Firewall requirements for IBM Fusion HCI System

IBM Fusion HCI System requires outbound access to external sites for accessing image registries and sending telemetry data to IBM and Red Hat®. This outbound access can be optionally routed through a proxy server. Configure your data center's firewall rules or proxy access control list (ACL) to meet the requirements for IBM Fusion HCI System.

Outbound access for Red Hat OpenShift and IBM Fusion HCI System image registries

The following lists outbound access for Red Hat OpenShift® and IBM Fusion HCI System image registries.
| URL | Port | Function |
| --- | --- | --- |
| icr.io | 443 | IBM Entitled Registry and IBM Cloud Paks foundational services catalog source |
| cp.icr.io | 443 | IBM Entitled Registry and IBM Cloud Paks foundational services catalog source |
| gcr.io | 443 | Images from Google Cloud's Container Registry |
| registry.redhat.io | 443 | Provides core container images |
| *.quay.io | 443 | Provides core container images. Note: If a wildcard is not allowed, add cdn01.quay.io, cdn02.quay.io, and cdn03.quay.io. |
| *.openshiftapps.com | 443 | Provides Red Hat Enterprise Linux CoreOS (RHCOS) images. Note: If your firewall does not accept a wildcard, use the complete URL. |
| cert-api.access.redhat.com | 443 | Required for Telemetry |
| access.redhat.com | 443 | Required for Telemetry |
| api.access.redhat.com | 443 | Required for Telemetry |
| infogw.api.openshift.com | 443 | Required for Telemetry |
| console.redhat.com/api/ingress | 443 | Required for Telemetry and for insights-operator |
| cloud.redhat.com/api/ingress | 443 | Required for Telemetry and for insights-operator |
| mirror.openshift.com | 443 | Required to access mirrored installation content and images. This site is also a source of release image signatures, although the Cluster Version Operator needs only a single functioning source. |
| storage.googleapis.com/openshift-release | 443 | A source of release image signatures, although the Cluster Version Operator needs only a single functioning source. |
| .apps.<cluster_name>.<base_domain> | 443 | Required to access the default cluster routes unless you set an ingress wildcard during installation. |
| quayio-production-s3.s3.amazonaws.com | 443 | Required to access Quay image content in AWS. |
| api.openshift.com | 443 | Required both for your cluster token and to check whether updates are available for the cluster. |
| art-rhcos-ci.s3.amazonaws.com | 443 | Required to download Red Hat Enterprise Linux CoreOS (RHCOS) images. |
| console.redhat.com/openshift | 443 | Required for your cluster token. |
| cloud.redhat.com/openshift | 443 | Required for your cluster token. |
| registry.access.redhat.com | 443 | Required for the odo CLI. |
| sso.redhat.com | 443 | The https://console.redhat.com/openshift site uses authentication from sso.redhat.com. |

Note: You can use the wildcards *.quay.io and *.openshiftapps.com instead of cdn0[1-3].quay.io and rhcos-redirector.apps.art.xq1c.p1.openshiftapps.com in your allowlist.

The entries from row 4 to the end are taken from the Red Hat OpenShift documentation. For the current list from Red Hat OpenShift, see https://docs.openshift.com/container-platform/4.15/installing/install_config/configuring-firewall.html.

Note: If you are using a private image registry to mirror the Red Hat OpenShift and IBM Fusion HCI System images, then allow the host and port of your registry (<your registry host>:<your registry port>) instead.

Important: After you go online, do not remove the firewall settings or switch between online and offline; otherwise, your cluster might go down. An uninterrupted connection to the repository is needed for both online and offline installations.
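A pre-flight check for the allowlist above, added here as an example and not part of the IBM documentation: it expands the two wildcard entries into the concrete hosts the notes name, then tests whether TCP port 443 on each host is reachable either directly or through an optional HTTP CONNECT proxy (the proxy address is an assumption supplied by the caller). The host list is a subset of the table; extend it with the remaining rows as needed.

```python
"""Pre-flight outbound connectivity check for the Fusion HCI allowlist (example code)."""
import socket

# Subset of the port 443 endpoints from the firewall table above.
REQUIRED = [
    "icr.io", "cp.icr.io", "gcr.io", "registry.redhat.io", "*.quay.io",
    "*.openshiftapps.com", "api.openshift.com", "mirror.openshift.com",
]

# Concrete hosts named in the table notes for firewalls that reject wildcards.
WILDCARD_FALLBACK = {
    "*.quay.io": ["cdn01.quay.io", "cdn02.quay.io", "cdn03.quay.io"],
    "*.openshiftapps.com": ["rhcos-redirector.apps.art.xq1c.p1.openshiftapps.com"],
}


def expand_allowlist(entries):
    """Replace wildcard entries with the concrete hosts the documentation lists."""
    hosts = []
    for entry in entries:
        hosts.extend(WILDCARD_FALLBACK.get(entry, [entry]))
    return hosts


def tcp_reachable(host, port=443, proxy=None, timeout=5.0):
    """Return True if host:port accepts a TCP connection.

    With proxy=(proxy_host, proxy_port) (assumed caller-supplied), the check
    sends an HTTP CONNECT request and treats a 2xx status line as success.
    """
    try:
        if proxy is None:
            with socket.create_connection((host, port), timeout=timeout):
                return True
        with socket.create_connection(proxy, timeout=timeout) as sock:
            req = f"CONNECT {host}:{port} HTTP/1.1\r\nHost: {host}:{port}\r\n\r\n"
            sock.sendall(req.encode())
            status_line = sock.recv(256).decode(errors="replace").split("\r\n")[0]
            parts = status_line.split(" ")
            return len(parts) >= 2 and parts[0].startswith("HTTP/1.") and parts[1].startswith("2")
    except OSError:
        return False


def preflight(entries=REQUIRED, proxy=None):
    """Map every concrete host from the allowlist to its reachability on port 443."""
    return {host: tcp_reachable(host, 443, proxy) for host in expand_allowlist(entries)}


if __name__ == "__main__":
    for host, ok in preflight().items():
        print(f"{'OK  ' if ok else 'FAIL'} {host}:443")
```

A FAIL line for a host means the firewall rule or proxy ACL for that entry still needs attention before installation proceeds.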

Service node and remote support

For the service node, ensure that firewall port 22 is open for SSH access.

The remote support works seamlessly with most firewalls. Usually, remote support connections are possible without any firewall reconfiguration. It requires access to outbound ports at both ends of a connection, so there is normally no need to open holes in firewalls. Remote support also supports configuring a proxy for communication.

Call Home

  • Configure your data center's firewall rules for IBM Call Home. For more information about Call Home settings, see Call home server IP addresses for automated Service and Support requests.
  • Check for any change in the IP addresses; for more information about IP addresses, see IP addresses.
  • To configure the Call Home firewall, enter the following server details:
    DNS name is http://www.secure.ecurep.ibm.com
    Table 1. secure.esupport.ibm.com DNS name

    | IP address | Ports | Protocol | Additional detail |
    | --- | --- | --- | --- |
    | 192.109.81.21 | 443 | https | Upload bulk data that is associated with status and problem reporting. |

    Configure your data center's firewall rules or proxy access control list (ACL) to allow the manual and automated Service and Support request feature to communicate with the servers. For more information about the Call Home URLs, see Call home server IP addresses for automated Service and Support requests.

Metro-DR

The following table lists outbound access from an IBM Fusion HCI System cluster for Metro sync DR:

| IP address | TCP, UDP, or IP protocol | Additional detail |
| --- | --- | --- |
| <TieBreaker IP address> | TCP: 1191 and 12345 | Required for IBM Fusion HCI storage to talk to tiebreaker storage. |
| <Other site storage network> | TCP: 1191 and 12345 | Required for stretch cluster deployment across the sites. |
| <Other site Red Hat OpenShift network> | UDP: 4500 | Required for IPsec encapsulation traffic. |
| <Other site Red Hat OpenShift network> | ESP IP protocol: 50 | Required to provide security features. |

The following table lists outbound access from the tiebreaker VM for Metro sync DR:

| IP address | TCP | Additional detail |
| --- | --- | --- |
| <IBM Fusion storage network of both sites> | TCP: 1191 and 12345 | Required for tiebreaker storage to talk to IBM Fusion HCI System storage. |

For more information about firewall details, see General Metro-DR prerequisites.
Scale (GPFS) ephemeral ports

| Range | Protocol | Service name | Components involved in communication |
| --- | --- | --- | --- |
| User-selected range | TCP | GPFS ephemeral port range | Intra-cluster |

The ephemeral port range is automatically set to 60000-61000. Firewall ports must be opened according to the defined ephemeral port range. If commands such as mmlsmgr and mmcrfs hang, the ephemeral port range is not configured correctly.
As mentioned in this topic, pods use port 12345 for SSH. If a different source or destination is used, specify it accordingly.

For more information about Scale port number recommendation, see Scale documentation.