Last active
March 7, 2024 11:05
-
-
Save papivot/eb39067e770133501255965b5413ffc4 to your computer and use it in GitHub Desktop.
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Source IP Address | Destination IP Address | Port Display | Protocol | Optional/Mandatory | Use | |
|---|---|---|---|---|---|---|
| Client | Service Installer VM | 22 | TCP | SSH | ||
| Client | NSX ALB VIP Network IP Range | 443 | TCP | HTTPS Workload | ||
| Client | NSX ALB VIP Network IP Range | 6443 | TCP | Cluster access | ||
| Client | Supervisor Management IP Range | 22 | TCP | (Optional) | Troubleshooting | |
| Client | Workload Cluster IP Range | 22 | TCP | (Optional) | Troubleshooting | |
| Client | Workload Cluster IP Range | 30000-32767 | TCP | (Optional) | If Nodeport Support is required | |
| Client | NSX ALB VIP Network IP Range | 80 | TCP | (Optional) | HTTP Workload | |
| NSX ALB Controller(s) | DNS Server | 53 | UDP | DNS | ||
| NSX ALB Controller(s) | NTP Server | 123 | UDP | NTP | ||
| NSX ALB Controller(s) | NSX ALB Service Engines (Management) | 123 | UDP | NTP | ||
| NSX ALB Controller(s) | ESXi Server(s) | 443 | TCP | Infra connectivity | ||
| NSX ALB Controller(s) | vCenter Server | 443 | TCP | Infra connectivity | ||
| NSX ALB Service Engines (Management) | NSX ALB Controller(s) | 22 | TCP | |||
| NSX ALB Service Engines (Management) | NSX ALB Controller(s) | 8443 | TCP | |||
| Service Installer VM | DNS Server | 53 | UDP | DNS | ||
| Service Installer VM | NTP Server | 123 | UDP | NTP | ||
| Service Installer VM | NSX ALB Controller(s) | 443 | TCP | NSX ALB Configuration | ||
| Service Installer VM | vCenter Server | 443 | TCP | WCP Configuration | ||
| Service Installer VM | NSX ALB VIP Network IP Range | 80 | TCP | HTTP Workload | ||
| Service Installer VM | NSX ALB VIP Network IP Range | 443 | TCP | HTTPS Workload | ||
| Service Installer VM | NSX ALB VIP Network IP Range | 6443 | TCP | Cluster Access | ||
| Service Installer VM | wp-content.vmware.com | 443 | TCP | (Optional) | If Optional - configure content library from VC UI | |
| Service Installer VM | *.tmc.cloud.vmware.com | 443 | TCP | (Optional) | TMC Connectivity | |
| Service Installer VM | console.cloud.vmware.com | 443 | TCP | (Optional) | TMC Connectivity | |
| Supervisor Management IP Range | DNS Server | 53 | UDP | DNS | ||
| Supervisor Management IP Range | NTP Server | 123 | UDP | NTP | ||
| Supervisor Management IP Range | wp-content.vmware.com | 443 | TCP | Content Library | ||
| Supervisor Management IP Range | NSX ALB Controller(s) | 443 | TCP | AKO connectivity | ||
| Supervisor Management IP Range | vCenter Server | 443 | TCP | Critical !!! | ||
| Supervisor Management IP Range | NSX ALB VIP Network IP Range | 6443 | TCP | Supervisor cluster -> Workload cluster config | ||
| Supervisor Management IP Range | Workload Cluster IP Range | 6443 | TCP | VM Operator and TKC VM communication | ||
| Supervisor Management IP Range | *.tmc.cloud.vmware.com | 443 | TCP | (Optional) | TMC Connectivity | |
| Supervisor Management IP Range | projects.registry.vmware.com | 443 | TCP | (Optional) | TMC Connectivity | |
| Supervisor Management IP Range | Private registry | 443 | TCP | (Optional) | In a internet restricted env | |
| Supervisor Management IP Range | TSM and TO (to be expanded later) | 443 | TCP | (Optional) | SaaS connectivity | |
| Supervisor Workload IP Range* | DNS Server | 53 | UDP | DNS | ||
| Supervisor Workload IP Range* | Supervisor Management IP Range | 6443 | TCP | |||
| Supervisor Workload IP Range* | Workload Cluster IP Range | 6443 | TCP | |||
| Workload Cluster IP Range | DNS Server | 53 | UDP | DNS | ||
| Workload Cluster IP Range | NTP Server | 123 | UDP | NTP | ||
| Workload Cluster IP Range | NSX ALB VIP Network IP Range | 6443 | TCP | |||
| Workload Cluster IP Range | NSX ALB Controller(s) | 443 | TCP | (Optional) | While using AKOO on guest cluster | |
| Workload Cluster IP Range | *.tmc.cloud.vmware.com | 443 | TCP | (Optional) | TMC Connectivity | |
| Workload Cluster IP Range | projects.registry.vmware.com | 443 | TCP | (Optional) | TMC Connectivity | |
| Workload Cluster IP Range | Private registry | 443 | TCP | (Optional) | ||
| Workload Cluster IP Range | TSM and TO (to be expanded later) | 443 | TCP | (Optional) | SaaS connectivity | |
| NSX ALB VIP Network IP Range | Supervisor Workload IP Range | 443 | TCP | Supervisor Cluster | ||
| NSX ALB VIP Network IP Range | Supervisor Workload IP Range | 6443 | TCP | Supervisor Cluster | ||
| NSX ALB VIP Network IP Range | Workload Cluster IP Range | 443 | TCP | HTTPS Workload | ||
| NSX ALB VIP Network IP Range | Workload Cluster IP Range | 6443 | TCP | Workload Cluster | ||
| NSX ALB VIP Network IP Range | Workload Cluster IP Range | 80 | TCP | (Optional) | HTTP Workload | |
| NSX ALB VIP Network IP Range | Workload Cluster IP Range | 30000-32767 | TCP | (Optional) | If Nodeport Support is required | |
| vCenter Server | Supervisor Management IP Range | 443 | TCP | |||
| vCenter Server | Supervisor Management IP Range | 6443 | TCP | |||
| vCenter Server | Supervisor Management IP Range | 22 | TCP | (Optional) | Troubleshooting | |
| Notes:- | ||||||
| 1. For TMC, if firewalls do not allow wildcard | ||||||
| open ports to ALL IPs corresponding to - | ||||||
| [account_name].tmc.cloud.vmware.com and | ||||||
| extensions.aws-usw2.tmc.cloud.vmware.com | ||||||
| 2. This doc assumes there is no firewall | ||||||
| WITHIN a subnet/VLAN | ||||||
| 3. Supervisor Workload IP Range & | ||||||
| Workload Cluster IP Range | ||||||
| are the same subnet/VLAN for the | ||||||
| Primary Supervisor Namespace |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment