Configuring Firewall Ports
The following ports must be open between the nodes before AppViewX is installed. They can be opened on a network firewall device, with firewalld, or with iptables. Wherever the table says "All Nodes", scope the rule to the cluster's node addresses rather than to any source: several of these ports (kubelet, etcd, the Kubernetes API server) are not meant to be reachable from outside the cluster.
| Sr No | Source IP | Source Port | Destination IP | Destination Port | Protocol Used | TCP/UDP | Type of Information Communicated |
|---|---|---|---|---|---|---|---|
| 1 | All Nodes | Any | All Nodes* | 22 | SSH | TCP | Required for AppViewX installation and prerequisite checks. |
| 2 | All Nodes | Any | All Nodes* | 179 | BGP | TCP | To establish a common routing table for the overlay network. |
| 3 | All Nodes | Any | All Nodes* | 6443 | HTTPS | TCP | Kubernetes API server, for communication between Kubernetes master and worker nodes. |
| 4 | All Nodes | Any | All Nodes* | 10250 | HTTPS | TCP | Used by the kubelet agent, which exposes REST endpoints for the Kubernetes API server. |
| 5 | Load Balancer (for example F5, GCP, etc.) | Any | Istio Ingress Proxy IP (Kube Worker) | 31443 | HTTPS | TCP | To access the AppViewX web user interface. Note: This port must also be open in a Single-Node setup. |
| 6 | Load Balancer (for example F5, GCP, etc.) | Any | Kube Master IP | 6443 | HTTPS | TCP | To allow communication between the F5 load balancer and its pool members (the master nodes). |
| 7 | All Nodes | Any | F5 VIP | 6443 | HTTPS | TCP | To allow all nodes to reach the Kube Master through the VIP for Kubernetes control-plane traffic. |
| 8 | AppViewX Admin network # | Any | Istio Ingress Proxy IP (Kube Worker) | 30190 | HTTPS | TCP | To access the AppViewX management console. Note: This port must also be open in a Single-Node setup. |
| 9 | All Nodes | - | All Nodes* | - | IP-IP (IP protocol 4) | NA | Overlay network established with IP-IP tunnels. Information over this tunnel is encrypted using mTLS. Note: This protocol must also be permitted in a Single-Node setup. |
| 10 | Master | Any | Kube Master | 2379 | HTTPS | TCP | Required for etcd client communication from worker nodes to the master node. |
| 11 | Master | Any | Kube Master | 2380 | HTTPS | TCP | Required for etcd peer communication in a multi-master setup. |
| 12 | All Nodes | Any | All Nodes* | 9100 | HTTP | TCP | Required for monitoring node metrics. |
| 13 | All Nodes | Any | All Nodes* | 4789 | VXLAN | UDP | To establish a common routing table for the overlay network. |
| 14 | All Nodes | Any | All Nodes* | 30022 (SCEP), 30021 (EST) | HTTPS | TCP | To access the auto-enrollment protocols (SCEP and EST). |

\* (asterisk) indicates all the nodes present in the cluster, i.e. master nodes, secondary master nodes, and worker nodes.

\# (hash) indicates the network/machines/nodes of users who manage the AppViewX infrastructure through the management console (actions include creating and deleting pods and/or services).
Note:
- Each node requires one IP address.
- All externally exposed services use the node IP addresses to communicate within the network.
- Port 22 is used for administration of the node, for example to log in to the Linux CLI. SSH access from each node to every other node is also required for installation and prerequisite checks.
- An external load balancer is required to distribute user/API traffic to all Kube master nodes. Which firewall ports to open on it depends on the network setup.
- Ensure that the external endpoints the AppViewX worker nodes need to reach (for example, a Microsoft CA) are accessible, and that the corresponding ports and URLs are open for communication.
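The firewalld case from the table above, as an added example (this is not AppViewX's installer or documentation, just illustrative code): a POSIX shell script that prints the `firewall-cmd` lines for a node, using rich rules so that each intra-cluster port is accepted only from the other cluster nodes, the etcd ports only from masters, and the NodePorts (31443, 30190) only from the load balancer and admin ranges. The node addresses `10.10.0.x`, the `LB_CIDR` and `ADMIN_CIDR` ranges, and the zone name `public` are assumptions; replace them with your own inventory. A plain `--add-port=10250/tcp` would instead expose the kubelet and API server to every host in the zone.

```shell
#!/bin/sh
# Added example, not AppViewX's own installer: generate firewalld rich rules
# for the intra-cluster ports in the table above, scoped to cluster node IPs
# rather than opened to every host in the zone. All addresses are placeholders.
set -eu

# Constructed inventory of cluster nodes: "<ip> <role>" (assumed addresses).
NODES='10.10.0.11 master
10.10.0.12 master
10.10.0.21 worker
10.10.0.22 worker'

# Assumed source ranges for the load balancer (rows 5, 6) and admin network (row 8).
LB_CIDR=${LB_CIDR:-10.10.1.0/24}
ADMIN_CIDR=${ADMIN_CIDR:-10.20.0.0/24}
ZONE=${ZONE:-public}

# Ports every node accepts from every other node: "<port> <proto> <label>".
# The "ipip" entry is IP protocol 4 (row 9): it needs a protocol rule, not a port.
CLUSTER_RULES='22 tcp ssh-install
179 tcp bgp-overlay
6443 tcp kube-apiserver
10250 tcp kubelet
9100 tcp node-metrics
4789 udp vxlan-overlay
30022 tcp scep-enrollment
30021 tcp est-enrollment
- ipip ipip-overlay'

# etcd ports (rows 10, 11): accepted on masters, from masters only.
MASTER_RULES='2379 tcp etcd-client
2380 tcp etcd-peer'

# rich_rule SOURCE_CIDR PORT PROTO -> one firewalld rich rule string
rich_rule() {
  if [ "$3" = ipip ]; then
    printf 'rule family="ipv4" source address="%s" protocol value="ipip" accept' "$1"
  else
    printf 'rule family="ipv4" source address="%s" port port="%s" protocol="%s" accept' "$1" "$2" "$3"
  fi
}

# emit RULE -> the firewall-cmd line that installs RULE permanently in $ZONE
emit() {
  printf "firewall-cmd --permanent --zone=%s --add-rich-rule='%s'\n" "$ZONE" "$1"
}

# gen_node_rules ROLE: print the commands to run on a node of ROLE
# (master, worker, or single for a Single-Node setup that is both).
gen_node_rules() {
  role=$1
  case $role in
    master|worker|single) ;;
    *) echo "unknown role: $role (expected master, worker or single)" >&2; return 2 ;;
  esac
  printf '%s\n' "$NODES" | while read -r ip nrole; do
    printf '%s\n' "$CLUSTER_RULES" | while read -r port proto label; do
      emit "$(rich_rule "$ip/32" "$port" "$proto")"
    done
    if [ "$nrole" = master ] && [ "$role" != worker ]; then
      printf '%s\n' "$MASTER_RULES" | while read -r port proto label; do
        emit "$(rich_rule "$ip/32" "$port" "$proto")"
      done
    fi
  done
  # Row 6: the load balancer forwards to the API server on the masters.
  if [ "$role" != worker ]; then
    emit "$(rich_rule "$LB_CIDR" 6443 tcp)"
  fi
  # Rows 5 and 8: UI and management-console NodePorts on the Istio ingress worker.
  if [ "$role" != master ]; then
    emit "$(rich_rule "$LB_CIDR" 31443 tcp)"
    emit "$(rich_rule "$ADMIN_CIDR" 30190 tcp)"
  fi
  printf 'firewall-cmd --reload\n'
}

# Usage: sh gen-rules.sh worker > rules.sh; review rules.sh; then sh rules.sh
if [ $# -eq 1 ]; then
  gen_node_rules "$1"
fi
```

Run it once per node role and review the output before executing it; the generated rules are all `--permanent`, so nothing takes effect until the final `firewall-cmd --reload`. For iptables the same table maps to `iptables -A INPUT -s <node>/32 -p tcp --dport <port> -j ACCEPT` lines, with `-p 4` (or `-p ipip`) for the IP-IP entry.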
Configuring Firewall Ports for External Integrations
| S. No | Source IP | Source Port | Destination IP | Destination Port | Protocol Used | TCP/UDP | Type of Information Communicated |
|---|---|---|---|---|---|---|---|
| 1 | AppViewX Worker Nodes | Any | ADC | | SSH | TCP | |
| 2 | AppViewX Worker Nodes | Any | ADC | | HTTPS | TCP | To execute REST APIs. |
| 3 | AppViewX Worker Nodes | Any | MSCA Agent | | HTTPS | TCP | AppViewX to MSCA agent communication. |
| 4 | AppViewX Worker Nodes | Any | CA | | HTTPS | TCP | To execute REST APIs. |

The destination ports depend on how each ADC, MSCA agent, and CA is configured; open the port each endpoint actually listens on.
