Firewall Information
If your environment has strict network policies that prevent any unauthorized communication between two namespaces, you may need to add one or more exceptions to your network policies to allow communication between the sidecars and the local Istio control plane, as well as between the local Istio control plane and the TSB management plane. The following information can be used to derive the appropriate set of firewall rules. The default port for the TSB management plane is 8443.
1. Between Istio and TSB
Source | Destination |
---|---|
tsbd.istio-system | TSB Load Balancer IP, port 8443 |
oap.istio-system | TSB Load Balancer IP, port 8443 |
oap.istio-system, istio-tracing-service.istio-system | TSB Load Balancer IP, port 8443 (this is for Elasticsearch; if the Elasticsearch server is external, change the IP and port accordingly) |
2. Between Sidecars and Istio Control Plane
Source | Destination |
---|---|
Sidecars or load balancers in any application namespace, or a shared load balancer in any namespace, accessing the Istio Pilot xDS server | istio-pilot.istio-system, port 15011 |
Sidecars or load balancers in any application namespace, or a shared load balancer in any namespace, accessing the SkyWalking OAP metrics server | oap.istio-system, port 11800 |
Sidecars or load balancers in any application namespace, or a shared load balancer in any namespace, accessing the Zipkin server | zipkin.istio-system, port 9411 |
Node agent or sidecar on a VM in any namespace, accessing the VM gateway | vmgateway-istio-system, ports 15011, 11800, 9411, 8060, 15443 |
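As an added example (not from the TSB documentation), a Kubernetes NetworkPolicy that grants the pods, and therefore the sidecars, of one application namespace the egress exceptions listed in the table above, plus the cluster DNS access needed to resolve the istio-system service names; the namespace name bookinfo and the use of the `kubernetes.io/metadata.name` namespace label (set automatically on Kubernetes 1.21 and later) are assumptions.

```yaml
# Added example, not TSB's own configuration. Requires a CNI that enforces
# NetworkPolicy (Calico, Cilium, ...). On clusters older than Kubernetes 1.21,
# label the kube-system and istio-system namespaces manually with the
# kubernetes.io/metadata.name key used below.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: allow-sidecar-to-istio-control-plane
  namespace: bookinfo          # assumed application namespace
spec:
  podSelector: {}              # every pod (and so every sidecar) in the namespace
  policyTypes:
    - Egress
  egress:
    # Cluster DNS: sidecars look up istio-pilot.istio-system and friends by name
    - to:
        - namespaceSelector:
            matchLabels:
              kubernetes.io/metadata.name: kube-system
      ports:
        - protocol: UDP
          port: 53
        - protocol: TCP
          port: 53
    # Istio control plane destinations from table 2
    - to:
        - namespaceSelector:
            matchLabels:
              kubernetes.io/metadata.name: istio-system
      ports:
        - protocol: TCP
          port: 15011          # istio-pilot xDS server
        - protocol: TCP
          port: 11800          # oap (SkyWalking OAP metrics)
        - protocol: TCP
          port: 9411           # zipkin
```

Because the policy selects every pod and lists only Egress rules, it denies all other outbound traffic from the namespace, so application-to-application and shared-load-balancer flows need their own rules.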
3. Between the Kubernetes Gateway Serving VM Workload Traffic and the VM Workload Application
Source | Destination |
---|---|
tcc-gateway serving VM workload traffic, e.g. tcc-gateway-vmns.vmns | VM workload, with or without a sidecar, e.g. ec2-34-242-9-229.us-west-2.compute.amazonaws.com |
Shared Load Balancers
If you are using a shared load balancer, the load balancer's Envoy must be able to reach all attached applications and their services. Since those applications and their ports are not known in advance, we cannot provide a definitive list of ports to open in the firewall.