Firewall requirements for Cloud Pak System patterns
Configure your firewall to meet the requirements for patterns.
There are two reasons you might care about the firewall requirements for your virtual machines: you might be configuring the firewall on the virtual machine itself, or you might be configuring the firewall in your data center network.
If you are creating images or designing patterns to be used across the Cloud Pak System offerings, be aware of the differences in the network environment between those offerings.
Cloud Pak System defines a minimum of two network interfaces for each virtual machine. The first interface is used for virtual machine management. The second is used for application traffic, and you can create more add-on interfaces for other purposes. Virtual machines that are deployed to Cloud Pak System might be single cloud, in which case the management interface is attached to an IPv6 VLAN internal to the system, or multi cloud, in which case the management interface is attached to an IPv4 VLAN of your choice that might be external to the system. For information about configuring single-cloud and multi-cloud environments, see Adding IP groups and Adding cloud groups.
IBM® Cloud Pak System Software minimally defines a single network interface for each virtual machine, which is used both for virtual machine management and for application traffic. You may create additional add-on interfaces for other purposes.
The following sections distinguish between management and data traffic, but depending on the environment where you deploy your images and patterns the management and data traffic might be on the same network interface.
Management network traffic
If you choose to manually customize the firewall on your virtual machines, enable the following network traffic on them. Additionally, if you are deploying by using Cloud Pak System Software or by using multi-cloud deployment on Cloud Pak System, enable the following traffic in your data center network.
The following network traffic is required for basic virtual machine (VM) management for all deployments.
The system management IP addresses are, in the case of single cloud deployments on Cloud Pak System, a set of IPv6 addresses internal to the system, which vary from cloud group to cloud group. In the case of Cloud Pak System Software and multi-cloud Cloud Pak System deployments, they are the set of IPv4 management addresses configured on the page for Cloud Pak System or the page for Cloud Pak System Software. The virtual machine address here refers to the address assigned to the virtual machine's management interface (eth0 or en0).

Protocol | Source IP address | Source port | Destination IP address | Destination port | Use |
---|---|---|---|---|---|
ICMP | Each virtual machine | N/A | All other virtual machines | N/A | Path MTU discovery and route management |
ICMP | System management IP addresses | N/A | Virtual machine | N/A | Path MTU discovery, route management, and liveness pings from system to the VM |
ICMP | Virtual machine | N/A | System management IP addresses | N/A | Path MTU discovery, route management, and availability pings from VM to system |
TCP | System management IP addresses | Any | Virtual machine | 22 | System management of the VM for purposes such as script execution or shutdown |
TCP | Virtual machine | Any | System management IP addresses | 123 | VM obtains NTP updates from system |
UDP | Virtual machine | Any | System management IP addresses | 123 | VM obtains NTP updates from system |
UDP | System management IP addresses | Any | Virtual machine | 161 | System monitors VM |
TCP | Virtual machine | Any | System management IP addresses | 162 | VM sends SNMP traps to system |
TCP | Virtual machine | Any | System management IP addresses | 8383 | VM downloads installation and configuration files from system |
TCP | Virtual machine | Any | System management IP addresses | 8585 | VM downloads installation and configuration files from system |
TCP | Virtual machine | Any | System management IP addresses | 9443 | VM makes API calls to system |
TCP | Virtual machine | Any | System management IP addresses | 9444 | VM downloads configuration files from system and maintains persistent deployment state information |
TCP | Each virtual machine | Any | All other virtual machines | 9999 | VMs perform Maestro operation requests from one VM to another |
TCP | System management IP addresses | Any | Virtual machine | 9999 | System execution of Maestro operations on the VM |
UDP | Each virtual machine | Any | All other virtual machines | 10000 | VMs maintain state information for deployment and perform liveness checking |
TCP | Each virtual machine | Any | All other virtual machines | 20000 | VMs maintain state information for deployment and perform liveness checking |
TCP | System management IP addresses | Any | Virtual machine | 445 | System management of the VM, for purposes such as script execution. This port is required only for Windows virtual machines. |
TCP | Virtual machine | Any | System management IP addresses | 443 | VM downloads configuration files and scripts from system and maintains persistent deployment state information. This port is required only for Windows virtual machines. |
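One way to turn the management-traffic table above into an enforceable stateful policy on a Linux virtual machine's management interface. This is an added example, not IBM's code; it assumes the system management addresses can be expressed as a single CIDR (IPv6 for single cloud, IPv4 for multi cloud or Cloud Pak System Software), allows the VM-to-VM rows from any peer, and omits the two Windows-only rows.

```shell
#!/bin/sh
# Added example, not IBM code: print iptables/ip6tables commands that enforce
# the management-traffic table on a Linux VM's management interface.
# Assumptions (not from the page): the system management addresses are given
# as a single CIDR, and inbound VM-to-VM ports are allowed from any peer.
# The two Windows-only rows (tcp/445 in, tcp/443 out) are not emitted.
# Usage: cps_mgmt_rules <iface> <sysmgmt-cidr>   e.g. cps_mgmt_rules eth0 10.0.0.0/24
cps_mgmt_rules() {
    iface="$1"; sysmgmt="$2"
    case "$sysmgmt" in
        *:*) fw=ip6tables; icmp=icmpv6 ;;  # single cloud: IPv6 VLAN internal to the system
        *)   fw=iptables;  icmp=icmp ;;    # multi cloud / Software: IPv4 management VLAN
    esac
    echo "$fw -N CPS_MGMT_IN"
    echo "$fw -N CPS_MGMT_OUT"
    # Replies for connections already accepted in either direction
    echo "$fw -A CPS_MGMT_IN -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"
    echo "$fw -A CPS_MGMT_OUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"
    # ICMP rows: path MTU discovery, route management, liveness/availability pings
    echo "$fw -A CPS_MGMT_IN -p $icmp -j ACCEPT"
    echo "$fw -A CPS_MGMT_OUT -p $icmp -j ACCEPT"
    # Inbound from the system management addresses only: ssh, SNMP polling, Maestro
    for p in tcp/22 udp/161 tcp/9999; do
        echo "$fw -A CPS_MGMT_IN -s $sysmgmt -p ${p%/*} --dport ${p#*/} -j ACCEPT"
    done
    # Outbound to the system: NTP, SNMP traps, file downloads, API calls, deployment state
    for p in tcp/123 udp/123 tcp/162 tcp/8383 tcp/8585 tcp/9443 tcp/9444; do
        echo "$fw -A CPS_MGMT_OUT -d $sysmgmt -p ${p%/*} --dport ${p#*/} -j ACCEPT"
    done
    # VM-to-VM rows: Maestro requests, deployment state and liveness checking
    for p in tcp/9999 udp/10000 tcp/20000; do
        echo "$fw -A CPS_MGMT_IN -p ${p%/*} --dport ${p#*/} -j ACCEPT"
        echo "$fw -A CPS_MGMT_OUT -p ${p%/*} --dport ${p#*/} -j ACCEPT"
    done
    # Attach the chains to the management interface and drop everything else on it
    echo "$fw -A INPUT -i $iface -j CPS_MGMT_IN"
    echo "$fw -A OUTPUT -o $iface -j CPS_MGMT_OUT"
    echo "$fw -A INPUT -i $iface -j DROP"
    echo "$fw -A OUTPUT -o $iface -j DROP"
}
# Stand-alone use: print the rule set for the interface and CIDR given on the command line
[ "$#" -ge 2 ] && cps_mgmt_rules "$@"
```

Review the printed commands before piping them into a shell, and keep the data-network rules for eth1 separate from this management chain.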
If you configured the logbackup plug-in to back up the logs for your deployments, enable the following network traffic.

Protocol | Source IP address | Source port | Destination IP address | Destination port | Use |
---|---|---|---|---|---|
TCP | Virtual machine | Any | Backup server | 22 | VMs send log data to backup server |
TCP | Virtual machine | Any | Backup server | 657 | Required for resource monitoring |
UDP | Virtual machine | Any | Backup server | 657 | Required for resource monitoring |

Protocol | Source IP address | Source port | Destination IP address | Destination port |
---|---|---|---|---|
TCP | System management IP addresses | Any | PSM address | 443 |
TCP | Virtual machine | Any | Monitoring virtual machines | 443 |
TCP | System management IP addresses | Any | Monitoring virtual machines | 1920 |
TCP | System management IP addresses | Any | Monitoring virtual machines | 3661 |
TCP | Virtual machine | Any | Monitoring virtual machines | 10001 |
TCP | Virtual machine | Any | Monitoring virtual machines | 11080-11081 |
TCP | Virtual machine | Any | Monitoring virtual machines | 11086-11087 |
TCP | Virtual machine | Any | Monitoring virtual machines | 15200-15211 |

Protocol | Source IP address | Source port | Destination IP address | Destination port |
---|---|---|---|---|
TCP | DB2® virtual machine | Any | Monitoring virtual machines | 55000, 55001 |
Data network traffic
The traffic to be permitted on your non-management interfaces is highly dependent on the applications and middleware that you deploy. The following documentation is a representative sample of the traffic you need to permit, but you should investigate the specific requirements for your applications and middleware.
This traffic must be permitted both on the virtual machines themselves (if you choose to customize your virtual machine firewall configuration) and also in your data center network.

Protocol | Source IP address | Source port | Destination IP address | Destination port |
---|---|---|---|---|
TCP | Virtual machine | Any | DNS servers | 53 |
UDP | Virtual machine | Any | DNS servers | 53 |

Protocol | Source IP address | Source port | Destination IP address | Destination port |
---|---|---|---|---|
TCP | Client | Any | Virtual machine | 8887, 8888 |

Protocol | Source IP address | Source port | Destination IP address | Destination port |
---|---|---|---|---|
TCP | Client | Any | WebSphere Application Server virtual machine | 9080, 9443 |
If your application uses a Db2 database, permit the following network traffic for ports used by the Db2 HADR pattern.
Unlike some ports that are customizable, Reliable Scalable Cluster Technology (RSCT) ports are constant for all deployment instances and cannot be changed or customized. RSCT makes use of all network interfaces that are available on the virtual machine for high availability management. For example, when both eth0 and eth1 are used on Cloud Pak System virtual machines, the firewall ports must be open for all network interfaces whether they are data, management, IPv4 or IPv6.
For more information about RSCT ports, see RSCT port usage.

Protocol | Source IP address | Source port | Destination IP address | Destination port |
---|---|---|---|---|
TCP | Application virtual machine | Any | Db2 provisioned virtual machine | 22, 657, 55000 |
UDP | Application virtual machine | Any | Db2 provisioned virtual machine | 12347, 12348 |
UDP | Application virtual machine | Any | Db2 provisioned virtual machine | 657 |
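Because RSCT ports cannot be customized and must be open on every interface of the VM, an interface-pinned rule is an easy misconfiguration to miss. The following audit, an added example rather than IBM's code, reads an `iptables-save` dump and reports each RSCT port from the table above (tcp/657, udp/657, udp/12347, udp/12348) as missing, accepted only on one interface, or OK; the sample dump is constructed and the check assumes simple per-port rules without multiport or ipset matches.

```shell
#!/bin/sh
# Added example, not IBM code: audit an iptables-save dump for the RSCT ports
# listed in the HADR table (tcp/657, udp/657, udp/12347, udp/12348). Because
# RSCT uses every interface on the VM, a rule that accepts one of these ports
# only with an "-i <iface>" match is reported as a problem, as is a missing port.
# Assumes simple per-port rules (no multiport/ipset matches); sample dump is constructed.
SAMPLE_DUMP='*filter
:INPUT DROP [0:0]
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -i eth0 -p tcp -m tcp --dport 657 -j ACCEPT
-A INPUT -p udp -m udp --dport 657 -j ACCEPT
-A INPUT -p udp -m udp --dport 12347 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 6570 -j ACCEPT
COMMIT'

# Reads the dump on stdin, prints one verdict line per port, returns 1 on any problem.
rsct_port_audit() {
    dump=$(cat); rc=0
    for p in tcp/657 udp/657 udp/12347 udp/12348; do
        proto=${p%/*}; port=${p#*/}
        # ACCEPT rules for exactly this protocol and port (6570 must not match 657)
        rules=$(printf '%s\n' "$dump" | grep -E -- "^-A INPUT .*-p $proto .*--dport $port .*-j ACCEPT" || true)
        # Of those, keep the ones not pinned to a single interface
        open=$(printf '%s\n' "$rules" | grep -v -- ' -i ' || true)
        if [ -z "$rules" ]; then
            echo "MISSING $p: no ACCEPT rule"; rc=1
        elif [ -z "$open" ]; then
            echo "IFACE-ONLY $p: accepted only with -i, RSCT needs every interface"; rc=1
        else
            echo "OK $p"
        fi
    done
    return $rc
}

# Stand-alone run against the constructed sample (flags tcp/657 and udp/12348)
printf '%s\n' "$SAMPLE_DUMP" | rsct_port_audit || echo "audit found problems"
```

On a real VM, feed it `iptables-save` output (and `ip6tables-save` where the management VLAN is IPv6) instead of the sample.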

Protocol | Source IP address | Source port | Destination IP address | Destination port |
---|---|---|---|---|
TCP | Application virtual machine | Any | Db2 virtual machine | 523, 50000 |

Protocol | Source IP address | Source port | Destination IP address | Destination port |
---|---|---|---|---|
TCP | Application virtual machine | Any | Db2 provisioned virtual machine | 56000, 56001, 60000, 60001, 60002, 60003 |

Protocol | Source IP address | Source port | Destination IP address | Destination port |
---|---|---|---|---|
TCP | Optim client | Any | Db2 virtual machine | 4553, 50010 |
TCP | Db2 virtual machine | Any | Optim client | 4554, 4555, 50010 |

Protocol | Source IP address | Source port | Destination IP address | Destination port |
---|---|---|---|---|
TCP | Monitoring virtual machine | Any | SMTP server | 25 |

Protocol | Source IP address | Source port | Destination IP address | Destination port |
---|---|---|---|---|
TCP | Client | Any | Virtual machine | Application ports |
TCP | Health Center | Any | Virtual machine | 1972, 35535 |
TCP | Debugger | Any | Virtual machine | 7777 |

Protocol | Source IP address | Source port | Destination IP address | Destination port |
---|---|---|---|---|
TCP | Health Center | Any | Virtual machine | 1972 |
TCP | Debugger | Any | Virtual machine | 7777 |
TCP | Client | Any | Virtual machine | 9080, 9443, 12100, Application ports |
TCP | Health Center | Any | Virtual machine | 35535 |