Required ports

This topic lists the ports that must be available for installation and configuration of an IBM® Cloud Private cluster.

You open the ports before you start installing IBM Cloud Private, and the installer confirms that they are open.

Port access types

If no access type is stated, the port is used only for internal communications.

Important: IBM Cloud Private supports an optional management node. If your cluster does not include a management node, the components that load on the management node load on the master node instead. You must open the Management ports on the master node.

Note: The term "all cluster nodes" refers to master, worker, proxy, management, etcd, and Vulnerability Advisor (VA) nodes. The boot node doesn't have port requirements.

All cluster nodes to all cluster nodes

Table 1. All cluster nodes to all cluster nodes
Port Protocol Requirement
NA IPv4 Calico with IP-in-IP (calico_ipip_mode: Always, network_type: calico)
Note: Enabled by default.
179 TCP Always for Calico (network_type: calico)
500 TCP and UDP IPsec (ipsec.enabled: true, calico_ipip_mode: Always, network_type: calico)
4000 TCP Metering reader (management_services.metering: enabled)
Note: For external metering through either proxy or internal self-metering.
4500 UDP IPsec (ipsec.enabled: true)
9091 TCP Calico (network_type: calico)
9099 TCP Calico (network_type: calico)
10248-10252 TCP Always for Kubernetes
30000-32767 TCP and UDP Always for Kubernetes
Note: External access. These ports must be opened only if you set Kubernetes Service type to NodePort.

All cluster nodes to master nodes

Table 2. All cluster nodes to master nodes
Port Protocol Requirement
8001 TCP Always for the kube_apiserver_port
Note: Default port. The kube_apiserver_port must be available on the master node only.
8080 TCP Always for the management console
Note: The management ingress insecure port equals the default value of router_http_port. Internal and external access.
8443 TCP Always for the management console
Note: The management ingress insecure port equals the default value of router_http_port. Internal and external access.
8500 TCP Always for the Image manager
Note: Internal and external access.
8600 TCP Always for the Image manager
Note: Internal and external access.
27017 TCP MongoDB
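
The access-type rule stated under "Port access types" (a port with no stated access type is internal only) can be applied mechanically to Table 2 to derive a least-privilege source allow-list for master nodes. This is an added example, not IBM code; the function names and both CIDR values are assumptions chosen for illustration.

```python
import re

# Rows copied from Table 2 (all cluster nodes to master nodes), in the page's layout.
TABLE_2 = """\
8001 TCP Always for the kube_apiserver_port
Note: Default port. The kube_apiserver_port must be available on the master node only.
8080 TCP Always for the management console
Note: The management ingress insecure port equals the default value of router_http_port. Internal and external access.
8443 TCP Always for the management console
Note: The management ingress insecure port equals the default value of router_http_port. Internal and external access.
8500 TCP Always for the Image manager
Note: Internal and external access.
8600 TCP Always for the Image manager
Note: Internal and external access.
27017 TCP MongoDB
"""

# A row is "<port or range> <protocol> <requirement>"; comma-separated port lists are not handled.
ROW = re.compile(r"^(\d+)(?:[-:](\d+))?\s+(TCP and UDP|TCP|UDP)\s+(.*)$")

def parse_rows(text):
    """Return one dict per port row; a following 'Note:' line can set the access type."""
    rows = []
    for line in text.splitlines():
        m = ROW.match(line.strip())
        if m:
            lo, hi, proto, req = m.groups()
            rows.append({"ports": (int(lo), int(hi or lo)),
                         "protocols": proto.lower().split(" and "),
                         "requirement": req,
                         "external": False})  # page rule: unstated means internal only
        elif rows and "external access" in line.lower():
            rows[-1]["external"] = True
    return rows

def allowed_sources(rows, cluster_cidr, external_cidr):
    """Map each (port range, protocol) to the narrowest source networks the page permits."""
    plan = {}
    for r in rows:
        sources = [cluster_cidr] + ([external_cidr] if r["external"] else [])
        for proto in r["protocols"]:
            plan[(r["ports"], proto)] = sources
    return plan

if __name__ == "__main__":
    # Both CIDRs are assumed placeholders: the node subnet and an admin/client network.
    plan = allowed_sources(parse_rows(TABLE_2), "10.10.0.0/24", "192.0.2.0/24")
    for ((lo, hi), proto), sources in sorted(plan.items()):
        print(f"{lo}-{hi}/{proto}: allow from {', '.join(sources)}")
```

The resulting plan keeps 8001 and 27017 reachable only from the cluster subnet, which is the scoping to carry into whatever host firewall or security-group tooling the nodes use.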

All cluster nodes to management nodes

Table 3. All cluster nodes to management nodes
Port Protocol Requirement
3000 TCP Prometheus scrape (management_services.metering: enabled)
Note: For Prometheus scraping of metering data from metering-dm.
5044 TCP Logstash enabled (management_services.logging: enabled)
25826 UDP Core services Collectd exporter (management_services.monitoring: enabled)
31514 TCP Tiller NodePort
Note: Internal and external access.
The default 31514 port can be overridden in the config.yaml file before you install IBM Cloud Private.
44134 TCP Tiller network policy
Note: Internal and external access.
44135 TCP Tiller network policy
Note: Internal and external access.

All cluster nodes to proxy nodes

Table 4. All cluster nodes to proxy nodes
Port Protocol Requirement
31380 TCP Istio (management_services.istio: enabled)
Note: Internal and external access.
31390 TCP Istio (management_services.istio: enabled)
Note: Internal and external access.

All cluster nodes or etcd nodes to etcd nodes

Table 5. All cluster nodes or etcd nodes to etcd nodes
Port Protocol Requirement
2380 TCP Always if etcd is enabled
Note: etcd nodes to etcd nodes.
4001 TCP Always if etcd is enabled
Note: All cluster nodes to etcd nodes.

Master nodes to master nodes

Table 6. Master nodes to master nodes
Port Protocol Requirement
6969 TCP Always for platform-api
9443 TCP WebSphere® Application Server Liberty
Note: External access.
31030 TCP Helm enabled (management_services.service-catalog: enabled)
31031 TCP Helm enabled (management_services.service-catalog: enabled)
20358 TCP Always for KMS plug-in health check port
6967, 11211 TCP Always for system healthcheck service

Master nodes or proxy node to management nodes

Table 7. Master nodes or proxy node to management nodes
Port Protocol Requirement
3000 TCP Grafana (management_services.monitoring: enabled)
5601 TCP Kibana (management_services.monitoring: enabled)
9093 TCP Alert manager (management_services.monitoring: enabled)

Management nodes to all cluster nodes

Table 8. Management nodes to all cluster nodes
Port Protocol Requirement
8445 TCP Core services node exporter default port (management_services.monitoring: enabled)

Management nodes to master nodes

Table 9. Management nodes to master nodes
Port Protocol Requirement
6969 TCP Always for platform-api

Management nodes to management nodes

Table 10. Management nodes to management nodes
Port Protocol Requirement
80 TCP Core services kube-state-metrics explorer (management_services.monitoring: enabled)
Note: Internal and external access.
389 TCP LDAP enabled (ldap_enabled: true)
Note: Internal and external access.
636 TCP LDAPS enabled (ldap_enabled: true)
Note: Internal and external access.
3000 TCP Always for platform-ui
4000 TCP Always for catalog-ui
9093 TCP Core services alert manager (management_services.monitoring: enabled)
9090 TCP Prometheus (management_services.monitoring: enabled)
9103 TCP Core services Collectd exporter (management_services.monitoring: enabled)
9108 TCP Core services Elasticsearch exporter (management_services.monitoring: enabled)
9200 TCP Elasticsearch (management_services.logging: enabled)
9300 TCP Elasticsearch (management_services.logging: enabled)

Management nodes to external

Table 11. Management nodes to external
Port Protocol Requirement
9004 TCP Required if you use Key Management Service with nCipher Hardware Security Module (HSM). The port is required for connection between the nCipher HSM middleware at the management node and the nCipher nShield Connect HSM device.

Proxy nodes to management nodes

Table 12. Proxy nodes to management nodes
Port Protocol Requirement
3000 TCP Core services Grafana (management_services.monitoring: enabled)
3130 TCP Metering user interface server (management_services.metering: enabled)
5601 TCP Core services Kibana (management_services.logging: enabled)
9093 TCP Core services alert manager (management_services.monitoring: enabled)
9090 TCP Core services Prometheus (management_services.monitoring: enabled)
9200 TCP Core services Elasticsearch (management_services.logging: enabled)
9300 TCP Core services Elasticsearch (management_services.logging: enabled)

External to proxy nodes

Table 13. External to proxy nodes
Port Protocol Requirement
80 TCP Always for the Ingress service
Note: Default value of ingress_http_port.
443 TCP Always for the Ingress service
Note: Default value of ingress_http_port. Internal and external access.

GlusterFS nodes to all cluster nodes

Table 14. GlusterFS nodes to all cluster nodes
Port Protocol Requirement
2222 TCP GlusterFS (management_services.storage-glusterfs: enabled)
24007 TCP GlusterFS (management_services.storage-glusterfs: enabled)
24008 TCP GlusterFS (management_services.storage-glusterfs: enabled)
49152-49251 TCP GlusterFS (management_services.storage-glusterfs: enabled)

Required ports for IBM Multicloud Manager

See the IBM Multicloud Manager installation overview for IBM Multicloud Manager prepare and install topics.

Table 1. Table of IBM Multicloud Manager ports
Port Requirement
8001 default for managed cluster to communicate with Kubernetes API server port on the hub cluster
8500 default for managed cluster to communicate with IBM Cloud Private Docker registry on the hub cluster
443 default for hub cluster to communicate with Klusterlet service on IBM Cloud Private nginx ingress