Allowlisting addresses for your proxy
If your organization requires outbound traffic to pass through a proxy server, allowlist the following addresses in your proxy server:
- gcr.io
- googleapis.com
- www.googleapis.com
- accounts.google.com
- cloudresourcemanager.googleapis.com
- container.googleapis.com
- gkeconnect.googleapis.com
- gkehub.googleapis.com
- iam.googleapis.com
- logging.googleapis.com
- monitoring.googleapis.com
- oauth2.googleapis.com
- servicecontrol.googleapis.com
- serviceusage.googleapis.com
- storage.googleapis.com
- checkpoint-api.hashicorp.com
- releases.hashicorp.com
If you use gkeadm to install GKE on-prem, you don't need to allowlist the HashiCorp URLs above.
Also, if your vCenter Server has an external IP address, allowlist its address in your proxy server.
Firewall rules
Set up your firewall rules to allow the following traffic:
From | To | Port | Protocol | Description
---|---|---|---|---
Admin cluster control plane node | vCenter Server API | 443 | TCP/https | Cluster resizing.
User cluster control plane node | vCenter Server API | 443 | TCP/https | Cluster resizing.
Cloud Logging Collector, which runs on an admin cluster add-on node | oauth2.googleapis.com, logging.googleapis.com, stackdriver.googleapis.com, servicecontrol.googleapis.com | 443 | TCP/https |
Cloud Monitoring Collector, which runs on an admin cluster add-on node | oauth2.googleapis.com, monitoring.googleapis.com, stackdriver.googleapis.com, servicecontrol.googleapis.com | 443 | TCP/https |
Admin cluster control plane node | F5 BIG-IP API | 443 | TCP/https |
User cluster control plane node | F5 BIG-IP API | 443 | TCP/https |
Admin cluster control plane node | On-premises local Docker registry | Depends on your registry | TCP/https | Required if GKE on-prem is configured to use a local private Docker registry instead of gcr.io.
User cluster control plane node | On-premises local Docker registry | Depends on your registry | TCP/https | Required if GKE on-prem is configured to use a local private Docker registry instead of gcr.io.
Admin cluster control plane node | gcr.io, *.googleusercontent.com, *.googleapis.com, *.k8s.io | 443 | TCP/https | Download images from public Docker registries. Not required if using a private Docker registry.
User cluster control plane node | gcr.io, *.googleusercontent.com, *.googleapis.com, *.k8s.io | 443 | TCP/https | Download images from public Docker registries. Not required if using a private Docker registry.
Admin cluster worker nodes | Admin cluster worker nodes | All | 179 (BGP), 443 (HTTPS), 5473 (Calico/Typha), 9443 (Envoy metrics), 10250 (kubelet node port) | All worker nodes must be layer-2 adjacent and without any firewall.
Admin cluster worker nodes | User cluster nodes | 22 | ssh | API server to kubelet communication over an SSH tunnel.
User cluster worker nodes | Admin workstation Docker registry | | |
User cluster worker nodes | gcr.io, *.googleusercontent.com, *.googleapis.com, *.k8s.io | 443 | TCP/https | Download images from public Docker registries. Not required if using a private Docker registry.
User cluster worker nodes | F5 BIG-IP API | 443 | TCP/https |
User cluster worker nodes | VIP of the pushprox server, which runs in the admin cluster | 8443 | TCP/https | Prometheus traffic.
User cluster worker nodes | User cluster worker nodes | All | 22 (ssh), 179 (BGP), 443 (HTTPS), 5473 (Calico/Typha), 9443 (Envoy metrics), 10250 (kubelet node port) | All worker nodes must be layer-2 adjacent and without any firewall.
Admin cluster pod CIDR | Admin cluster pod CIDR | All | any | Inter-pod traffic does L2 forwarding directly with the pod CIDR. No overlay.
Admin cluster nodes | Admin cluster pod CIDR | All | any | External traffic gets SNATed on the first node and sent to the pod IP.
Admin cluster pod CIDR | Admin cluster nodes | All | any | Return traffic of external traffic.
User cluster pod CIDR | User cluster pod CIDR | All | any | Inter-pod traffic does L2 forwarding directly with the pod CIDR. No overlay.
User cluster nodes | User cluster pod CIDR | All | any | External traffic gets SNATed on the first node and sent to the pod IP.
User cluster pod CIDR | User cluster nodes | All | any | Return traffic of external traffic.
Connect Agent, which runs on a random user cluster worker node | gkeconnect.googleapis.com, gkehub.googleapis.com, www.googleapis.com, oauth2.googleapis.com, accounts.google.com | 443 | TCP/https | Connect traffic.
Cloud Logging Collector, which runs on a random user cluster worker node | oauth2.googleapis.com, logging.googleapis.com, stackdriver.googleapis.com, servicecontrol.googleapis.com | 443 | TCP/https |
Cloud Monitoring Collector, which runs on a random user cluster worker node | oauth2.googleapis.com, monitoring.googleapis.com, stackdriver.googleapis.com, servicecontrol.googleapis.com | 443 | TCP/https |
Clients and application end users | VIP of Istio ingress | 80, 443 | TCP | End user traffic to the ingress service of a user cluster.
Jump server to deploy the admin workstation | checkpoint-api.hashicorp.com, releases.hashicorp.com, vCenter Server API, ESXi VMkernel (mgt) IPs of hosts in target cluster | 443 | TCP/https | Terraform deployment of the admin workstation.
Admin workstation | gcr.io, *.googleusercontent.com, *.googleapis.com, *.k8s.io | 443 | TCP/https | Download Docker images from public Docker registries.
Admin workstation | vCenter Server API, F5 BIG-IP API | 443 | TCP/https | Cluster bootstrapping.
Admin workstation | ESXi VMkernel (mgt) IPs of hosts in target cluster | 443 | TCP/https | The admin workstation uploads the OVA to the datastore through the ESXi hosts.
Admin workstation | Node IP of the admin cluster control plane VM | 443 | TCP/https | Cluster bootstrapping.
Admin workstation | VIP of the admin cluster's Kubernetes API server; VIPs of user clusters' Kubernetes API servers | 443 | TCP/https | Cluster bootstrapping; user cluster deletion.
Admin workstation | Admin cluster control plane node and worker nodes | 443 | TCP/https | Cluster bootstrapping; control plane upgrades.
Admin workstation | All admin cluster nodes and all user cluster nodes | 443 | TCP/https | Network validation as part of the
Admin workstation | VIP of the admin cluster's Istio ingress; VIPs of user clusters' Istio ingress | 443 | TCP/https | Network validation as part of the
Admin workstation | IPs of Seesaw LB VMs in both admin and user clusters; Seesaw LB VIPs of both admin and user clusters | 20256, 20258 | TCP/http/gRPC | Health check of LBs. Only needed if you are using Bundled LB Seesaw.
Admin workstation | Node IP of the admin cluster control plane | 22 | TCP | Required if you need SSH access from the admin workstation to the admin cluster control plane.
Admin cluster nodes | IPs of Seesaw LB VMs of the admin cluster | 20255, 20257 | TCP/http | LB config push and metrics monitoring. Only needed if you are using Bundled LB Seesaw.
User cluster nodes | IPs of Seesaw LB VMs of the user cluster | 20255, 20257 | TCP/http | LB config push and metrics monitoring. Only needed if you are using Bundled LB Seesaw.
LB VM IPs | Node IPs of the corresponding cluster | 10256 (node health check), 30000-32767 (healthCheckNodePort) | TCP/http | Node health check. healthCheckNodePort is for services with externalTrafficPolicy set to Local. Only needed if you are using Bundled LB Seesaw.
F5 Self-IP | All admin and all user cluster nodes | 30000-32767 | any | For the data plane traffic that F5 BIG-IP load balances via a virtual server VIP to the node ports on the Kubernetes cluster nodes. Typically the F5 self-IP is on the same network/subnet as the Kubernetes cluster nodes.
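Once the rules are in place, the quickest way to confirm them is a TCP connect from the source side of each row. The script below is an added example, not Google's tooling: it parses the three port-cell shapes used in the table (a single port, a comma list, and a range such as `30000 - 32767`), encodes a few admin-workstation rows, and attempts a connection with a short timeout so a blocked rule fails fast instead of hanging. The `*_PLACEHOLDER` destinations stand in for deployment-specific addresses (vCenter, Seesaw VIPs, control plane node IP) that are not on the page and must be filled in before those rows are probed; the script skips them until then.

```python
"""Reachability check for rows of the firewall table above.

Added example, not Google's tooling. Run it on the source host of the rules
it encodes (here: the admin workstation). It only attempts TCP handshakes to
the destinations and ports the table names; wide ranges are sampled at both
ends rather than swept, because this is a rule check, not a scan.
"""
import socket
from typing import Callable, Dict, List, NamedTuple, Tuple


class Rule(NamedTuple):
    src: str
    dst: str
    ports: str  # port cell exactly as written in the table
    desc: str


def parse_ports(spec: str) -> List[int]:
    """'443' -> [443]; '20256,20258' -> [20256, 20258]; '30000 - 32767' -> full range."""
    ports = set()
    for part in spec.split(","):
        part = part.strip()
        if not part:
            continue
        if "-" in part:
            lo_s, hi_s = part.split("-", 1)
            lo, hi = int(lo_s), int(hi_s)
            if not 1 <= lo <= hi <= 65535:
                raise ValueError(f"bad port range: {part!r}")
            ports.update(range(lo, hi + 1))
        else:
            p = int(part)
            if not 1 <= p <= 65535:
                raise ValueError(f"bad port: {part!r}")
            ports.add(p)
    return sorted(ports)


def tcp_probe(host: str, port: int, timeout: float = 3.0) -> bool:
    """True if a TCP handshake to host:port completes within the timeout."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


# Rows taken from the table above (admin workstation as source). The
# *_PLACEHOLDER destinations are hypothetical stand-ins for addresses that
# are specific to your deployment.
RULES: List[Rule] = [
    Rule("Admin workstation", "checkpoint-api.hashicorp.com", "443",
         "Terraform deployment of the admin workstation"),
    Rule("Admin workstation", "releases.hashicorp.com", "443",
         "Terraform deployment of the admin workstation"),
    Rule("Admin workstation", "VCENTER_SERVER_PLACEHOLDER", "443",
         "Cluster bootstrapping"),
    Rule("Admin workstation", "SEESAW_LB_VIP_PLACEHOLDER", "20256,20258",
         "Health check of LBs (Bundled LB Seesaw only)"),
    Rule("Admin workstation", "ADMIN_CP_NODE_IP_PLACEHOLDER", "22",
         "SSH access to the admin cluster control plane"),
]


def sample_ports(ports: List[int], limit: int = 16) -> List[int]:
    """Probe every port of a short list, but only the two ends of a wide range."""
    return ports if len(ports) <= limit else [ports[0], ports[-1]]


def check_rules(rules: List[Rule],
                probe: Callable[[str, int], bool] = tcp_probe
                ) -> Dict[Tuple[str, int], bool]:
    """Map (destination, port) -> reachable for every rule, skipping placeholders."""
    results: Dict[Tuple[str, int], bool] = {}
    for rule in rules:
        if rule.dst.endswith("_PLACEHOLDER"):
            continue  # fill in the real address before probing this row
        for port in sample_ports(parse_ports(rule.ports)):
            results[(rule.dst, port)] = probe(rule.dst, port)
    return results


if __name__ == "__main__":
    for (dst, port), reachable in check_rules(RULES).items():
        print(f"{dst}:{port} {'open' if reachable else 'BLOCKED'}")
```

A reachable port only proves the path is open, not that the service behind it is the intended one; pair this with the proxy allowlist check where traffic leaves through a proxy, since a proxied destination never completes a direct TCP handshake from the workstation.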