The following tables show the internal network communication paths of the routing subsystem with other VMware Tanzu Application Service for VMs (TAS for VMs) components.
HTTP routing
The following table lists network communication paths for HTTP routing:
Source VM | Destination VM | Port | Transport Layer Protocol | App Layer Protocol | Security and Authentication |
---|---|---|---|---|---|
diego_cell (local Route Emitter) | nats | 4222 | TCP | NATS | Basic authentication |
Load balancer | router (Gorouter) | 80 | TCP | HTTP | None |
Load balancer | router (Gorouter) | 443 | TCP | HTTPS | TLS |
router (Gorouter) | nats | 4222 | TCP | NATS | Basic authentication |
router (Gorouter) | System components | Varies | TCP | Varies | None |
router (Gorouter) | App containers | Varies | TCP | Varies | Optional TLS |
TCP routing (optional)
The following table lists network communication paths for TCP routing:
Source VM | Destination VM | Port | Transport Layer Protocol | App Layer Protocol | Security and Authentication |
---|---|---|---|---|---|
cloud_controller | cloud_controller (Routing API)* | 443 | TCP | HTTPS | TLS and OAuth 2.0 |
cloud_controller (Routing API) | diego_database (Locket) | 8891 | TCP | HTTPS | Mutual TLS |
cloud_controller (Routing API) | mysql_proxy | 3306 | TCP | MySQL | MySQL authentication** |
cloud_controller (Routing API) | uaa | 8443 | TCP | HTTPS | TLS |
diego_brain (global TCP Emitter) | cloud_controller (Routing API) | 3000 | TCP | HTTP | OAuth 2.0 |
diego_brain (global TCP Emitter) | cloud_controller (Routing API) | 3001 | TCP | HTTPS | Mutual TLS |
diego_brain (global TCP Emitter) | uaa | 8443 | TCP | HTTPS | TLS |
diego_cell (local Route Emitter) | cloud_controller (Routing API) | 3000 | TCP | HTTP | OAuth 2.0 |
diego_cell (local Route Emitter) | cloud_controller (Routing API) | 3001 | TCP | HTTPS | Mutual TLS |
diego_cell (local Route Emitter) | uaa | 8443 | TCP | HTTPS | TLS |
Load balancer | tcp_router | 1024-65535† | TCP | TCP | None |
router (Gorouter) | cloud_controller (Routing API) | 3000 | TCP | HTTP | OAuth 2.0 |
router (Gorouter) | cloud_controller (Routing API) | 3001 | TCP | HTTPS | Mutual TLS |
router (Gorouter) | uaa | 8443 | TCP | HTTPS | TLS |
tcp_router | cloud_controller (Routing API) | 3000 | TCP | HTTP | OAuth 2.0 |
tcp_router | cloud_controller (Routing API) | 3001 | TCP | HTTPS | Mutual TLS |
tcp_router | uaa | 8443 | TCP | HTTPS | TLS |
* This communication happens through a load balancer and a Gorouter. Requests are received by the Routing API on port 3000 or 3001. You can use the Routing API Endpoint Protocol toggle when configuring the TAS for VMs tile to allow HTTPS only.
† You can use this port range to configure the port in the TAS for VMs tile.
** MySQL authentication uses the MySQL native password method.
Service Mesh (optional)
The following table lists network communication paths for service mesh:
Source VM | Destination VM | Port | Transport Layer Protocol | App Layer Protocol | Security and Authentication |
---|---|---|---|---|---|
cloud_controller (cloud_controller_ng) | istio_control (Copilot) | 9001 | TCP | GRPC | Mutual TLS |
istio_control (Copilot) | diego_database (BBS) | 8889 | TCP | HTTP | Mutual TLS |
istio_control (Pilot-Discovery) | istio_control (Copilot) | 9009 | TCP | GRPC | Mutual TLS |
istio_router (Envoy) | App containers | Varies | TCP | HTTP/HTTPS | Optional TLS |
istio_router (Envoy) | istio_control (Pilot-Discovery) | 15010 | TCP | GRPC | None |
Load balancer | istio_router (Envoy) | 80 | TCP | HTTP | None |
Load balancer | istio_router (Envoy) | 443 | TCP | HTTPS | TLS |
Load balancer (health check) | istio_router (Envoy) | 8002 | TCP | HTTP | None |
route_syncer (CC Route Syncer) | istio_control (Copilot) | 9001 | TCP | GRPC | Mutual TLS |
route_syncer (CC Route Syncer) | mysql_proxy* | 3306 | TCP | MySQL | MySQL authentication* |
N/A (admin) | istio_router (Envoy) | 8001 | TCP | HTTP | None |
N/A (for Envoy secure GRPC communication) | istio_control (Pilot-Discovery) | 15012 | TCP | GRPC | Mutual TLS |
N/A (for HTTP discovery service) | istio_control (Pilot-Discovery) | 8080 | TCP | HTTP | None |
N/A (for Pilot’s self-monitoring) | istio_control (Pilot-Discovery) | 9093 | TCP | HTTP | None |
* Applies only to deployments where internal MySQL is selected as the database.
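As an added example (not from the TAS for VMs documentation), the following Python script shows how the communication-path tables above can be turned into something operational: it parses rows in the same pipe-table layout, builds per-VM egress and ingress allow-lists from them, and lists the paths whose Security column gives no or only optional TLS so they can be reviewed against the deployment's settings (for example the HTTPS-only toggle mentioned in the footnote). The embedded table is a constructed subset of the rows above, and all function names are this example's own.

```python
"""Turn routing communication-path tables into an egress/ingress inventory
and list the paths whose Security column gives no transport encryption."""
import re
from collections import defaultdict

# Constructed sample: a subset of rows copied from the HTTP and TCP routing
# tables, in the same pipe-table layout (footnote markers included).
SAMPLE_TABLE = """\
Source VM | Destination VM | Port | Transport Layer Protocol | App Layer Protocol | Security and Authentication |
---|---|---|---|---|---|
diego_cell (local Route Emitter) | nats | 4222 | TCP | NATS | Basic authentication |
Load balancer | router (Gorouter) | 80 | TCP | HTTP | None |
Load balancer | router (Gorouter) | 443 | TCP | HTTPS | TLS |
router (Gorouter) | nats | 4222 | TCP | NATS | Basic authentication |
router (Gorouter) | App containers | Varies | TCP | Varies | Optional TLS |
cloud_controller (Routing API) | mysql_proxy | 3306 | TCP | MySQL | MySQL authentication** |
diego_cell (local Route Emitter) | cloud_controller (Routing API) | 3000 | TCP | HTTP | OAuth 2.0 |
diego_cell (local Route Emitter) | cloud_controller (Routing API) | 3001 | TCP | HTTPS | Mutual TLS |
Load balancer | tcp_router | 1024-65535† | TCP | TCP | None |
"""

# Footnote markers the tables attach to cells (*, **, †); stripped during parsing.
FOOTNOTE_MARKS = re.compile(r"[*†]+$")


def parse_port(text):
    """'80' -> (80, 80); '1024-65535' -> (1024, 65535); 'Varies' -> None."""
    m = re.fullmatch(r"(\d+)(?:-(\d+))?", text)
    if not m:
        return None
    lo = int(m.group(1))
    hi = int(m.group(2)) if m.group(2) else lo
    return (lo, hi)


def parse_paths(markdown):
    """Parse a pipe table into a list of path dicts."""
    lines = [ln for ln in markdown.strip().splitlines() if ln.strip()]
    header = [h.strip() for h in lines[0].rstrip("|").split("|")]
    paths = []
    for line in lines[2:]:  # skip the header row and the '---|---' separator
        cells = [FOOTNOTE_MARKS.sub("", c.strip()) for c in line.rstrip("|").split("|")]
        if len(cells) != len(header):
            continue  # malformed row: skip rather than guess at its columns
        row = dict(zip(header, cells))
        paths.append({
            "source": row["Source VM"],
            "destination": row["Destination VM"],
            "port": row["Port"],
            "port_range": parse_port(row["Port"]),
            "transport": row["Transport Layer Protocol"],
            "app_protocol": row["App Layer Protocol"],
            "security": row["Security and Authentication"],
        })
    return paths


def transport_security(security):
    """Classify the Security column as 'tls', 'optional' (Optional TLS) or 'no_tls'.
    'no_tls' means the table lists no transport encryption; application-layer
    authentication (Basic, OAuth 2.0, MySQL) may still be present."""
    s = security.lower()
    if "optional tls" in s:
        return "optional"
    if "tls" in s:
        return "tls"
    return "no_tls"


def egress_rules(paths):
    """source VM -> sorted list of (destination, port, transport) it must reach."""
    rules = defaultdict(set)
    for p in paths:
        rules[p["source"]].add((p["destination"], p["port"], p["transport"]))
    return {src: sorted(dests) for src, dests in rules.items()}


def ingress_rules(paths):
    """destination VM -> sorted list of (port, transport, source) allowed in."""
    rules = defaultdict(set)
    for p in paths:
        rules[p["destination"]].add((p["port"], p["transport"], p["source"]))
    return {dst: sorted(srcs) for dst, srcs in rules.items()}


def paths_without_tls(paths):
    """Paths to review: the Security column gives no TLS, or only optional TLS."""
    return [p for p in paths if transport_security(p["security"]) != "tls"]


if __name__ == "__main__":
    paths = parse_paths(SAMPLE_TABLE)
    for src, dests in egress_rules(paths).items():
        print(f"{src} ->")
        for dst, port, proto in dests:
            print(f"    {dst} {proto}/{port}")
    print("\nPaths with no or optional TLS per the table:")
    for p in paths_without_tls(paths):
        print(f"  {p['source']} -> {p['destination']} {p['transport']}/{p['port']} "
              f"({p['app_protocol']}, {p['security']}) [{transport_security(p['security'])}]")
```

The per-VM lists are what a firewall or security-group policy needs; the "no or optional TLS" list is the set of paths where the table itself promises no transport encryption, which is where a review of the tile's HTTPS-only and TLS options should start.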
BOSH DNS communications
By default, TAS for VMs components and app containers look up services using the BOSH DNS service discovery mechanism. To support this lookup, BOSH Director co-locates a BOSH DNS server on every deployed VM. For more information, see BOSH DNS network communications.