Networking
The platform uses specific network ports to enable communication between Kubernetes clusters, the platform API, and external services. These ports support API requests, webhook execution, and cost monitoring.
If these ports are blocked by firewall rules, some platform features such as role-based access control (RBAC) enforcement, cost monitoring, or webhook validation might fail. Ensure these ports are open to prevent connectivity issues.
Required open ports
Connect Kubernetes to the platform
Kubernetes must connect to the platform's API extensions and webhooks to process requests, enforce policies, and perform management operations. The following ports must be open to allow for communication:
Port | Description | Purpose |
---|---|---|
8443 | API service extension (`v1.cluster.loft.sh`) | Enables Kubernetes API integration with the platform |
9443 | Webhook validation (`loft` webhook) | Validates requests and enforces policies |
9444 | Management API (`v1.management.loft.sh`) | Handles platform-wide administration and cluster management |
In private GKE clusters, Kubernetes control plane and worker nodes might reside in separate subnetworks. You might need to explicitly allow traffic on these ports using a firewall rule.
Enable DNS resolution in virtual clusters
vCluster runs a CoreDNS component inside each virtual cluster to handle internal DNS queries. To avoid conflicts with the host cluster's DNS, CoreDNS in vCluster listens on port `1053` instead of the default port `53`.
If this port is blocked, DNS queries from virtual cluster pods might not work, especially when the querying pod and the CoreDNS pod are on different nodes. This issue commonly affects EKS clusters created with Terraform, which set up separate security groups for the control plane and worker nodes. By default, the node security group does not allow inbound traffic on port `1053`.
To enable proper DNS resolution within virtual clusters, allow inbound traffic on port `1053` between nodes.
Port | Description | Purpose |
---|---|---|
1053 | CoreDNS for vCluster | Enables internal DNS resolution across nodes in virtual clusters |
If you're using EKS with Terraform, check the default node security group and manually allow inbound traffic on TCP and UDP port `1053`. This ensures DNS queries between pods and CoreDNS can succeed even when scheduled on different nodes.
Connect the platform to Prometheus
The platform retrieves cost metrics from Prometheus running inside connected clusters. The platform's cost control dashboard uses these metrics to provide insights into resource usage.
To collect this data, the local cluster agent acts as a proxy between the platform and Prometheus. This requires an open connection over TCP port `9090`. If cost metrics are missing or unavailable, verify that the platform can reach Prometheus on this port.
Port | Description | Purpose |
---|---|---|
9090 | Cost control dashboard metrics | Enables cost monitoring and visualization |
If your environment has strict firewall rules or network policies, you might need to explicitly allow traffic over TCP `9090` between the platform and Prometheus.
Firewall rules configuration
If your firewall blocks ports, you must create rules to allow required traffic. You can configure access using network security settings such as VPC firewall rules or AWS Security Groups.
Allow Kubernetes to connect to the platform
Run the following command to allow Kubernetes to communicate with the platform:

```bash
gcloud compute firewall-rules create allow-k8s-api-to-vcluster-platform \
  --allow tcp:8443,tcp:9443,tcp:9444 \
  --source-ranges=<KUBERNETES_API_IP_RANGE> \
  --target-tags=vcluster-platform
```

- Replace `<KUBERNETES_API_IP_RANGE>` with the actual IP range of the Kubernetes API server.
In private GKE clusters, the Kubernetes control plane and nodes are not in the same subnetwork. Without this rule, Kubernetes cannot communicate with platform components.
Allow the platform to connect to Prometheus
vCluster Platform collects cost metrics from Prometheus running inside connected clusters. To enable this, the local cluster agent proxies requests to Prometheus over TCP port `9090`. If the platform cannot access Prometheus, cost monitoring might fail.
Run the following command to allow the platform to communicate with Prometheus:

```bash
gcloud compute firewall-rules create allow-vcluster-platform-to-prometheus \
  --allow tcp:9090 \
  --source-ranges=<VCLUSTER_PLATFORM_IP> \
  --target-tags=prometheus
```

- Replace `<VCLUSTER_PLATFORM_IP>` with the IP address of the platform instance.
Verify firewall rules
After setting up firewall rules, test the connection between the platform and Prometheus:

```bash
nc -zv <PROMETHEUS_IP> 9090
```

If successful, the output confirms the connection with the following message:

```
Connection to <PROMETHEUS_IP> 9090 port [tcp/http] succeeded!
```