
Firewall Information

If your environment has strict network policies that prevent any unauthorized communication between two namespaces, you may need to add one or more exceptions to your network policies to allow communication between the sidecars and the local Istio Control Plane, as well as between the local Istio Control Plane and the TSB management plane.

The following information can be used to derive the appropriate set of firewall rules.

Communication between TSB, Control Plane and Workloads

Between Istio and TSB

TSB Load Balancer port

The TSB Load Balancer (also known as front-envoy) listens on port 8443 by default. This port is user-configurable; for example, it can be changed to 443. If the default port is changed, every component that communicates via front-envoy must be adjusted to match the user-defined front-envoy port.

Source                          Destination
------------------------------  ------------------------------------------------------------------
xcp-edge.istio-system           TSB Load Balancer IP, port 9443
oap.istio-system                TSB Load Balancer IP, port 8443 or user-defined front-envoy port
otel-collector.istio-system     TSB Load Balancer IP, port 8443 or user-defined front-envoy port
oap.istio-system                Elasticsearch target IP and port
                                (If using the demo deployment of Elasticsearch, or using front-envoy
                                as the Elasticsearch proxy, change this to TSB Load Balancer IP,
                                port 8443 or user-defined front-envoy port)

Between Sidecars on k8s and Istio Control Plane

Source                                                              Destination
------------------------------------------------------------------  --------------------------------
Sidecars or load balancers in any application namespace, or a       istiod.istio-system, port 15012
shared load balancer in any namespace, to access the Istio Pilot
xDS server
Sidecars or load balancers in any application namespace, or a       oap.istio-system, port 11800
shared load balancer in any namespace, to access the SkyWalking
OAP metrics server
Sidecars or load balancers in any application namespace, or a       oap.istio-system, port 9411
shared load balancer in any namespace, to access the SkyWalking
OAP trace server
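As an added example (not part of the TSB documentation), the following Kubernetes NetworkPolicy objects express the three sidecar-to-control-plane flows above as ingress exceptions in istio-system. The pod labels app=istiod and app=oap are assumptions; confirm the real labels in your cluster before applying.

```yaml
# Added example, not from the TSB docs. Admits only the flows listed in the
# table above into istiod and OAP from any namespace; all other ingress to
# those pods is denied once a default-deny policy exists in istio-system.
# Assumption: pods are labelled app=istiod and app=oap (check with
# `kubectl -n istio-system get pods --show-labels`).
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: allow-sidecars-to-istiod
  namespace: istio-system
spec:
  podSelector:
    matchLabels:
      app: istiod
  policyTypes: ["Ingress"]
  ingress:
    - from:
        - namespaceSelector: {}   # any namespace: application sidecars and gateways
      ports:
        - protocol: TCP
          port: 15012             # Istio Pilot xDS server (TLS/mTLS)
---
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: allow-sidecars-to-oap
  namespace: istio-system
spec:
  podSelector:
    matchLabels:
      app: oap
  policyTypes: ["Ingress"]
  ingress:
    - from:
        - namespaceSelector: {}   # any namespace: application sidecars and gateways
      ports:
        - protocol: TCP
          port: 11800             # SkyWalking OAP metrics server
        - protocol: TCP
          port: 9411              # SkyWalking OAP trace server
```

These policies only take effect on the pods they select; pair them with a default-deny ingress policy in istio-system if you want traffic to unlisted ports blocked.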

Between Sidecars on VMs and Istio Control Plane

Source                                               Destination
---------------------------------------------------  -----------------------------------------------------
Sidecars on VMs, to access the Istio Pilot xDS       VM Gateway (vmgateway.istio-system) Load Balancer IP,
server and the SkyWalking OAP metrics and trace      port 15443
servers

Between Sidecars on VMs and workloads on k8s

Source                                    Destination
----------------------------------------  --------------------------------------------------------
Sidecars on VMs, to access workloads      Either k8s pods directly, or the VM Gateway
on k8s                                    (vmgateway.istio-system) Load Balancer IP, port 15443

Between workloads on k8s and Sidecars on VMs

Source                                    Destination
----------------------------------------  -----------
k8s pods, to access workloads on VMs      VM IP

Between workloads in cluster A and workloads in cluster B

Source                          Destination
------------------------------  --------------------------------------------------------------
k8s pods or VMs (cluster A)     per-Service Gateway Load Balancer IP, port 15443 (cluster B)
k8s pods or VMs (cluster B)     per-Service Gateway Load Balancer IP, port 15443 (cluster A)

Shared Load Balancers

If you are using a shared load balancer, the load balancer's Envoy must be able to reach all attached applications and their services. Since those applications and ports are not known in advance, we cannot give a definitive list of the ports to open in a firewall; derive it from the services that are actually attached to the shared load balancer.

TSB components ports

The following are the ports and protocols used by TSB components.

Cert manager

Port    Protocol    Description
------  ----------  ----------------------
10250   HTTPS       Webhooks service port
6080    HTTP        Health checks

Management plane

Port    Protocol    Description
------  ----------  -----------------------------------------------
Management plane operator (tsb-operator-management-plane.tsb)
8383    HTTP        Prometheus telemetry
443     HTTPS       Webhooks service port
9443    HTTPS       Webhook container port, forwarded from 443
TSB API server (tsb.tsb)
8000    HTTP        HTTP API
9080    GRPC        GRPC API
42422   HTTP        Prometheus telemetry
9082    HTTP        Health checks
Open Telemetry (otel-collector.tsb)
9090    HTTP        Prometheus telemetry
9091    HTTP        Collector endpoint
13133   HTTP        Health checks
TSB front-envoy (envoy.tsb)
8443    HTTP/GRPC   TSB HTTP and GRPC API port
9443    TCP         XCP port
IAM (iamserver.tsb)
8000    HTTP        HTTP API
9080    GRPC        GRPC API
42422   HTTP        Prometheus telemetry
9082    HTTP        Health checks
MPC (mpc.tsb)
9080    GRPC        GRPC API
42422   HTTP        Prometheus telemetry
9082    HTTP        Health checks
OAP (oap.tsb)
11800   GRPC        GRPC API
12800   HTTP        REST API
1234    HTTP        Prometheus telemetry
9411    HTTP        Trace query
9412    HTTP        Trace collect
TSB UI (web.tsb)
8080    HTTP        HTTP service port and health check
XCP operator central (xcp-operator-central.tsb)
8383    HTTP        Prometheus telemetry
443     HTTPS       Webhooks service port
XCP central (central.tsb)
8090    HTTP        Debug interface
9080    GRPC        GRPC API
8080    HTTP        Prometheus telemetry
443     HTTPS       Webhooks service port
8443    HTTPS       Webhook container port, forwarded from 443

Control plane

Port    Protocol    Description
------  ----------  ----------------------------------------------------------------------------
Control plane operator (tsb-operator-control-plane.istio-system)
8383    HTTP        Prometheus telemetry
443     HTTPS       Webhooks service port
9443    HTTPS       Webhook container port, forwarded from 443
Open Telemetry (otel-collector.tsb)
9090    HTTP        Prometheus telemetry
9091    HTTP        Collector endpoint
13133   HTTP        Health checks
OAP (oap.istio-system)
11800   GRPC        GRPC API
12800   HTTP        REST API
1234    HTTP        Prometheus telemetry
15021   HTTP        Envoy sidecar health check
15020   HTTP        Envoy sidecar merged Prometheus telemetry from Istio agent, Envoy, and application
9411    HTTP        Trace query
9412    HTTP        Trace collect
Istio operator (istio-operator.istio-system)
443     HTTPS       Webhooks service port
8383    HTTP        Prometheus telemetry
Istiod (istiod.istio-system)
443     HTTPS       Webhooks service port
8080    HTTP        Debug interface
15010   GRPC        XDS and CA services (plaintext, only for secure networks)
15012   GRPC        XDS and CA services (TLS and mTLS, recommended for production use)
15014   HTTP        Control plane monitoring
15017   HTTPS       Webhook container port, forwarded from 443
XCP operator central (xcp-operator-edge.istio-system)
8383    HTTP        Prometheus telemetry
443     HTTPS       Webhooks service port
XCP central (edge.istio-system)
8090    HTTP        Debug interface
9080    GRPC        GRPC API
8080    HTTP        Prometheus telemetry
443     HTTPS       Webhooks service port
8443    HTTPS       Webhook container port, forwarded from 443
Onboarding operator (onboarding-operator.istio-system)
443     HTTPS       Webhooks service port
9443    HTTPS       Webhook container port, forwarded from 443
9082    HTTP        Health checks
Onboarding repository (onboarding-repository.istio-system)
8080    HTTP        HTTP service port
9082    HTTP        Health checks
Onboarding plane (onboarding-plane.istio-system)
8443    HTTP        Onboarding API
9082    HTTP        Health checks
VM Gateway (vmgateway.istio-system)
15021   HTTP        Health checks
15012   HTTP        Istiod
11800   HTTP        OAP metrics
9411    HTTP        Tracing
15443   HTTPS       mTLS traffic port
443     HTTPS       HTTPS port

Data plane

Port    Protocol    Description
------  ----------  ----------------------------------------------------------------------
Data plane operator (tsb-operator-data-plane.istio-gateway)
8383    HTTP        Prometheus telemetry
443     HTTPS       Webhooks service port
9443    HTTPS       Webhook container port, forwarded from 443
Istio operator (istio-operator.istio-gateway)
443     HTTPS       Webhooks service port
8383    HTTP        Prometheus telemetry
Istiod (istiod.istio-gateway)
443     HTTPS       Webhooks service port
8080    HTTP        Debug interface
15010   GRPC        XDS and CA services (plaintext, only for secure networks)
15012   GRPC        XDS and CA services (TLS and mTLS, recommended for production use)
15014   HTTP        Control plane monitoring
15017   HTTPS       Webhook container port, forwarded from 443

Sidecars

Refer to "Ports used by Istio" in the Istio documentation for the list of ports and protocols used by the Istio sidecar proxy (Envoy).