Tanzu Platform for Cloud Foundry 4.0

MySQL network communications

Last Updated March 13, 2025

The following tables show MySQL internal network communication paths with other VMware Tanzu Application Service for VMs (TAS for VMs) components.

These communications only apply to deployments where internal MySQL is selected as the TAS for VMs database.

Inbound communications

The following table lists network communication paths that are inbound to MySQL VMs:

| Source VM | Destination VM | Port | Transport Layer Protocol | App Layer Protocol | Security and Authentication |
|---|---|---|---|---|---|
| cloud_controller | mysql_proxy | 3306 | TCP | MySQL | MySQL authentication* |
| cloud_controller_worker | mysql_proxy | 3306 | TCP | MySQL | MySQL authentication* |
| clock_global | mysql_proxy | 3306 | TCP | MySQL | MySQL authentication* |
| credhub | mysql_proxy | 3306 | TCP | MySQL | MySQL authentication* |
| diego_cell (VXLAN Policy Agent) | mysql_proxy | 3306 | TCP | MySQL | MySQL authentication* |
| diego_database (Policy Server) | mysql_proxy | 3306 | TCP | MySQL | MySQL authentication* |
| diego_database (BBS) | mysql_proxy | 3306 | TCP | MySQL | MySQL authentication* |
| diego_database (Locket) | mysql_proxy | 3306 | TCP | MySQL | MySQL authentication* |
| uaa | mysql_proxy | 3306 | TCP | MySQL | MySQL authentication* |

* MySQL authentication uses the MySQL native password method.

Internal communications

The following table lists network communication paths that are internal to MySQL VMs:

| Source VM | Destination VM | Port | Transport Layer Protocol | App Layer Protocol | Security and Authentication |
|---|---|---|---|---|---|
| mysql | mysql (Galera) | 4567 | TCP | MySQL | MySQL authentication* |
| mysql_monitor | mysql (MySQL Server) | 3306 | TCP | HTTP | Basic authentication |
| mysql_monitor | mysql_proxy (Proxy health check) | 443/8080** | TCP | HTTP | Basic authentication |
| mysql_proxy | mysql (MySQL Server) | 3306 | TCP | HTTP | MySQL authentication* |
| mysql_proxy | mysql (Galera health check) | 9200 | TCP | HTTP | Basic authentication |

* MySQL authentication uses the MySQL native password method.

** Port 443 is used if mysql_proxy is registered with the Gorouter. If not registered, mysql_proxy uses port 8080 instead.

Outbound communications

The following table lists network communication paths that are outbound from MySQL:

| Source VM | Destination VM | Port | Transport Layer Protocol | App Layer Protocol | Security and Authentication |
|---|---|---|---|---|---|
| mysql_monitor | uaa | 8443 | TCP | HTTPS | OAuth |
| mysql_proxy (Route Registrar) | nats | 4222 | TCP | NATS | Basic authentication |

If you select the Enable inactive mysql port check box on the Internal MySQL pane of the TAS for VMs tile, you can run auditing and reporting queries on an inactive MySQL node over port 3336. For more information, see Configure Internal MySQL in Configuring TAS for VMs.

BOSH DNS communications

By default, TAS for VMs components and app containers look up services using the BOSH DNS service discovery mechanism. To support this lookup, BOSH Director co-locates a BOSH DNS server on every deployed VM. For more information, see BOSH DNS network communications.