Version 1.6. This version is no longer supported. For information about how to upgrade to version 1.7, see Upgrading Anthos on bare metal in the 1.7 documentation. For more information about supported and unsupported versions, see the Version history page in the latest documentation.

Network requirements

External network requirements

Google Distributed Cloud requires an internet connection for operational purposes. Google Distributed Cloud retrieves cluster components from Container Registry and the cluster is registered with Connect.

You can connect to Google using the public internet (with HTTPS), through a Virtual Private Network (VPN), or through a Dedicated Interconnect.

Internal network requirements

Google Distributed Cloud can work with L2 or L3 connectivity between cluster nodes and requires load balancer nodes be in the same L2 domain. The load balancer nodes can be the control plane nodes or a dedicated set of nodes. See Choosing and configuring load balancers for configuration information.

The L2 network requirement applies whether you run the load balancer on the control plane node pool or in a dedicated set of nodes.

The requirements for load balancer machines are:

All load balancers for a given cluster are in the same L2 domain.
All VIPs must be in the load balancer machine subnet and routable to the gateway of the subnet.
Users are responsible to allow ingress load balancer traffic.

Single user cluster deployment with high availability

The following diagram illustrates a number of key networking concepts for Google Distributed Cloud in one possible network configuration.

Google Distributed Cloud typical network configuration

The control plane nodes run load balancers, and they are all on the same L2 network, while other connections, including worker nodes, only require L3 connectivity.
Configuration files define IP addresses for worker node pools, as well as virtual IP addresses for Services, for ingress and for control plane (Kubernetes API) access.
A connection to Google Cloud is also required.

Port usage

This section shows how UDP and TCP ports are used on cluster and load balancer nodes.

Master nodes

Protocol	Direction	Port range	Purpose	Used by
UDP	Inbound	6081	GENEVE Encapsulation	Self
TCP	Inbound	22	Provisioning and updates of admin cluster nodes	Admin workstation
TCP	Inbound	443	Cluster management	Admin cluster nodes
TCP	Inbound	6443	Kubernetes API server	All
TCP	Inbound	6444	Control plane HA	All
TCP	Inbound	2379 - 2380	etcd server client API	kube-apiserver, etcd
TCP	Inbound	10250	kubelet API	Self, Control plane
TCP	Inbound	10251	kube-scheduler	Self
TCP	Inbound	10252	kube-controller-manager	Self
TCP	Both	4240	CNI health check	All

Worker nodes

Protocol	Direction	Port range	Purpose	Used by
TCP	Inbound	22	Provisioning and updates of user cluster nodes	Admin cluster nodes
UDP	Inbound	6081	GENEVE Encapsulation	Self
TCP	Inbound	10250	kubelet API	Self, Control plane
TCP	Inbound	30000 - 32767	NodePort Services	Self
TCP	Both	4240	CNI health check	All

Load balancer nodes

Protocol	Direction	Port range	Purpose	Used by
UDP	Inbound	6081	GENEVE Encapsulation	Self
TCP	Inbound	6444	Kubernetes API server	All
TCP	Both	4240	CNI health check	All
TCP	Inbound	7946	Metal LB health check	LB nodes
UDP	Inbound	7946	Metal LB health check	LB nodes