Firewall requirements for Cloud Pak System patterns

Configure your firewall to meet the requirements for patterns.

The firewall requirements for your virtual machines apply in two places: the firewall on the virtual machine itself, if you configure one, and the firewall in your data center network.

If you are creating images or designing patterns to be used across the Cloud Pak System offerings, be aware that the network environment differs between them.

Cloud Pak System defines a minimum of two network interfaces for each virtual machine. The first interface is used for virtual machine management. The second is used for application traffic, and you can create more add-on interfaces for other purposes. Virtual machines that are deployed to Cloud Pak System might be single cloud, in which case the management interface is attached to an IPv6 VLAN internal to the system, or multi cloud, in which case the management interface is attached to an IPv4 VLAN of your choice that might be external to the system. For information about configuring single-cloud and multi-cloud environments, see Adding IP groups and Adding cloud groups.

IBM® Cloud Pak System Software minimally defines a single network interface for each virtual machine, which is used both for virtual machine management and for application traffic. You can create additional add-on interfaces for other purposes.

The following sections distinguish between management and data traffic, but depending on the environment where you deploy your images and patterns, the management and data traffic might be on the same network interface.

Management network traffic

If you choose to manually customize the firewall on your virtual machines, enable the following network traffic on them. Additionally, if you are deploying by using Cloud Pak System Software or by using multi-cloud deployment on Cloud Pak System, enable the following traffic in your data center network.

Mandatory ports

The following network traffic is required for basic virtual machine (VM) management for all deployments.

The system management IP addresses are, in the case of single cloud deployments on Cloud Pak System, a set of IPv6 addresses internal to the system, which vary from cloud group to cloud group. In the case of Cloud Pak System Software and multi-cloud Cloud Pak System deployments, they are the set of IPv4 management addresses configured on the System > Network configuration page for Cloud Pak System or the System > System settings page for Cloud Pak System Software. The virtual machine address here refers to the address assigned to the virtual machine's management interface (eth0 or en0).

Table 1. Mandatory management traffic

| Protocol | Source IP address | Source port | Destination IP address | Destination port | Use |
|---|---|---|---|---|---|
| ICMP | Each virtual machine | N/A | All other virtual machines | N/A | Path MTU discovery and route management |
| ICMP | System management IP addresses | N/A | Virtual machine | N/A | Path MTU discovery, route management, and liveness pings from system to the VM |
| ICMP | Virtual machine | N/A | System management IP addresses | N/A | Path MTU discovery, route management, and availability pings from VM to system |
| TCP | System management IP addresses | Any | Virtual machine | 22 | System management of the VM for purposes such as script execution or shutdown |
| TCP | Virtual machine | Any | System management IP addresses | 123 | VM obtains NTP updates from system |
| UDP | Virtual machine | Any | System management IP addresses | 123 | VM obtains NTP updates from system |
| UDP | System management IP addresses | Any | Virtual machine | 161 | System monitors VM over SNMP |
| UDP | Virtual machine | Any | System management IP addresses | 162 | VM sends SNMP traps to system (SNMP traps use UDP) |
| TCP | Virtual machine | Any | System management IP addresses | 8383 | VM downloads installation and configuration files from system |
| TCP | Virtual machine | Any | System management IP addresses | 8585 | VM downloads installation and configuration files from system |
| TCP | Virtual machine | Any | System management IP addresses | 9443 | VM makes API calls to system |
| TCP | Virtual machine | Any | System management IP addresses | 9444 | VM downloads configuration files from system and maintains persistent deployment state information |
| TCP | Each virtual machine | Any | All other virtual machines | 9999 | VMs perform Maestro operation requests from one VM to another |
| TCP | System management IP addresses | Any | Virtual machine | 9999 | System execution of Maestro operations on the VM |
| UDP | Each virtual machine | Any | All other virtual machines | 10000 | VMs maintain state information for deployment and perform liveness checking |
| TCP | Each virtual machine | Any | All other virtual machines | 20000 | VMs maintain state information for deployment and perform liveness checking |
| TCP | System management IP addresses | Any | Virtual machine | 445 | System management of the VM, for purposes such as script execution. Required only for Windows virtual machines |
| TCP | Virtual machine | Any | System management IP addresses | 443 | VM downloads configuration files and scripts from system and maintains persistent deployment state information. Required only for Windows virtual machines |
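
Translating Table 1 into host firewall rules for a Linux virtual machine, as an added example that is not part of this page or of Cloud Pak System: the function below prints an iptables-restore or ip6tables-restore fragment for the management interface. The interface name, the sample addresses and the address family (6 for single-cloud Cloud Pak System, whose management VLAN is IPv6; 4 for Cloud Pak System Software and multi-cloud deployments) are inputs you supply. The conntrack rules and the ICMPv6 neighbour discovery rules are not rows of Table 1; they are what a Linux host needs for the table's one-directional flows to work at all. The Windows-only rows (445 and 443) are omitted because Windows VMs do not use iptables.

```shell
#!/bin/sh
# Hypothetical generator for the Table 1 rules on a Linux VM's management
# interface (added example; not Cloud Pak System code). Prints an
# iptables-restore / ip6tables-restore fragment for the *filter table.
#
#   gen_mgmt_rules IFACE FAMILY "MGMT_ADDRS" "PEER_ADDRS"
#     IFACE       management interface, e.g. eth0
#     FAMILY      6 for single-cloud Cloud Pak System (IPv6 internal VLAN),
#                 4 for Cloud Pak System Software and multi-cloud deployments
#     MGMT_ADDRS  space-separated system management addresses or prefixes
#     PEER_ADDRS  space-separated management addresses of the other VMs in
#                 the same deployment
gen_mgmt_rules() {
    iface=$1
    family=$2
    mgmt=$3
    peers=$4
    if [ "$family" = 6 ]; then icmp=icmpv6; else icmp=icmp; fi

    echo '*filter'
    # Table 1 lists each flow in its initiating direction only; conntrack
    # lets the replies through without a mirror rule for every row.
    echo "-A INPUT -i $iface -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"
    echo "-A OUTPUT -o $iface -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"
    if [ "$family" = 6 ]; then
        # Not in Table 1: neighbour discovery (RS/RA/NS/NA/redirect) comes from
        # link-local addresses and must survive the final DROP, otherwise the
        # interface cannot resolve any neighbour.
        for t in 133 134 135 136 137; do
            echo "-A INPUT -i $iface -p icmpv6 --icmpv6-type $t -j ACCEPT"
            echo "-A OUTPUT -o $iface -p icmpv6 --icmpv6-type $t -j ACCEPT"
        done
    fi
    for m in $mgmt; do
        # ICMP both ways: PMTU discovery, route management, liveness pings
        echo "-A INPUT -i $iface -p $icmp -s $m -j ACCEPT"
        echo "-A OUTPUT -o $iface -p $icmp -d $m -j ACCEPT"
        # system -> VM: SSH management, SNMP polling, Maestro operations
        echo "-A INPUT -i $iface -p tcp -s $m --dport 22 -j ACCEPT"
        echo "-A INPUT -i $iface -p udp -s $m --dport 161 -j ACCEPT"
        echo "-A INPUT -i $iface -p tcp -s $m --dport 9999 -j ACCEPT"
        # VM -> system: NTP, SNMP traps, file downloads, API, deployment state
        echo "-A OUTPUT -o $iface -p tcp -d $m --dport 123 -j ACCEPT"
        echo "-A OUTPUT -o $iface -p udp -d $m --dport 123 -j ACCEPT"
        echo "-A OUTPUT -o $iface -p udp -d $m --dport 162 -j ACCEPT"
        for p in 8383 8585 9443 9444; do
            echo "-A OUTPUT -o $iface -p tcp -d $m --dport $p -j ACCEPT"
        done
    done
    for v in $peers; do
        # VM <-> VM: ICMP, Maestro requests, deployment state and liveness
        echo "-A INPUT -i $iface -p $icmp -s $v -j ACCEPT"
        echo "-A OUTPUT -o $iface -p $icmp -d $v -j ACCEPT"
        for spec in tcp:9999 udp:10000 tcp:20000; do
            proto=${spec%%:*}
            port=${spec##*:}
            echo "-A INPUT -i $iface -p $proto -s $v --dport $port -j ACCEPT"
            echo "-A OUTPUT -o $iface -p $proto -d $v --dport $port -j ACCEPT"
        done
    done
    # Deny the rest on this interface only; the data interface is governed by
    # the "Data network traffic" rules, not by Table 1.
    echo "-A INPUT -i $iface -j DROP"
    echo "-A OUTPUT -o $iface -j DROP"
    echo 'COMMIT'
}

# Constructed sample addresses (not real Cloud Pak System values). On a
# single-cloud VM the output would be applied with: ... | ip6tables-restore --noflush
gen_mgmt_rules eth0 6 "fd00:1::10 fd00:1::11" "fd00:1::20 fd00:1::21"
```

Pipe the output into ip6tables-restore --noflush (IPv6 management VLAN) or iptables-restore --noflush (IPv4); --noflush appends to the existing chains instead of replacing them, so inspect the result with iptables-save before relying on it. Because the final DROP rules carry -i/-o for the management interface, a mistake here cuts off management traffic only, but try it on a disposable deployment first: the system management addresses differ per cloud group, and a list that is wrong for the cloud group the VM lands in blocks the system's own liveness pings and SSH.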

Logging

If you configured the logbackup plug-in to back up the logs for your deployments, enable the following network traffic.

Table 2. Logging traffic

| Protocol | Source IP address | Source port | Destination IP address | Destination port | Use |
|---|---|---|---|---|---|
| TCP | Virtual machine | Any | Backup server | 22 | VMs send log data to backup server |
| TCP | Virtual machine | Any | Backup server | 657 | Required for resource monitoring |
| UDP | Virtual machine | Any | Backup server | 657 | Required for resource monitoring |

Monitoring

If you are using the System Monitoring shared services, additionally enable the following traffic on the management interfaces of the respective virtual machines so that your deployments can communicate with the System Monitoring shared services.

Note: If you hardcoded the specific monitoring shared service IP addresses in your firewall configuration (instead of using broader criteria such as an IP subnet), you must reconfigure the firewall if you redeploy the System Monitoring shared service, because redeployment can assign it different addresses.

Table 3. System Monitoring shared service traffic

| Protocol | Source IP address | Source port | Destination IP address | Destination port |
|---|---|---|---|---|
| TCP | System management IP addresses | Any | PSM address | 443 |
| TCP | Virtual machine | Any | Monitoring virtual machines | 443 |
| TCP | System management IP addresses | Any | Monitoring virtual machines | 1920 |
| TCP | System management IP addresses | Any | Monitoring virtual machines | 3661 |
| TCP | Virtual machine | Any | Monitoring virtual machines | 10001 |
| TCP | Virtual machine | Any | Monitoring virtual machines | 11080-11081 |
| TCP | Virtual machine | Any | Monitoring virtual machines | 11086-11087 |
| TCP | Virtual machine | Any | Monitoring virtual machines | 15200-15211 |

Database performance monitoring

Enable the following network traffic if you are using the Database Performance Monitoring shared service.

Table 4. Database Performance Monitoring shared service traffic

| Protocol | Source IP address | Source port | Destination IP address | Destination port |
|---|---|---|---|---|
| TCP | Db2® virtual machine | Any | Monitoring virtual machines | 55000, 55001 |

Data network traffic

The traffic to be permitted on your non-management interfaces depends heavily on the applications and middleware that you deploy. The following sections are a representative sample of the traffic you need to permit; investigate the specific requirements of your applications and middleware.

This traffic must be permitted both on the virtual machines themselves (if you choose to customize your virtual machine firewall configuration) and also in your data center network.

Domain Name Services (DNS)

Enable the following traffic on the data interface to allow for domain name resolution on your instance:

Table 5. DNS traffic

| Protocol | Source IP address | Source port | Destination IP address | Destination port |
|---|---|---|---|---|
| TCP | Virtual machine | Any | DNS servers | 53 |
| UDP | Virtual machine | Any | DNS servers | 53 |

Instance management

Enable the following traffic on the data interface if you are using the instance management UI to manage your instance:

Table 6. Instance management UI traffic

| Protocol | Source IP address | Source port | Destination IP address | Destination port |
|---|---|---|---|---|
| TCP | Client | Any | Virtual machine | 8887, 8888 |

WebSphere® Application Server

Permit the following network traffic on your data interface if you deployed the IBM WebSphere Application Server:

Table 7. WebSphere Application Server traffic

| Protocol | Source IP address | Source port | Destination IP address | Destination port |
|---|---|---|---|---|
| TCP | Client | Any | WebSphere Application Server virtual machine | 9080, 9443 |

Db2®

If your application uses a Db2 database, permit the following network traffic for ports used by the Db2 HADR pattern.

Unlike some ports that are customizable, Reliable Scalable Cluster Technology (RSCT) ports are constant for all deployment instances and cannot be changed or customized. RSCT uses all network interfaces that are available on the virtual machine for high availability management. For example, when both eth0 and eth1 are used on Cloud Pak System virtual machines, the RSCT ports must be open on both interfaces, whether they carry data or management traffic and whether they are IPv4 or IPv6.

For more information about RSCT ports, see RSCT port usage.

Table 8.

| Protocol | Source IP address | Source port | Destination IP address | Destination port |
|---|---|---|---|---|
| TCP | Application virtual machine | Any | Db2 provisioned virtual machine | 22, 657, 55000 |
| UDP | Application virtual machine | Any | Db2 provisioned virtual machine | 12347, 12348 |
| UDP | Application virtual machine | Any | Db2 provisioned virtual machine | 657 |

Table 9.

| Protocol | Source IP address | Source port | Destination IP address | Destination port |
|---|---|---|---|---|
| TCP | Application virtual machine | Any | Db2 virtual machine | 523, 50000 |

Table 10.

| Protocol | Source IP address | Source port | Destination IP address | Destination port |
|---|---|---|---|---|
| TCP | Application virtual machine | Any | Db2 provisioned virtual machine | 56000, 56001, 60000, 60001, 60002, 60003 |
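
A check for the RSCT caveat above, as an added example that is not from this page or from IBM: it reads iptables-save output and reports any RSCT port (TCP 657, UDP 657, UDP 12347, UDP 12348, from Table 8) that is accepted only on a particular interface, or not at all, since RSCT must be reachable on every interface while the Db2 data ports may stay restricted to the data interface. The sample ruleset is constructed for illustration and deliberately contains one wrongly scoped and one missing RSCT rule. The script recognises only single --dport rules; rules written with -m multiport are not parsed (a limitation of this script, not a property of RSCT).

```shell
#!/bin/sh
# Hypothetical check for the RSCT caveat (added example; not IBM code):
# read iptables-save output on stdin and report any RSCT port that is
# accepted only with an "-i <interface>" restriction, or not at all.
# RSCT ports checked: TCP 657, UDP 657, UDP 12347, UDP 12348 (Table 8).
# Only single "--dport N" rules are recognised; "-m multiport" is not.
# Returns 0 when every RSCT port is accepted on all interfaces, else 1.
check_rsct_rules() {
    awk '
    BEGIN {
        want["tcp:657"] = 1; want["udp:657"] = 1
        want["udp:12347"] = 1; want["udp:12348"] = 1
    }
    /^-A INPUT / && /-j ACCEPT/ {
        proto = ""; port = ""; iface = ""
        for (i = 1; i <= NF; i++) {
            if ($i == "-p") proto = $(i + 1)
            if ($i == "--dport") port = $(i + 1)
            if ($i == "-i") iface = $(i + 1)
        }
        key = proto ":" port
        if (key in want) {
            if (iface == "") ok[key] = 1          # no -i: applies to every interface
            else scoped[key] = scoped[key] " " iface
        }
    }
    END {
        bad = 0
        for (k in want) {
            if (k in ok) continue
            if (k in scoped) printf "%s accepted only on%s\n", k, scoped[k]
            else printf "%s not accepted\n", k
            bad = 1
        }
        exit bad
    }'
}

# Constructed sample (not from a real system): the Db2 listener on 50000 is
# correctly limited to the data interface eth1, but TCP 657 is wrongly limited
# to eth1 as well and UDP 12348 is missing, so the check reports those two
# ports and returns 1.
SAMPLE_RULES='*filter
:INPUT DROP [0:0]
-A INPUT -i eth1 -p tcp -s 10.1.0.0/24 --dport 50000 -j ACCEPT
-A INPUT -i eth1 -p tcp -s 10.1.0.0/24 --dport 657 -j ACCEPT
-A INPUT -p udp --dport 657 -j ACCEPT
-A INPUT -p udp --dport 12347 -j ACCEPT
COMMIT'

printf '%s\n' "$SAMPLE_RULES" | check_rsct_rules || echo "RSCT rules need fixing"
# On a live Db2 VM: iptables-save | check_rsct_rules   (and ip6tables-save for IPv6)
```

Run it against both iptables-save and ip6tables-save on the Db2 virtual machine, since the caveat applies to IPv4 and IPv6 alike; a rule that accepts an RSCT port only with -s for the application VMs is still reported as fine, because source scoping is legitimate, only interface scoping breaks RSCT.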

Enable the following network traffic if you are using an Optim client for debugging:

Table 11. Optim client traffic

| Protocol | Source IP address | Source port | Destination IP address | Destination port |
|---|---|---|---|---|
| TCP | Optim client | Any | Db2 virtual machine | 4553, 50010 |
| TCP | Db2 virtual machine | Any | Optim client | 4554, 4555, 50010 |

Database Performance Monitoring

If you deployed the Database Performance Monitoring shared service and enabled email alert notifications, permit the following network traffic on its data interface:

Table 12. Email alert traffic

| Protocol | Source IP address | Source port | Destination IP address | Destination port |
|---|---|---|---|---|
| TCP | Monitoring virtual machine | Any | SMTP server | 25 |

Application Pattern Type for Java™

If you are deploying an Application Pattern Type for Java pattern, permit the following traffic for the data network:

Table 13. Application Pattern Type for Java traffic

| Protocol | Source IP address | Source port | Destination IP address | Destination port |
|---|---|---|---|---|
| TCP | Client | Any | Virtual machine | Application ports |
| TCP | Health Center | Any | Virtual machine | 1972, 35535 |
| TCP | Debugger | Any | Virtual machine | 7777 |

Web Application Pattern Type

If you are deploying a Web Application Pattern, permit the following traffic for the data network:

Table 14. Web Application Pattern traffic

| Protocol | Source IP address | Source port | Destination IP address | Destination port |
|---|---|---|---|---|
| TCP | Client | Any | Virtual machine | 9080, 9443, 12100, Application ports |
| TCP | Health Center | Any | Virtual machine | 1972, 35535 |
| TCP | Debugger | Any | Virtual machine | 7777 |