Firewall Information
If your environment has strict network policies that prevent any unauthorized communication between two namespaces, you may need to add one or more exceptions to your network policies to allow communication between the sidecars and the local Istio Control Plane, as well as between the local Istio Control Plane and the TSB management plane.
The following information can be used to derive the appropriate set of firewall rules.
Between Istio and TSB
| Source | Destination |
|---|---|
xcp-edge.istio-system | TSB Load Balancer IP, port 9443 |
oap.istio-system | TSB Load Balancer IP, port 8443 |
otel-collector.istio-system | TSB Load Balancer IP, port 8443 |
oap.istio-system, zipkin.istio-system | Elasticsearch target IP and port (If using demo deployment of Elasticsearch, change to TSB Load Balancer IP, port 8443) |
Between Sidecars on k8s and Istio Control Plane
| Source | Destination |
|---|---|
| Sidecars or load balancers in any application namespace or shared load balancer in any namespace to access Istio Pilot xDS server. | istio-pilot.istio-system, port 15012 |
| Sidecars or load balancers in any application namespace or shared load balancer in any namespace to access SkyWalking OAP metrics server. | oap.istio-system, port 11800 |
| Sidecars or load balancers in any application namespace or shared load balancer in any namespace to access Zipkin server. | zipkin.istio-system, port 9411 |
Between Sidecars on VMs and Istio Control Plane
| Source | Destination |
|---|---|
| Sidecars on VMs to access Istio Pilot xDS server, SkyWalking OAP metrics server, Zipkin server | VM Gateway (vmgateway.istio-system) Load Balancer IP,port 15443 |
Between Sidecars on VMs and workloads on k8s
| Source | Destination |
|---|---|
| Sidecars on VMs to access workloads on k8s | Either k8s pods directly, Or VM Gateway ( vmgateway.istio-system) Load Balancer IP,port 15443 |
Between workloads on k8s and Sidecars on VMs
| Source | Destination |
|---|---|
| k8s pods to access workloads on VMs | VM IP |
Between Istio in cluster A and Istio in cluster B
| Source | Destination |
|---|---|
xcp-edge.istio-system (cluster A) | XCP Edge (xcp-edge.istio-system) Load Balancer IP,port 15555 (cluster B) |
xcp-edge.istio-system (cluster B) | XCP Edge (xcp-edge.istio-system) Load Balancer IP,port 15555 (cluster A) |
Between workloads in cluster A and workloads in cluster B
| Source | Destination |
|---|---|
| k8s pods or VMs (cluster A) | per-Service Gateway Load Balancer IP, port 15443 (cluster B) |
| k8s pods or VMs (cluster B) | per-Service Gateway Load Balancer IP, port 15443 (cluster A) |
Shared Load Balancers
If you are using a shared load balancer, then the load balancer envoy will need to be able to talk to all attached applications and their services. Since this information is not known in advance, we cannot provide definitive information on the ports to open in a firewall.