Firewall requirements for multisystem domains and subdomains

Configure your firewall to meet the requirements for multisystem environments.

If you are creating a multisystem domain among two or more Cloud Pak System or Cloud Pak System Software instances, enable the following connections between the system management IP addresses on each system. The communication is bidirectional between all systems in the domain, which allows the systems to communicate to manage the domain:
Table 1.
Protocol Source and destination IP address Source port Destination port
ICMP System management IP addresses on each system N/A N/A
TCP System management IP addresses on each system Any 443
If you are creating a multisystem subdomain between two systems, you additionally need to enable the following bidirectional connections between the two systems' management IP addresses. These connections are used to manage the shared file system that is mirrored between the systems to record the state of externally managed deployments:
Table 2.
Protocol Source and destination IP address Source port Destination port
TCP System management IP addresses on either system Any 22
TCP System management IP addresses on either system Any 1191
TCP System management IP addresses on either system Any 49300–49320
If you are creating a multisystem subdomain, you also need to enable the following connections between your systems and the iSCSI target device that is being used as your subdomain's tiebreaker. These connections are used to establish quorum for the subdomain in case the two systems cannot communicate with each other.
Table 3.
Protocol Source IP address Source port Destination IP address Destination port
ICMP System management IP addresses on both systems N/A iSCSI target N/A
TCP System management IP addresses on both systems Any iSCSI target 860, 3260

For your multisystem subdomain you should also carefully consider the firewall requirements for your deployments. For more information, see Firewall requirements for Cloud Pak System patterns.