Remote Collector Ports

  • All nodes refer to a single remote cluster.

  • The port refers to the destination node.

  • All node-to-node traffic within the cluster and all central-remote cluster connectivity is encrypted.

For more information, see TOS Aurora Architecture.

| Source | Destination | Service / Port | Description |
|---|---|---|---|
| Administrator's PC | Any node (physical IP) | SSH <TCP 22> | Mandatory. Used for system maintenance. |
| Any node (physical IP) | Any node (physical IP) | TCP <TCP 7472> | Required for all deployments except Azure/AWS/GCP. Used by MetalLB speaker. |
| Any node (physical IP) | Any node (physical IP) | UDP <UDP 323> | Mandatory. Used for Chrony. |
| Any node (physical IP) | DNS Server | DNS <UDP 53> | Mandatory. Used for domain lookups. |
| Any node (physical IP) | NTP Server | NTP <UDP 123> | Required if NTP is used for network time synchronization. |
| Any node (physical IP) | Syslog Server | Syslog <UDP 514> (default) or alternative port as configured | Required if you configure notifications via syslog. |
| Administrator's PC | RMM interfaces on all Tufin Appliances | Web GUI <TCP 80> or <TCP 443> (SSL certificate upload available); Unencrypted: KVM <TCP 7578>, CDROM <TCP 5120>, USB <TCP 5123>; Encrypted (AES/RC4/Stunnel): KVM <TCP 7582>, CDROM <TCP 5124>, USB <TCP 5127> | Required for Tufin appliances only. Used for remote management module (RMM) network card address. See also: Configuring RMM for Gen 4, Configuring RMM for Gen 3.5. |
| Any node (physical IP) | Any node (physical IP) | UDP 51820 | Mandatory. K3s server and agent nodes; required by WireGuard. |
| Any node (physical IP) | Any node (physical IP) | HTTPS <TCP 2379-2381> | Mandatory. Etcd server communication. |
| Any node (physical IP) | Any node (physical IP) | HTTPS <TCP 6443-6444> | Mandatory. Kubernetes API Server. |
| Any node (physical IP) | Any node (physical IP) | Application Specific <TCP/UDP 30000-32767> | Mandatory. Kubernetes internal service range. |
| Any node (physical IP) | Any node (physical IP) | HTTPS <TCP 10248-10252, 10255, 10256> | Mandatory. Kubernetes components. |
| Any node (physical IP) | Any node (physical IP) | HTTPS <TCP 32500> | Mandatory. Docker registry. |
| Any node (physical IP) | Any node (physical IP) | HTTPS <TCP 9100> | Mandatory. Kubernetes node-exporter. |
| Any node (physical IP) | Any node (physical IP) | HTTPS <TCP 8080> | Required for adding and removing nodes from the cluster. |
| Remote Collector cluster nodes network IPs | Central Cluster primary VIP | HTTPS <TCP 443, 8443, 61617, 8422, 9090>; for high availability, additionally: HTTPS <TCP 8423, 8424> | Required for connecting remote collector clusters. Allows central cluster to receive data from remote collector cluster. |
| Remote Collector cluster nodes network IPs | External Load balancer VIP; Any node (physical IP) | HTTPS <TCP 31443, 31617, 31843, 31422, 31090>; for high availability, additionally: HTTPS <TCP 31423, 31424> | Required for connecting remote collector clusters. Allows central cluster to receive data from remote collector cluster. For a Central Cluster deployed on the cloud. |
| All Central Cluster Nodes Network IPs | Remote collector cluster Primary VIP | HTTPS <TCP 8443> | Mandatory. Required for remote collector clusters. Allows remote collector cluster to receive data from central cluster. |
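
One way to check a node against this table, as an added example that is not Tufin's code: it parses the Service / Port notation used above and reports listening sockets from `ss -tuln` that no listed row covers. The choice of rows treated as inbound to a remote collector node, the function names and the sample socket list are assumptions made for the example.

```python
import re

# Service/Port cells for traffic arriving at a remote collector node
# (assumption: the SSH, node-to-node and TCP 8443 rows of the table above).
INBOUND_CELLS = [
    "SSH <TCP 22>", "TCP <TCP 7472>", "UDP <UDP 323>", "UDP 51820",
    "HTTPS <TCP 2379-2381>", "HTTPS <TCP 6443-6444>", "HTTPS <TCP 32500>",
    "Application Specific <TCP/UDP 30000-32767>", "HTTPS <TCP 9100>",
    "HTTPS <TCP 10248-10252,10255, 10256>", "HTTPS <TCP 8080>",
    "HTTPS <TCP 8443>",
]
SPEC = re.compile(r"\b(TCP/UDP|TCP|UDP)\s+(\d[\d\s,-]*)")

def parse_cell(cell):
    """Expand one Service/Port cell into {(proto, low, high), ...}."""
    ranges = set()
    for protos, ports in SPEC.findall(cell):
        for item in filter(None, (p.strip() for p in ports.split(","))):
            low, _, high = item.partition("-")
            for proto in protos.lower().split("/"):
                ranges.add((proto, int(low), int(high or low)))
    return ranges

def parse_ss(output):
    """Yield (proto, port) for non-loopback sockets in `ss -tuln` output."""
    for line in output.splitlines():
        fields = line.split()
        if len(fields) >= 5 and fields[0] in ("tcp", "udp"):
            addr, _, port = fields[4].rpartition(":")
            if not addr.startswith(("127.", "[::1]")):
                yield fields[0], int(port)

def undocumented_listeners(ss_output, cells=INBOUND_CELLS):
    """Return sorted listeners that no documented port range covers."""
    allowed = set().union(*map(parse_cell, cells))
    return sorted({s for s in parse_ss(ss_output) if not any(
        p == s[0] and lo <= s[1] <= hi for p, lo, hi in allowed)})

# Constructed sample shaped like `ss -tuln` output (header omitted).
SAMPLE_SS = """\
tcp   LISTEN 0      128    0.0.0.0:22         0.0.0.0:*
udp   UNCONN 0      0      0.0.0.0:51820      0.0.0.0:*
udp   UNCONN 0      0      0.0.0.0:30001      0.0.0.0:*
tcp   LISTEN 0      4096   *:10253            *:*
tcp   LISTEN 0      128    127.0.0.1:5432     0.0.0.0:*
tcp   LISTEN 0      80     0.0.0.0:3306       0.0.0.0:*
"""

if __name__ == "__main__":
    print(undocumented_listeners(SAMPLE_SS))
```

A port reported here is either a service the table does not account for or one that should be bound to loopback; TCP 10253 in the sample shows why the gap between 10252 and 10255 matters when the range is turned into firewall rules.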