# Open ports on a private cluster

Last updated 2025-08-28 UTC.

> **Note:** This guide only supports Cloud Service Mesh with Istio APIs and does not support Google Cloud APIs. For more information, see [Cloud Service Mesh overview](/service-mesh/docs/overview).

If you are
[installing in-cluster Cloud Service Mesh](/service-mesh/docs/unified-install/install-anthos-service-mesh)
on a private cluster, you must open port 15017 in the firewall so that the
webhooks used with
[automatic sidecar injection](/service-mesh/docs/onboarding/kubernetes-workloads#inject_sidecar_proxies)
(auto-injection) and configuration validation work.

The following steps describe how to [add a firewall rule](/kubernetes-engine/docs/how-to/private-clusters#add_firewall_rules) to include the new ports that you want to open.

1. Find the source range (`master-ipv4-cidr`) and targets of the cluster. In the
   following command, replace `CLUSTER_NAME` with the name of your cluster:

   ```
   gcloud compute firewall-rules list \
     --filter 'name~gke-CLUSTER_NAME-[0-9a-z]*-master' \
     --format 'table(
       name,
       network,
       direction,
       sourceRanges.list():label=SRC_RANGES,
       allowed[].map().firewall_rule().list():label=ALLOW,
       targetTags.list():label=TARGET_TAGS
     )'
   ```

   The `SRC_RANGES` column of the output is the source range and the `TARGET_TAGS` column is the target.

2. Create the firewall rule. Choose from the following commands and replace
   `CLUSTER_NAME` with the name of the cluster that you used in the previous command.

   - To enable auto-injection, run the following command to
     open port 15017:

     ```
     gcloud compute firewall-rules create allow-api-server-to-webhook-CLUSTER_NAME \
       --action ALLOW \
       --direction INGRESS \
       --source-ranges CONTROL_PLANE_RANGE \
       --rules tcp:15017 \
       --target-tags TARGET
     ```

     Replace the following:

     - `CLUSTER_NAME`: the name of your cluster
     - `CONTROL_PLANE_RANGE`: the cluster control plane's IP address range (`masterIpv4CidrBlock`) that you collected previously.
     - `TARGET`: the target (`Targets`) value that you collected previously.

     > **Note:** To add a firewall rule for a Shared VPC, add the following flags to the command:
     >
     > ```
     > --project HOST_PROJECT_ID
     > --network NETWORK_ID
     > ```
     >
     > For more information on Shared VPC, see
     > [Setting up clusters with Shared VPC](/kubernetes-engine/docs/how-to/private-clusters#add_firewall_rules).

   - If you also want to enable the `istioctl version`
     and `istioctl ps` commands, run the following command to open ports
     15014 and 8080:

     ```
     gcloud compute firewall-rules create allow-debug-proxy-CLUSTER_NAME \
       --action ALLOW \
       --direction INGRESS \
       --source-ranges CONTROL_PLANE_RANGE \
       --rules tcp:15014,tcp:8080 \
       --target-tags TARGET
     ```

     Replace the following:

     - `CLUSTER_NAME`: the name of your cluster
     - `CONTROL_PLANE_RANGE`: the cluster control plane's IP address range (`masterIpv4CidrBlock`) that you collected previously.
     - `TARGET`: the target (`Targets`) value that you collected previously.

     > **Note:** To add a firewall rule for a Shared VPC, add the following flags to the command:
     >
     > ```
     > --project HOST_PROJECT_ID
     > --network NETWORK_ID
     > ```
     >
     > For more information on Shared VPC, see
     > [Setting up clusters with Shared VPC](/kubernetes-engine/docs/how-to/private-clusters#add_firewall_rules).