Firewall Information
If your environment has strict network policies that prevent any unauthorized communication between two namespaces, you may need to add one or more exceptions to your network policies to allow communication between the sidecars and the local Istio Control Plane, as well as between the local Istio Control Plane and the TIS+ management plane.
The following information can be used to derive the appropriate set of firewall rules.
Communication between TIS+, Control Plane and Workloads
Between Istio and TIS+
TIS+ Load Balancer (also known as front-envoy) has default port 8443. This port value is user configurable; for example, it can be changed to 443. If the default port is changed, then all components that communicate via front-envoy need to be adjusted accordingly to match the user-defined value of the front-envoy port.
Source | Destination |
---|---|
xcp-edge.istio-system | TIS+ Load Balancer IP, port 9443 |
oap.istio-system | TIS+ Load Balancer IP, port 8443 or user defined front-envoy port |
otel-collector.istio-system | TIS+ Load Balancer IP, port 8443 or user defined front-envoy port |
oap.istio-system | Elasticsearch target IP and port (if using the demo deployment of Elasticsearch or using front-envoy as the Elasticsearch proxy, change to TIS+ Load Balancer IP, port 8443 or user defined front-envoy port) |
Between Sidecars on k8s and TIS+ Control Plane
Source | Destination |
---|---|
Sidecars or load balancers in any application namespace, or a shared load balancer in any namespace, to access the OAP metrics server. | oap.istio-system, port 11800 |
Sidecars or load balancers in any application namespace, or a shared load balancer in any namespace, to access the OAP trace server. | oap.istio-system, port 9411 |
Between Sidecars on VMs and TIS+ Control Plane
Source | Destination |
---|---|
Sidecars on VMs to access the Istio Pilot xDS server, OAP metrics server and trace server | Without a VM Gateway: oap.istio-system Load Balancer IP, port 11800 or 9411 |
Between workloads in cluster A and workloads in cluster B
Source | Destination |
---|---|
k8s pods or VMs (cluster A) | per-Service Gateway Load Balancer IP, port 15443 (cluster B) |
k8s pods or VMs (cluster B) | per-Service Gateway Load Balancer IP, port 15443 (cluster A) |
If you are using a shared load balancer, then the load balancer's Envoy will need to be able to talk to all attached applications and their services. Since this information is not known in advance, we cannot provide a definitive list of the ports to open in a firewall.
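As an added example that is not part of this documentation, the two tables above expressed as Kubernetes NetworkPolicies in istio-system: one admitting sidecar traffic to OAP on 11800 and 9411, one letting the control-plane components reach the TIS+ Load Balancer on 9443 and 8443. The pod labels (app=oap, app=xcp-edge, app=otel-collector) and the address 203.0.113.10 are assumptions; substitute the values from your own deployment.

```yaml
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: allow-sidecars-to-oap
  namespace: istio-system
spec:
  podSelector:
    matchLabels:
      app: oap                  # assumed label on the OAP pods
  policyTypes: ["Ingress"]
  ingress:
  - from:
    - namespaceSelector: {}    # sidecars can run in any application namespace
    ports:
    - protocol: TCP
      port: 11800              # OAP metrics server (gRPC)
    - protocol: TCP
      port: 9411               # OAP trace server
---
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: allow-control-plane-to-tisplus
  namespace: istio-system
spec:
  # One combined policy for brevity; split it per pod (xcp-edge on 9443 only,
  # oap/otel-collector on 8443 only) to keep each exception least-privilege.
  podSelector:
    matchExpressions:
    - key: app
      operator: In
      values: ["xcp-edge", "oap", "otel-collector"]   # assumed labels
  policyTypes: ["Egress"]
  egress:
  - to:
    - ipBlock:
        cidr: 203.0.113.10/32  # placeholder for the TIS+ Load Balancer IP
    ports:
    - protocol: TCP
      port: 9443               # xcp-edge -> XCP port on front-envoy
    - protocol: TCP
      port: 8443               # oap/otel-collector -> front-envoy (or the user-defined port)
  # Once Egress is selected, everything else is denied, including DNS: keep cluster DNS reachable.
  - to:
    - namespaceSelector: {}
    ports:
    - protocol: UDP
      port: 53
```

After applying, confirm the selectors actually match pods with `kubectl describe networkpolicy -n istio-system`, since a policy whose podSelector matches nothing silently permits everything. If Elasticsearch is proxied through front-envoy as the first table allows, the 8443 rule already covers OAP's Elasticsearch traffic; otherwise add the real Elasticsearch target IP and port as a further egress rule.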
TIS+ components ports
The following ports and protocols are used by TIS+ components.
Cert manager
Port | Protocol | Description |
---|---|---|
10250 | HTTPS | Webhooks service port |
6080 | HTTP | Health checks |
Management plane
Port | Protocol | Description |
---|---|---|
Management plane operator tsb-operator-management-plane.tsb | ||
8383 | HTTP | Prometheus telemetry |
443 | HTTPS | Webhooks service port |
9443 | HTTPS | Webhook container port, forwarded from 443 |
TIS+ API server tsb.tsb | ||
8000 | HTTP | HTTP API |
9080 | GRPC | GRPC API |
42422 | HTTP | Prometheus telemetry |
9082 | HTTP | Health checks |
Open Telemetry otel-collector.tsb | ||
9090 | HTTP | Prometheus telemetry |
9091 | HTTP | Collector endpoint |
13133 | HTTP | Health checks |
TIS+ front-envoy envoy.tsb | ||
8443 | HTTP/GRPC | TSB HTTP and GRPC API port |
9443 | TCP | XCP port |
IAM iamserver.tsb | ||
8000 | HTTP | HTTP API |
9080 | GRPC | GRPC API |
42422 | HTTP | Prometheus telemetry |
9082 | HTTP | Health checks |
MPC mpc.tsb | ||
9080 | GRPC | GRPC API |
42422 | HTTP | Prometheus telemetry |
9082 | HTTP | Health checks |
OAP oap.tsb | ||
11800 | GRPC | GRPC API |
12800 | HTTP | REST API |
1234 | HTTP | Prometheus telemetry |
9411 | HTTP | Trace query |
9412 | HTTP | Trace collect |
TIS+ UI web.tsb | ||
8080 | HTTP | HTTP service port and health check |
XCP operator central xcp-operator-central.tsb | ||
8383 | HTTP | Prometheus telemetry |
443 | HTTPS | Webhooks service port |
XCP central central.tsb | ||
8090 | HTTP | Debug interface |
9080 | GRPC | GRPC API |
8080 | HTTP | Prometheus telemetry |
443 | HTTPS | Webhooks service port |
8443 | HTTPS | Webhook container port, forwarded from 443 |
Control plane
Port | Protocol | Description |
---|---|---|
Control plane operator tsb-operator-control-plane.istio-system | ||
8383 | HTTP | Prometheus telemetry |
443 | HTTPS | Webhooks service port |
9443 | HTTPS | Webhook container port, forwarded from 443 |
Open Telemetry otel-collector.tsb | ||
9090 | HTTP | Prometheus telemetry |
9091 | HTTP | Collector endpoint |
13133 | HTTP | Health checks |
OAP oap.istio-system | ||
11800 | GRPC | GRPC API |
12800 | HTTP | REST API |
1234 | HTTP | Prometheus telemetry |
15021 | HTTP | Envoy sidecar health check |
15020 | HTTP | Envoy sidecar Merged Prometheus telemetry from Istio agent, Envoy, and application |
9411 | HTTP | Trace query |
9412 | HTTP | Trace collect |
XCP operator edge xcp-operator-edge.istio-system | ||
8383 | HTTP | Prometheus telemetry |
443 | HTTPS | Webhooks service port |
XCP edge edge.istio-system | ||
8090 | HTTP | Debug interface |
9080 | GRPC | GRPC API |
8080 | HTTP | Prometheus telemetry |
443 | HTTPS | Webhooks service port |
8443 | HTTPS | Webhook container port, forwarded from 443 |
Sidecars
Refer to Ports used by Istio for the list of ports and protocols used by the Istio sidecar proxy (Envoy).