Allowlisting addresses for your proxy
If your organization requires outbound traffic to pass through a proxy server, allowlist the following addresses in your proxy server:
- gcr.io
- googleapis.com
- www.googleapis.com
- storage.googleapis.com
- gkeconnect.googleapis.com
- cloudresourcemanager.googleapis.com
- container.googleapis.com
- serviceusage.googleapis.com
- gkehub.googleapis.com
- logging.googleapis.com
- monitoring.googleapis.com
- oauth2.googleapis.com
- console.cloud.google.com
- accounts.google.com
- iam.googleapis.com
- cloud.google.com
- checkpoint-api.hashicorp.com
- releases.hashicorp.com
Also, if your vCenter Server has an external IP address, allowlist its address in your proxy server.
Firewall rules
Set up your firewall rules to allow the following traffic:
From |
To |
Port |
Protocol |
Description |
---|---|---|---|---|
Admin cluster control plane node |
vCenter Server API |
443 |
TCP/https |
Cluster resizing. |
User cluster control plane node |
vCenter Server API |
443 |
TCP/https |
Cluster resizing. |
Cloud Logging Collector, which runs on an admin cluster add-on node |
oauth2.googleapis.com logging.googleapis.com stackdriver.googleapis.com servicecontrol.googleapis.com |
443 |
TCP/https |
|
Cloud Monitoring Collector, which runs on an admin cluster add-on node |
oauth2.googleapis.com Monitoring.googleapis.com stackdriver.googleapis.com servicecontrol.googleapis.com |
443 |
TCP/https |
|
Admin cluster control plane node |
F5 BIG-IP API |
443 |
TCP/https |
|
User cluster control plane node |
F5 BIG-IP API |
443 |
TCP/https |
|
Admin cluster control plane node |
On-prem local Docker registry |
Depends on your registry |
TCP/https |
Required if GKE on-prem is configured to use a local private Docker registry instead of gcr.io. |
User cluster control plane node |
On-prem local Docker registry |
Depends on your registry |
TCP/https |
Required if GKE on-prem is configured to use a local private Docker registry instead of gcr.io. |
Admin cluster control plane node |
gcr.io quay.io *.googleusercontent.com *.googleapis.com *.docker.io *.k8s.io |
443 |
TCP/https |
Download images from public Docker registries. Not required if using a private Docker registry. |
User cluster control plane node |
gcr.io quay.io *.googleusercontent.com *.googleapis.com *.docker.io *.k8s.io |
443 |
TCP/https |
Download images from public Docker registries. Not required if using a private Docker registry. |
Admin cluster worker nodes |
Admin cluster worker nodes |
All |
179 - bgp 443 - https 5473 - Calico/Typha 9443 - Envoy metrics 10250 - kubelet node port |
All worker nodes must be layer-2 adjacent and without any firewall. |
Admin cluster worker nodes |
User cluster nodes |
22 |
ssh |
API server to kubelet communication over an SSH tunnel. |
User cluster worker nodes |
Admin workstation Docker registry |
|||
User cluster worker nodes |
gcr.io quay.io *.googleusercontent.com *.googleapis.com *.docker.io *.k8s.io |
443 |
TCP/https |
Download images from public Docker registries. Not required if using a private Docker registry. |
User cluster worker nodes |
F5 BIG-IP API |
443 |
TCP/https |
|
User cluster worker nodes |
VIP of the pushprox server, which runs in the Admin cluster. |
8443 |
TCP/https |
Prometheus traffic. |
User cluster worker nodes |
User cluster worker nodes |
all |
22 - ssh 179 - bgp 443 - https 5473 - calico-typha 9443 - envoy metrics 10250 - kubelet node port" |
All worker nodes must be layer-2 adjacent and without any firewall. |
Admin cluster pod CIDR |
Admin cluster pod CIDR |
all |
any |
Inter-pod traffic does L2 forwarding directly with pod CIDR. No overlay. |
Admin cluster nodes |
Admin cluster pod CIDR |
all |
any |
External traffic get SNATted on the first node and sent to pod IP. |
Admin cluster pod CIDR |
Admin cluster nodes |
all |
any |
Return traffic of external traffic. |
User cluster pod CIDR |
User cluster pod CIDR |
all |
any |
Inter-pod traffic does L2 forwarding directly with pod CIDR. No overlay. |
User cluster nodes |
User cluster pod CIDR |
all |
any |
External traffic get SNATted on the first node and sent to pod IP. |
User cluster pod CIDR |
User cluster nodes |
all |
any |
Return traffic of external traffic. |
Connect Agent, which runs on a random user cluster worker node. |
gkeconnect.googleapis.com gkehub.googleapis.com www.googleapis.com oauth2.googleapis.com accounts.google.com |
443 |
TCP/https |
Connect traffic. |
Cloud Logging Collector, which runs on a random user cluster worker node |
oauth2.googleapis.com logging.googleapis.com stackdriver.googleapis.com servicecontrol.googleapis.com |
443 |
TCP/https |
|
Cloud Monitoring Collector, which runs on a random user cluster worker node |
oauth2.googleapis.com Monitoring.googleapis.com stackdriver.googleapis.com servicecontrol.googleapis.com |
443 |
TCP/https |
|
Clients an application end users |
VIP of Istio ingress |
80, 443 |
TCP |
End user traffic to the ingress service of a user cluster. |
Jump server to deploy the admin workstation |
checkpoint-api.hashicorp.com releases.hashicorp.com vCenter Server API ESXi VMkernel (mgt) IPs of hosts in target cluster |
443 |
TCP/https |
Terraform deployment of the admin workstation. |
Admin workstation |
gcr.io quay.io *.googleusercontent.com *.googleapis.com *.docker.io *.k8s.io" |
443 |
TCP/https |
Download Docker images from public Docker registries. |
Admin workstation |
vCenter Server API F5 BIG-IP API |
443 |
TCP/https |
Cluster bootstrapping |
Admin workstation |
ESXi VMkernel (mgt) IPs of hosts in target cluster |
443 |
TCP/https |
The admin workstation uploads the OVA to the datastore through the ESXi hosts |
Admin workstation |
Node IP of Admin Cluster Control Plane VM |
443 |
TCP/https |
Cluster bootstrapping |
Admin workstation |
VIP of the admin cluster's Kubernetes API server VIPs of user clusters' Kubernetes API servers |
443 |
TCP/https |
Cluster bootstrapping User cluster deletion |
Admin workstation |
Admin cluster control plane node and worker nodes |
443 |
TCP/https |
Cluster bootstrapping Control plane upgrades |
Admin workstation |
All admin cluster nodes and all user cluster nodes |
443 |
TCP/https |
Network validation as part of the |
Admin workstation |
VIP of the admin cluster's Istio ingress VIP of user clusters' Istio ingress |
443 |
TCP/https |
Network validation as part of the |
F5 Self-IP |
All admin and all user cluster nodes |
30000 - 32767 |
any |
For the data plane traffic that F5 BIG-IP load balances via a virtual server VIP to the node ports on the Kubernetes cluster nodes. Typically the F5 self-ip is on the same network/subnet as the Kubernetes cluster nodes. |