Tanzu Platform for Cloud Foundry 6.0

Cloud Controller Network communications

Last Updated March 13, 2025

The tables here show Cloud Controller internal network communication paths with other VMware Tanzu Application Service for VMs (TAS for VMs) components.

For more information about Cloud Controller, see Cloud Controller.

Inbound communications

The following table lists network communication paths that are inbound to the Cloud Controller:

| Source VM | Destination VM | Port | Transport Layer Protocol | App Layer Protocol | Security and Authentication |
|---|---|---|---|---|---|
| cloud_controller | cloud_controller (Routing API) | 443 | TCP | HTTPS | OAuth 2.0 |
| clock_global (Syslog Binding Cache) | cloud_controller | 9023 | TCP | HTTPS | Mutual TLS |
| diego_brain | cloud_controller | 9023 | TCP | HTTPS | Mutual TLS |
| diego_brain (SSH Proxy) | cloud_controller | 9024 | TCP | HTTPS | OAuth 2.0 |
| diego_cell (Rep) | cloud_controller | 9023 | TCP | HTTPS | Mutual TLS |
| diego_database (BBS) | cloud_controller | 9023 | TCP | HTTPS | Mutual TLS |
| log_cache (Log Cache CF Auth Proxy) | cloud_controller | 9023 | TCP | HTTPS | Mutual TLS |
| loggregator_trafficcontroller (Traffic Controller) | cloud_controller | 9023 | TCP | HTTPS | Mutual TLS |
| loggregator_trafficcontroller (Reverse Log Proxy) | cloud_controller | 9023 | TCP | HTTPS | Mutual TLS |
| router | cloud_controller | 9024 | TCP | HTTPS | OAuth 2.0 |

Outbound communications

The following table lists network communication paths that are outbound from the Cloud Controller:

| Source VM | Destination VM | Port | Transport Layer Protocol | App Layer Protocol | Security and Authentication |
|---|---|---|---|---|---|
| cloud_controller | mysql_proxy* | 3306 | TCP | MySQL | MySQL authentication** |
| cloud_controller | nfs_server or other blobstore | 4443 | TCP | HTTPS | TLS and basic authentication |
| cloud_controller | uaa | 8443 | TCP | HTTPS | OAuth 2.0 or none‡ |
| cloud_controller | diego_database (BBS) | 8889 | TCP | HTTPS | Mutual TLS |
| cloud_controller (Route Registrar) | nats | 4222 | TCP | NATS | Basic authentication |
| cloud_controller (Routing API) | diego_database (Locket) | 8891 | TCP | HTTPS | Mutual TLS |
| cloud_controller_worker | mysql_proxy* | 3306 | TCP | MySQL | MySQL authentication** |
| cloud_controller_worker | nfs_server or other blobstore | 4443 | TCP | HTTPS | TLS and basic authentication |
| clock_global | mysql_proxy* | 3306 | TCP | MySQL | MySQL authentication** |

*Applies only to deployments where internal MySQL is selected as the database.

**MySQL authentication uses the MySQL native password method.

The destination depends on your file storage or blobstore configuration.

‡The authentication method depends on the type of request.
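The inbound and outbound tables above can serve as an allowlist when reviewing flow logs or firewall rules. The following is an added example, not code from the product or its documentation: the `audit` function, the `"src dst port"` record format (flows already resolved to VM names), the `<blobstore>` placeholder and the sample flows are all assumptions made for illustration.

```python
# Added example; assumes flows are resolved to VM names as "src dst port" lines.
CC_VMS = {"cloud_controller", "cloud_controller_worker", "clock_global"}
BLOB = "<blobstore>"  # placeholder: the real destination depends on configuration
# (source VM, destination VM, TCP port) -> documented security and authentication
PATHS = {
    ("cloud_controller", "cloud_controller", 443): "OAuth 2.0",
    ("clock_global", "cloud_controller", 9023): "Mutual TLS",
    ("diego_brain", "cloud_controller", 9023): "Mutual TLS",
    ("diego_brain", "cloud_controller", 9024): "OAuth 2.0",
    ("diego_cell", "cloud_controller", 9023): "Mutual TLS",
    ("diego_database", "cloud_controller", 9023): "Mutual TLS",
    ("log_cache", "cloud_controller", 9023): "Mutual TLS",
    ("loggregator_trafficcontroller", "cloud_controller", 9023): "Mutual TLS",
    ("router", "cloud_controller", 9024): "OAuth 2.0",
    ("cloud_controller", "mysql_proxy", 3306): "MySQL authentication",
    ("cloud_controller", BLOB, 4443): "TLS and basic authentication",
    ("cloud_controller", "uaa", 8443): "OAuth 2.0 or none",
    ("cloud_controller", "diego_database", 8889): "Mutual TLS",
    ("cloud_controller", "nats", 4222): "Basic authentication",
    ("cloud_controller", "diego_database", 8891): "Mutual TLS",
    ("cloud_controller_worker", "mysql_proxy", 3306): "MySQL authentication",
    ("cloud_controller_worker", BLOB, 4443): "TLS and basic authentication",
    ("clock_global", "mysql_proxy", 3306): "MySQL authentication",
}

def audit(flows, internal_mysql=True, blobstore_vm="nfs_server"):
    # Returns (flow, verdict) for each flow that touches a Cloud Controller VM.
    results = []
    for line in flows:
        src, dst, port = line.split()
        if src not in CC_VMS and dst != "cloud_controller":
            continue  # not covered by the tables on this page
        key = (src, BLOB if dst == blobstore_vm else dst, int(port))
        if key not in PATHS:
            verdict = "ALERT: path not documented"
        elif dst == "mysql_proxy" and not internal_mysql:
            verdict = "ALERT: MySQL path requires internal MySQL"
        else:
            verdict = "ok: expect " + PATHS[key]
        results.append((line, verdict))
    return results

# Constructed flow records, not captured from a real deployment.
FLOWS = [
    "diego_cell cloud_controller 9023",
    "diego_cell cloud_controller 9024",   # cells are listed only on 9023
    "cloud_controller_worker nats 4222",  # only cloud_controller is listed for NATS
    "clock_global mysql_proxy 3306",
    "router uaa 8443",                    # outside this page's tables, skipped
]
```

Pass `internal_mysql=False` for deployments that use an external database, and set `blobstore_vm` to the name your flow source uses for the configured blobstore.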

BOSH DNS communications

By default, TAS for VMs components and app containers look up services using the BOSH DNS service discovery mechanism. To support this lookup, BOSH Director co-locates a BOSH DNS server on every deployed VM. For more information, see BOSH DNS network communications.