A Cloud Native Core Network Port Flows
Network Port Flows
- Cluster IP addresses are reachable outside of the cluster and are typically assigned via a Network Load Balancer
- Node IP addresses are reachable from the bastion host (and may be exposed outside of the cluster)
OC-CNE Port Flows
Table A-1 OC-CNE Port Flows
| Name | Server/Container | Ingress Port ext[:int]/Proto | TLS | Cluster IP (Service IP) | Node IP | Notes |
|---|---|---|---|---|---|---|
| SSH Access | ALL | 22/TCP | Y | SSH Access | Administrative SSH Access; no root/key only. | |
| RPC Bind | All | 111/TCP, UDP | N | RPCBind | Used for installation; pxe booting of NFS mounted images | |
| Repository | Bastion Host | 80/TCP, 443/TCP, 5000/TCP | Y | Repository Access | Access repositories (YUM, Docker, Helm, etc.) | |
| Prometheus Server | K8s Nodes | 80:9090/TCP | N | GUI | Prometheus Server | |
| Prometheus Push Gateway | K8s Nodes | 9091/TCP | N | Push Gateway | Prometheus Push Gateway | |
| Prometheus Exporters | K8s Nodes | 9100-9551/TCP 24231/TCP (fluent) 9099/TCP (snmp) | N | Prometheus Exporters | Prometheus Exporters | |
| MySQL Query | MySQL SQL Node | 3306/TCP | N | Replication Traffic | Microservice SQL Access | The SQL Query interfaces are used for 5G NFs to access the database and for remote sites to replicate data |
| MySQL Management | MySQL Management Node | 1186/TCP | N | Management Console Access | The SQL Management interface is used to access the management interfaces for the data cluster | |
| MySQL Data | MySQL Data Node | 50501/TCP | N | SQL Query Backend | The SQL Data interface provides a backend DBMS interface for the SQL Query Nodes | |
| Kubelet cAdvisor | K8s Nodes | 4149/TCP | Y | Container Metrics | Default cAdvisor port used to query container metrics | |
| Kubelet API | K8s Nodes | 10250/TCP | Y | Control Plane Node Access | API which allows full node access | |
| Kube-scheduler | K8s Nodes | 10251/TCP | N | Scheduler Access | Serve HTTP insecurely | |
| Kube-Scheduler | K8s Node | 10259/TCP | Y | Scheduler Access | HTTPS Access | |
| Kube-proxy | K8s Nodes | 10256/TCP | N | Health Check | Health check server for Kube Proxy | |
| Kube-controller | K8s Nodes | 10252/TCP | N | Controller Access | Serve HTTP insecurely | |
| Kube-controller | K8s Nodes | 10257/TCP | Y | Controller Access | HTTPS Access | |
| Kube API Server | K8s Master Nodes | 6443/TCP | Y | K8s Orchestration | The Kube API Server provides an orchestration API for the creation of K8s resources. | |
| Kibana | K8s Nodes | 80:5601/TCP | N | GUI | Logging Visualization | |
| Jaeger Query | K8s Nodes | 80:16686/TCP | N | GUI | Service Frontend | |
| Jaeger Collector | K8s Nodes | 14268/TCP | N | Collector | Accept jaeger.thrift directly from clients | |
| Jaeger Collector | K8s Nodes | 9411/TCP | N | Collector | Zipkin compatible endpoint (optional) | |
| Jaeger Agent | K8s Nodes | 6831/UDP | N | Agent | Accept jaeger.thrift over compact thrift protocol | |
| Jaeger Agent | K8s Nodes | 6832/UDP | N | Agent | Accept jaeger.thrift over binary thrift protocol | |
| Jaeger Agent | K8s Nodes | 5778/TCP | N | Agent | Serve Configs | |
| ILO | ILO Management Port | 443/TCP | Y | Installation / Management | This interface is used to manage the frame; it provides low-level management for all of the frame HW assets | |
| Grafana | K8s Nodes | 80:3000/TCP | N | GUI | Grafana | |
| ETCD Peer | K8s Master Nodes | 2380/TCP | Y | Peer Access | ETCD Server Communication | |
| ETCD Client | K8s Master Nodes | 2379/TCP | Y | Client Access | Keystore DB used by K8s | |
| ElasticSearch | K8s Nodes | 9200/TCP | N | GUI | Search API access | |
| ElasticSearch | K8s Nodes | 9300/TCP | N | Logging | Internal Logging | |
| BGP | K8s Nodes | 179/TCP | N | BGP | Used on bare metal environments in load balancing | |
| Alertmanager clustering | K8s Nodes | 9094/TCP | N | Alertmanager Clustering | Alertmanager Clustering | |
| Alertmanager | K8s Nodes | 80:9093/TCP | N | GUI | Alertmanager | |
NF Port Flows
Table A-2 NF Port Flows
| Name | Server/Container | Ingress Port [external]:internal | TLS ? | Cluster IP (Service IP) | Node IP | Notes |
|---|---|---|---|---|---|---|
| 5G NRF | K8s Nodes/NRF Service | 80/TCP 443/TCP | Y | NfConfiguration IngressGateway | NfRegistration NfSubscription NfDiscovery NfAccessToken EgressGateway | 5G NRF |
| 5G SPF | K8s Nodes/SPF Worker | 8000/TCP | N | 5G Proxy | 5G SCP (SPF) Proxy | |
| 5G SPF | K8s Nodes/Soothsayer | 8082/TCP | N | Proxy Configuration | 5G SCP (SPF) Proxy Configuration | |
| 5G SPF | K8s Nodes/Istio | ???/TCP | N | Mesh State Sharing | 5G SCP (SPF) Mesh Management | |
| 5G NSSF | K8s Nodes/NSSF Service | 80/TCP | N | NSSF configuration | NSSF selection, NSSF policy, NSSF registration | 5G NSSF |
| 5G UDR/UDSF | K8s Nodes/UDR Service | 80/TCP | N | Nudr-dr/Nudr-prov | 5G UDR: Signaling network can be used for 1 management API exposed | |
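The practical use of Tables A-1 and A-2 is as an allowlist: anything listening on a node that is not in the tables is unexpected, and anything the tables mark TLS=N should not be reachable beyond the loopback interface or the cluster-internal network. The following Python script is an added example, not part of the Oracle documentation. It expands port specifications written in the same form as the "Ingress Port" column ("22/TCP", "80:9090/TCP", "111/TCP, UDP", "9100-9551/TCP ...") and compares them with `ss -Hltnu` output. The inventory subset, the sample `ss` lines, and the finding categories are constructed for the example; the port numbers and TLS flags are taken from the tables above.

```python
"""Audit a node's listening sockets against the OC-CNE port-flow inventory.

Added example, not Oracle's code. Port specs follow the shape of the
"Ingress Port ext[:int]/Proto" column; the node listens on the internal
port (9090 in "80:9090/TCP"), the external port belongs to the load balancer.
"""
import re

# Subset of Tables A-1/A-2 transcribed as (name, ingress port spec, tls).
# Port strings and TLS flags come from the tables; the layout is this example's.
INVENTORY = [
    ("SSH Access", "22/TCP", True),
    ("RPC Bind", "111/TCP, UDP", False),
    ("Prometheus Server", "80:9090/TCP", False),
    ("Prometheus Exporters", "9100-9551/TCP 24231/TCP (fluent) 9099/TCP (snmp)", False),
    ("Kubelet API", "10250/TCP", True),
    ("Kube-scheduler", "10251/TCP", False),
    ("Kube-scheduler", "10259/TCP", True),
    ("Kube-controller", "10252/TCP", False),
    ("Kube API Server", "6443/TCP", True),
    ("ElasticSearch", "9200/TCP", False),
    ("Jaeger Agent", "6831/UDP", False),
]

# ext:int prefix (optional), a port or port range, then one or more protocols.
_ENTRY = re.compile(r"(?:(\d+):)?(\d+)(?:-(\d+))?/([A-Z]+(?:,\s*[A-Z]+)*)")


def parse_port_spec(spec):
    """Expand one ingress-port cell into a set of (port, proto) listeners.

    Ranges are expanded, "TCP, UDP" yields one entry per protocol, and an
    unresolved spec such as "???/TCP" simply contributes nothing.
    """
    listeners = set()
    for match in _ENTRY.finditer(spec):
        _ext, lo, hi, protos = match.groups()
        for port in range(int(lo), int(hi or lo) + 1):
            for proto in re.split(r",\s*", protos):
                listeners.add((port, proto.lower()))
    return listeners


def build_index(inventory):
    """Map every (port, proto) in the inventory to its (name, tls) entry."""
    index = {}
    for name, spec, tls in inventory:
        for key in parse_port_spec(spec):
            index[key] = (name, tls)
    return index


def parse_ss(output):
    """Yield (proto, bind_addr, port) from `ss -Hltnu` lines: Netid State Recv-Q Send-Q Local:Port ..."""
    for line in output.strip().splitlines():
        fields = line.split()
        if len(fields) < 5:
            continue
        addr, _, port = fields[4].rpartition(":")
        yield fields[0], addr, int(port)


def is_loopback(addr):
    """True for addresses only reachable from the node itself."""
    return addr.startswith("127.") or addr in ("::1", "[::1]")


def audit(ss_output, inventory=INVENTORY):
    """Return findings as (category, port, proto, message), sorted by port."""
    index = build_index(inventory)
    findings = []
    for proto, addr, port in parse_ss(ss_output):
        entry = index.get((port, proto))
        if entry is None:
            findings.append(("unexpected", port, proto,
                             f"listener on {addr} is not in the port-flow inventory"))
        elif not entry[1] and not is_loopback(addr):
            findings.append(("plaintext-exposed", port, proto,
                             f"{entry[0]} (TLS=N) is bound to {addr}"))
    return sorted(findings, key=lambda f: (f[1], f[2]))


# Constructed sample of `ss -Hltnu` output; 8888 is a listener the tables do not list.
SAMPLE_SS = """\
tcp   LISTEN 0      128        0.0.0.0:22          0.0.0.0:*
tcp   LISTEN 0      128      127.0.0.1:10251       0.0.0.0:*
tcp   LISTEN 0      128        0.0.0.0:10252       0.0.0.0:*
tcp   LISTEN 0      4096             *:6443              *:*
tcp   LISTEN 0      128        0.0.0.0:9200        0.0.0.0:*
tcp   LISTEN 0      128        0.0.0.0:8888        0.0.0.0:*
udp   UNCONN 0      0          0.0.0.0:6831        0.0.0.0:*
"""

if __name__ == "__main__":
    for category, port, proto, message in audit(SAMPLE_SS):
        print(f"{category:18} {port}/{proto:4} {message}")
```

On the sample above the script reports the Jaeger agent (6831/udp), ElasticSearch (9200/tcp) and the insecure kube-controller port (10252/tcp) as plaintext listeners bound to all interfaces, and 8888/tcp as a listener absent from the inventory; the insecure kube-scheduler port passes because it is bound to 127.0.0.1. Feeding it the real `ss -Hltnu` output of a bastion or K8s node gives a quick check that the node matches the tables.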