A Cloud Native Core Network Port Flows
Network Port Flows
- Cluster IP addresses are reachable outside of the cluster and are typically assigned via a Network Load Balancer
- Node IP addresses are reachable from the bastion host (and may be exposed outside of the cluster)
OC-CNE Port Flows
Table A-1 OC-CNE Port Flows
| Name | Sever/Container | Ingress Port ext[:int]/Proto | TLS | Cluster IP (Service IP) | Node IP | Notes |
|---|---|---|---|---|---|---|
| SSH Access | ALL | 22/TCP | Y | SSH Access | Administrative SSH Access; no root / key only. | |
| Repository | Bastion Host |
80/TCP, 443/TCP, 5000/TCP |
Y | Repository Access | Access repositories (YUM, Docker, Helm, etc.) | |
| RPC Bind | All | 111/TCP, UDP | N | RPCBind | Used for installation; pre booting of NFS mounted images. | |
| BGP | K8s Nodes | 179/TCP | N | BGP | Used on bare metal environments in load balancing. | |
| MySQL Query | MySQL SQL Node | 3306/TCP | N | Replication Traffic | Microservice SQL Access | The SQL Query interfaces are used for 5G NFs to access the database and for remote sites to replicate data. |
| MySQL Management | MySQL Management Node | 1186/TCP | N | Management Console Access | The SQL Management interface is used to access the management interfaces for the data cluster. | |
| MySQL Data | MySQL Data Node | 50501/TCP | N | SQL Query Backend | The SQL Data interface provide a backend DBMS interface for the SQL Query Nodes. | |
| ILO | ILO Management Port | 443/TCP | Y | Installation / Management | This interface is used to manage the frame; it provides low level management for all of the frame HW assets. | |
| ETCD Client | K8s Master Nodes | 2379/TCP | Y | Client Access | Keystore DB used by K8s | |
| ETCD Peer | K8s Master Nodes | 2380/TCP | Y | Peer Access | ETCD Server Communication | |
| Kube API Server | K8s Master Nodes | 6443/TCP | Y | K8s Orchestration | The Kube API Server provides an orchestration API for the creation of K8s resources. | |
| Kubelet cAdvisor | K8s Nodes | 4149/TCP | Y | Container Metrics | Default cAdvisor port used to query container metrics. | |
| Kubelet API | K8s Nodes | 10250/TCP | Y | Control Plane Node Access | API which allows full node access. | |
| Kube-scheduler | K8s Nodes | 10251/TCP | N | Scheduler Access | Serve HTTP insecurely | |
| Kube-controller | K8s Nodes | 10252/TCP | N | Controller Access | Serve HTTP insecurely | |
| Kubelet Node State | K8s Nodes | 10255/TCP | Y | Node State Access | Unauthenticated read-only port, allowing access to node state. | |
| Kube-proxy | K8s Nodes | 10256/TCP | N | Health Check | Health check server for Kube Proxy. | |
| Kube-controller | K8s Nodes | 10257/TCP | Y | Controller Access | HTTPS Access | |
| Kube-Scheduler | K8s Node | 10259/TCP | Y | Scheduler Access | HTTPS Access | |
| Kibana | K8s Nodes | 80:5601/TPC | N | GUI | Logging Visualization | |
| ElasticSearch | K8s Nodes | 9200/TCP | N | GUI | Search API access | |
| ElasticSearch | K8s Nodes | 9300/TCP | N | Logging | Internal Logging | |
| Jaeger Agent | K8s Nodes | 6831/UDP | N | Agent | Accept jaeger.thrift over compact thrift protocol. | |
| Jaeger Agent | K8s Nodes | 6832/UDP | N | Agent | Accept jaeger.thrift over binary thrift protocol. | |
| Jaeger Agent | K8s Nodes | 5778/TCP | N | Agent | Serve Configs | |
| Jaeger Query | K8s Nodes | 80:16686/TCP | N | GUI | Service Frontend | |
| Jaeger Collector | K8s Nodes | 14268/TCP | N | Collector | Accept jaeger.thrift directly from clients. | |
| Jaeger Collector | K8s Nodes | 9411/TCP | N | Collector | Zipkin compatable endpoint (optional). | |
| Prometheus Server | K8s Nodes | 80:9090/TCP | N | GUI | Prometheus Server | |
| Prometheus Push Gateway | K8s Nodes | 9091/TCP | N | Push Gateway | Prometheus Push Gateway | |
| Alertmanager | K8s Nodes | 80:9093/TCP | N | GUI | Alertmanager | |
| Alertmanager clustering | K8s Nodes | 9094/TCP | N | Amertmanger Clustering | Alertmanager Clustering | |
| Prometheus Exporters | K8s Nodes |
9100-9551/TCP 24231/TCP (fluent) 9099/TCP (snmp) |
N | Prometheus Exporters | Prometheus Exporters | |
| Grafana | K8s Nodes | 80:3000/TCP | N | GUI | Grafana |
NF Port Flows
Table A-2 NF Port Flows
| Name | Sever /Container | Ingress Port [external]:internal | TLS ? | Cluster IP (Service IP) | Node IP | Notes |
|---|---|---|---|---|---|---|
| 5G NRF | K8s Nodes / NRF Service |
80/TCP 443/TCP |
Y |
NfConfiguration IngressGateway |
NfRegistration NfSubscription NfDiscovery NfAccessToken EgressGateway |
5G NRF |
| 5G SPF | K8s Nodes / SPF Worker | 8000/TCP | N | 5G Proxy | 5G SCP (aka SPF) Proxy | |
| 5G SPF | K8s Nodes / Soothsayer | 8082/TCP | N | Proxy Configuration | 5G SCP (aka SPF) Proxy Configuration | |
| 5G SPF | K8s Nodes / Istio | N | Mesh State Sharing | 5G SCP (aka SPF) Mesh Management | ||
| 5G NSSF | K8s Nodes / NSSF Service |
80/TCP 443/TCP |
Y |
NSSF configuration IngressGateway |
NS-selection, NS-availability, NS-subscription EgressGateway NRF-Client |
5G NSSF |
| 5G UDR/UDSF | K8s Nodes / UDR Service | 80/TCP | N | Nudr-dr/Nudr-prov | 5G UDR: Signalling network can be used for management API exposed |