# Port Matrix
This page documents all network ports required for the Toyota TMNA POC deployment. All traffic flows on VLAN 111 (10.25.233.0/24 for cluster nodes, 10.25.232.0/24 for the Palette appliance).
## Palette Management Appliance Ports
Ports required on the Palette Management Appliance VM (10.25.232.155 / 10.25.232.252):
| Port | Protocol | Direction | Source / Destination | Purpose |
|---|---|---|---|---|
| 443 | TCP/HTTPS | Inbound | Browser, CLI, cluster agents | Palette UI, API, gRPC |
| 6443 | TCP/HTTPS | Outbound | PMA --> cluster nodes | K8s API management operations |
| 5080 | TCP/HTTPS | Inbound | Admin browser | Local UI (node management, content upload) |
| 30003 | TCP/HTTPS | Inbound | Cluster nodes | Internal container registry (image pulls) |
| 22 | TCP/SSH | Inbound | Admin workstation | SSH access (installation and troubleshooting) |
## Bare Metal Cluster Ports
Ports required on each of the 3 bare-metal cluster nodes (10.25.233.4, .5, .6):
### External Communication
| Port | Protocol | Direction | Source / Destination | Purpose |
|---|---|---|---|---|
| 443 | TCP/HTTPS | Outbound | Nodes --> Palette VIP | Agent heartbeat, profile sync, gRPC |
| 30003 | TCP/HTTPS | Outbound | Nodes --> Palette VIP | Image pulls from internal registry |
| 6443 | TCP/HTTPS | Inbound | Palette VIP --> nodes | K8s API (management operations) |
### Inter-Node Communication (Kubernetes)
These ports must be open between all 3 bare-metal nodes:
| Port | Protocol | Purpose |
|---|---|---|
| 6443 | TCP/HTTPS | Kubernetes API server |
| 2379-2380 | TCP | etcd client and peer communication |
| 10250 | TCP | Kubelet API |
| 10259 | TCP | kube-scheduler |
| 10257 | TCP | kube-controller-manager |
### Inter-Node Communication (Cilium)
| Port | Protocol | Purpose |
|---|---|---|
| 4240 | TCP | Cilium health checks |
| 4244 | TCP | Hubble server |
| 4245 | TCP | Hubble relay |
| 8472 | UDP | VXLAN overlay (if used) |
| 51871 | UDP | WireGuard encryption (if enabled) |
### Portworx Ports (Inter-Node)
All Portworx ports are inter-node only -- they run between the 3 bare-metal nodes on the same subnet. No external firewall rules are required for Portworx traffic.
| Port | Protocol | Purpose |
|---|---|---|
| 9001 | TCP/REST | Portworx management API |
| 9002 | UDP | Gossip protocol (node discovery) |
| 9003 | TCP | Storage data replication between nodes |
| 9010 | TCP/REST | Object store (if enabled) |
| 9012 | TCP/gRPC | Node-to-node communication |
| 9013 | TCP/gRPC | Namespace management |
| 9014 | TCP/gRPC | Diagnostics |
| 9015 | TCP | SDK auto-scaling (if enabled) |
| 9018 | TCP/gRPC | Internal KVDB peer |
| 9019 | TCP/gRPC | Internal KVDB client |
| 9020 | TCP/REST | SDK gateway |
| 9021 | TCP/REST | Health monitor REST |
| 9022 | TCP/gRPC | Health monitor gRPC |
Same-Subnet Rule
Because all 3 nodes are on the same /24 subnet (10.25.233.0/24), Portworx inter-node traffic does not cross any firewall boundaries. These ports only need to be accessible between the 3 cluster nodes.
### VMO / KubeVirt Ports (Inter-Node)
| Port | Protocol | Purpose |
|---|---|---|
| 16509 | TCP | libvirt API (live migration) |
| 49152-49215 | TCP | Live migration data transfer |
### MetalLB Ports
| Port | Protocol | Purpose |
|---|---|---|
| 7946 | TCP/UDP | memberlist (inter-node) |
## Summary Diagram
```mermaid
graph TB
subgraph External["External Access"]
ADMIN["Admin Browser"]
end
subgraph PMA["Palette Management Appliance<br/>10.25.232.155 / .252"]
P443["443 - UI/API"]
P5080["5080 - Local UI"]
P30003["30003 - Registry"]
P22["22 - SSH"]
end
subgraph Cluster["Bare Metal Cluster<br/>10.25.233.4-6"]
C443["443 out - Agent"]
C6443["6443 - K8s API"]
C30003["30003 out - Images"]
INTER["Inter-node:<br/>2379-2380, 10250<br/>9001-9022 (PX)<br/>16509 (VMO)"]
end
ADMIN -->|HTTPS| P443
ADMIN -->|HTTPS| P5080
PMA -->|"6443"| C6443
Cluster -->|"443"| P443
Cluster -->|"30003"| P30003
style PMA fill:#1F7A78,color:#fff
style Cluster fill:#005B5B,color:#fff
```
## Firewall Rules Summary
For the network team, the required firewall rules in a simplified format (the inter-node rows stay inside 10.25.233.0/24 and apply to host firewalls on the nodes, not to the perimeter):
| Rule | Source | Destination | Ports | Protocol | Direction |
|---|---|---|---|---|---|
| Admin to PMA | Admin workstation | 10.25.232.155 | 443, 5080 | TCP | Inbound |
| SSH to PMA | Admin workstation | 10.25.232.252 | 22 | TCP | Inbound |
| PMA to Cluster | 10.25.232.155 | 10.25.233.4-6 | 6443 | TCP | Outbound |
| Cluster to PMA | 10.25.233.4-6 | 10.25.232.155 | 443, 30003 | TCP | Outbound |
| Inter-node (K8s) | 10.25.233.4-6 | 10.25.233.4-6 | 2379-2380, 6443, 10250, 10257, 10259 | TCP | Bidirectional |
| Inter-node (Cilium) | 10.25.233.4-6 | 10.25.233.4-6 | 4240, 4244, 4245 (TCP); 8472, 51871 (UDP) | TCP/UDP | Bidirectional |
| Inter-node (PX) | 10.25.233.4-6 | 10.25.233.4-6 | 9001-9022 | TCP/UDP | Bidirectional |
| Inter-node (VMO) | 10.25.233.4-6 | 10.25.233.4-6 | 16509, 49152-49215 | TCP | Bidirectional |
| Inter-node (MetalLB) | 10.25.233.4-6 | 10.25.233.4-6 | 7946 | TCP/UDP | Bidirectional |
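The same-subnet rule means no perimeter device filters node-to-node traffic, so the only thing standing between a compromised neighbour on VLAN 111 and etcd or the Portworx KVDB is a host firewall on each node. The script below is an added example, not part of the POC documentation or of Palette, Portworx, Cilium or MetalLB: it encodes the port sets from the tables on this page together with the addresses in the matrix, renders an nftables input allowlist for one node (inter-node ports only from the other two nodes, 6443 additionally from the PMA VIP, everything else dropped), and prints the `nc` probes for the outbound rows. The function names, the table name `pmatrix` and the probe list are illustrative assumptions.

```shell
#!/bin/sh
# Added example (hypothetical helper, not from the TMNA POC docs or any vendor):
# turn the port matrix into a per-node nftables host-firewall ruleset plus a
# connectivity checklist. Assumes nftables on the nodes and the addresses below.

PMA_VIP="10.25.232.155"                          # Palette VIP from the matrix
NODES="10.25.233.4 10.25.233.5 10.25.233.6"      # the 3 bare-metal nodes

# Port sets copied from the tables on this page (scheduler/controller-manager
# included because the Kubernetes table requires them open between nodes).
K8S_TCP="6443, 2379-2380, 10250, 10257, 10259"
CILIUM_TCP="4240, 4244, 4245"
CILIUM_UDP="8472, 51871"
PX_TCP="9001, 9003, 9010, 9012-9015, 9018-9022"
PX_UDP="9002"
VMO_TCP="16509, 49152-49215"
METALLB_PORT="7946"

# peers_of NODE_IP -> the other cluster nodes as an nftables set literal,
# e.g. "{ 10.25.233.5, 10.25.233.6 }"
peers_of() {
    me="$1"; out=""
    for n in $NODES; do
        [ "$n" = "$me" ] && continue
        out="${out:+$out, }$n"
    done
    printf '{ %s }' "$out"
}

# gen_node_ruleset NODE_IP -> nftables config for that node's input chain.
# Every inter-node port is admitted only from the two peers; 6443 also from
# the PMA (the "PMA to Cluster" row); anything else inbound hits policy drop.
gen_node_ruleset() {
    peers=$(peers_of "$1")
    cat <<EOF
table inet pmatrix {
    chain input {
        type filter hook input priority 0; policy drop;
        iif lo accept
        ct state established,related accept
        icmp type echo-request accept
        # Kubernetes: peers reach the whole control plane, the PMA only the API server
        ip saddr $peers tcp dport { $K8S_TCP } accept
        ip saddr $PMA_VIP tcp dport 6443 accept
        # Cilium health/Hubble (TCP), VXLAN and WireGuard (UDP)
        ip saddr $peers tcp dport { $CILIUM_TCP } accept
        ip saddr $peers udp dport { $CILIUM_UDP } accept
        # Portworx: same-subnet rule, peers only
        ip saddr $peers tcp dport { $PX_TCP } accept
        ip saddr $peers udp dport { $PX_UDP } accept
        # KubeVirt live migration
        ip saddr $peers tcp dport { $VMO_TCP } accept
        # MetalLB memberlist
        ip saddr $peers tcp dport $METALLB_PORT accept
        ip saddr $peers udp dport $METALLB_PORT accept
    }
}
EOF
}

# outbound_checks NODE_IP -> one nc probe per outbound/bidirectional TCP
# target a node must reach: the PMA rows, then one representative port per
# inter-node service on each peer. Run on the node after the RFC is applied.
outbound_checks() {
    for p in 443 30003; do
        printf 'nc -z -v -w 3 %s %s\n' "$PMA_VIP" "$p"
    done
    for peer in $(peers_of "$1" | tr -d '{},'); do
        for p in 6443 2379 10250 9001 16509; do
            printf 'nc -z -v -w 3 %s %s\n' "$peer" "$p"
        done
    done
}

gen_node_ruleset 10.25.233.4
```

Review the generated file before loading it with `nft -f`: the matrix covers platform traffic only, so NodePort or MetalLB-published services and any pod-to-pod traffic that Cilium delivers through the host stack need their own accept rules, and the kube-scheduler and kube-controller-manager rows can be dropped on nodes where those listeners are bound to 127.0.0.1.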
RFC Status
The firewall change request (RFC) was approved on 4/21. Ramana submitted the port requirements as part of the RFC process.