Network Flows and Firewall Requirements
To deploy MetalSoft in an enterprise production environment, a series of flows must be allowed through the internal firewalls. Which flows are needed depends on the use case, on the equipment MetalSoft has to interact with, and on other factors such as external systems or custom ports. MetalSoft does not need any external connection and can be deployed in a fully air-gapped environment.
Typical deployment architecture
The following is a typical deployment. In most cases some of the flows will not be required; refer to the table below for details about each flow.
Traffic Flows
The following are the flows connected to the MetalSoft application.
| Flow | Description | Ports | Direction | Required for Fabric Manager | Required for Compute & Storage Manager |
|---|---|---|---|---|---|
| Users/CI/CD/Terraform/Ansible | UI and API access to the Global Controller from users, CI/CD pipelines etc. | TCP 443 (HTTPS) | Inbound to Global Controller | Required | Required |
| Internal | Communication between the Site Controller of every site and the primary Global Controller. If a DR Global Controller is used, the same flows towards it must also be allowed. | TCP 443 (HTTPS), TCP 9091 (proprietary protocol, AES encrypted) | Inbound to Global Controller (outbound from each Site Controller) | Required | Required |
| Network device management | Management traffic to the OOB management interfaces of network equipment. | TCP 443 (HTTPS), TCP 22 (SSH) | Outbound from the Site Controller | Required | Not required |
| Network device management NETCONF | Management traffic to the OOB management interfaces of NETCONF-enabled devices such as Arista EOS and Juniper JunOS. | TCP 830 (NETCONF over SSH) | Outbound from the Site Controller | Depends on equipment | Not required |
| Network device ZTP | Traffic used for "zero-touch" bring-up of network devices. | UDP 67, 68 (DHCP), TCP 80/443 (HTTP/HTTPS, see note below) | Inbound to the Site Controller | Required | Not required |
| Server management | Server management traffic used to configure BMCs, mount ISOs etc. | TCP 443 (HTTPS) | Outbound from the Site Controller | Not required | Required |
| Server firmware binaries and ISO | Server management traffic used by BMCs to fetch firmware binaries and mount ISOs from the Site Controller. | TCP 443 (HTTPS) | Inbound to the Site Controller | Not required | Required |
| Server console access | Console access to the servers' management interfaces (for supported servers). | TCP 5800, 5900 (VNC) | Outbound from the Site Controller | Not required | Recommended |
| Server ZTP | Traffic used during the "zero-touch" bring-up of servers. | UDP 67, 68 (DHCP), TCP 80/443 (HTTP/HTTPS, see note below) | Inbound to the Site Controller | Not required | Recommended |
| Server legacy file access | Used for (older) servers that cannot access files (ISOs, firmware assets etc.) via HTTPS. | TCP 111, 2049, 32765, 32767 (NFS) | Inbound to the Site Controller | Not required | Depends on equipment |
| Server legacy management | Used for (older) servers whose BMC cannot expose network connection information via HTTPS. | UDP 623 (IPMI over LAN, including SOL) | Outbound from the Site Controller | Not required | Depends on equipment |
| Storage management | Traffic used to manage storage devices. | TCP 443 (HTTPS) | Outbound from the Site Controller | Not required | Recommended |
| Cluster management | Traffic used to deploy and manage clusters such as VMware VCF, Red Hat OpenShift, Incus etc. | TCP 443 (HTTPS), TCP 22 (SSH) | Outbound from the Site Controller to the in-band network. DNS resolution (see the DNS flow) is also required if cluster management is used. | Not required | Recommended |
| Docker Registry access | Required for the Kubernetes cluster to download the MetalSoft container images and other images. In an enterprise environment this points at an internal registry that mirrors the MetalSoft registry (registry.metalsoft.io). Not required for OVA setups. | TCP 443 (HTTPS) | Outbound from the Global Controller | Required | Required |
| Repository traffic | Required for the Global Controller to download assets such as operating system ISO files and firmware binaries. | TCP 443 (HTTPS) | Outbound from the Global Controller | Required | Required |
| DNS service integration | Integration with an external DNS solution such as Infoblox. | TCP 53, UDP 53 (DNS) | Outbound from the Site Controller. Also required when cluster management is used. | Not required | Recommended |
| Identity services integration | Integration with an external directory or identity provider over LDAPS. | TCP 636 (LDAPS) | Outbound from the Site Controller | Recommended | Recommended |
| Notifications integration | Used to send notifications via email. | TCP 587 (SMTP submission) | Outbound from the Global Controller | Recommended | Recommended |
| Other integrations | Integrations with various external solutions such as DCIM etc. | TCP 443 (HTTPS) | Outbound from the Site Controller | Recommended | Recommended |
| Kubernetes storage | When deployed in Kubernetes, the traffic between Kubernetes and an external storage system. Depends on the storage system. Not required for OVA-based deployments. | Depends on storage, e.g. NFS, iSCSI etc. | Outbound from the Global Controller | Not required | Not required |
Note on ZTP
The port 80 requirement for ZTP can be removed (using 443/HTTPS only) if both of the following hold:
- The servers/switches are delivered with the Certificate Authority (CA) certificate that issued the HTTPS certificate installed on the Site Controller already installed on the BMC/management interface, so that the BMC or switch can validate the Site Controller's certificate during ZTP.
- A valid DNS record for the Site Controller (the name its HTTPS certificate was issued for) exists and is resolvable by the server's BMC or the switch's management interface during the ZTP process.
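The following is an added example, not MetalSoft's own code or tooling: it encodes the flow table above as data, derives which flows a given deployment must open (by which managers it runs and how strict a requirement level it honours), and renders them as nftables rule lines for the Site Controller or Global Controller host, applying the port 80 exemption from the ZTP note only when both of its conditions hold. The short flow names, the ordering of the requirement levels and the nftables table and chain names (`inet filter`, `input`/`output`) are assumptions of this example; the ports, directions and requirement levels are copied from the table.

```python
"""Added example, not MetalSoft code: derive per-host firewall rules from the
flow table on this page. Flow names, the level ordering and the nft table and
chain names are assumptions of this example; ports, directions and levels are
copied from the page's table."""
from dataclasses import dataclass

SC, GC = "site-controller", "global-controller"
# Requirement levels from the two "Required for ..." columns, ordered so a
# threshold can be applied ("no" stands for the table's "Not required").
LEVELS = {"required": 3, "recommended": 2, "depends": 1, "no": 0}


@dataclass(frozen=True)
class Flow:
    name: str       # short label (assumed here, not the page's wording)
    proto: str      # "tcp" or "udp"
    ports: tuple    # destination ports from the table
    direction: str  # "in": arrives at `endpoint`; "out": leaves `endpoint`
    endpoint: str   # the MetalSoft host the rule is written for (SC or GC)
    fabric: str     # level for Fabric Manager
    compute: str    # level for Compute & Storage Manager


FLOWS = (
    Flow("users-api",          "tcp", (443,),       "in",  GC, "required",    "required"),
    Flow("site-to-global",     "tcp", (443, 9091),  "in",  GC, "required",    "required"),
    Flow("netdev-mgmt",        "tcp", (443, 22),    "out", SC, "required",    "no"),
    Flow("netdev-netconf",     "tcp", (830,),       "out", SC, "depends",     "no"),
    Flow("netdev-ztp-dhcp",    "udp", (67, 68),     "in",  SC, "required",    "no"),
    Flow("netdev-ztp-http",    "tcp", (80, 443),    "in",  SC, "required",    "no"),
    Flow("server-mgmt",        "tcp", (443,),       "out", SC, "no",          "required"),
    Flow("server-assets",      "tcp", (443,),       "in",  SC, "no",          "required"),
    Flow("server-console",     "tcp", (5800, 5900), "out", SC, "no",          "recommended"),
    Flow("server-ztp-dhcp",    "udp", (67, 68),     "in",  SC, "no",          "recommended"),
    Flow("server-ztp-http",    "tcp", (80, 443),    "in",  SC, "no",          "recommended"),
    Flow("server-legacy-nfs",  "tcp", (111, 2049, 32765, 32767), "in", SC, "no", "depends"),
    Flow("server-legacy-ipmi", "udp", (623,),       "out", SC, "no",          "depends"),
    Flow("storage-mgmt",       "tcp", (443,),       "out", SC, "no",          "recommended"),
    Flow("cluster-mgmt",       "tcp", (443, 22),    "out", SC, "no",          "recommended"),
    Flow("registry",           "tcp", (443,),       "out", GC, "required",    "required"),
    Flow("repository",         "tcp", (443,),       "out", GC, "required",    "required"),
    Flow("dns-tcp",            "tcp", (53,),        "out", SC, "no",          "recommended"),
    Flow("dns-udp",            "udp", (53,),        "out", SC, "no",          "recommended"),
    Flow("ldaps",              "tcp", (636,),       "out", SC, "recommended", "recommended"),
    Flow("smtp",               "tcp", (587,),       "out", GC, "recommended", "recommended"),
)
# The two flows the "Note on ZTP" applies to.
ZTP_HTTP_FLOWS = {"netdev-ztp-http", "server-ztp-http"}


def needed_flows(fabric, compute, minimum="recommended"):
    """Flows a deployment must open, given which managers it runs.

    A flow is kept when at least one enabled manager lists it at or above
    `minimum`; pass "depends" to keep equipment-specific flows as well.
    """
    floor = LEVELS[minimum]
    kept = []
    for f in FLOWS:
        levels = ([LEVELS[f.fabric]] if fabric else []) + ([LEVELS[f.compute]] if compute else [])
        if levels and max(levels) >= floor:
            kept.append(f)
    return kept


def ztp_http_ports(bmc_trusts_sc_ca, sc_dns_resolvable):
    """Port 80 may be dropped only when BOTH conditions of the ZTP note hold:
    the BMC/switch trusts the CA that issued the Site Controller's HTTPS
    certificate, and it can resolve the Site Controller's DNS name."""
    return (443,) if (bmc_trusts_sc_ca and sc_dns_resolvable) else (80, 443)


def nft_rules(flows, endpoint, ztp_ports=None):
    """Render one host's flows as nftables rule lines for `nft -f`. Assumes an
    existing `inet filter` table with `input`/`output` chains (an assumption
    of this example); rules are emitted in table order."""
    lines = []
    for f in flows:
        if f.endpoint != endpoint:
            continue
        ports = ztp_ports if (f.name in ZTP_HTTP_FLOWS and ztp_ports) else f.ports
        chain = "input" if f.direction == "in" else "output"
        lines.append(
            f'add rule inet filter {chain} {f.proto} dport '
            f'{{ {", ".join(map(str, ports))} }} accept comment "{f.name}"'
        )
    return lines


if __name__ == "__main__":
    # Fabric-Manager-only site whose switches ship with the Site Controller's
    # CA and can resolve its name: port 80 is not opened for ZTP.
    flows = needed_flows(fabric=True, compute=False, minimum="required")
    for line in nft_rules(flows, SC, ztp_ports=ztp_http_ports(True, True)):
        print(line)
```

The rendered lines are the accept rules only; the surrounding policy (a default drop on the relevant chains, the table and chain declarations, and restricting each rule to the OOB or in-band interface and source/destination prefixes of the site) is deployment-specific and deliberately left out. Run with `minimum="depends"` to see the equipment-specific NFS, IPMI and NETCONF flows that the table marks "Depends on equipment".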
Note on Proxies
If a proxy is required for any reason (for example to reach registry.metalsoft.io), use the Kubernetes-specific proxy settings, i.e. configure the proxy in the container runtime that pulls the images rather than in the application. How this is done depends on the underlying container runtime:
- For Docker, refer to the Docker documentation on configuring the daemon's proxy settings.
- For CRI-O, refer to the CRI-O documentation.
In either case, list the internal registry mirror and any other internal hosts in the runtime's NO_PROXY setting so that traffic to them is not sent through the proxy.