Firewall requirements for IBM Fusion HCI System
IBM Fusion HCI System requires outbound access to external sites for accessing image registries and sending telemetry data to IBM and Red Hat®. This outbound access can be optionally routed through a proxy server. Configure your data center's firewall rules or proxy access control list (ACL) to meet the requirements for IBM Fusion HCI System.
Outbound access for Red Hat OpenShift and IBM Fusion HCI System image registries
URL | Port | Function |
---|---|---|
icr.io | 443 | IBM Entitled Registry and IBM Cloud Paks foundational services catalog source |
cp.icr.io | 443 | IBM Entitled Registry and IBM Cloud Paks foundational services catalog source |
gcr.io | 443 | Images from Google Cloud's Container Registry |
registry.redhat.io | 443 | Provides core container images |
*.quay.io (Note: If wildcards are not allowed, add cdn01.quay.io, cdn02.quay.io and cdn03.quay.io) | 443 | Provides core container images |
*.openshiftapps.com (Note: If your firewall does not accept wildcards, use the complete URL) | 443 | Provides Red Hat Enterprise Linux CoreOS (RHCOS) images |
cert-api.access.redhat.com | 443 | Required for Telemetry |
access.redhat.com | 443 | Required for Telemetry |
api.access.redhat.com | 443 | Required for Telemetry |
infogw.api.openshift.com | 443 | Required for Telemetry |
console.redhat.com/api/ingress | 443 | Required for Telemetry and for insights-operator |
cloud.redhat.com/api/ingress | 443 | Required for Telemetry and for insights-operator |
mirror.openshift.com | 443 | Required to access mirrored installation content and images. This site is also a source of release image signatures, although the Cluster Version Operator needs only a single functioning source. |
storage.googleapis.com/openshift-release | 443 | A source of release image signatures, although the Cluster Version Operator needs only a single functioning source. |
.apps.<cluster_name>.<base_domain> | 443 | Required to access the default cluster routes unless you set an ingress wildcard during installation. |
quayio-production-s3.s3.amazonaws.com | 443 | Required to access Quay image content in AWS. |
api.openshift.com | 443 | Required both for your cluster token and to check whether updates are available for the cluster. |
art-rhcos-ci.s3.amazonaws.com | 443 | Required to download Red Hat Enterprise Linux CoreOS (RHCOS) images. |
console.redhat.com/openshift | 443 | Required for your cluster token. |
cloud.redhat.com/openshift | 443 | Required for your cluster token. |
registry.access.redhat.com | 443 | Required for odo CLI. |
sso.redhat.com | 443 | The https://console.redhat.com/openshift site uses authentication from sso.redhat.com |
Note: Where your firewall accepts wildcards, use *.quay.io and *.openshiftapps.com instead of cdn0[1-3].quay.io and rhcos-redirector.apps.art.xq1c.p1.openshiftapps.com in your allowlist.
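An added example (a hypothetical helper, not IBM or Red Hat tooling) that turns the table above into a firewall or proxy allowlist: it expands the wildcard entries to their concrete hosts when the firewall rejects wildcards, renders the result as a Squid dstdomain ACL, and TCP-probes each concrete host on 443. The cluster name, base domain, and ACL name are assumed placeholders.

```python
"""Hypothetical allowlist builder for the table above (not IBM/Red Hat tooling).
Path-qualified entries (console.redhat.com/api/ingress) appear by host only."""
import socket

# Wildcards map to the concrete hosts to use when wildcards are not accepted.
OUTBOUND_HOSTS = {
    "icr.io": [], "cp.icr.io": [], "gcr.io": [], "registry.redhat.io": [],
    "*.quay.io": ["cdn01.quay.io", "cdn02.quay.io", "cdn03.quay.io"],
    "*.openshiftapps.com": ["rhcos-redirector.apps.art.xq1c.p1.openshiftapps.com"],
    "cert-api.access.redhat.com": [], "access.redhat.com": [],
    "api.access.redhat.com": [], "infogw.api.openshift.com": [],
    "console.redhat.com": [], "cloud.redhat.com": [], "mirror.openshift.com": [],
    "storage.googleapis.com": [], "quayio-production-s3.s3.amazonaws.com": [],
    "api.openshift.com": [], "art-rhcos-ci.s3.amazonaws.com": [],
    "registry.access.redhat.com": [], "sso.redhat.com": [],
    ".apps.<cluster_name>.<base_domain>": [],   # placeholders filled below
}

def build_allowlist(cluster_name, base_domain, wildcards_ok=True):
    """Return (host, 443) pairs; expand wildcards when the firewall rejects them."""
    entries = []
    for host, fallback in OUTBOUND_HOSTS.items():
        host = host.replace("<cluster_name>", cluster_name).replace("<base_domain>", base_domain)
        if host.startswith("*.") and not wildcards_ok:
            entries.extend((h, 443) for h in fallback)
        else:
            entries.append((host, 443))
    return entries

def squid_acl(entries, name="fusion_out"):
    """Render a Squid dstdomain ACL; '*.x' becomes '.x' (domain plus subdomains)."""
    lines = [f"acl {name} dstdomain {h[1:] if h.startswith('*.') else h}" for h, _ in entries]
    return "\n".join(lines + [f"http_access allow {name}"])

def probe(entries, timeout=3.0):
    """TCP-connect check per concrete host; wildcard and route patterns are skipped."""
    result = {}
    for host, port in entries:
        if host.startswith(("*.", ".")):
            continue
        try:
            with socket.create_connection((host, port), timeout=timeout):
                result[host] = True
        except OSError:
            result[host] = False
    return result

if __name__ == "__main__":   # constructed placeholder values
    print(squid_acl(build_allowlist("mycluster", "example.com", wildcards_ok=False)))
```

If the proxy is in the path, point `probe` at the proxy instead, since direct TCP checks from a node only prove the firewall path, not the proxy ACL.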
Service node and remote support
For the service node, ensure that firewall port 22 is open for SSH access.
Remote support works with most firewalls, and connections are usually possible without any firewall reconfiguration: it needs only outbound access at both ends of a connection, so there is normally no need to open holes in firewalls. Remote support also supports configuring a proxy for communication.
Call Home
- Configure your data center's firewall rules for IBM Call Home. For more information about Call Home settings, see Call home server IP addresses for automated Service and Support requests.
- Check whether any of the IP addresses have changed. For more information about the IP addresses, see IP addresses.
- To configure the Call Home firewall, enter the following server details: DNS name is http://www.secure.ecurep.ibm.com
Table 1. secure.esupport.ibm.com

DNS name | IP address | Ports | Protocol | Additional detail |
---|---|---|---|---|
secure.esupport.ibm.com | 192.109.81.21 | 443 | https | Upload bulk data that is associated with status and problem reporting. |
Configure your data center's firewall rules or proxy access control list (ACL) to allow the manual and automated Service and Support request feature to communicate with the servers. For more information about the Call Home URLs, see Call home server IP addresses for automated Service and Support requests.
Metro-DR
IP address | TCP or UDP or IP protocol | Additional detail |
---|---|---|
<TieBreaker IP address> | TCP: 1191 and 12345 | Required for IBM Fusion HCI storage to talk to tiebreaker storage |
<Other site storage network> | TCP: 1191 and 12345 | Required for stretch cluster deployment across the sites. |
<Other site Red Hat OpenShift network> | UDP: 4500 | Required for IPsec encapsulation traffic. |
<Other site Red Hat OpenShift network> | ESP IP protocol: 50 | Required to provide security features. |

IP address | TCP | Additional detail |
---|---|---|
<IBM Fusion storage network of both sites> | TCP: 1191 and 12345 | Required for tiebreaker storage to talk to IBM Fusion HCI System storage. |
- Scale (GPFS) ephemeral ports
The ephemeral port range is automatically set to 60000-61000. Firewall ports must be opened according to the defined ephemeral port range. If commands such as mmlsmgr and mmcrfs hang, it indicates that the ephemeral port range is not configured correctly.

Range | Protocol | Service name | Components involved in communication |
---|---|---|---|
User-selected range | TCP | GPFS ephemeral port range | Intra-cluster |
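An added example, not IBM's code, that turns the Metro-DR tables and the ephemeral port range above into nftables input rules for one site (the other site gets the mirror image), validating the networks and the port range before any rule is emitted. The site networks, tiebreaker address, and table and chain names are assumed placeholders.

```python
"""Hypothetical nftables rule generator for the Metro-DR and ephemeral-port tables
above (not IBM tooling). Networks and the tiebreaker address are placeholders."""
import ipaddress

GPFS_PORTS = (1191, 12345)        # storage traffic between sites and to the tiebreaker
EPHEMERAL_RANGE = (60000, 61000)  # GPFS command ephemeral ports, intra-cluster
IPSEC_UDP_PORT = 4500             # IPsec encapsulation traffic; ESP is IP protocol 50

def _net(cidr):
    """Reject host bits or junk early rather than loading a rule that never matches."""
    return str(ipaddress.ip_network(cidr, strict=True))

def metro_dr_rules(local_storage_net, other_storage_net, other_ocp_net,
                   tiebreaker_ip, ephemeral=EPHEMERAL_RANGE):
    """Input rules for one site; run again with the sites swapped for the other."""
    lo, hi = ephemeral
    if not (1024 <= lo < hi <= 65535):
        raise ValueError(f"bad ephemeral range {lo}-{hi}")
    ports = ", ".join(str(p) for p in GPFS_PORTS)
    tb = str(ipaddress.ip_address(tiebreaker_ip))
    return [
        f"ip saddr {tb} tcp dport {{ {ports} }} accept",
        f"ip saddr {_net(other_storage_net)} tcp dport {{ {ports} }} accept",
        f"ip saddr {_net(local_storage_net)} tcp dport {lo}-{hi} accept",
        f"ip saddr {_net(other_storage_net)} tcp dport {lo}-{hi} accept",
        f"ip saddr {_net(other_ocp_net)} udp dport {IPSEC_UDP_PORT} accept",
        f"ip saddr {_net(other_ocp_net)} ip protocol esp accept",
    ]

def render_nft(rules, table="fusion", chain="metro_dr"):
    """Wrap rules in a default-drop input chain; add the service node's SSH (22)
    and anything else the site needs before loading, or you lock yourself out."""
    body = "\n".join(f"    {r}" for r in rules)
    return (f"table inet {table} {{\n  chain {chain} {{\n"
            "    type filter hook input priority 0; policy drop;\n"
            "    iif lo accept\n    ct state established,related accept\n"
            f"{body}\n  }}\n}}")

if __name__ == "__main__":   # constructed placeholder networks
    print(render_nft(metro_dr_rules("10.10.0.0/24", "10.20.0.0/24",
                                    "192.168.20.0/24", "10.30.0.5")))
```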