vpruthi/doc-exports
1
0
Fork 0
forked from docs/doc-exports
Code Pull Requests Activity
doc-exports/docs/cce/umn/cce_faq_00265.html
Dong, Qiu Jian 86fb05065f CCE UMN for 24.2.0 version -20240428 
Reviewed-by: Eotvos, Oliver <oliver.eotvos@t-systems.com>
Co-authored-by: Dong, Qiu Jian <qiujiandong1@huawei.com>
Co-committed-by: Dong, Qiu Jian <qiujiandong1@huawei.com>
2024-06-10 08:19:07 +00:00

770 lines
64 KiB
HTML
Raw Blame History

<a name="cce_faq_00265"></a><a name="cce_faq_00265"></a>
<h1 class="topictitle1">How Can I Configure a Security Group Rule in a Cluster?</h1>
<div id="body1588044237098"><p id="cce_faq_00265__p1589158413">CCE is a universal container platform. Its default security group rules apply to common scenarios. When a cluster is created, a security group is automatically created for the master node and worker node, separately. The security group name of the master node is <em id="cce_faq_00265__i163921522135119">{Cluster name}</em><strong id="cce_faq_00265__b10450519318">-cce-control-</strong><em id="cce_faq_00265__i10485193814517">{Random ID}</em>, and the security group name of the worker node is <em id="cce_faq_00265__i9323218175211">{Cluster name}</em><strong id="cce_faq_00265__b574211162037">-cce-node-</strong><em id="cce_faq_00265__i359532819528">{Random ID}</em>. If a CCE Turbo cluster is used, an additional ENI security group named <em id="cce_faq_00265__i1750144064317">{Cluster name}</em><strong id="cce_faq_00265__b135074094320">-cce-eni-</strong><em id="cce_faq_00265__i145019403439">{Random ID}</em> will be created.</p>
<p id="cce_faq_00265__p914919525503">You can log in to the management console, choose <strong id="cce_faq_00265__b1368210509150">Service List</strong> &gt; <strong id="cce_faq_00265__b19682175071512">Networking</strong> &gt; <strong id="cce_faq_00265__b11683750161510">Virtual Private Cloud</strong>. On the page displayed, choose <strong id="cce_faq_00265__b56839501154">Access Control</strong> &gt; <strong id="cce_faq_00265__b1683150101513">Security Groups</strong> in the navigation pane, locate the security group of the cluster, and modify the security group rules as required.</p>
<p id="cce_faq_00265__p1977618595354">The default security group rules of the clusters using different networks are as follows:</p>
<ul id="cce_faq_00265__ul515214117352"><li id="cce_faq_00265__li6152411123512"><a href="#cce_faq_00265__section726682184019">Security Group Rules of a Cluster Using a VPC Network</a></li><li id="cce_faq_00265__li1277031953516"><a href="#cce_faq_00265__section1427413563337">Security Group Rules of a Cluster Using the Tunnel Network</a></li><li id="cce_faq_00265__li7501152519351"><a href="#cce_faq_00265__section94793418319">Security Group Rules of a CCE Turbo Cluster Using the Cloud Native Network 2.0</a></li></ul>
<div class="notice" id="cce_faq_00265__note3779193834418"><span class="noticetitle"><img src="public_sys-resources/notice_3.0-en-us.png"> </span><div class="noticebody"><ul id="cce_faq_00265__ul1489392231116"><li id="cce_faq_00265__li2894422201110">Modifying or deleting security group rules may affect cluster running. Exercise caution when performing this operation. If you need to modify security group rules, do not modify the rules of the port on which CCE running depends.</li><li id="cce_faq_00265__li16418133471116">When adding a new security group rule to a cluster, ensure that the new rule does not conflict with the original rules. Otherwise, the original rules may become invalid, affecting the cluster running.</li></ul>
</div></div>
<div class="section" id="cce_faq_00265__section726682184019"><a name="cce_faq_00265__section726682184019"></a><a name="section726682184019"></a><h4 class="sectiontitle">Security Group Rules of a Cluster Using a VPC Network</h4><p id="cce_faq_00265__p398111212210"><strong id="cce_faq_00265__b14761216211">Security group of a worker node</strong></p>
<p id="cce_faq_00265__p1538542417185">A security group named <em id="cce_faq_00265__i146441666211">{Cluster name}</em><strong id="cce_faq_00265__b10645963217">-cce-node-</strong><em id="cce_faq_00265__i1164515672117">{Random ID}</em> is automatically created for each worker node. For details about the default ports, see <a href="#cce_faq_00265__table171121082412">Table 1</a>.</p>
<div class="tablenoborder"><a name="cce_faq_00265__table171121082412"></a><a name="table171121082412"></a><table cellpadding="4" cellspacing="0" summary="" id="cce_faq_00265__table171121082412" frame="border" border="1" rules="all"><caption><b>Table 1 </b>Default ports in the security group for a worker node that uses a VPC network</caption><thead align="left"><tr id="cce_faq_00265__row171111020245"><th align="left" class="cellrowborder" valign="top" width="7.519248075192481%" id="mcps1.3.6.4.2.7.1.1"><p id="cce_faq_00265__p542910339444">Direction</p>
</th>
<th align="left" class="cellrowborder" valign="top" width="17.648235176482352%" id="mcps1.3.6.4.2.7.1.2"><p id="cce_faq_00265__p411910112411">Port</p>
</th>
<th align="left" class="cellrowborder" valign="top" width="14.34856514348565%" id="mcps1.3.6.4.2.7.1.3"><p id="cce_faq_00265__p011510192410">Default Source Address</p>
</th>
<th align="left" class="cellrowborder" valign="top" width="25.61743825617438%" id="mcps1.3.6.4.2.7.1.4"><p id="cce_faq_00265__p915104246">Description</p>
</th>
<th align="left" class="cellrowborder" valign="top" width="10.108989101089891%" id="mcps1.3.6.4.2.7.1.5"><p id="cce_faq_00265__p101101052419">Modifiable</p>
</th>
<th align="left" class="cellrowborder" valign="top" width="24.75752424757524%" id="mcps1.3.6.4.2.7.1.6"><p id="cce_faq_00265__p917104249">Modification Suggestion</p>
</th>
</tr>
</thead>
<tbody><tr id="cce_faq_00265__row711610132417"><td class="cellrowborder" rowspan="8" valign="top" width="7.519248075192481%" headers="mcps1.3.6.4.2.7.1.1 "><p id="cce_faq_00265__p1742913314445">Inbound rules</p>
</td>
<td class="cellrowborder" valign="top" width="17.648235176482352%" headers="mcps1.3.6.4.2.7.1.2 "><p id="cce_faq_00265__p21101012415">All UDP ports</p>
</td>
<td class="cellrowborder" rowspan="2" valign="top" width="14.34856514348565%" headers="mcps1.3.6.4.2.7.1.3 "><p id="cce_faq_00265__p89962113558">VPC CIDR block</p>
</td>
<td class="cellrowborder" rowspan="2" valign="top" width="25.61743825617438%" headers="mcps1.3.6.4.2.7.1.4 "><p id="cce_faq_00265__p17141062416">Used for mutual access between worker nodes and between a worker node and a master node.</p>
</td>
<td class="cellrowborder" rowspan="2" valign="top" width="10.108989101089891%" headers="mcps1.3.6.4.2.7.1.5 "><p id="cce_faq_00265__p10117107242">No</p>
</td>
<td class="cellrowborder" rowspan="2" valign="top" width="24.75752424757524%" headers="mcps1.3.6.4.2.7.1.6 "><p id="cce_faq_00265__p13118100245">N/A</p>
</td>
</tr>
<tr id="cce_faq_00265__row538361118257"><td class="cellrowborder" valign="top" headers="mcps1.3.6.4.2.7.1.1 "><p id="cce_faq_00265__p1021153820549">All TCP ports</p>
</td>
</tr>
<tr id="cce_faq_00265__row62121711185518"><td class="cellrowborder" valign="top" headers="mcps1.3.6.4.2.7.1.1 "><p id="cce_faq_00265__p17212201175513">All ICMP ports</p>
</td>
<td class="cellrowborder" valign="top" headers="mcps1.3.6.4.2.7.1.2 "><p id="cce_faq_00265__p16212811125519">Security group of the master node</p>
</td>
<td class="cellrowborder" valign="top" headers="mcps1.3.6.4.2.7.1.3 "><p id="cce_faq_00265__p1321211112550">Used for the master node to access worker nodes.</p>
</td>
<td class="cellrowborder" valign="top" headers="mcps1.3.6.4.2.7.1.4 "><p id="cce_faq_00265__p1921231105510">No</p>
</td>
<td class="cellrowborder" valign="top" headers="mcps1.3.6.4.2.7.1.5 "><p id="cce_faq_00265__p12212181145510">N/A</p>
</td>
</tr>
<tr id="cce_faq_00265__row131710182416"><td class="cellrowborder" valign="top" headers="mcps1.3.6.4.2.7.1.1 "><p id="cce_faq_00265__p28241843152415">TCP port range: 30000 to 32767</p>
</td>
<td class="cellrowborder" rowspan="2" valign="top" headers="mcps1.3.6.4.2.7.1.2 "><p id="cce_faq_00265__p41121032416">All IP addresses: <strong id="cce_faq_00265__b1146652892120">0.0.0.0/0</strong></p>
</td>
<td class="cellrowborder" rowspan="2" valign="top" headers="mcps1.3.6.4.2.7.1.3 "><p id="cce_faq_00265__p11346185522417">Allow access from NodePort.</p>
</td>
<td class="cellrowborder" rowspan="2" valign="top" headers="mcps1.3.6.4.2.7.1.4 "><p id="cce_faq_00265__p2999192102519">Yes</p>
</td>
<td class="cellrowborder" rowspan="2" valign="top" headers="mcps1.3.6.4.2.7.1.5 "><p id="cce_faq_00265__p17445657172420">These ports must permit requests from VPC, container, and ELB CIDR blocks.</p>
</td>
</tr>
<tr id="cce_faq_00265__row6642184282510"><td class="cellrowborder" valign="top" headers="mcps1.3.6.4.2.7.1.1 "><p id="cce_faq_00265__p15824164314243">UDP port range: 30000 to 32767</p>
</td>
</tr>
<tr id="cce_faq_00265__row8348840165611"><td class="cellrowborder" valign="top" headers="mcps1.3.6.4.2.7.1.1 "><p id="cce_faq_00265__p12348144016563">All</p>
</td>
<td class="cellrowborder" valign="top" headers="mcps1.3.6.4.2.7.1.2 "><p id="cce_faq_00265__p1348154020565">Container CIDR block</p>
</td>
<td class="cellrowborder" valign="top" headers="mcps1.3.6.4.2.7.1.3 "><p id="cce_faq_00265__p1734819405567">Used for mutual access between nodes and containers.</p>
</td>
<td class="cellrowborder" valign="top" headers="mcps1.3.6.4.2.7.1.4 "><p id="cce_faq_00265__p6829171012414">No</p>
</td>
<td class="cellrowborder" valign="top" headers="mcps1.3.6.4.2.7.1.5 "><p id="cce_faq_00265__p1130711717414">N/A</p>
</td>
</tr>
<tr id="cce_faq_00265__row128581527115713"><td class="cellrowborder" valign="top" headers="mcps1.3.6.4.2.7.1.1 "><p id="cce_faq_00265__p185972745711">All</p>
</td>
<td class="cellrowborder" valign="top" headers="mcps1.3.6.4.2.7.1.2 "><p id="cce_faq_00265__p78591927155712">Security group of worker nodes</p>
</td>
<td class="cellrowborder" valign="top" headers="mcps1.3.6.4.2.7.1.3 "><p id="cce_faq_00265__p7859122745717">Used for mutual access between worker nodes.</p>
</td>
<td class="cellrowborder" valign="top" headers="mcps1.3.6.4.2.7.1.4 "><p id="cce_faq_00265__p163957129416">No</p>
</td>
<td class="cellrowborder" valign="top" headers="mcps1.3.6.4.2.7.1.5 "><p id="cce_faq_00265__p980314171416">N/A</p>
</td>
</tr>
<tr id="cce_faq_00265__row3141052415"><td class="cellrowborder" valign="top" headers="mcps1.3.6.4.2.7.1.1 "><p id="cce_faq_00265__p612965020248">TCP port 22</p>
</td>
<td class="cellrowborder" valign="top" headers="mcps1.3.6.4.2.7.1.2 "><p id="cce_faq_00265__p3221019240">All IP addresses: <strong id="cce_faq_00265__b127413365218">0.0.0.0/0</strong></p>
</td>
<td class="cellrowborder" valign="top" headers="mcps1.3.6.4.2.7.1.3 "><p id="cce_faq_00265__p1734505518240">Port that allows remote access to Linux ECSs using SSH.</p>
</td>
<td class="cellrowborder" valign="top" headers="mcps1.3.6.4.2.7.1.4 "><p id="cce_faq_00265__p29977211254"><strong id="cce_faq_00265__b2595835161719">Recommended</strong></p>
</td>
<td class="cellrowborder" valign="top" headers="mcps1.3.6.4.2.7.1.5 "><p id="cce_faq_00265__p482910192041">N/A</p>
</td>
</tr>
<tr id="cce_faq_00265__row1283714580447"><td class="cellrowborder" valign="top" width="7.519248075192481%" headers="mcps1.3.6.4.2.7.1.1 "><p id="cce_faq_00265__p20837145810441">Outbound rule</p>
</td>
<td class="cellrowborder" valign="top" width="17.648235176482352%" headers="mcps1.3.6.4.2.7.1.2 "><p id="cce_faq_00265__p583715804414">All</p>
</td>
<td class="cellrowborder" valign="top" width="14.34856514348565%" headers="mcps1.3.6.4.2.7.1.3 "><p id="cce_faq_00265__p226613294515">All IP addresses: <strong id="cce_faq_00265__b050443142115">0.0.0.0/0</strong></p>
</td>
<td class="cellrowborder" valign="top" width="25.61743825617438%" headers="mcps1.3.6.4.2.7.1.4 "><p id="cce_faq_00265__p148371958174415">Allow traffic on all ports by default. You are advised to retain this setting.</p>
</td>
<td class="cellrowborder" valign="top" width="10.108989101089891%" headers="mcps1.3.6.4.2.7.1.5 "><p id="cce_faq_00265__p13837558194412">Yes</p>
</td>
<td class="cellrowborder" valign="top" width="24.75752424757524%" headers="mcps1.3.6.4.2.7.1.6 "><p id="cce_faq_00265__p1283715814411">If you want to harden security by allowing traffic only on specific ports, remember to allow such ports. For details, see <a href="#cce_faq_00265__section153292054619">Hardening Outbound Rules</a>.</p>
</td>
</tr>
</tbody>
</table>
</div>
<p id="cce_faq_00265__p5286614132110"><strong id="cce_faq_00265__b61544432218">Security group of the master node</strong></p>
<p id="cce_faq_00265__p8286111422115">A security group named <em id="cce_faq_00265__i5785198142212">{Cluster name}</em><strong id="cce_faq_00265__b187861815226">-cce-control-</strong><em id="cce_faq_00265__i1378612842214">{Random ID}</em> is automatically created for the master node. For details about the default ports, see <a href="#cce_faq_00265__table16149351122118">Table 2</a>.</p>
<div class="tablenoborder"><a name="cce_faq_00265__table16149351122118"></a><a name="table16149351122118"></a><table cellpadding="4" cellspacing="0" summary="" id="cce_faq_00265__table16149351122118" frame="border" border="1" rules="all"><caption><b>Table 2 </b>Default ports in the security group for the master node that uses a VPC network</caption><thead align="left"><tr id="cce_faq_00265__row1114917513218"><th align="left" class="cellrowborder" valign="top" width="7.519248075192481%" id="mcps1.3.6.7.2.7.1.1"><p id="cce_faq_00265__p07951348244">Direction</p>
</th>
<th align="left" class="cellrowborder" valign="top" width="17.648235176482352%" id="mcps1.3.6.7.2.7.1.2"><p id="cce_faq_00265__p614935111217">Port</p>
</th>
<th align="left" class="cellrowborder" valign="top" width="14.34856514348565%" id="mcps1.3.6.7.2.7.1.3"><p id="cce_faq_00265__p111491251182117">Default Source Address</p>
</th>
<th align="left" class="cellrowborder" valign="top" width="25.577442255774425%" id="mcps1.3.6.7.2.7.1.4"><p id="cce_faq_00265__p014918515212">Description</p>
</th>
<th align="left" class="cellrowborder" valign="top" width="10.148985101489853%" id="mcps1.3.6.7.2.7.1.5"><p id="cce_faq_00265__p514935122113">Modifiable</p>
</th>
<th align="left" class="cellrowborder" valign="top" width="24.75752424757524%" id="mcps1.3.6.7.2.7.1.6"><p id="cce_faq_00265__p5149195113213">Modification Suggestion</p>
</th>
</tr>
</thead>
<tbody><tr id="cce_faq_00265__row514965182114"><td class="cellrowborder" rowspan="6" valign="top" width="7.519248075192481%" headers="mcps1.3.6.7.2.7.1.1 "><p id="cce_faq_00265__p16795144122416">Inbound rules</p>
</td>
<td class="cellrowborder" valign="top" width="17.648235176482352%" headers="mcps1.3.6.7.2.7.1.2 "><p id="cce_faq_00265__p111499519217">TCP port 5444</p>
</td>
<td class="cellrowborder" valign="top" width="14.34856514348565%" headers="mcps1.3.6.7.2.7.1.3 "><p id="cce_faq_00265__p91498510211">VPC CIDR block</p>
</td>
<td class="cellrowborder" rowspan="2" valign="top" width="25.577442255774425%" headers="mcps1.3.6.7.2.7.1.4 "><p id="cce_faq_00265__p1314985142117">Allow access from kube-apiserver, which provides lifecycle management for Kubernetes resources.</p>
</td>
<td class="cellrowborder" rowspan="2" valign="top" width="10.148985101489853%" headers="mcps1.3.6.7.2.7.1.5 "><p id="cce_faq_00265__p41491451122110">No</p>
</td>
<td class="cellrowborder" rowspan="2" valign="top" width="24.75752424757524%" headers="mcps1.3.6.7.2.7.1.6 "><p id="cce_faq_00265__p5149125112110">N/A</p>
</td>
</tr>
<tr id="cce_faq_00265__row2149165112120"><td class="cellrowborder" valign="top" headers="mcps1.3.6.7.2.7.1.1 "><p id="cce_faq_00265__p29611840132810">TCP port 5444</p>
</td>
<td class="cellrowborder" valign="top" headers="mcps1.3.6.7.2.7.1.2 "><p id="cce_faq_00265__p2961440172819">Container CIDR block</p>
</td>
</tr>
<tr id="cce_faq_00265__row111497511214"><td class="cellrowborder" valign="top" headers="mcps1.3.6.7.2.7.1.1 "><p id="cce_faq_00265__p2014945152113">TCP port 9443</p>
</td>
<td class="cellrowborder" valign="top" headers="mcps1.3.6.7.2.7.1.2 "><p id="cce_faq_00265__p61491651142119">VPC CIDR block</p>
</td>
<td class="cellrowborder" valign="top" headers="mcps1.3.6.7.2.7.1.3 "><p id="cce_faq_00265__p14149155116215">Allow the network add-on of a worker node to access the master node.</p>
</td>
<td class="cellrowborder" valign="top" headers="mcps1.3.6.7.2.7.1.4 "><p id="cce_faq_00265__p51491651112114">No</p>
</td>
<td class="cellrowborder" valign="top" headers="mcps1.3.6.7.2.7.1.5 "><p id="cce_faq_00265__p10149151172119">N/A</p>
</td>
</tr>
<tr id="cce_faq_00265__row2014925120214"><td class="cellrowborder" valign="top" headers="mcps1.3.6.7.2.7.1.1 "><p id="cce_faq_00265__p1414925111212">TCP port 5443</p>
</td>
<td class="cellrowborder" valign="top" headers="mcps1.3.6.7.2.7.1.2 "><p id="cce_faq_00265__p2149151122116">All IP addresses: <strong id="cce_faq_00265__b18529166230">0.0.0.0/0</strong></p>
</td>
<td class="cellrowborder" valign="top" headers="mcps1.3.6.7.2.7.1.3 "><p id="cce_faq_00265__p314945142118">Allow kube-apiserver of the master node to listen to the worker nodes.</p>
</td>
<td class="cellrowborder" valign="top" headers="mcps1.3.6.7.2.7.1.4 "><p id="cce_faq_00265__p8149155110219"><strong id="cce_faq_00265__b1575296180">Recommended</strong></p>
</td>
<td class="cellrowborder" valign="top" headers="mcps1.3.6.7.2.7.1.5 "><p id="cce_faq_00265__p1115015113211">The port must allow traffic from the CIDR blocks of the VPC, container, and the control plane of the hosted service mesh.</p>
</td>
</tr>
<tr id="cce_faq_00265__row1415065111215"><td class="cellrowborder" valign="top" headers="mcps1.3.6.7.2.7.1.1 "><p id="cce_faq_00265__p9150165117216">TCP port 8445</p>
</td>
<td class="cellrowborder" valign="top" headers="mcps1.3.6.7.2.7.1.2 "><p id="cce_faq_00265__p181504517212">VPC CIDR block</p>
</td>
<td class="cellrowborder" valign="top" headers="mcps1.3.6.7.2.7.1.3 "><p id="cce_faq_00265__p31500514218">Allow the storage add-on of a worker node to access the master node.</p>
</td>
<td class="cellrowborder" valign="top" headers="mcps1.3.6.7.2.7.1.4 "><p id="cce_faq_00265__p51508519215">No</p>
</td>
<td class="cellrowborder" valign="top" headers="mcps1.3.6.7.2.7.1.5 "><p id="cce_faq_00265__p515055182112">N/A</p>
</td>
</tr>
<tr id="cce_faq_00265__row181508512219"><td class="cellrowborder" valign="top" headers="mcps1.3.6.7.2.7.1.1 "><p id="cce_faq_00265__p715017518212">All</p>
</td>
<td class="cellrowborder" valign="top" headers="mcps1.3.6.7.2.7.1.2 "><p id="cce_faq_00265__p1015015119212">IP addresses of this security group</p>
</td>
<td class="cellrowborder" valign="top" headers="mcps1.3.6.7.2.7.1.3 "><p id="cce_faq_00265__p1215015113214">Allow traffic from all IP addresses of this security group.</p>
</td>
<td class="cellrowborder" valign="top" headers="mcps1.3.6.7.2.7.1.4 "><p id="cce_faq_00265__p2015010518212">No</p>
</td>
<td class="cellrowborder" valign="top" headers="mcps1.3.6.7.2.7.1.5 "><p id="cce_faq_00265__p415095112210">N/A</p>
</td>
</tr>
<tr id="cce_faq_00265__row10441191512293"><td class="cellrowborder" valign="top" width="7.519248075192481%" headers="mcps1.3.6.7.2.7.1.1 "><p id="cce_faq_00265__p7442615172911">Outbound rule</p>
</td>
<td class="cellrowborder" valign="top" width="17.648235176482352%" headers="mcps1.3.6.7.2.7.1.2 "><p id="cce_faq_00265__p2159199174010">All</p>
</td>
<td class="cellrowborder" valign="top" width="14.34856514348565%" headers="mcps1.3.6.7.2.7.1.3 "><p id="cce_faq_00265__p1023418233404">All IP addresses: <strong id="cce_faq_00265__b1844117425234">0.0.0.0/0</strong></p>
</td>
<td class="cellrowborder" valign="top" width="25.577442255774425%" headers="mcps1.3.6.7.2.7.1.4 "><p id="cce_faq_00265__p56732033164015">Allow traffic on all ports by default.</p>
</td>
<td class="cellrowborder" valign="top" width="10.148985101489853%" headers="mcps1.3.6.7.2.7.1.5 "><p id="cce_faq_00265__p367311339406">No</p>
</td>
<td class="cellrowborder" valign="top" width="24.75752424757524%" headers="mcps1.3.6.7.2.7.1.6 "><p id="cce_faq_00265__p191391411144110">N/A</p>
</td>
</tr>
</tbody>
</table>
</div>
</div>
<div class="section" id="cce_faq_00265__section1427413563337"><a name="cce_faq_00265__section1427413563337"></a><a name="section1427413563337"></a><h4 class="sectiontitle">Security Group Rules of a Cluster Using the Tunnel Network</h4><p id="cce_faq_00265__p178238501415"><strong id="cce_faq_00265__b986416519232">Security group of a worker node</strong></p>
<p id="cce_faq_00265__p15598948164116">A security group named <em id="cce_faq_00265__i14394185516237">{Cluster name}</em><strong id="cce_faq_00265__b2394145515239">-cce-node-</strong><em id="cce_faq_00265__i6395555152320">{Random ID}</em> is automatically created for each worker node. For details about the default ports, see <a href="#cce_faq_00265__table07551928134215">Table 3</a>.</p>
<div class="tablenoborder"><a name="cce_faq_00265__table07551928134215"></a><a name="table07551928134215"></a><table cellpadding="4" cellspacing="0" summary="" id="cce_faq_00265__table07551928134215" frame="border" border="1" rules="all"><caption><b>Table 3 </b>Default ports in the security group for a worker node that uses a tunnel network</caption><thead align="left"><tr id="cce_faq_00265__row1756132824215"><th align="left" class="cellrowborder" valign="top" width="7.519248075192481%" id="mcps1.3.7.4.2.7.1.1"><p id="cce_faq_00265__p187595812456">Direction</p>
</th>
<th align="left" class="cellrowborder" valign="top" width="17.648235176482352%" id="mcps1.3.7.4.2.7.1.2"><p id="cce_faq_00265__p16756142819424">Port</p>
</th>
<th align="left" class="cellrowborder" valign="top" width="14.34856514348565%" id="mcps1.3.7.4.2.7.1.3"><p id="cce_faq_00265__p17756528194210">Default Source Address</p>
</th>
<th align="left" class="cellrowborder" valign="top" width="25.61743825617438%" id="mcps1.3.7.4.2.7.1.4"><p id="cce_faq_00265__p1575612285423">Description</p>
</th>
<th align="left" class="cellrowborder" valign="top" width="10.108989101089891%" id="mcps1.3.7.4.2.7.1.5"><p id="cce_faq_00265__p075632844212">Modifiable</p>
</th>
<th align="left" class="cellrowborder" valign="top" width="24.75752424757524%" id="mcps1.3.7.4.2.7.1.6"><p id="cce_faq_00265__p1475652884218">Modification Suggestion</p>
</th>
</tr>
</thead>
<tbody><tr id="cce_faq_00265__row375662884214"><td class="cellrowborder" rowspan="6" valign="top" width="7.519248075192481%" headers="mcps1.3.7.4.2.7.1.1 "><p id="cce_faq_00265__p137594824513">Inbound rules</p>
</td>
<td class="cellrowborder" valign="top" width="17.648235176482352%" headers="mcps1.3.7.4.2.7.1.2 "><p id="cce_faq_00265__p27561828154219">UDP port 4789</p>
</td>
<td class="cellrowborder" valign="top" width="14.34856514348565%" headers="mcps1.3.7.4.2.7.1.3 "><p id="cce_faq_00265__p1475615287426">All IP addresses: <strong id="cce_faq_00265__b115782102419">0.0.0.0/0</strong></p>
</td>
<td class="cellrowborder" valign="top" width="25.61743825617438%" headers="mcps1.3.7.4.2.7.1.4 "><p id="cce_faq_00265__p157562281421">Allow access between containers.</p>
</td>
<td class="cellrowborder" valign="top" width="10.108989101089891%" headers="mcps1.3.7.4.2.7.1.5 "><p id="cce_faq_00265__p57568282423">No</p>
</td>
<td class="cellrowborder" valign="top" width="24.75752424757524%" headers="mcps1.3.7.4.2.7.1.6 "><p id="cce_faq_00265__p5756142894217">N/A</p>
</td>
</tr>
<tr id="cce_faq_00265__row12756528184216"><td class="cellrowborder" valign="top" headers="mcps1.3.7.4.2.7.1.1 "><p id="cce_faq_00265__p9756152818421">TCP port 10250</p>
</td>
<td class="cellrowborder" valign="top" headers="mcps1.3.7.4.2.7.1.2 "><p id="cce_faq_00265__p127561828154212">CIDR block of the master node</p>
</td>
<td class="cellrowborder" valign="top" headers="mcps1.3.7.4.2.7.1.3 "><p id="cce_faq_00265__p17756228144218">Allow the master node to access kubelet on a worker node, for example, by running <strong id="cce_faq_00265__b1951353713241">kubectl exec</strong> <em id="cce_faq_00265__i1514837202413">{pod}</em>.</p>
</td>
<td class="cellrowborder" valign="top" headers="mcps1.3.7.4.2.7.1.4 "><p id="cce_faq_00265__p3756828164215">No</p>
</td>
<td class="cellrowborder" valign="top" headers="mcps1.3.7.4.2.7.1.5 "><p id="cce_faq_00265__p16756172814429">N/A</p>
</td>
</tr>
<tr id="cce_faq_00265__row1175615281425"><td class="cellrowborder" valign="top" headers="mcps1.3.7.4.2.7.1.1 "><p id="cce_faq_00265__p14756112819421">TCP port range: 30000 to 32767</p>
</td>
<td class="cellrowborder" rowspan="2" valign="top" headers="mcps1.3.7.4.2.7.1.2 "><p id="cce_faq_00265__p575602816428">All IP addresses: <strong id="cce_faq_00265__b15449547122419">0.0.0.0/0</strong></p>
</td>
<td class="cellrowborder" rowspan="2" valign="top" headers="mcps1.3.7.4.2.7.1.3 "><p id="cce_faq_00265__p2756428184211">Allow access from NodePort.</p>
</td>
<td class="cellrowborder" rowspan="2" valign="top" headers="mcps1.3.7.4.2.7.1.4 "><p id="cce_faq_00265__p57561128164216">Yes</p>
</td>
<td class="cellrowborder" rowspan="2" valign="top" headers="mcps1.3.7.4.2.7.1.5 "><p id="cce_faq_00265__p37562028204212">These ports must permit requests from VPC, container, and ELB CIDR blocks.</p>
</td>
</tr>
<tr id="cce_faq_00265__row35559448443"><td class="cellrowborder" valign="top" headers="mcps1.3.7.4.2.7.1.1 "><p id="cce_faq_00265__p1875672813422">UDP port range: 30000 to 32767</p>
</td>
</tr>
<tr id="cce_faq_00265__row17756192815424"><td class="cellrowborder" valign="top" headers="mcps1.3.7.4.2.7.1.1 "><p id="cce_faq_00265__p67561328174217">TCP port 22</p>
</td>
<td class="cellrowborder" valign="top" headers="mcps1.3.7.4.2.7.1.2 "><p id="cce_faq_00265__p3756228174214">All IP addresses: <strong id="cce_faq_00265__b43858494240">0.0.0.0/0</strong></p>
</td>
<td class="cellrowborder" valign="top" headers="mcps1.3.7.4.2.7.1.3 "><p id="cce_faq_00265__p67563283424">Port that allows remote access to Linux ECSs using SSH.</p>
</td>
<td class="cellrowborder" valign="top" headers="mcps1.3.7.4.2.7.1.4 "><p id="cce_faq_00265__p375682818420"><strong id="cce_faq_00265__b1464829919">Recommended</strong></p>
</td>
<td class="cellrowborder" valign="top" headers="mcps1.3.7.4.2.7.1.5 "><p id="cce_faq_00265__p177561828154220">N/A</p>
</td>
</tr>
<tr id="cce_faq_00265__row19756162884210"><td class="cellrowborder" valign="top" headers="mcps1.3.7.4.2.7.1.1 "><p id="cce_faq_00265__p4757152812428">All</p>
</td>
<td class="cellrowborder" valign="top" headers="mcps1.3.7.4.2.7.1.2 "><p id="cce_faq_00265__p1375782824214">IP addresses of this security group</p>
</td>
<td class="cellrowborder" valign="top" headers="mcps1.3.7.4.2.7.1.3 "><p id="cce_faq_00265__p2757202814421">Allow traffic from all IP addresses of this security group.</p>
</td>
<td class="cellrowborder" valign="top" headers="mcps1.3.7.4.2.7.1.4 "><p id="cce_faq_00265__p1175718284429">No</p>
</td>
<td class="cellrowborder" valign="top" headers="mcps1.3.7.4.2.7.1.5 "><p id="cce_faq_00265__p9757528164213">N/A</p>
</td>
</tr>
<tr id="cce_faq_00265__row87141610194520"><td class="cellrowborder" valign="top" width="7.519248075192481%" headers="mcps1.3.7.4.2.7.1.1 "><p id="cce_faq_00265__p1171461016456">Outbound rule</p>
</td>
<td class="cellrowborder" valign="top" width="17.648235176482352%" headers="mcps1.3.7.4.2.7.1.2 "><p id="cce_faq_00265__p195211433204519">All</p>
</td>
<td class="cellrowborder" valign="top" width="14.34856514348565%" headers="mcps1.3.7.4.2.7.1.3 "><p id="cce_faq_00265__p152123334512">All IP addresses: <strong id="cce_faq_00265__b1264104122515">0.0.0.0/0</strong></p>
</td>
<td class="cellrowborder" valign="top" width="25.61743825617438%" headers="mcps1.3.7.4.2.7.1.4 "><p id="cce_faq_00265__p872062064816">Allow traffic on all ports by default. You are advised to retain this setting.</p>
</td>
<td class="cellrowborder" valign="top" width="10.108989101089891%" headers="mcps1.3.7.4.2.7.1.5 "><p id="cce_faq_00265__p172032016486">Yes</p>
</td>
<td class="cellrowborder" valign="top" width="24.75752424757524%" headers="mcps1.3.7.4.2.7.1.6 "><p id="cce_faq_00265__p1172019203481">If you want to harden security by allowing traffic only on specific ports, remember to allow such ports. For details, see <a href="#cce_faq_00265__section153292054619">Hardening Outbound Rules</a>.</p>
</td>
</tr>
</tbody>
</table>
</div>
<p id="cce_faq_00265__p5573163916486"><strong id="cce_faq_00265__b7968162342517">Security group of the master node</strong></p>
<p id="cce_faq_00265__p1157315396488">A security group named <em id="cce_faq_00265__i13811426122510">{Cluster name}</em><strong id="cce_faq_00265__b2811026122519">-cce-control-</strong><em id="cce_faq_00265__i10812026102517">{Random ID}</em> is automatically created for the master node. For details about the default ports, see <a href="#cce_faq_00265__table657323917482">Table 4</a>.</p>
<div class="tablenoborder"><a name="cce_faq_00265__table657323917482"></a><a name="table657323917482"></a><table cellpadding="4" cellspacing="0" summary="" id="cce_faq_00265__table657323917482" frame="border" border="1" rules="all"><caption><b>Table 4 </b>Default ports in the security group for the master node that uses a tunnel network</caption><thead align="left"><tr id="cce_faq_00265__row7573173994813"><th align="left" class="cellrowborder" valign="top" width="7.519248075192481%" id="mcps1.3.7.7.2.7.1.1"><p id="cce_faq_00265__p1057363913482">Direction</p>
</th>
<th align="left" class="cellrowborder" valign="top" width="17.648235176482352%" id="mcps1.3.7.7.2.7.1.2"><p id="cce_faq_00265__p145731839184812">Port</p>
</th>
<th align="left" class="cellrowborder" valign="top" width="14.34856514348565%" id="mcps1.3.7.7.2.7.1.3"><p id="cce_faq_00265__p157343919486">Default Source Address</p>
</th>
<th align="left" class="cellrowborder" valign="top" width="25.577442255774425%" id="mcps1.3.7.7.2.7.1.4"><p id="cce_faq_00265__p14573339114814">Description</p>
</th>
<th align="left" class="cellrowborder" valign="top" width="10.148985101489853%" id="mcps1.3.7.7.2.7.1.5"><p id="cce_faq_00265__p35731739114815">Modifiable</p>
</th>
<th align="left" class="cellrowborder" valign="top" width="24.75752424757524%" id="mcps1.3.7.7.2.7.1.6"><p id="cce_faq_00265__p18574173934812">Modification Suggestion</p>
</th>
</tr>
</thead>
<tbody><tr id="cce_faq_00265__row18574173914489"><td class="cellrowborder" rowspan="7" valign="top" width="7.519248075192481%" headers="mcps1.3.7.7.2.7.1.1 "><p id="cce_faq_00265__p8574173914818">Inbound rules</p>
</td>
<td class="cellrowborder" valign="top" width="17.648235176482352%" headers="mcps1.3.7.7.2.7.1.2 "><p id="cce_faq_00265__p72326107511">UDP port 4789</p>
</td>
<td class="cellrowborder" valign="top" width="14.34856514348565%" headers="mcps1.3.7.7.2.7.1.3 "><p id="cce_faq_00265__p528063175020">All IP addresses: <strong id="cce_faq_00265__b57111184091026">0.0.0.0/0</strong></p>
</td>
<td class="cellrowborder" valign="top" width="25.577442255774425%" headers="mcps1.3.7.7.2.7.1.4 "><p id="cce_faq_00265__p172328101510">Allow access between containers.</p>
</td>
<td class="cellrowborder" valign="top" width="10.148985101489853%" headers="mcps1.3.7.7.2.7.1.5 "><p id="cce_faq_00265__p986710559519">No</p>
</td>
<td class="cellrowborder" valign="top" width="24.75752424757524%" headers="mcps1.3.7.7.2.7.1.6 "><p id="cce_faq_00265__p128675553512">N/A</p>
</td>
</tr>
<tr id="cce_faq_00265__row095420155016"><td class="cellrowborder" valign="top" headers="mcps1.3.7.7.2.7.1.1 "><p id="cce_faq_00265__p20574113919487">TCP port 5444</p>
</td>
<td class="cellrowborder" valign="top" headers="mcps1.3.7.7.2.7.1.2 "><p id="cce_faq_00265__p14574183984815">VPC CIDR block</p>
</td>
<td class="cellrowborder" rowspan="2" valign="top" headers="mcps1.3.7.7.2.7.1.3 "><p id="cce_faq_00265__p357433917483">Allow access from kube-apiserver, which provides lifecycle management for Kubernetes resources.</p>
</td>
<td class="cellrowborder" rowspan="2" valign="top" headers="mcps1.3.7.7.2.7.1.4 "><p id="cce_faq_00265__p1457443915481">No</p>
</td>
<td class="cellrowborder" rowspan="2" valign="top" headers="mcps1.3.7.7.2.7.1.5 "><p id="cce_faq_00265__p8574143944810">N/A</p>
</td>
</tr>
<tr id="cce_faq_00265__row19574173964812"><td class="cellrowborder" valign="top" headers="mcps1.3.7.7.2.7.1.1 "><p id="cce_faq_00265__p18574103913484">TCP port 5444</p>
</td>
<td class="cellrowborder" valign="top" headers="mcps1.3.7.7.2.7.1.2 "><p id="cce_faq_00265__p1574183919483">Container CIDR block</p>
</td>
</tr>
<tr id="cce_faq_00265__row19574133915484"><td class="cellrowborder" valign="top" headers="mcps1.3.7.7.2.7.1.1 "><p id="cce_faq_00265__p13574139164811">TCP port 9443</p>
</td>
<td class="cellrowborder" valign="top" headers="mcps1.3.7.7.2.7.1.2 "><p id="cce_faq_00265__p11574193915485">VPC CIDR block</p>
</td>
<td class="cellrowborder" valign="top" headers="mcps1.3.7.7.2.7.1.3 "><p id="cce_faq_00265__p155742399481">Allow the network add-on of a worker node to access the master node.</p>
</td>
<td class="cellrowborder" valign="top" headers="mcps1.3.7.7.2.7.1.4 "><p id="cce_faq_00265__p145748393485">No</p>
</td>
<td class="cellrowborder" valign="top" headers="mcps1.3.7.7.2.7.1.5 "><p id="cce_faq_00265__p1957493984811">N/A</p>
</td>
</tr>
<tr id="cce_faq_00265__row165742392488"><td class="cellrowborder" valign="top" headers="mcps1.3.7.7.2.7.1.1 "><p id="cce_faq_00265__p3574539104810">TCP port 5443</p>
</td>
<td class="cellrowborder" valign="top" headers="mcps1.3.7.7.2.7.1.2 "><p id="cce_faq_00265__p145742039184817">All IP addresses: <strong id="cce_faq_00265__b899318558254">0.0.0.0/0</strong></p>
</td>
<td class="cellrowborder" valign="top" headers="mcps1.3.7.7.2.7.1.3 "><p id="cce_faq_00265__p20574163984820">Allow kube-apiserver of the master node to listen to the worker nodes.</p>
</td>
<td class="cellrowborder" valign="top" headers="mcps1.3.7.7.2.7.1.4 "><p id="cce_faq_00265__p757443918489"><strong id="cce_faq_00265__b2041271462">Recommended</strong></p>
</td>
<td class="cellrowborder" valign="top" headers="mcps1.3.7.7.2.7.1.5 "><p id="cce_faq_00265__p19574193913482">The port must allow traffic from the CIDR blocks of the VPC, container, and the control plane of the hosted service mesh.</p>
</td>
</tr>
<tr id="cce_faq_00265__row257443984816"><td class="cellrowborder" valign="top" headers="mcps1.3.7.7.2.7.1.1 "><p id="cce_faq_00265__p11574183934816">TCP port 8445</p>
</td>
<td class="cellrowborder" valign="top" headers="mcps1.3.7.7.2.7.1.2 "><p id="cce_faq_00265__p057443974819">VPC CIDR block</p>
</td>
<td class="cellrowborder" valign="top" headers="mcps1.3.7.7.2.7.1.3 "><p id="cce_faq_00265__p757493919486">Allow the storage add-on of a worker node to access the master node.</p>
</td>
<td class="cellrowborder" valign="top" headers="mcps1.3.7.7.2.7.1.4 "><p id="cce_faq_00265__p7574153964811">No</p>
</td>
<td class="cellrowborder" valign="top" headers="mcps1.3.7.7.2.7.1.5 "><p id="cce_faq_00265__p1657443934816">N/A</p>
</td>
</tr>
<tr id="cce_faq_00265__row125747392483"><td class="cellrowborder" valign="top" headers="mcps1.3.7.7.2.7.1.1 "><p id="cce_faq_00265__p1157433954816">All</p>
</td>
<td class="cellrowborder" valign="top" headers="mcps1.3.7.7.2.7.1.2 "><p id="cce_faq_00265__p18575239164811">IP addresses of this security group</p>
</td>
<td class="cellrowborder" valign="top" headers="mcps1.3.7.7.2.7.1.3 "><p id="cce_faq_00265__p14575133910486">Allow traffic from all IP addresses of this security group.</p>
</td>
<td class="cellrowborder" valign="top" headers="mcps1.3.7.7.2.7.1.4 "><p id="cce_faq_00265__p957543994815">No</p>
</td>
<td class="cellrowborder" valign="top" headers="mcps1.3.7.7.2.7.1.5 "><p id="cce_faq_00265__p857519390483">N/A</p>
</td>
</tr>
<tr id="cce_faq_00265__row1575939124819"><td class="cellrowborder" valign="top" width="7.519248075192481%" headers="mcps1.3.7.7.2.7.1.1 "><p id="cce_faq_00265__p757513912489">Outbound rule</p>
</td>
<td class="cellrowborder" valign="top" width="17.648235176482352%" headers="mcps1.3.7.7.2.7.1.2 "><p id="cce_faq_00265__p25751139124814">All</p>
</td>
<td class="cellrowborder" valign="top" width="14.34856514348565%" headers="mcps1.3.7.7.2.7.1.3 "><p id="cce_faq_00265__p257512399486">All IP addresses: <strong id="cce_faq_00265__b203191234152614">0.0.0.0/0</strong></p>
</td>
<td class="cellrowborder" valign="top" width="25.577442255774425%" headers="mcps1.3.7.7.2.7.1.4 "><p id="cce_faq_00265__p0575133915489">Allow traffic on all ports by default.</p>
</td>
<td class="cellrowborder" valign="top" width="10.148985101489853%" headers="mcps1.3.7.7.2.7.1.5 "><p id="cce_faq_00265__p257517395482">No</p>
</td>
<td class="cellrowborder" valign="top" width="24.75752424757524%" headers="mcps1.3.7.7.2.7.1.6 "><p id="cce_faq_00265__p957514399487">N/A</p>
</td>
</tr>
</tbody>
</table>
</div>
</div>
<div class="section" id="cce_faq_00265__section94793418319"><a name="cce_faq_00265__section94793418319"></a><a name="section94793418319"></a><h4 class="sectiontitle">Security Group Rules of a CCE Turbo Cluster Using the Cloud Native Network 2.0</h4><p id="cce_faq_00265__p17436122575812"><strong id="cce_faq_00265__b167936492265">Security group of a worker node</strong></p>
<p id="cce_faq_00265__p1843632517582">A security group named <em id="cce_faq_00265__i196614531265">{Cluster name}</em><strong id="cce_faq_00265__b186685315266">-cce-node-</strong><em id="cce_faq_00265__i96695315268">{Random ID}</em> is automatically created for each worker node. For details about the default ports, see <a href="#cce_faq_00265__table15437132515819">Table 5</a>.</p>
<div class="tablenoborder"><a name="cce_faq_00265__table15437132515819"></a><a name="table15437132515819"></a><table cellpadding="4" cellspacing="0" summary="" id="cce_faq_00265__table15437132515819" frame="border" border="1" rules="all"><caption><b>Table 5 </b>Default ports in the security group for a worker node</caption><thead align="left"><tr id="cce_faq_00265__row10437192511588"><th align="left" class="cellrowborder" valign="top" width="7.519248075192481%" id="mcps1.3.8.4.2.7.1.1"><p id="cce_faq_00265__p943762519585">Direction</p>
</th>
<th align="left" class="cellrowborder" valign="top" width="17.648235176482352%" id="mcps1.3.8.4.2.7.1.2"><p id="cce_faq_00265__p17437182535810">Port</p>
</th>
<th align="left" class="cellrowborder" valign="top" width="14.34856514348565%" id="mcps1.3.8.4.2.7.1.3"><p id="cce_faq_00265__p1743742513580">Default Source Address</p>
</th>
<th align="left" class="cellrowborder" valign="top" width="25.61743825617438%" id="mcps1.3.8.4.2.7.1.4"><p id="cce_faq_00265__p9437425175818">Description</p>
</th>
<th align="left" class="cellrowborder" valign="top" width="10.108989101089891%" id="mcps1.3.8.4.2.7.1.5"><p id="cce_faq_00265__p54371025205815">Modifiable</p>
</th>
<th align="left" class="cellrowborder" valign="top" width="24.75752424757524%" id="mcps1.3.8.4.2.7.1.6"><p id="cce_faq_00265__p143762517588">Modification Suggestion</p>
</th>
</tr>
</thead>
<tbody><tr id="cce_faq_00265__row7437825125813"><td class="cellrowborder" rowspan="6" valign="top" width="7.519248075192481%" headers="mcps1.3.8.4.2.7.1.1 "><p id="cce_faq_00265__p164372257587">Inbound rules</p>
</td>
<td class="cellrowborder" valign="top" width="17.648235176482352%" headers="mcps1.3.8.4.2.7.1.2 "><p id="cce_faq_00265__p1043714255588">TCP port 10250</p>
</td>
<td class="cellrowborder" valign="top" width="14.34856514348565%" headers="mcps1.3.8.4.2.7.1.3 "><p id="cce_faq_00265__p94371225135816">CIDR block of the master node</p>
</td>
<td class="cellrowborder" valign="top" width="25.61743825617438%" headers="mcps1.3.8.4.2.7.1.4 "><p id="cce_faq_00265__p1343710256586">Allow the master node to access kubelet on a worker node, for example, by running <strong id="cce_faq_00265__b8744192713273">kubectl exec</strong> <em id="cce_faq_00265__i1274472772717">{pod}</em>.</p>
</td>
<td class="cellrowborder" valign="top" width="10.108989101089891%" headers="mcps1.3.8.4.2.7.1.5 "><p id="cce_faq_00265__p1243772585819">No</p>
</td>
<td class="cellrowborder" valign="top" width="24.75752424757524%" headers="mcps1.3.8.4.2.7.1.6 "><p id="cce_faq_00265__p1843715251588">N/A</p>
</td>
</tr>
<tr id="cce_faq_00265__row3437102513589"><td class="cellrowborder" valign="top" headers="mcps1.3.8.4.2.7.1.1 "><p id="cce_faq_00265__p13437225175815">TCP port range: 30000 to 32767</p>
</td>
<td class="cellrowborder" rowspan="2" valign="top" headers="mcps1.3.8.4.2.7.1.2 "><p id="cce_faq_00265__p443782519582">All IP addresses: <strong id="cce_faq_00265__b150268960591026">0.0.0.0/0</strong></p>
</td>
<td class="cellrowborder" rowspan="2" valign="top" headers="mcps1.3.8.4.2.7.1.3 "><p id="cce_faq_00265__p74371125195815">Allow access from NodePort.</p>
</td>
<td class="cellrowborder" rowspan="2" valign="top" headers="mcps1.3.8.4.2.7.1.4 "><p id="cce_faq_00265__p143711255586">Yes</p>
</td>
<td class="cellrowborder" rowspan="2" valign="top" headers="mcps1.3.8.4.2.7.1.5 "><p id="cce_faq_00265__p943782517583">These ports must permit requests from VPC, container, and ELB CIDR blocks.</p>
</td>
</tr>
<tr id="cce_faq_00265__row14371225195817"><td class="cellrowborder" valign="top" headers="mcps1.3.8.4.2.7.1.1 "><p id="cce_faq_00265__p16437132525813">UDP port range: 30000 to 32767</p>
</td>
</tr>
<tr id="cce_faq_00265__row10437825135811"><td class="cellrowborder" valign="top" headers="mcps1.3.8.4.2.7.1.1 "><p id="cce_faq_00265__p7437725135818">TCP port 22</p>
</td>
<td class="cellrowborder" valign="top" headers="mcps1.3.8.4.2.7.1.2 "><p id="cce_faq_00265__p2043782512587">All IP addresses: <strong id="cce_faq_00265__b194045411991026">0.0.0.0/0</strong></p>
</td>
<td class="cellrowborder" valign="top" headers="mcps1.3.8.4.2.7.1.3 "><p id="cce_faq_00265__p15437112512588">Port that allows remote access to Linux ECSs using SSH.</p>
</td>
<td class="cellrowborder" valign="top" headers="mcps1.3.8.4.2.7.1.4 "><p id="cce_faq_00265__p1437425175810"><strong id="cce_faq_00265__b1515181709">Recommended</strong></p>
</td>
<td class="cellrowborder" valign="top" headers="mcps1.3.8.4.2.7.1.5 "><p id="cce_faq_00265__p15438172517587">N/A</p>
</td>
</tr>
<tr id="cce_faq_00265__row1443852512584"><td class="cellrowborder" valign="top" headers="mcps1.3.8.4.2.7.1.1 "><p id="cce_faq_00265__p84381725175811">All</p>
</td>
<td class="cellrowborder" valign="top" headers="mcps1.3.8.4.2.7.1.2 "><p id="cce_faq_00265__p1643814253585">IP addresses of this security group</p>
</td>
<td class="cellrowborder" valign="top" headers="mcps1.3.8.4.2.7.1.3 "><p id="cce_faq_00265__p9438102525815">Allow traffic from all IP addresses of this security group.</p>
</td>
<td class="cellrowborder" valign="top" headers="mcps1.3.8.4.2.7.1.4 "><p id="cce_faq_00265__p16438182555818">No</p>
</td>
<td class="cellrowborder" valign="top" headers="mcps1.3.8.4.2.7.1.5 "><p id="cce_faq_00265__p54381225135812">N/A</p>
</td>
</tr>
<tr id="cce_faq_00265__row16836114735920"><td class="cellrowborder" valign="top" headers="mcps1.3.8.4.2.7.1.1 "><p id="cce_faq_00265__p6374165255913">All</p>
</td>
<td class="cellrowborder" valign="top" headers="mcps1.3.8.4.2.7.1.2 "><p id="cce_faq_00265__p2270729025">Container subnet CIDR block</p>
</td>
<td class="cellrowborder" valign="top" headers="mcps1.3.8.4.2.7.1.3 "><p id="cce_faq_00265__p5335754417">Allow traffic from all source IP addresses in the container subnet CIDR block.</p>
</td>
<td class="cellrowborder" valign="top" headers="mcps1.3.8.4.2.7.1.4 "><p id="cce_faq_00265__p1356616311227">No</p>
</td>
<td class="cellrowborder" valign="top" headers="mcps1.3.8.4.2.7.1.5 "><p id="cce_faq_00265__p19566163117218">N/A</p>
</td>
</tr>
<tr id="cce_faq_00265__row15438132525815"><td class="cellrowborder" valign="top" width="7.519248075192481%" headers="mcps1.3.8.4.2.7.1.1 "><p id="cce_faq_00265__p343812575819">Outbound rule</p>
</td>
<td class="cellrowborder" valign="top" width="17.648235176482352%" headers="mcps1.3.8.4.2.7.1.2 "><p id="cce_faq_00265__p14438425175818">All</p>
</td>
<td class="cellrowborder" valign="top" width="14.34856514348565%" headers="mcps1.3.8.4.2.7.1.3 "><p id="cce_faq_00265__p043862511581">All IP addresses: <strong id="cce_faq_00265__b210715481091026">0.0.0.0/0</strong></p>
</td>
<td class="cellrowborder" valign="top" width="25.61743825617438%" headers="mcps1.3.8.4.2.7.1.4 "><p id="cce_faq_00265__p1043814257584">Allow traffic on all ports by default. You are advised to retain this setting.</p>
</td>
<td class="cellrowborder" valign="top" width="10.108989101089891%" headers="mcps1.3.8.4.2.7.1.5 "><p id="cce_faq_00265__p114383251580">Yes</p>
</td>
<td class="cellrowborder" valign="top" width="24.75752424757524%" headers="mcps1.3.8.4.2.7.1.6 "><p id="cce_faq_00265__p743819258584">If you want to harden security by allowing traffic only on specific ports, remember to allow such ports. For details, see <a href="#cce_faq_00265__section153292054619">Hardening Outbound Rules</a>.</p>
</td>
</tr>
</tbody>
</table>
</div>
<p id="cce_faq_00265__p15396315165810"><strong id="cce_faq_00265__b1797528172819">Security group of the master node</strong></p>
<p id="cce_faq_00265__p1547572910439">A security group named <em id="cce_faq_00265__i16783151162817">{Cluster name}</em><strong id="cce_faq_00265__b10783111112288">-cce-control-</strong><em id="cce_faq_00265__i137831811172813">{Random ID}</em> is automatically created for the master node. For details about the default ports, see <a href="#cce_faq_00265__table623018122618">Table 6</a>.</p>
<div class="tablenoborder"><a name="cce_faq_00265__table623018122618"></a><a name="table623018122618"></a><table cellpadding="4" cellspacing="0" summary="" id="cce_faq_00265__table623018122618" frame="border" border="1" rules="all"><caption><b>Table 6 </b>Default ports in the security group for the master node</caption><thead align="left"><tr id="cce_faq_00265__row1123012123618"><th align="left" class="cellrowborder" valign="top" width="7.519248075192481%" id="mcps1.3.8.7.2.7.1.1"><p id="cce_faq_00265__p1923021215610">Direction</p>
</th>
<th align="left" class="cellrowborder" valign="top" width="17.648235176482352%" id="mcps1.3.8.7.2.7.1.2"><p id="cce_faq_00265__p142302124613">Port</p>
</th>
<th align="left" class="cellrowborder" valign="top" width="14.34856514348565%" id="mcps1.3.8.7.2.7.1.3"><p id="cce_faq_00265__p1823081218616">Default Source Address</p>
</th>
<th align="left" class="cellrowborder" valign="top" width="25.577442255774425%" id="mcps1.3.8.7.2.7.1.4"><p id="cce_faq_00265__p1230512368">Description</p>
</th>
<th align="left" class="cellrowborder" valign="top" width="10.148985101489853%" id="mcps1.3.8.7.2.7.1.5"><p id="cce_faq_00265__p2023019127612">Modifiable</p>
</th>
<th align="left" class="cellrowborder" valign="top" width="24.75752424757524%" id="mcps1.3.8.7.2.7.1.6"><p id="cce_faq_00265__p192309121163">Modification Suggestion</p>
</th>
</tr>
</thead>
<tbody><tr id="cce_faq_00265__row1723141212612"><td class="cellrowborder" rowspan="7" valign="top" width="7.519248075192481%" headers="mcps1.3.8.7.2.7.1.1 "><p id="cce_faq_00265__p18231191210614">Inbound rules</p>
</td>
<td class="cellrowborder" valign="top" width="17.648235176482352%" headers="mcps1.3.8.7.2.7.1.2 "><p id="cce_faq_00265__p56958583615">TCP port 5444</p>
</td>
<td class="cellrowborder" valign="top" width="14.34856514348565%" headers="mcps1.3.8.7.2.7.1.3 "><p id="cce_faq_00265__p16231512261">All IP addresses: <strong id="cce_faq_00265__b203046742691026">0.0.0.0/0</strong></p>
</td>
<td class="cellrowborder" rowspan="2" valign="top" width="25.577442255774425%" headers="mcps1.3.8.7.2.7.1.4 "><p id="cce_faq_00265__p102314121269">Allow access from kube-apiserver, which provides lifecycle management for Kubernetes resources.</p>
</td>
<td class="cellrowborder" valign="top" width="10.148985101489853%" headers="mcps1.3.8.7.2.7.1.5 "><p id="cce_faq_00265__p3231612263">No</p>
</td>
<td class="cellrowborder" valign="top" width="24.75752424757524%" headers="mcps1.3.8.7.2.7.1.6 "><p id="cce_faq_00265__p1523113121269">N/A</p>
</td>
</tr>
<tr id="cce_faq_00265__row1023131216620"><td class="cellrowborder" valign="top" headers="mcps1.3.8.7.2.7.1.1 "><p id="cce_faq_00265__p12313121166">TCP port 5444</p>
</td>
<td class="cellrowborder" valign="top" headers="mcps1.3.8.7.2.7.1.2 "><p id="cce_faq_00265__p122312012063">VPC CIDR block</p>
</td>
<td class="cellrowborder" valign="top" headers="mcps1.3.8.7.2.7.1.3 "><p id="cce_faq_00265__p162311712662">No</p>
</td>
<td class="cellrowborder" valign="top" headers="mcps1.3.8.7.2.7.1.4 "><p id="cce_faq_00265__p623121216612">N/A</p>
</td>
</tr>
<tr id="cce_faq_00265__row1123121217612"><td class="cellrowborder" valign="top" headers="mcps1.3.8.7.2.7.1.1 "><p id="cce_faq_00265__p8231111211613">TCP port 9443</p>
</td>
<td class="cellrowborder" valign="top" headers="mcps1.3.8.7.2.7.1.2 "><p id="cce_faq_00265__p19231512163">VPC CIDR block</p>
</td>
<td class="cellrowborder" valign="top" headers="mcps1.3.8.7.2.7.1.3 "><p id="cce_faq_00265__p12231912363">Allow the network add-on of a worker node to access the master node.</p>
</td>
<td class="cellrowborder" valign="top" headers="mcps1.3.8.7.2.7.1.4 "><p id="cce_faq_00265__p723117127617">No</p>
</td>
<td class="cellrowborder" valign="top" headers="mcps1.3.8.7.2.7.1.5 "><p id="cce_faq_00265__p102311121969">N/A</p>
</td>
</tr>
<tr id="cce_faq_00265__row192311812962"><td class="cellrowborder" valign="top" headers="mcps1.3.8.7.2.7.1.1 "><p id="cce_faq_00265__p1223113129613">TCP port 5443</p>
</td>
<td class="cellrowborder" valign="top" headers="mcps1.3.8.7.2.7.1.2 "><p id="cce_faq_00265__p13231121215619">All IP addresses: <strong id="cce_faq_00265__b162413162812">0.0.0.0/0</strong></p>
</td>
<td class="cellrowborder" valign="top" headers="mcps1.3.8.7.2.7.1.3 "><p id="cce_faq_00265__p1023191216616">Allow kube-apiserver of the master node to listen to the worker nodes.</p>
</td>
<td class="cellrowborder" valign="top" headers="mcps1.3.8.7.2.7.1.4 "><p id="cce_faq_00265__p1523118121566"><strong id="cce_faq_00265__b1290456538">Recommended</strong></p>
</td>
<td class="cellrowborder" valign="top" headers="mcps1.3.8.7.2.7.1.5 "><p id="cce_faq_00265__p023116128620">The port must allow traffic from the CIDR blocks of the VPC, container, and the control plane of the hosted service mesh.</p>
</td>
</tr>
<tr id="cce_faq_00265__row523281215612"><td class="cellrowborder" valign="top" headers="mcps1.3.8.7.2.7.1.1 "><p id="cce_faq_00265__p623217121764">TCP port 8445</p>
</td>
<td class="cellrowborder" valign="top" headers="mcps1.3.8.7.2.7.1.2 "><p id="cce_faq_00265__p14232101219616">VPC CIDR block</p>
</td>
<td class="cellrowborder" valign="top" headers="mcps1.3.8.7.2.7.1.3 "><p id="cce_faq_00265__p1923217121663">Allow the storage add-on of a worker node to access the master node.</p>
</td>
<td class="cellrowborder" valign="top" headers="mcps1.3.8.7.2.7.1.4 "><p id="cce_faq_00265__p223219121468">No</p>
</td>
<td class="cellrowborder" valign="top" headers="mcps1.3.8.7.2.7.1.5 "><p id="cce_faq_00265__p22321112462">N/A</p>
</td>
</tr>
<tr id="cce_faq_00265__row14232212661"><td class="cellrowborder" valign="top" headers="mcps1.3.8.7.2.7.1.1 "><p id="cce_faq_00265__p19232101217613">All</p>
</td>
<td class="cellrowborder" valign="top" headers="mcps1.3.8.7.2.7.1.2 "><p id="cce_faq_00265__p162321128618">IP addresses of this security group</p>
</td>
<td class="cellrowborder" valign="top" headers="mcps1.3.8.7.2.7.1.3 "><p id="cce_faq_00265__p62327122619">Allow traffic from all IP addresses of this security group.</p>
</td>
<td class="cellrowborder" valign="top" headers="mcps1.3.8.7.2.7.1.4 "><p id="cce_faq_00265__p182322121166">No</p>
</td>
<td class="cellrowborder" valign="top" headers="mcps1.3.8.7.2.7.1.5 "><p id="cce_faq_00265__p22324128620">N/A</p>
</td>
</tr>
<tr id="cce_faq_00265__row13374193113815"><td class="cellrowborder" valign="top" headers="mcps1.3.8.7.2.7.1.1 "><p id="cce_faq_00265__p1882333510818">All</p>
</td>
<td class="cellrowborder" valign="top" headers="mcps1.3.8.7.2.7.1.2 "><p id="cce_faq_00265__p872311437915">Container subnet CIDR block</p>
</td>
<td class="cellrowborder" valign="top" headers="mcps1.3.8.7.2.7.1.3 "><p id="cce_faq_00265__p5724144319916">Allow traffic from all source IP addresses in the container subnet CIDR block.</p>
</td>
<td class="cellrowborder" valign="top" headers="mcps1.3.8.7.2.7.1.4 "><p id="cce_faq_00265__p77241243190">No</p>
</td>
<td class="cellrowborder" valign="top" headers="mcps1.3.8.7.2.7.1.5 "><p id="cce_faq_00265__p1572416439919">N/A</p>
</td>
</tr>
<tr id="cce_faq_00265__row7232171214617"><td class="cellrowborder" valign="top" width="7.519248075192481%" headers="mcps1.3.8.7.2.7.1.1 "><p id="cce_faq_00265__p82322123611">Outbound rule</p>
</td>
<td class="cellrowborder" valign="top" width="17.648235176482352%" headers="mcps1.3.8.7.2.7.1.2 "><p id="cce_faq_00265__p18232131219611">All</p>
</td>
<td class="cellrowborder" valign="top" width="14.34856514348565%" headers="mcps1.3.8.7.2.7.1.3 "><p id="cce_faq_00265__p16232412767">All IP addresses: <strong id="cce_faq_00265__b43344884591026">0.0.0.0/0</strong></p>
</td>
<td class="cellrowborder" valign="top" width="25.577442255774425%" headers="mcps1.3.8.7.2.7.1.4 "><p id="cce_faq_00265__p323201218616">Allow traffic on all ports by default.</p>
</td>
<td class="cellrowborder" valign="top" width="10.148985101489853%" headers="mcps1.3.8.7.2.7.1.5 "><p id="cce_faq_00265__p142323126619">No</p>
</td>
<td class="cellrowborder" valign="top" width="24.75752424757524%" headers="mcps1.3.8.7.2.7.1.6 "><p id="cce_faq_00265__p823291218617">N/A</p>
</td>
</tr>
</tbody>
</table>
</div>
<p id="cce_faq_00265__p113201312151118"><strong id="cce_faq_00265__b7149125542916">Security group of an ENI</strong></p>
<p id="cce_faq_00265__p7996133593412">In a CCE Turbo cluster, an additional security group named <em id="cce_faq_00265__i118868365572">{Cluster name}</em><strong id="cce_faq_00265__b8818144365715">-cce-eni-</strong><em id="cce_faq_00265__i762324945720">{Random ID}</em> is created. By default, containers in the cluster are bound to this security group. For details about the default ports, see <a href="#cce_faq_00265__table499619352347">Table 7</a>.</p>
<div class="tablenoborder"><a name="cce_faq_00265__table499619352347"></a><a name="table499619352347"></a><table cellpadding="4" cellspacing="0" summary="" id="cce_faq_00265__table499619352347" frame="border" border="1" rules="all"><caption><b>Table 7 </b>Default ports of the ENI security group</caption><thead align="left"><tr id="cce_faq_00265__row209961635173415"><th align="left" class="cellrowborder" valign="top" width="7.519248075192481%" id="mcps1.3.8.10.2.7.1.1"><p id="cce_faq_00265__p55981429101212">Direction</p>
</th>
<th align="left" class="cellrowborder" valign="top" width="17.648235176482352%" id="mcps1.3.8.10.2.7.1.2"><p id="cce_faq_00265__p1999619356349">Port</p>
</th>
<th align="left" class="cellrowborder" valign="top" width="14.34856514348565%" id="mcps1.3.8.10.2.7.1.3"><p id="cce_faq_00265__p16996123533412">Default Source Address</p>
</th>
<th align="left" class="cellrowborder" valign="top" width="25.61743825617438%" id="mcps1.3.8.10.2.7.1.4"><p id="cce_faq_00265__p1299613353349">Description</p>
</th>
<th align="left" class="cellrowborder" valign="top" width="10.108989101089891%" id="mcps1.3.8.10.2.7.1.5"><p id="cce_faq_00265__p599620359346">Modifiable</p>
</th>
<th align="left" class="cellrowborder" valign="top" width="24.75752424757524%" id="mcps1.3.8.10.2.7.1.6"><p id="cce_faq_00265__p3996035103415">Modification Suggestion</p>
</th>
</tr>
</thead>
<tbody><tr id="cce_faq_00265__row3996193583411"><td class="cellrowborder" rowspan="2" valign="top" width="7.519248075192481%" headers="mcps1.3.8.10.2.7.1.1 "><p id="cce_faq_00265__p15987296124">Inbound rules</p>
</td>
<td class="cellrowborder" rowspan="2" valign="top" width="17.648235176482352%" headers="mcps1.3.8.10.2.7.1.2 "><p id="cce_faq_00265__p12997935123417">All</p>
</td>
<td class="cellrowborder" valign="top" width="14.34856514348565%" headers="mcps1.3.8.10.2.7.1.3 "><p id="cce_faq_00265__p6997133515348">IP addresses of this security group</p>
</td>
<td class="cellrowborder" valign="top" width="25.61743825617438%" headers="mcps1.3.8.10.2.7.1.4 "><p id="cce_faq_00265__p1499793510344">Allow traffic from all IP addresses of this security group.</p>
</td>
<td class="cellrowborder" valign="top" width="10.108989101089891%" headers="mcps1.3.8.10.2.7.1.5 "><p id="cce_faq_00265__p89976358345">No</p>
</td>
<td class="cellrowborder" valign="top" width="24.75752424757524%" headers="mcps1.3.8.10.2.7.1.6 "><p id="cce_faq_00265__p139971635133415">N/A</p>
</td>
</tr>
<tr id="cce_faq_00265__row15247172916137"><td class="cellrowborder" valign="top" headers="mcps1.3.8.10.2.7.1.1 "><p id="cce_faq_00265__p1424762941311">VPC CIDR block</p>
</td>
<td class="cellrowborder" valign="top" headers="mcps1.3.8.10.2.7.1.2 "><p id="cce_faq_00265__p624782917137">Allow traffic from all IP addresses of the VPC CIDR block.</p>
</td>
<td class="cellrowborder" valign="top" headers="mcps1.3.8.10.2.7.1.3 "><p id="cce_faq_00265__p61578551135">No</p>
</td>
<td class="cellrowborder" valign="top" headers="mcps1.3.8.10.2.7.1.4 "><p id="cce_faq_00265__p715705591316">N/A</p>
</td>
</tr>
<tr id="cce_faq_00265__row5399133761210"><td class="cellrowborder" valign="top" width="7.519248075192481%" headers="mcps1.3.8.10.2.7.1.1 "><p id="cce_faq_00265__p12399737101212">Outbound rule</p>
</td>
<td class="cellrowborder" valign="top" width="17.648235176482352%" headers="mcps1.3.8.10.2.7.1.2 "><p id="cce_faq_00265__p20627447131217">All</p>
</td>
<td class="cellrowborder" valign="top" width="14.34856514348565%" headers="mcps1.3.8.10.2.7.1.3 "><p id="cce_faq_00265__p36271447151218">All IP addresses: <strong id="cce_faq_00265__b893002091026">0.0.0.0/0</strong></p>
</td>
<td class="cellrowborder" valign="top" width="25.61743825617438%" headers="mcps1.3.8.10.2.7.1.4 "><p id="cce_faq_00265__p1562744781211">Allow traffic on all ports by default.</p>
</td>
<td class="cellrowborder" valign="top" width="10.108989101089891%" headers="mcps1.3.8.10.2.7.1.5 "><p id="cce_faq_00265__p1662711479125">No</p>
</td>
<td class="cellrowborder" valign="top" width="24.75752424757524%" headers="mcps1.3.8.10.2.7.1.6 "><p id="cce_faq_00265__p14627847151210">N/A</p>
</td>
</tr>
</tbody>
</table>
</div>
</div>
<div class="section" id="cce_faq_00265__section153292054619"><a name="cce_faq_00265__section153292054619"></a><a name="section153292054619"></a><h4 class="sectiontitle">Hardening Outbound Rules</h4><p id="cce_faq_00265__p536222144614">By default, all security groups created by CCE allow all the <strong id="cce_faq_00265__b10934631133013">outbound</strong> traffic. You are advised to retain this configuration. To harden outbound rules, ensure that the ports listed in the following table are enabled.</p>
<div class="tablenoborder"><table cellpadding="4" cellspacing="0" summary="" id="cce_faq_00265__table12369224466" frame="border" border="1" rules="all"><caption><b>Table 8 </b>Minimum configurations of outbound security group rules for a worker node</caption><thead align="left"><tr id="cce_faq_00265__row636152215465"><th align="left" class="cellrowborder" valign="top" width="31.316868313168683%" id="mcps1.3.9.3.2.4.1.1"><p id="cce_faq_00265__p113632214616">Port</p>
</th>
<th align="left" class="cellrowborder" valign="top" width="24.92750724927507%" id="mcps1.3.9.3.2.4.1.2"><p id="cce_faq_00265__p1836122274615">Allowed CIDR</p>
</th>
<th align="left" class="cellrowborder" valign="top" width="43.75562443755624%" id="mcps1.3.9.3.2.4.1.3"><p id="cce_faq_00265__p5361224461">Description</p>
</th>
</tr>
</thead>
<tbody><tr id="cce_faq_00265__row1136162213463"><td class="cellrowborder" valign="top" width="31.316868313168683%" headers="mcps1.3.9.3.2.4.1.1 "><p id="cce_faq_00265__p1236192210467">UDP port 53</p>
</td>
<td class="cellrowborder" valign="top" width="24.92750724927507%" headers="mcps1.3.9.3.2.4.1.2 "><p id="cce_faq_00265__p113619225464">DNS server of the subnet</p>
</td>
<td class="cellrowborder" valign="top" width="43.75562443755624%" headers="mcps1.3.9.3.2.4.1.3 "><p id="cce_faq_00265__p1336152264613">Allow traffic on the port for domain name resolution.</p>
</td>
</tr>
<tr id="cce_faq_00265__row53682294616"><td class="cellrowborder" valign="top" width="31.316868313168683%" headers="mcps1.3.9.3.2.4.1.1 "><p id="cce_faq_00265__p536192213465">UDP port 4789 (required only for clusters that use the tunnel networks)</p>
</td>
<td class="cellrowborder" valign="top" width="24.92750724927507%" headers="mcps1.3.9.3.2.4.1.2 "><p id="cce_faq_00265__p73616224468">All IP addresses</p>
</td>
<td class="cellrowborder" valign="top" width="43.75562443755624%" headers="mcps1.3.9.3.2.4.1.3 "><p id="cce_faq_00265__p2364220467">Allow access between containers.</p>
</td>
</tr>
<tr id="cce_faq_00265__row193613226464"><td class="cellrowborder" valign="top" width="31.316868313168683%" headers="mcps1.3.9.3.2.4.1.1 "><p id="cce_faq_00265__p936922134611">TCP port 5443</p>
</td>
<td class="cellrowborder" valign="top" width="24.92750724927507%" headers="mcps1.3.9.3.2.4.1.2 "><p id="cce_faq_00265__p3361322124620">CIDR block of the master node</p>
</td>
<td class="cellrowborder" valign="top" width="43.75562443755624%" headers="mcps1.3.9.3.2.4.1.3 "><p id="cce_faq_00265__p13662217467">Allow kube-apiserver of the master node to listen to the worker nodes.</p>
</td>
</tr>
<tr id="cce_faq_00265__row1736122212468"><td class="cellrowborder" valign="top" width="31.316868313168683%" headers="mcps1.3.9.3.2.4.1.1 "><p id="cce_faq_00265__p2375224469">TCP port 5444</p>
</td>
<td class="cellrowborder" valign="top" width="24.92750724927507%" headers="mcps1.3.9.3.2.4.1.2 "><p id="cce_faq_00265__p18377226465">CIDR blocks of the VPC and container</p>
</td>
<td class="cellrowborder" valign="top" width="43.75562443755624%" headers="mcps1.3.9.3.2.4.1.3 "><p id="cce_faq_00265__p1537322194619">Allow access from kube-apiserver, which provides lifecycle management for Kubernetes resources.</p>
</td>
</tr>
<tr id="cce_faq_00265__row203710227468"><td class="cellrowborder" valign="top" width="31.316868313168683%" headers="mcps1.3.9.3.2.4.1.1 "><p id="cce_faq_00265__p183713221463">TCP port 6443</p>
</td>
<td class="cellrowborder" valign="top" width="24.92750724927507%" headers="mcps1.3.9.3.2.4.1.2 "><p id="cce_faq_00265__p153720226464">CIDR block of the master node</p>
</td>
<td class="cellrowborder" valign="top" width="43.75562443755624%" headers="mcps1.3.9.3.2.4.1.3 "><p id="cce_faq_00265__p1237122220466">None</p>
</td>
</tr>
<tr id="cce_faq_00265__row237622134618"><td class="cellrowborder" valign="top" width="31.316868313168683%" headers="mcps1.3.9.3.2.4.1.1 "><p id="cce_faq_00265__p1637142210468">TCP port 8445</p>
</td>
<td class="cellrowborder" valign="top" width="24.92750724927507%" headers="mcps1.3.9.3.2.4.1.2 "><p id="cce_faq_00265__p18371422154616">VPC CIDR block</p>
</td>
<td class="cellrowborder" valign="top" width="43.75562443755624%" headers="mcps1.3.9.3.2.4.1.3 "><p id="cce_faq_00265__p137102219465">Allow the storage add-on of a worker node to access the master node.</p>
</td>
</tr>
<tr id="cce_faq_00265__row173792214614"><td class="cellrowborder" valign="top" width="31.316868313168683%" headers="mcps1.3.9.3.2.4.1.1 "><p id="cce_faq_00265__p63722212469">TCP port 9443</p>
</td>
<td class="cellrowborder" valign="top" width="24.92750724927507%" headers="mcps1.3.9.3.2.4.1.2 "><p id="cce_faq_00265__p143712224619">VPC CIDR block</p>
</td>
<td class="cellrowborder" valign="top" width="43.75562443755624%" headers="mcps1.3.9.3.2.4.1.3 "><p id="cce_faq_00265__p113782217466">Allow the network add-on of a worker node to access the master node.</p>
</td>
</tr>
<tr id="cce_faq_00265__row1255031431615"><td class="cellrowborder" valign="top" width="31.316868313168683%" headers="mcps1.3.9.3.2.4.1.1 "><p id="cce_faq_00265__p955015146167">All ports</p>
</td>
<td class="cellrowborder" valign="top" width="24.92750724927507%" headers="mcps1.3.9.3.2.4.1.2 "><p id="cce_faq_00265__p855031417167">198.19.128.0/17</p>
</td>
<td class="cellrowborder" valign="top" width="43.75562443755624%" headers="mcps1.3.9.3.2.4.1.3 "><p id="cce_faq_00265__p18550114111613">Allow a worker node to access the VPC Endpoint (VPCEP) service.</p>
</td>
</tr>
<tr id="cce_faq_00265__row5127162731511"><td class="cellrowborder" valign="top" width="31.316868313168683%" headers="mcps1.3.9.3.2.4.1.1 "><p id="cce_faq_00265__p11121331191517">UDP port123</p>
</td>
<td class="cellrowborder" valign="top" width="24.92750724927507%" headers="mcps1.3.9.3.2.4.1.2 "><p id="cce_faq_00265__p1912133111154">100.126.0.0/16</p>
</td>
<td class="cellrowborder" valign="top" width="43.75562443755624%" headers="mcps1.3.9.3.2.4.1.3 "><p id="cce_faq_00265__p6121531151517">Allow a worker node to access the internal NTP server.</p>
</td>
</tr>
<tr id="cce_faq_00265__row51101028141519"><td class="cellrowborder" valign="top" width="31.316868313168683%" headers="mcps1.3.9.3.2.4.1.1 "><p id="cce_faq_00265__p1512133117156">TCP port 443</p>
</td>
<td class="cellrowborder" valign="top" width="24.92750724927507%" headers="mcps1.3.9.3.2.4.1.2 "><p id="cce_faq_00265__p412123110156">100.126.0.0/16</p>
</td>
<td class="cellrowborder" valign="top" width="43.75562443755624%" headers="mcps1.3.9.3.2.4.1.3 "><p id="cce_faq_00265__p16121183191517">Allow a worker node to access OBS over internal networks to pull the installation package.</p>
</td>
</tr>
<tr id="cce_faq_00265__row139954287155"><td class="cellrowborder" valign="top" width="31.316868313168683%" headers="mcps1.3.9.3.2.4.1.1 "><p id="cce_faq_00265__p13124153111156">TCP port 6443</p>
</td>
<td class="cellrowborder" valign="top" width="24.92750724927507%" headers="mcps1.3.9.3.2.4.1.2 "><p id="cce_faq_00265__p141241831151519">100.126.0.0/16</p>
</td>
<td class="cellrowborder" valign="top" width="43.75562443755624%" headers="mcps1.3.9.3.2.4.1.3 "><p id="cce_faq_00265__p0124731201514">Allow a worker node to report that the worker node is installed.</p>
</td>
</tr>
</tbody>
</table>
</div>
</div>
</div>
<div>
<div class="familylinks">
<div class="parentlink"><strong>Parent topic:</strong> <a href="cce_faq_00146.html">Network Planning</a></div>
</div>
</div>
View Git Blame Copy Permalink