Required ports
This page lists the ports that must be available for installation and configuration of an IBM® Cloud Private cluster.
You open the ports before you start installing IBM Cloud Private, and the installer confirms that they are open.
Port access types
- Internal - port must be open to allow connections inside the cluster.
- External - port must be open to allow connections from outside the cluster.
If no access type is stated, the port is used only for internal communications.
Important: IBM Cloud Private supports an optional management node. If your cluster does not include a management node, the components that load on the management node load on the master node instead. You must open the Management ports on the master node.
Note: "All cluster nodes" refers to master, worker, proxy, management, etcd, and Vulnerability Advisor (VA) nodes. The boot node doesn't have port requirements.
- All cluster nodes to all cluster nodes
- All cluster nodes to master nodes
- All cluster nodes to management nodes
- All cluster nodes to proxy nodes
- All cluster nodes or etcd nodes to etcd nodes
- Master nodes to master nodes
- Master nodes or proxy node to management nodes
- Management nodes to all cluster nodes
- Management nodes to master nodes
- Management nodes to management nodes
- Proxy nodes to management nodes
- External to proxy nodes
- GlusterFS nodes to all cluster nodes
All cluster nodes to all cluster nodes
Port | Protocol | Requirement |
---|---|---|
NA | IPv4 | Calico with IP-in-IP (calico_ipip_mode: Always, network_type:calico) Note: Enabled by default. |
179 | TCP | Always for Calico (network_type:calico) |
500 | TCP and UDP | IPsec (ipsec.enabled: true, calico_ipip_mode: Always, network_type:calico) |
4000 | TCP | Metering reader (management_services.metering: enabled) Note: For external metering through either proxy or internal self-metering. |
4500 | UDP | IPsec (ipsec.enabled: true) |
9091 | TCP | Calico (network_type: calico) |
9099 | TCP | Calico (network_type: calico) |
10248-10252 | TCP | Always for Kubernetes |
30000-32767 | TCP and UDP | Always for Kubernetes Note: External access. These ports must be opened only if you set Kubernetes Service type to NodePort. |
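
One way to turn a table on this page into a least-privilege allow-list (an added example, not IBM's installer code): it parses rows in the page's `Port | Protocol | Requirement |` format, including both range notations the page uses, and keeps only the ports whose parenthesized settings match a cluster's configuration. The function names and the flat dotted keys in `config` are assumptions for illustration.

```python
import re

# Rows copied from the "All cluster nodes to all cluster nodes" table (Note text
# trimmed; the NA/IP-in-IP and NodePort rows are left out of this sample).
TABLE = """\
179 | TCP | Always for Calico (network_type:calico) |
500 | TCP and UDP | IPsec (ipsec.enabled: true, calico_ipip_mode: Always, network_type:calico) |
4000 | TCP | Metering reader (management_services.metering: enabled) |
4500 | UDP | IPsec (ipsec.enabled: true) |
9091 | TCP | Calico (network_type: calico) |
10248-10252 | TCP | Always for Kubernetes |
"""

def parse_row(line):
    """Split one 'Port | Protocol | Requirement |' row into range, protocols, conditions."""
    port, proto, req = [c.strip() for c in line.strip().rstrip("|").split("|")]
    lo, _, hi = port.replace(":", "-").partition("-")   # accepts 10248-10252 and 49152:49251
    conds = {}
    m = re.search(r"\(([^)]*)\)", req)                  # "(key: value, key: value)"
    if m:
        for pair in m.group(1).split(","):
            key, _, value = pair.partition(":")
            conds[key.strip()] = value.strip().lower()
    return {
        "range": (int(lo), int(hi or lo)),
        "protos": [p.lower() for p in re.findall(r"TCP|UDP", proto)],
        "conds": conds,
    }

def required_ports(table, config):
    """Return (proto, first, last) for rows whose every condition matches config."""
    allow = []
    for line in table.strip().splitlines():
        row = parse_row(line)
        if all(str(config.get(k, "")).lower() == v for k, v in row["conds"].items()):
            allow += [(p, *row["range"]) for p in row["protos"]]
    return allow

if __name__ == "__main__":
    # Constructed settings; flat dotted keys are an assumption, not the config.yaml layout.
    config = {"network_type": "calico", "calico_ipip_mode": "Always",
              "ipsec.enabled": False, "management_services.metering": "disabled"}
    for proto, first, last in required_ports(TABLE, config):
        print(proto, first if first == last else f"{first}-{last}")
```

Rows with no parenthesized setting are treated as always required, so ports for disabled features such as IPsec or metering stay closed unless the matching setting is enabled.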
All cluster nodes to master nodes
Port | Protocol | Requirement |
---|---|---|
3306 | TCP | Always for MariaDB |
4444 | TCP | Master HA enabled for MariaDB Galera |
4567 | TCP and UDP | Master HA enabled for MariaDB Galera |
4568 | TCP | Master HA enabled for MariaDB Galera |
8001 | TCP | Always for the kube_apiserver_port Note: Default port. The kube_apiserver_port must be available on the master node only. |
8080 | TCP | Always for the management console Note: The management ingress insecure port equals the default value of router_http_port. Internal and external access. |
8443 | TCP | Always for the management console Note: The management ingress insecure port equals the default value of router_http_port. Internal and external access. |
8500 | TCP | Always for the Image manager Note: Internal and external access. |
8600 | TCP | Always for the Image manager Note: Internal and external access. |
27017 | TCP | MongoDB |
All cluster nodes to management nodes
Port | Protocol | Requirement |
---|---|---|
3000 | TCP | Prometheus scrape (management_services.metering: enabled) Note: For Prometheus scraping of metering data from metering-dm. |
5044 | TCP | Logstash enabled (management_services.logging: enabled) |
25826 | UDP | Core services Collectd exporter (management_services.monitoring: enabled) |
31514 | TCP | Tiller NodePort Note: Internal and external access. The default 31514 port can be overridden in the config.yaml file prior to installing IBM Cloud Private. |
44134 | TCP | Tiller network policy Note: Internal and external access. |
44135 | TCP | Tiller network policy Note: Internal and external access. |
All cluster nodes to proxy nodes
Port | Protocol | Requirement |
---|---|---|
31380 | TCP | Istio (management_services.istio: enabled) Note: Internal and external access. |
31390 | TCP | Istio (management_services.istio: enabled) Note: Internal and external access. |
All cluster nodes or etcd nodes to etcd nodes
Port | Protocol | Requirement |
---|---|---|
2380 | TCP | Always if etcd is enabled Note: etcd nodes to etcd nodes. |
4001 | TCP | Always if etcd is enabled Note: All cluster nodes to etcd nodes. |
Master nodes to master nodes
Port | Protocol | Requirement |
---|---|---|
3306 | TCP | MariaDB |
6969 | TCP | Always for platform-api |
9443 | TCP | WebSphere® Application Server Liberty Note: External access. |
20358 | TCP | Always for KMS plug-in health check port |
31030 | TCP | Helm enabled (management_services.service-catalog: enabled) |
31031 | TCP | Helm enabled (management_services.service-catalog: enabled) |
44134 | TCP | Tiller network policy Note: Internal and external access. |
Master nodes or proxy node to management nodes
Port | Protocol | Requirement |
---|---|---|
3000 | TCP | Grafana (management_services.monitoring: enabled) |
5601 | TCP | Kibana (management_services.monitoring: enabled) |
9093 | TCP | Alert manager (management_services.monitoring: enabled) |
Management nodes to all cluster nodes
Port | Protocol | Requirement |
---|---|---|
8445 | TCP | Core services node exporter default port (management_services.monitoring: enabled) |
Management nodes to master nodes
Port | Protocol | Requirement |
---|---|---|
6969 | TCP | Always for platform-api |
Management nodes to management nodes
Port | Protocol | Requirement |
---|---|---|
80 | TCP | Core services kube-state-metrics explorer (management_services.monitoring: enabled) Note: Internal and external access. |
389 | TCP | LDAP enabled (ldap_enabled: true) Note: Internal and external access. |
636 | TCP | LDAPS enabled (ldap_enabled: true) Note: Internal and external access. |
3000 | TCP | Always for platform-ui |
4000 | TCP | Always for catalog-ui |
9093 | TCP | Core services alert manager (management_services.monitoring: enabled) |
9090 | TCP | Prometheus (management_services.monitoring: enabled) |
9103 | TCP | Core services Collectd exporter (management_services.monitoring: enabled) |
9108 | TCP | Core services Elasticsearch exporter (management_services.monitoring: enabled) |
9200 | TCP | Elasticsearch (management_services.logging: enabled) |
9300 | TCP | Elasticsearch (management_services.logging: enabled) |
Proxy nodes to management nodes
Port | Protocol | Requirement |
---|---|---|
3000 | TCP | Core services Grafana (management_services.monitoring: enabled) |
3130 | TCP | Metering user interface server (management_services.metering: enabled) |
5601 | TCP | Core services Kibana (management_services.logging: enabled) |
9093 | TCP | Core services alert manager (management_services.monitoring: enabled) |
9090 | TCP | Core services Prometheus (management_services.monitoring: enabled) |
9200 | TCP | Core services Elasticsearch (management_services.logging: enabled) |
9300 | TCP | Core services Elasticsearch (management_services.logging: enabled) |
External to proxy nodes
Port | Protocol | Requirement |
---|---|---|
80 | TCP | Always for the Ingress service Note: Default value of ingress_http_port. |
443 | TCP | Always for the Ingress service Note: Default value of ingress_http_port. Internal and external access. |
GlusterFS nodes to all cluster nodes
Port | Protocol | Requirement |
---|---|---|
2222 | TCP | GlusterFS (management_services.storage-glusterfs: enabled) |
24007 | TCP | GlusterFS (management_services.storage-glusterfs: enabled) |
24008 | TCP | GlusterFS (management_services.storage-glusterfs: enabled) |
49152:49251 | TCP | GlusterFS (management_services.storage-glusterfs: enabled) |