Quick Summary:

| Software    | Connecting to | Direction | Port         | Required |
|-------------|---------------|-----------|--------------|----------|
| ZDE/ZME     | Controller    | OUTBOUND  | 443/TCP      | Yes      |
| ZDE/ZME     | Edge Routers  | OUTBOUND  | 443/TCP      | Yes      |
| Edge Router | Controller    | OUTBOUND  | 443/TCP      | Yes      |
| Edge Router | Controller    | OUTBOUND  | 80/TCP       | Yes      |
| Edge Router | Controller    | OUTBOUND  | 6262/TCP/UDP | Yes      |
| Edge Router | Edge Router   | OUTBOUND  | 443/TCP      | Yes      |
| Edge Router | Edge Router   | OUTBOUND  | 80/TCP/UDP   | Yes      |
| Edge Router | Edge Router   | INBOUND   | 443/TCP      | No       |
| Edge Router | Edge Router   | INBOUND   | 80/TCP/UDP   | No       |

*** Port numbers are defaults & can be changed if necessary

 

Ziti Desktop Edge & Ziti Mobile Edge

Outbound Requirements

Required Ports:

  • 443/TCP

Port 443 toward the network controller is for configuration, session & authentication.

Port 443 toward the edge router provides the data plane.

The ZDE/ZME products need outbound access to port 443/TCP on the network controller and on any Edge Router that they are granted access to reach via the Edge Router Policy.

Diagram:  ZDE/ZME with NF Hosted Edge Router and Controller


Diagram: ZDE/ZME with Customer Hosted Edge Router and Controller


Inbound Requirements

The ZDE/ZME products do not need any inbound ports.

 

NetFoundry Edge Routers

Connections between Edge Routers and the Network Controller are over TLS.

Connections between Edge Routers and other Routers are over TLS.

Outbound Requirements

Required Ports:

  • 80/TCP/UDP
  • 443/TCP
  • 6262/TCP/UDP

Connections to the Network Controller

Port 80/TCP/UDP toward the network controller is for the establishment of the fabric/data layer.
Port 443 toward the network controller is for sessions & initial authentication.
Port 6262/TCP/UDP toward the network controller is a fabric/data layer for software maintenance.

Diagram: Edge Router and Network Controller


Connections to other Edge Routers

Port 80/TCP/UDP toward public edge routers is for the establishment of the fabric/data layer.
Port 443/TCP toward public edge routers is for the establishment of the data plane.

Diagram: Edge Router to Edge Router


VM Registration Requirements

To register a customer-hosted edge router successfully, port 443/TCP is required toward the following DNS names:

  • gateway.production.netfoundry.io
  • netfoundry.jfrog.io

Inbound Requirements

By default, customer-hosted edge routers do not need any inbound ports open.

Optional Ports:

  • 80/TCP/UDP
  • 443/TCP

Port 80/TCP/UDP toward public edge routers is for the establishment of the fabric/data layer.
Port 443/TCP toward public edge routers is for the establishment of the data plane.

Allowing Connections from other Edge Routers

Diagram: Public Customer ER connection


Enabling link listener

If you plan on creating a publicly accessible customer-hosted edge router, you should enable the link listener option when creating the router in the console.

White Listing IP Addresses

How to find IP addresses

To find IP addresses from within the console, start by navigating to "Manage Networks".

From here you can click on the hamburger menu for the network of your choice.

You will be presented with all the IP address information.
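Once the controller and public edge router addresses are known, a proposed rule set for a customer-hosted edge router can be checked against the port requirements above. The following is an added example, not NetFoundry code: the rule format, the audit() function and the documentation-range IP addresses are assumptions made for illustration.

```python
from ipaddress import ip_address, ip_network

# Outbound flows an edge router needs, per the "Outbound Requirements" section.
# (The Quick Summary lists 80/TCP toward the controller; the detailed section
# lists 80/TCP/UDP, which is what is used here.)
REQUIRED_OUT = {
    "controller": {("tcp", 80), ("udp", 80), ("tcp", 443), ("tcp", 6262), ("udp", 6262)},
    "edge_router": {("tcp", 80), ("udp", 80), ("tcp", 443)},
}
# Inbound ports are optional and only relevant when the link listener is enabled.
OPTIONAL_IN = {("tcp", 80), ("udp", 80), ("tcp", 443)}

def permits(rule, direction, proto, port, ip):
    """True if an allow rule (hypothetical dict format) covers the given flow."""
    return (rule["dir"] == direction and rule["proto"] == proto
            and rule["port"] == port and ip_address(ip) in ip_network(rule["remote"]))

def audit(rules, peers, link_listener=False):
    """Return (missing outbound flows, inbound rules the page does not call for)."""
    missing = []
    for role, ip in peers:
        for proto, port in sorted(REQUIRED_OUT[role]):
            if not any(permits(r, "out", proto, port, ip) for r in rules):
                missing.append((role, ip, proto, port))
    extra_in = [r for r in rules if r["dir"] == "in"
                and not (link_listener and (r["proto"], r["port"]) in OPTIONAL_IN)]
    return missing, extra_in

# Constructed sample data: placeholder addresses stand in for the IPs shown in the console.
PEERS = [("controller", "203.0.113.10"), ("edge_router", "198.51.100.20")]
RULES = [
    {"dir": "out", "proto": "tcp", "port": 443, "remote": "0.0.0.0/0"},
    {"dir": "out", "proto": "tcp", "port": 80, "remote": "203.0.113.0/24"},
    {"dir": "out", "proto": "udp", "port": 80, "remote": "203.0.113.0/24"},
    {"dir": "out", "proto": "tcp", "port": 6262, "remote": "203.0.113.10/32"},
    {"dir": "in", "proto": "tcp", "port": 443, "remote": "0.0.0.0/0"},
]

if __name__ == "__main__":
    missing, extra_in = audit(RULES, PEERS)
    for flow in missing:
        print("missing outbound:", flow)
    for rule in extra_in:
        print("inbound rule not needed without link listener:", rule)
```

With the sample rules, the audit reports three missing outbound flows and one inbound rule that is only justified when the router is public with the link listener enabled.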


Comments

2 comments

  • Edward Moscardini This looks great for inclusion into our documentation.  Some things I noticed (nothing technical)...

    1. Lots of whitespaces make the page way longer than it really is (makes it look like a longer read).  Can we collapse it into tables or some form of an index w/ anchors to specific scenarios?
    2. The images are where the money is at (in my mind).  I'll read the context once and likely only remember the images.  Would it be possible to add the port/proto at the end of the arrows as well?  
    3. These scenarios add very important context to the "Deployment Scenarios" you created.  Let's definitely cross them together in a page link to each other! (https://netfoundry.atlassian.net/wiki/spaces/CLOUDDEV/pages/1958412354/MOP%2BZiti%2BStandard%2BDeployment%2BModels)
    4. Might want to make a footnote that the ports/protos are DEFAULTS that can be customized with a professional service (maybe?).  If we are required to, we could modify them.
    0
  • Edward Moscardini Right as I posted that you updated with a quick view matrix.  PERFECT!

    0
