Networking
The platform uses specific network ports to enable communication between Kubernetes clusters, the platform API, and external services. These ports support API requests, webhook execution, and cost monitoring.
If these ports are blocked by firewall rules, some platform features—such as role-based access control (RBAC) enforcement, cost monitoring, or webhook validation—might fail. Ensure these ports are open to prevent connectivity issues.
Required open ports​
Connect Kubernetes to the platform​
Kubernetes must connect to the platform’s API extensions and webhooks to process requests, enforce policies, and perform management operations. The following ports must be open to allow for communication:
| Port | Description | Purpose |
|---|---|---|
8443 | API service extension (v1.cluster.loft.sh) | Enables Kubernetes API integration with the platform |
9443 | Webhook validation (loft webhook) | Validates requests and enforces policies |
9444 | Management API (v1.management.loft.sh) | Handles platform-wide administration and cluster management |
In private GKE clusters, Kubernetes control plane and worker nodes might reside in separate subnetworks. You might need to explicitly allow traffic on these ports using a firewall rule.
Connect the platform to Prometheus​
The platform retrieves cost metrics from Prometheus running inside connected clusters. The platform's cost control dashboard uses these metrics to provide insights into resource usage.
To collect this data, the local cluster agent acts as a proxy between the platform and Prometheus. This requires an open connection over TCP port 9090. If cost metrics are missing or unavailable, verify that the platform can reach Prometheus on this port.
| Port | Description | Purpose |
|---|---|---|
9090 | Cost control dashboard metrics | Enables cost monitoring and visualization |
If your environment has strict firewall rules or network policies, you might need to explicitly allow traffic over TCP 9090 between the platform and Prometheus.
Firewall rules configuration​
If your firewall blocks ports, you must create rules to allow required traffic. You can configure access using network security settings such as VPC firewall rules or AWS Security Groups.
Allow Kubernetes to connect to the platform​
Run the following command to allow Kubernetes to communicate with the platform:
gcloud compute firewall-rules create allow-k8s-api-to-vcluster-platform \
--allow tcp:8443,tcp:9443,tcp:9444 \
--source-ranges=<KUBERNETES_API_IP_RANGE> \
--target-tags=vcluster-platform
- Replace
<KUBERNETES_API_IP_RANGE>with the actual IP range of the Kubernetes API server.
In private GKE clusters, the Kubernetes control plane and nodes are not in the same subnetwork. Without this rule, Kubernetes cannot communicate with platform components.
Allow the platform to connect to Prometheus​
vCluster Platform collects cost metrics from Prometheus running inside connected clusters. To enable this, the local cluster agent proxies requests to Prometheus over TCP port 9090. If the platform cannot access Prometheus, cost monitoring might fail.
Run the following command to allow the platform to communicate with Prometheus:
gcloud compute firewall-rules create allow-vcluster-platform-to-prometheus \
--allow tcp:9090 \
--source-ranges=<VCLUSTER_PLATFORM_IP> \
--target-tags=prometheus
- Replace
<VCLUSTER_PLATFORM_IP>with the IP address of the platform instance.
Verify firewall rules​
After setting up firewall rules, test the connection between the platform and Prometheus:
nc -zv <PROMETHEUS_IP> 9090
If successful, the output confirm with the following message:
Connection to <PROMETHEUS_IP> 9090 port [tcp/http] succeeded!