Commit a52d507

alexmavr authored and Joao Fernandes committed
Update UCP 3.0 port requirements (docker#496)
1 parent f28c25d commit a52d507

1 file changed

+33
-27
lines changed


ee/ucp/admin/install/system-requirements.md

Lines changed: 33 additions & 27 deletions
@@ -59,33 +59,39 @@ between hosts.
5959
6060
## Ports used
6161

62-
When installing UCP on a host, make sure the following ports are open:
63-
64-
| Hosts | Direction | Port | Purpose |
65-
| :---------------- | :-------: | :---------------------- | :-------------------------------------------------------------------------------- |
66-
| managers, workers | in | TCP 443 (configurable) | Port for the UCP web UI and API |
67-
| managers | in | TCP 2376 (configurable) | Port for the Docker Swarm manager. Used for backwards compatibility |
68-
| managers, workers | in | TCP 2377 (configurable) | Port for communication between swarm nodes |
69-
| workers | out | TCP 2377 (configurable) | Port for communication between swarm nodes |
70-
| managers, workers | in, out | TCP 4194 | Port for Kubelet cAdvisor |
71-
| managers, workers | in, out | UDP 4789 | Port for overlay networking |
72-
| managers, workers | in, out | TCP 6443 | Port for Kubernetes API server |
73-
| managers, workers | in, out | TCP 6444 | Port for Kubernetes reverse proxy |
74-
| managers, workers | in, out | TCP, UDP 7946 | Port for gossip-based clustering |
75-
| managers, workers | in, out | TCP 10248 | Port for Kubelet healthz |
76-
| managers, workers | in, out | TCP 10250 | Port for Kubelet |
77-
| managers, workers | in, out | TCP 10256 | Port for Kubernetes proxy healthz |
78-
| managers, workers | in, out | TCP 12376 | Port for a TLS proxy that provides access to UCP, Docker Engine, and Docker Swarm |
79-
| managers, workers | in, out | TCP 12378 | Port for Etcd reverse proxy |
80-
| managers | in, out | TCP 12379 | Port for internal node configuration, cluster configuration, and HA |
81-
| managers | in, out | TCP 12380 | Port for internal node configuration, cluster configuration, and HA |
82-
| managers | in, out | TCP 12381 | Port for the certificate authority |
83-
| managers | in, out | TCP 12382 | Port for the UCP certificate authority |
84-
| managers | in, out | TCP 12383 | Port for the authentication storage backend |
85-
| managers | in, out | TCP 12384 | Port for the authentication storage backend for replication across managers |
86-
| managers | in, out | TCP 12385 | Port for the authentication service API |
87-
| managers | in, out | TCP 12386 | Port for the authentication worker |
88-
| managers | in, out | TCP 12387 | Port for the metrics service |
62+
When installing UCP on a host, a series of ports need to be opened to incoming
63+
traffic. Each of these ports will expect incoming traffic from a set of hosts,
64+
indicated as the "Scope" of that port. The three scopes are:
65+
- External: Traffic arrives from outside the cluster through end-user
66+
interaction.
67+
- Internal: Traffic arrives from other hosts in the same cluster.
68+
- Self: Traffic arrives to that port only from processes on the same host.
69+
70+
Make sure the following ports are open for incoming traffic on the respective
71+
host types:
72+
73+
| Hosts | Port | Scope | Purpose |
74+
| :---------------- | :---------------------- | :---------------------- | :-------------------------------------------------------------------------------- |
75+
| managers, workers | TCP 179 | Internal | Port for BGP peers, used for kubernetes networking |
76+
| managers | TCP 443 (configurable) | External, Internal | Port for the UCP web UI and API |
77+
| managers | TCP 2376 (configurable) | Internal | Port for the Docker Swarm manager. Used for backwards compatibility |
78+
| managers | TCP 2377 (configurable) | Internal, | Port for control communication between swarm nodes |
79+
| managers, workers | UDP 4789 | Internal, | Port for overlay networking |
80+
| managers | TCP 6443 (configurable) | External, Internal | Port for Kubernetes API server |
81+
| managers, workers | TCP 6444 | Self | Port for Kubernetes API reverse proxy |
82+
| managers, workers | TCP, UDP 7946 | Internal | Port for gossip-based clustering |
83+
| managers, workers | TCP 10250 | Internal | Port for Kubelet |
84+
| managers, workers | TCP 12376 | Internal | Port for a TLS authentication proxy that provides access to the Docker Engine |
85+
| managers, workers | TCP 12378 | Self | Port for Etcd reverse proxy |
86+
| managers | TCP 12379 | Internal | Port for Etcd Control API |
87+
| managers | TCP 12380 | Internal | Port for Etcd Peer API |
88+
| managers | TCP 12381 | Internal | Port for the UCP cluster certificate authority |
89+
| managers | TCP 12382 | Internal | Port for the UCP client certificate authority |
90+
| managers | TCP 12383 | Internal | Port for the authentication storage backend |
91+
| managers | TCP 12384 | Internal | Port for the authentication storage backend for replication across managers |
92+
| managers | TCP 12385 | Internal | Port for the authentication service API |
93+
| managers | TCP 12386 | Internal | Port for the authentication worker |
94+
| managers | TCP 12387 | Internal | Port for the metrics service |
8995

9096
For overlay networks with encryption to work, you need to ensure that
9197
IP protocol 50 (ESP) traffic is allowed.
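
Review bot: The Scope cells on the new TCP 2377 and UDP 4789 rows read "Internal," with a trailing comma, which looks like a second scope was dropped or never filled in; someone writing firewall rules from this table cannot tell whether those ports are Internal only. Either name the missing scope or remove the comma. Two related points: the rewritten intro covers incoming traffic only, and the old "workers | out | TCP 2377" row is removed without any statement on egress, so a sentence on whether outbound filtering needs the same ports would help; and the unchanged ESP (IP protocol 50) sentence below the table does not say which scope it falls under in the new model. "kubernetes" in the TCP 179 row should also be capitalized to match the other rows.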
