A Cloud Native Core Network Port Flows

Network Port Flows

This section describes network port flows for the Cloud Native Core.

  • Cluster IP addresses are reachable outside of the cluster and are typically assigned by using a Network Load Balancer.
  • Node IP addresses are reachable from the bastion host (and may be exposed outside of the cluster).

CNE Port Flows

Table A-1 CNE Port Flows

| Name | Server/Container | Ingress Port ext[:int]/Proto | TLS | Cluster IP (Service IP) | Node IP | Notes |
|---|---|---|---|---|---|---|
| SSH Access | ALL | 22/TCP | Y | | SSH Access | Administrative SSH Access; no root / key only. |
| Repository | Bastion Host | 80/TCP, 443/TCP, 5000/TCP | Y | | Repository Access | Access repositories (YUM, Docker, Helm, etc.) |
| Jenkins CD | Bastion Host | 8080/TCP | N | | CD Pipeline Access | Access CD Pipeline GUI |
| Jenkins M2M | Bastion Host | 50000/TCP | N | | Jenkins M2M | CD Pipeline Operations |
| RPC Bind | All | 111/TCP, UDP | N | | RPCBind | Used for installation; PXE booting of NFS-mounted images |
| BGP | K8s Nodes | 179/TCP | N | | BGP | Used on bare metal environments in load balancing |
| MySQL Query | MySQL SQL Node | 3306/TCP | N | Replication Traffic | Microservice SQL Access | The SQL Query interfaces are used for 5G NFs to access the database and for remote sites to replicate data |
| Ceph | Ceph CSI Metric | 9080/TCP, 9081/TCP, 9090/TCP, 9091/TCP | N | | All Cluster Nodes | Used to monitor the CSI performance of the Ceph storage backend. |
| ILO | ILO Management Port | 443/TCP | Y | | Installation / Management | This interface is used to manage the frame; it provides low-level management for all of the frame HW assets |
| Kube API Server | K8s Master Nodes | 6443/TCP | Y | | K8s Orchestration | The Kube API Server provides an orchestration API for the management and creation of K8s resources. |
| Kubelet cAdvisor | K8s Nodes | 4149/TCP | Y | | Container Metrics | Default cAdvisor port used to query container metrics |
| Kubelet API | K8s Nodes | 10250/TCP | Y | | Control Plane Node Access | API which allows full node access |
| Kube-scheduler | K8s Nodes | 10251/TCP | N | | Scheduler Access | Serve HTTP insecurely |
| Kube-controller | K8s Nodes | 10252/TCP | N | | Controller Access | Serve HTTP insecurely |
| Kube-proxy | K8s Nodes | 10256/TCP | N | | Health Check | Health check server for Kube Proxy |
| Kube-proxy | K8s Nodes | 30000-32767 | N | | Service Access | The default service node port range |
| Kube-controller | K8s Nodes | 10257/TCP | Y | | Controller Access | HTTPS Access |
| Kube-Scheduler | K8s Node | 10259/TCP | Y | | Scheduler Access | HTTPS Access |
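
A port-flow table like Table A-1 is most useful as a baseline to audit against. The following is an added example, not part of the original document or of the CNE tooling: it parses the table's port specifications (including the `111/TCP, UDP` and `30000-32767` forms) and classifies observed listeners as documented TLS, documented plaintext, or undocumented. The function names, the sample listener list, and the treatment of a protocol-less range as both TCP and UDP are assumptions.

```python
import re

# Subset of Table A-1 rows: (name, ingress port spec, TLS flag), copied from the table.
TABLE_A1 = [
    ("SSH Access", "22/TCP", "Y"),
    ("RPC Bind", "111/TCP, UDP", "N"),
    ("Kube API Server", "6443/TCP", "Y"),
    ("Kubelet API", "10250/TCP", "Y"),
    ("Kube-scheduler", "10251/TCP", "N"),
    ("Kube-controller", "10252/TCP", "N"),
    ("Kube-proxy", "10256/TCP", "N"),
    ("Kube-proxy", "30000-32767", "N"),
]

def parse_spec(spec):
    """Expand a spec such as '111/TCP, UDP' or '30000-32767' into (lo, hi, proto) tuples."""
    flows, last = [], None
    for part in (p.strip() for p in spec.split(",")):
        m = re.fullmatch(r"(\d+)(?:-(\d+))?(?:/(\w+))?", part)
        if m:
            lo, hi = int(m.group(1)), int(m.group(2) or m.group(1))
            last = (lo, hi)
            # Assumption: a row with no protocol (the NodePort range) means TCP and UDP.
            protos = [m.group(3).lower()] if m.group(3) else ["tcp", "udp"]
        elif last and part.isalpha():
            # A bare protocol ('UDP') reuses the preceding port number.
            lo, hi = last
            protos = [part.lower()]
        else:
            raise ValueError(f"unparseable port spec: {part!r}")
        flows += [(lo, hi, p) for p in protos]
    return flows

def audit(listeners, table=TABLE_A1):
    """Classify observed (port, proto) listeners against the documented flows."""
    index = [(lo, hi, proto, name, tls) for name, spec, tls in table
             for lo, hi, proto in parse_spec(spec)]
    report = {"undocumented": [], "plaintext": [], "tls": []}
    for port, proto in listeners:
        hits = [(n, t) for lo, hi, p, n, t in index if lo <= port <= hi and p == proto]
        if not hits:
            report["undocumented"].append((port, proto))
        for name, tls in hits:
            report["tls" if tls == "Y" else "plaintext"].append((port, proto, name))
    return report

# Constructed sample: listeners as they might be collected from one K8s node.
SAMPLE = [(22, "tcp"), (111, "udp"), (10250, "tcp"), (10251, "tcp"), (31080, "tcp"), (2379, "tcp")]
```

Listeners reported as `undocumented` are candidates for firewall review, and those reported as `plaintext` are the flows the table marks TLS = N and should not be reachable beyond the networks that need them.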

NF Port Flows

Table A-2 NF Port Flows

| Name | Server / Container | Ingress Port [external:]internal | TLS? | Service IP | Node IP | Notes |
|---|---|---|---|---|---|---|
| 5G NRF | K8s Nodes / NRF Service | 80/TCP, 443/TCP | Y | IngressGateway | NfRegistration, NfSubscription, NfDiscovery, NfAccessToken, EgressGateway, NrfConfiguration | 5G NRF |
| 5G SCP | Kubernetes Nodes/SCP Worker | 8000/TCP | N | | 5G Proxy | 5G SCP Proxy |
| 5G SCP | Kubernetes Nodes/scp-configuration | 8082/TCP | N | Proxy Configuration | | 5G SCP Proxy Configuration |
| 5G SCP | Kubernetes Nodes/Istio | /TCP | N | | Mesh State Sharing | 5G SCP Mesh Management |
| 5G NSSF | K8s Nodes / NSSF Service | 80/TCP, 443/TCP | Y | NSSF configuration, IngressGateway | NS-selection, NS-availability, NS-subscription, EgressGateway, NRF-Client | 5G NSSF |
| 5G UDR/UDSF | K8s Nodes / UDR Service | 80/TCP, 443/TCP | Y | UDR Configuration, Ingress gateway | Nudr-dr/Nudr-prov | 5G UDR |
| 5G SEPP | K8s Nodes / SEPP Service | 80/TCP, 443/TCP | Y | plmn-ingress-gateway, n32-ingress-gateway, config-mgr-svc | n32-egress-gateway, plmn-egress-gateway, pn32c-svc, cn32c-svc, pn32f-svc, cn32f-svc, nfmediation-svc, nfdiscovery, nfmanagement, coherence-svc, perf-info, app-info, alternate-rte-svc, config-mgr-svc | 5G SEPP |
| 5G PCF | K8s Nodes / PCF Service | 80/TCP, 443/TCP | Y | ingress_gateway | pcf-pcf-amservice, pcf-pcf-smservice, pcf-pcf-ueservice, pcf-occnp-nrf-client | 5G Policy |
| 5G BSF | K8s Nodes / PCF Service | 80/TCP, 443/TCP | Y | ingress_gateway | ocpm-cm-service, ocpm-queryservice | 5G BSF |

Common Service Port Flows

Table A-3 Common Service Port Flows

| Name | Server / Container | Ingress Port ext[:int]/proto | TLS? | Service IP (LP) | Node IP | Comments |
|---|---|---|---|---|---|---|
| 5G CNCATS | K8s Node | 8080/TCP, 8443/TCP, 5001/TCP | Y | GUI & ATS API | ocats-service | Provides GUI and API abilities to the ATS service. TLS is enabled on ports 8443 and 5001; only one of 8443 and 8080 is allocated, depending on the type of deployment (TLS or not). |