Required ports
List of required ports that must be available for installation and configuration of an IBM® Cloud Private cluster.
You open the ports before you start installing IBM Cloud Private, and the installer confirms that they are open.
Port access types
- Internal - port must be open to allow connections inside the cluster.
- External - port must be open to allow connections from outside the cluster.
If no access type is stated, the port is used only for internal communications.
Important: IBM Cloud Private supports an optional management node. If your cluster does not include a management node, the components that load on the management node load on the master node instead. You must open the Management ports on the master node.
Note: All cluster nodes refer to master, worker, proxy, management, etcd, and Vulnerability Advisor (VA) nodes. The boot node doesn't have port requirements.
- All cluster nodes to all cluster nodes
- All cluster nodes to master nodes
- All cluster nodes to management nodes
- All cluster nodes to proxy nodes
- All cluster nodes or etcd nodes to etcd nodes
- Master nodes to master nodes
- Master nodes or proxy nodes to management nodes
- Management nodes to all cluster nodes
- Management nodes to master nodes
- Management nodes to management nodes
- Proxy nodes to management nodes
- External to proxy nodes
- GlusterFS nodes to all cluster nodes
All cluster nodes to all cluster nodes
| Port | Protocol | Requirement |
|---|---|---|
| NA | IPv4 | Calico with IP-in-IP (calico_ipip_mode: Always, network_type: calico) Note: Enabled by default. |
| 179 | TCP | Always for Calico (network_type: calico) |
| 500 | TCP and UDP | IPsec (ipsec.enabled: true, calico_ipip_mode: Always, network_type: calico) |
| 4000 | TCP | Metering reader (management_services.metering: enabled) Note: For external metering through either proxy or internal self-metering. |
| 4500 | UDP | IPsec (ipsec.enabled: true) |
| 9091 | TCP | Calico (network_type: calico) |
| 9099 | TCP | Calico (network_type: calico) |
| 10248-10252 | TCP | Always for Kubernetes |
| 30000-32767 | TCP and UDP | Always for Kubernetes Note: External access. These ports must be opened only if you set Kubernetes Service type to NodePort. |
All cluster nodes to master nodes
| Port | Protocol | Requirement |
|---|---|---|
| 3306 | TCP | Always for MariaDB |
| 4444 | TCP | Master HA enabled for MariaDB Galera |
| 4567 | TCP and UDP | Master HA enabled for MariaDB Galera |
| 4568 | TCP | Master HA enabled for MariaDB Galera |
| 8001 | TCP | Always for the kube_apiserver_port Note: Default port. The kube_apiserver_port must be available on the master node only. |
| 8080 | TCP | Always for the management console Note: The management ingress insecure port equals the default value of router_http_port. Internal and external access. |
| 8443 | TCP | Always for the management console Note: The management ingress insecure port equals the default value of router_http_port. Internal and external access. |
| 8500 | TCP | Always for the Image manager Note: Internal and external access. |
| 8600 | TCP | Always for the Image manager Note: Internal and external access. |
| 27017 | TCP | MongoDB |
All cluster nodes to management nodes
| Port | Protocol | Requirement |
|---|---|---|
| 3000 | TCP | Prometheus scrape (management_services.metering: enabled) Note: For Prometheus scraping of metering data from metering-dm. |
| 5044 | TCP | Logstash enabled (management_services.logging: enabled) |
| 25826 | UDP | Core services Collectd exporter (management_services.monitoring: enabled) |
| 31514 | TCP | Tiller NodePort Note: Internal and external access. The default 31514 port can be overridden in the config.yaml file prior to installing IBM Cloud Private. |
| 44134 | TCP | Tiller network policy Note: Internal and external access. |
| 44135 | TCP | Tiller network policy Note: Internal and external access. |
All cluster nodes to proxy nodes
| Port | Protocol | Requirement |
|---|---|---|
| 31380 | TCP | Istio (management_services.istio: enabled) Note: Internal and external access. |
| 31390 | TCP | Istio (management_services.istio: enabled) Note: Internal and external access. |
All cluster nodes or etcd nodes to etcd nodes
| Port | Protocol | Requirement |
|---|---|---|
| 2380 | TCP | Always if etcd is enabled Note: etcd nodes to etcd nodes. |
| 4001 | TCP | Always if etcd is enabled Note: All cluster nodes to etcd nodes. |
Master nodes to master nodes
| Port | Protocol | Requirement |
|---|---|---|
| 3306 | TCP | MariaDB |
| 6969 | TCP | Always for platform-api |
| 9443 | TCP | WebSphere® Application Server Liberty Note: External access. |
| 20358 | TCP | Always for KMS plug-in health check port |
| 31030 | TCP | Helm enabled (management_services.service-catalog: enabled) |
| 31031 | TCP | Helm enabled (management_services.service-catalog: enabled) |
| 44134 | TCP | Tiller network policy Note: Internal and external access. |
Master nodes or proxy nodes to management nodes
| Port | Protocol | Requirement |
|---|---|---|
| 3000 | TCP | Grafana (management_services.monitoring: enabled) |
| 5601 | TCP | Kibana (management_services.monitoring: enabled) |
| 9093 | TCP | Alert manager (management_services.monitoring: enabled) |
Management nodes to all cluster nodes
| Port | Protocol | Requirement |
|---|---|---|
| 8445 | TCP | Core services node exporter default port (management_services.monitoring: enabled) |
Management nodes to master nodes
| Port | Protocol | Requirement |
|---|---|---|
| 6969 | TCP | Always for platform-api |
Management nodes to management nodes
| Port | Protocol | Requirement |
|---|---|---|
| 80 | TCP | Core services kube-state-metrics explorer (management_services.monitoring: enabled) Note: Internal and external access. |
| 389 | TCP | LDAP enabled (ldap_enabled: true) Note: Internal and external access. |
| 636 | TCP | LDAPS enabled (ldap_enabled: true) Note: Internal and external access. |
| 3000 | TCP | Always for platform-ui |
| 4000 | TCP | Always for catalog-ui |
| 9093 | TCP | Core services alert manager (management_services.monitoring: enabled) |
| 9090 | TCP | Prometheus (management_services.monitoring: enabled) |
| 9103 | TCP | Core services Collectd exporter (management_services.monitoring: enabled) |
| 9108 | TCP | Core services Elasticsearch exporter (management_services.monitoring: enabled) |
| 9200 | TCP | Elasticsearch (management_services.logging: enabled) |
| 9300 | TCP | Elasticsearch (management_services.logging: enabled) |
Proxy nodes to management nodes
| Port | Protocol | Requirement |
|---|---|---|
| 3000 | TCP | Core services Grafana (management_services.monitoring: enabled) |
| 3130 | TCP | Metering user interface server (management_services.metering: enabled) |
| 5601 | TCP | Core services Kibana (management_services.logging: enabled) |
| 9093 | TCP | Core services alert manager (management_services.monitoring: enabled) |
| 9090 | TCP | Core services Prometheus (management_services.monitoring: enabled) |
| 9200 | TCP | Core services Elasticsearch (management_services.logging: enabled) |
| 9300 | TCP | Core services Elasticsearch (management_services.logging: enabled) |
External to proxy nodes
| Port | Protocol | Requirement |
|---|---|---|
| 80 | TCP | Always for the Ingress service Note: Default value of ingress_http_port. |
| 443 | TCP | Always for the Ingress service Note: Default value of ingress_http_port. Internal and external access. |
GlusterFS nodes to all cluster nodes
| Port | Protocol | Requirement |
|---|---|---|
| 2222 | TCP | GlusterFS (management_services.storage-glusterfs: enabled) |
| 24007 | TCP | GlusterFS (management_services.storage-glusterfs: enabled) |
| 24008 | TCP | GlusterFS (management_services.storage-glusterfs: enabled) |
| 49152:49251 | TCP | GlusterFS (management_services.storage-glusterfs: enabled) |
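
An added example (not IBM's code and not part of the product documentation): one way to turn rows from the tables on this page into source-scoped firewall rules, so that ports without an external access note accept traffic only from the cluster subnet while ports marked for external access stay reachable from outside. The `iptables` output format, the function names and the `10.10.0.0/24` subnet are assumptions for illustration; the rows themselves are copied from the tables above.

```python
import ipaddress

# Rows copied from this page's "All cluster nodes to all cluster nodes" and
# GlusterFS tables: (port spec, Protocol column, access type from the Note).
ROWS = [
    ("179", "TCP", "internal"),
    ("500", "TCP and UDP", "internal"),
    ("4500", "UDP", "internal"),
    ("10248-10252", "TCP", "internal"),
    ("30000-32767", "TCP and UDP", "external"),  # NodePort range
    ("49152:49251", "TCP", "internal"),
]

def parse_ports(spec):
    """Return (low, high) for '179', '10248-10252' or '49152:49251'."""
    parts = spec.replace(":", "-").split("-")
    low, high = int(parts[0]), int(parts[-1])
    if len(parts) > 2 or not 0 < low <= high <= 65535:
        raise ValueError(f"bad port spec: {spec!r}")
    return low, high

def parse_protocols(spec):
    """Return ['tcp'], ['udp'] or both for the table's Protocol column."""
    protos = [p.strip().lower() for p in spec.split(" and ")]
    if any(p not in ("tcp", "udp") for p in protos):
        raise ValueError(f"bad protocol: {spec!r}")
    return protos

def build_rules(rows, cluster_cidr):
    """Emit iptables ACCEPT rules; internal rows are limited to cluster_cidr."""
    cidr = str(ipaddress.ip_network(cluster_cidr))  # rejects a malformed CIDR
    rules = []
    for port_spec, proto_spec, access in rows:
        if access not in ("internal", "external"):
            raise ValueError(f"bad access type: {access!r}")
        low, high = parse_ports(port_spec)
        dport = str(low) if low == high else f"{low}:{high}"
        source = "" if access == "external" else f" -s {cidr}"
        for proto in parse_protocols(proto_spec):
            rules.append(
                f"iptables -A INPUT -p {proto}{source} --dport {dport} -j ACCEPT"
            )
    return rules

if __name__ == "__main__":
    # 10.10.0.0/24 is a constructed example subnet for the cluster nodes.
    print("\n".join(build_rules(ROWS, "10.10.0.0/24")))
```

Review the generated rules before applying them, and include only the rows whose `config.yaml` settings (for example `ipsec.enabled` or `management_services.storage-glusterfs`) are actually enabled in your cluster.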