FORWARD -i eth1 -j ACCEPT
iptables -A FORWARD -o eth1 -j ACCEPT
POSTROUTING:
iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
iptables -t nat -A POSTROUTING -d $HA_PROXY_IP -s $INTERNAL_NETWORK_RANGE \
-p tcp --dport 80 -j SNAT --to $GATEWAY_INTERNAL_IP
iptables -t nat -A POSTROUTING -d $HA_PROXY_IP -s $INTERNAL_NETWORK_RANGE \
-p tcp --dport 443 -j SNAT --to $GATEWAY_INTERNAL_IP
PREROUTING:
iptables -t nat -A PREROUTING -d $GATEWAY_EXTERNAL_IP -p tcp --dport \
25555 -j DNAT --to $VMWARETANZU_IP
iptables -t nat -A PREROUTING -d $GATEWAY_EXTERNAL_IP -p tcp --dport \
443 -j DNAT --to $HA_PROXY_IP
iptables -t nat -A PREROUTING -d $GATEWAY_EXTERNAL_IP -p tcp --dport \
80 -j DNAT --to $HA_PROXY_IP
iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 8443 -j DNAT \
--to $VMWARETANZU_IP:443
iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 80 -j DNAT \
--to $HA_PROXY_IP:80
iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 8022 -j DNAT \
--to $VMWARETANZU_IP:22
iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 8080 -j DNAT \
--to $VMWARETANZU_IP:80
Save the iptables rules so that they are restored at boot by running the following. This works on distributions that ship the iptables init service; on others, use iptables-save together with your distribution's rule persistence mechanism:
service iptables save
For more information about administering IP tables with iptables, see the iptables documentation.
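The procedure above, collected into one script as an added example (this is not code from the VMware documentation or the Tanzu project). It validates the addresses before touching anything, prints the full rule set in "plan" mode, and only flushes and applies in "apply" mode as root. The interface names eth0/eth1, the default addresses and the optional ADMIN_SOURCE restriction on the forwarded SSH and 25555 ports are assumptions added here; the rules themselves are the ones listed in the procedure.

```shell
#!/bin/sh
# Added example; not part of the VMware documentation. Wraps the iptables
# procedure above with validation, a "plan" (print only) mode and an "apply" mode.
# eth0/eth1, the default addresses and ADMIN_SOURCE are assumptions.
set -eu

INTERNAL_NETWORK_RANGE=${INTERNAL_NETWORK_RANGE:-10.0.0.0/8}
GATEWAY_INTERNAL_IP=${GATEWAY_INTERNAL_IP:-10.0.0.1}
GATEWAY_EXTERNAL_IP=${GATEWAY_EXTERNAL_IP:-203.0.113.242}   # replace with your PUBLIC_IP
VMWARETANZU_IP=${VMWARETANZU_IP:-10.0.0.2}
HA_PROXY_IP=${HA_PROXY_IP:-10.0.0.254}
EXT_IF=${EXT_IF:-eth0}
INT_IF=${INT_IF:-eth1}
# Addition beyond the procedure: a CIDR allowed to reach the forwarded SSH
# (8022 -> 22) and 25555 ports. Empty means no restriction, as on the page.
ADMIN_SOURCE=${ADMIN_SOURCE:-}

# Accept exactly four dot-separated decimal octets, each 0-255.
valid_ipv4() {
  case $1 in ''|*[!0-9.]*|.*|*.|*..*) return 1 ;; esac
  _n=0
  _ifs=$IFS; IFS=.
  for _o in $1; do
    _n=$((_n + 1))
    case $_o in ????*) IFS=$_ifs; return 1 ;; esac    # more than 3 digits
    [ "$_o" -le 255 ] || { IFS=$_ifs; return 1; }
  done
  IFS=$_ifs
  [ "$_n" -eq 4 ]
}

# Accept IPv4 CIDR notation with a prefix length of 0-32.
valid_cidr() {
  case $1 in */*) ;; *) return 1 ;; esac
  valid_ipv4 "${1%/*}" || return 1
  _p=${1#*/}
  case $_p in ''|*[!0-9]*|???*) return 1 ;; esac
  [ "$_p" -le 32 ]
}

validate_config() {
  valid_cidr "$INTERNAL_NETWORK_RANGE" || { echo "bad INTERNAL_NETWORK_RANGE: $INTERNAL_NETWORK_RANGE" >&2; return 1; }
  for _pair in "GATEWAY_INTERNAL_IP=$GATEWAY_INTERNAL_IP" "GATEWAY_EXTERNAL_IP=$GATEWAY_EXTERNAL_IP" \
               "VMWARETANZU_IP=$VMWARETANZU_IP" "HA_PROXY_IP=$HA_PROXY_IP"; do
    valid_ipv4 "${_pair#*=}" || { echo "bad $_pair" >&2; return 1; }
  done
  if [ -n "$ADMIN_SOURCE" ]; then
    valid_cidr "$ADMIN_SOURCE" || { echo "bad ADMIN_SOURCE: $ADMIN_SOURCE" >&2; return 1; }
  fi
}

# Print the rule set from the procedure, one iptables argument list per line,
# so it can be reviewed before anything on the gateway changes.
rules() {
  cat <<EOF
-A FORWARD -i $INT_IF -j ACCEPT
-A FORWARD -o $INT_IF -j ACCEPT
-t nat -A POSTROUTING -o $EXT_IF -j MASQUERADE
-t nat -A POSTROUTING -d $HA_PROXY_IP -s $INTERNAL_NETWORK_RANGE -p tcp --dport 80 -j SNAT --to $GATEWAY_INTERNAL_IP
-t nat -A POSTROUTING -d $HA_PROXY_IP -s $INTERNAL_NETWORK_RANGE -p tcp --dport 443 -j SNAT --to $GATEWAY_INTERNAL_IP
-t nat -A PREROUTING -d $GATEWAY_EXTERNAL_IP -p tcp --dport 25555 -j DNAT --to $VMWARETANZU_IP
-t nat -A PREROUTING -d $GATEWAY_EXTERNAL_IP -p tcp --dport 443 -j DNAT --to $HA_PROXY_IP
-t nat -A PREROUTING -d $GATEWAY_EXTERNAL_IP -p tcp --dport 80 -j DNAT --to $HA_PROXY_IP
-t nat -A PREROUTING -i $EXT_IF -p tcp --dport 8443 -j DNAT --to $VMWARETANZU_IP:443
-t nat -A PREROUTING -i $EXT_IF -p tcp --dport 80 -j DNAT --to $HA_PROXY_IP:80
-t nat -A PREROUTING -i $EXT_IF -p tcp --dport 8022 -j DNAT --to $VMWARETANZU_IP:22
-t nat -A PREROUTING -i $EXT_IF -p tcp --dport 8080 -j DNAT --to $VMWARETANZU_IP:80
EOF
  # After DNAT the packet crosses FORWARD with its real destination, so a DROP
  # inserted at the top of FORWARD limits who reaches SSH and port 25555.
  if [ -n "$ADMIN_SOURCE" ]; then
    cat <<EOF
-I FORWARD -i $EXT_IF -d $VMWARETANZU_IP -p tcp --dport 22 ! -s $ADMIN_SOURCE -j DROP
-I FORWARD -i $EXT_IF -d $VMWARETANZU_IP -p tcp --dport 25555 ! -s $ADMIN_SOURCE -j DROP
EOF
  fi
}

rule_count() { rules | awk 'END { print NR }'; }
drop_count() { rules | awk '/-j DROP/ { n++ } END { print n + 0 }'; }

apply_rules() {
  [ "$(id -u)" -eq 0 ] || { echo "apply must run as root" >&2; return 1; }
  # Steps 1-2 of the procedure: enable forwarding now and persist it.
  sysctl -w net.ipv4.ip_forward=1 >/dev/null
  grep -qx 'net.ipv4.ip_forward=1' /etc/sysctl.conf || echo 'net.ipv4.ip_forward=1' >>/etc/sysctl.conf
  # Flush filter and nat exactly as the procedure does (default policies are untouched).
  iptables --flush
  iptables --flush -t nat
  rules | while read -r _line; do
    # shellcheck disable=SC2086  # word splitting of the argument list is intended
    iptables $_line
  done
  service iptables save 2>/dev/null || echo "persist the rules with iptables-save for your distribution" >&2
}

case ${1:-} in
  plan)  validate_config; rules | sed 's/^/iptables /' ;;
  apply) validate_config; apply_rules ;;
  '')    ;;   # no verb: only define the functions (for sourcing or testing)
  *)     echo "usage: $0 plan|apply" >&2; exit 2 ;;
esac
```

Run `sh tanzu-fw.sh plan` (optionally with `ADMIN_SOURCE=198.51.100.0/24` in the environment) to see the exact commands, and `sudo sh tanzu-fw.sh apply` to execute them. The plan mode exists because the flush step is destructive: reviewing the generated rules first is the check a practitioner would want before replacing a live gateway's rule set.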
When you install Tanzu Operations Manager in an environment that uses a strong firewall, the firewall might block DNS resolution. For example, if you use xip.io to test your DNS configuration, the tests fail without warning if the firewall prevents TAS for VMs from accessing *.xip.io.
To verify that component VMs can correctly resolve DNS entries:
SSH into the Tanzu Operations Manager VM by following the procedure in Log Into the Tanzu Operations Manager VM with SSH.
Run any of the following network administration commands with the IP address of the VM:
nslookup
dig
host
traceroute (or the equivalent command for your OS)
Review the output of the command and fix any blocked routes. If the output displays an error message, review the firewall logs to determine which blocked route or routes you need to clear.
Repeat steps 1-3 with the BOSH Director VM and the HAProxy VM.
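A scripted version of the verification above, as an added example that is not part of the VMware documentation. Its point is the failure mode the page warns about: a lookup the firewall silently drops looks different in dig output from a name that does not exist, and the script classifies each name accordingly instead of relying on dig's exit code. The sample dig excerpts are constructed for the offline self-check, and the hostnames you pass on the command line are your own; nothing here is taken from a real deployment.

```shell
#!/bin/sh
# Added example; not part of the VMware documentation. Run on the Ops Manager,
# BOSH Director and HAProxy VMs: sh dns_check.sh name1 name2 ...
set -eu

# Classify the text output of `dig` for one name:
#   blocked  - no reply at all (what a firewall dropping port 53 looks like)
#   nxdomain - the resolver answered: the name does not exist
#   servfail - the resolver answered but could not resolve (its upstream path)
#   noanswer - NOERROR but no A record
#   ok       - at least one answer record
#   unknown  - anything else (dig missing, unexpected output)
classify_dig() {
  case $1 in
    *"no servers could be reached"*) echo blocked ;;
    *"status: NXDOMAIN"*)            echo nxdomain ;;
    *"status: SERVFAIL"*)            echo servfail ;;
    *"status: NOERROR"*)
      case $1 in
        *"ANSWER: 0,"*) echo noanswer ;;
        *)              echo ok ;;
      esac ;;
    *) echo unknown ;;
  esac
}

# One short-timeout lookup per name. The output rather than the exit code is
# classified because dig exits 0 for NXDOMAIN but non-zero on a timeout.
check_name() {
  _out=$(dig +tries=1 +time=3 "$1" A 2>&1 || true)
  classify_dig "$_out"
}

# Constructed dig excerpts (not captured from a real system) for the offline check.
SAMPLE_BLOCKED=';; connection timed out; no servers could be reached'
SAMPLE_NXDOMAIN=';; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 4242
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1'
SAMPLE_NOANSWER=';; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4243
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1'
SAMPLE_OK=';; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4244
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
;; ANSWER SECTION:
app.example.com.   300   IN   A   203.0.113.242'

# Look up every name given, print one line each, and exit non-zero if any lookup
# got no reply at all, so the check can be scripted and repeated per VM.
check_all() {
  _blocked=0
  for _name in "$@"; do
    _r=$(check_name "$_name")
    printf '%-45s %s\n' "$_name" "$_r"
    if [ "$_r" = blocked ]; then _blocked=$((_blocked + 1)); fi
  done
  if [ "$_blocked" -gt 0 ]; then
    echo "$_blocked lookup(s) got no reply: allow UDP and TCP port 53 to the resolver, then review the firewall logs" >&2
    return 1
  fi
  return 0
}

case ${1:-} in
  '') ;;                 # no names given: only define the functions
  *)  check_all "$@" ;;
esac
```

Run it with an internal name, an external name, and one name under the wildcard domain you use for testing, and compare the three: "blocked" on only the external and wildcard names points at the firewall rather than at the resolver configuration. Repeat on the BOSH Director and HAProxy VMs as the procedure says.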