Required ports
The following ports must be available to install and configure an IBM® Cloud Private cluster.
You open the ports before you start installing IBM Cloud Private, and the installer confirms that they are open.
Port access types
- Internal - port must be open to allow connections inside the cluster.
- External - port must be open to allow connections from outside the cluster.
If no access type is stated, the port is used only for internal communications.
Important: IBM Cloud Private supports an optional management node. If your cluster does not include a management node, the components that load on the management node load on the master node instead. You must open the Management ports on the master node.
Note: All cluster nodes refer to master, worker, proxy, management, etcd, and Vulnerability Advisor (VA) nodes. The boot node doesn't have port requirements.
- All cluster nodes to all cluster nodes
- All cluster nodes to master nodes
- All cluster nodes to management nodes
- All cluster nodes to proxy nodes
- All cluster nodes or etcd nodes to etcd nodes
- Master nodes to master nodes
- Master nodes or proxy node to management nodes
- Management nodes to all cluster nodes
- Management nodes to master nodes
- Management nodes to management nodes
- Management nodes to external
- Proxy nodes to management nodes
- External to proxy nodes
- GlusterFS nodes to all cluster nodes
- Required ports for IBM Multicloud Manager
- Required ports for IBM Edge Computing for Servers
All cluster nodes to all cluster nodes
Port | Protocol | Requirement |
---|---|---|
NA | IPv4 | Calico with IP-in-IP (calico_ipip_mode: Always, network_type: calico) Note: Enabled by default. |
179 | TCP | Always for Calico (network_type: calico) |
500 | TCP and UDP | IPsec (ipsec.enabled: true, calico_ipip_mode: Always, network_type: calico) |
4000 | TCP | Metering reader (management_services.metering: enabled) Note: For external metering through either proxy or internal self-metering. |
4500 | UDP | IPsec (ipsec.enabled: true) |
9091 | TCP | Calico (network_type: calico) |
9099 | TCP | Calico (network_type: calico) |
10248-10252 | TCP | Always for Kubernetes |
30000-32767 | TCP and UDP | Always for Kubernetes Note: External access. These ports must be opened only if you set Kubernetes Service type to NodePort. |
All cluster nodes to master nodes
Port | Protocol | Requirement |
---|---|---|
8001 | TCP | Always for the kube_apiserver_port Note: Default port. The kube_apiserver_port must be available on the master node only. |
8080 | TCP | Always for the management console Note: The management ingress insecure port equals the default value of router_http_port. Internal and external access. |
8443 | TCP | Always for the management console Note: The management ingress insecure port equals the default value of router_http_port. Internal and external access. |
8500 | TCP | Always for the Image manager Note: Internal and external access. |
8600 | TCP | Always for the Image manager Note: Internal and external access. |
27017 | TCP | MongoDB |
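The access types translate directly into host firewall scope: rows marked for external access can accept any source, while every other row only needs to be reachable from the cluster's own nodes. The script below is an added example, not part of the IBM documentation; it reads rows in this page's table format and prints firewalld commands, assuming the nodes use firewalld and that all cluster nodes sit in the hypothetical subnet `10.10.0.0/24`.

```shell
#!/bin/sh
# Added example (not IBM code): print firewalld commands for port-table rows.
# Rows noted as "external access" are opened to any source; all other rows are
# internal-only and are limited to the cluster subnet with a rich rule.

CLUSTER_CIDR="10.10.0.0/24"   # assumption: one subnet holds every cluster node

# Sample input: rows abridged from the "All cluster nodes to master nodes" table.
MASTER_ROWS='Port | Protocol | Requirement |
---|---|---|
8001 | TCP | Always for the kube_apiserver_port Note: Default port. |
8080 | TCP | Always for the management console Note: Internal and external access. |
8443 | TCP | Always for the management console Note: Internal and external access. |
8500 | TCP | Always for the Image manager Note: Internal and external access. |
8600 | TCP | Always for the Image manager Note: Internal and external access. |
27017 | TCP | MongoDB |'

# emit_rules ROWS: print one firewall-cmd line per port and protocol.
emit_rules() {
  printf '%s\n' "$1" | while IFS='|' read -r ports proto note; do
    proto=$(printf '%s' "$proto" | tr '[:upper:]' '[:lower:]')
    note=$(printf '%s' "$note" | tr '[:upper:]' '[:lower:]')
    # "6967, 11211" is two ports; "49152:49251" is a range (firewalld wants "-").
    for port in $(printf '%s' "$ports" | tr ',:' ' -'); do
      case $port in
        ''|-*|*[!0-9-]*) continue ;;   # header, separator and "NA" rows
      esac
      for p in tcp udp; do             # "TCP and UDP" rows yield two rules
        case $proto in *"$p"*) ;; *) continue ;; esac
        case $note in
          *"external access"*)
            echo "firewall-cmd --permanent --add-port=$port/$p" ;;
          *)
            echo "firewall-cmd --permanent --add-rich-rule='rule family=\"ipv4\" source address=\"$CLUSTER_CIDR\" port port=\"$port\" protocol=\"$p\" accept'" ;;
        esac
      done
    done
  done
}

emit_rules "$MASTER_ROWS"
```

The script only prints commands. Review the output, run it on the node type the table applies to, and activate the permanent rules with `firewall-cmd --reload`.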
All cluster nodes to management nodes
Port | Protocol | Requirement |
---|---|---|
3000 | TCP | Prometheus scrape (management_services.metering: enabled) Note: For Prometheus scraping of metering data from metering-dm. |
5044 | TCP | Logstash enabled (management_services.logging: enabled) |
25826 | UDP | Core services Collectd exporter (management_services.monitoring: enabled) |
31514 | TCP | Tiller NodePort Note: Internal and external access. The default 31514 port can be overridden in the config.yaml file before you install IBM Cloud Private. |
44134 | TCP | Tiller network policy Note: Internal and external access. |
44135 | TCP | Tiller network policy Note: Internal and external access. |
All cluster nodes to proxy nodes
Port | Protocol | Requirement |
---|---|---|
31380 | TCP | Istio (management_services.istio: enabled) Note: Internal and external access. |
31390 | TCP | Istio (management_services.istio: enabled) Note: Internal and external access. |
All cluster nodes or etcd nodes to etcd nodes
Port | Protocol | Requirement |
---|---|---|
2380 | TCP | Always if etcd is enabled Note: etcd nodes to etcd nodes. |
4001 | TCP | Always if etcd is enabled Note: All cluster nodes to etcd nodes. |
Master nodes to master nodes
Port | Protocol | Requirement |
---|---|---|
6969 | TCP | Always for platform-api |
9443 | TCP | WebSphere® Application Server Liberty Note: External access. |
31030 | TCP | Helm enabled (management_services.service-catalog: enabled) |
31031 | TCP | Helm enabled (management_services.service-catalog: enabled) |
20358 | TCP | Always for KMS plug-in health check port |
6967, 11211 | TCP | Always for system healthcheck service |
Master nodes or proxy node to management nodes
Port | Protocol | Requirement |
---|---|---|
3000 | TCP | Grafana (management_services.monitoring: enabled) |
5601 | TCP | Kibana (management_services.monitoring: enabled) |
9093 | TCP | Alert manager (management_services.monitoring: enabled) |
Management nodes to all cluster nodes
Port | Protocol | Requirement |
---|---|---|
8445 | TCP | Core services node exporter default port (management_services.monitoring: enabled) |
Management nodes to master nodes
Port | Protocol | Requirement |
---|---|---|
6969 | TCP | Always for platform-api |
Management nodes to management nodes
Port | Protocol | Requirement |
---|---|---|
80 | TCP | Core services kube-state-metrics explorer (management_services.monitoring: enabled) Note: Internal and external access. |
389 | TCP | LDAP enabled (ldap_enabled: true) Note: Internal and external access. |
636 | TCP | LDAPS enabled (ldap_enabled: true) Note: Internal and external access. |
3000 | TCP | Always for platform-ui |
4000 | TCP | Always for catalog-ui |
9093 | TCP | Core services alert manager (management_services.monitoring: enabled) |
9090 | TCP | Prometheus (management_services.monitoring: enabled) |
9103 | TCP | Core services Collectd exporter (management_services.monitoring: enabled) |
9108 | TCP | Core services Elasticsearch exporter (management_services.monitoring: enabled) |
9200 | TCP | Elasticsearch (management_services.logging: enabled) |
9300 | TCP | Elasticsearch (management_services.logging: enabled) |
Management nodes to external
Port | Protocol | Requirement |
---|---|---|
9004 | TCP | Required if you use Key Management Service with nCipher Hardware Security Module (HSM). The port is required for connection between the nCipher HSM middleware at the management node and the nCipher nShield Connect HSM device. |
Proxy nodes to management nodes
Port | Protocol | Requirement |
---|---|---|
3000 | TCP | Core services Grafana (management_services.monitoring: enabled) |
3130 | TCP | Metering user interface server (management_services.metering: enabled) |
5601 | TCP | Core services Kibana (management_services.logging: enabled) |
9093 | TCP | Core services alert manager (management_services.monitoring: enabled) |
9090 | TCP | Core services Prometheus (management_services.monitoring: enabled) |
9200 | TCP | Core services Elasticsearch (management_services.logging: enabled) |
9300 | TCP | Core services Elasticsearch (management_services.logging: enabled) |
External to proxy nodes
Port | Protocol | Requirement |
---|---|---|
80 | TCP | Always for the Ingress service Note: Default value of ingress_http_port. |
443 | TCP | Always for the Ingress service Note: Default value of ingress_http_port. Internal and external access. |
GlusterFS nodes to all cluster nodes
Port | Protocol | Requirement |
---|---|---|
2222 | TCP | GlusterFS (management_services.storage-glusterfs: enabled) |
24007 | TCP | GlusterFS (management_services.storage-glusterfs: enabled) |
24008 | TCP | GlusterFS (management_services.storage-glusterfs: enabled) |
49152:49251 | TCP | GlusterFS (management_services.storage-glusterfs: enabled) |
Required ports for IBM Multicloud Manager
See the IBM Multicloud Manager installation overview for IBM Multicloud Manager prepare and install topics.
Port | Requirement |
---|---|
8001 | default for managed cluster to communicate with Kubernetes API server port on the hub cluster |
8500 | default for managed cluster to communicate with IBM Cloud Private Docker registry on the hub cluster |
443 | default for hub cluster to communicate with Klusterlet service on IBM Cloud Private NGINX ingress |