Tanzu Platform for Cloud Foundry 6.0

Diego network communications

Last Updated March 13, 2025

The tables on this page list the network communication paths between Diego and the other VMware Tanzu Application Service for VMs (TAS for VMs) components, including the port, protocol, and authentication mechanism used on each path.

For more information about Diego components and architecture, see How Diego pushes an app in Diego Components and Architecture.

Inbound communications

The following table lists network communication paths that are inbound to Diego:

| Source VM | Destination VM | Port | Transport Layer Protocol | App Layer Protocol | Security and Authentication |
| --- | --- | --- | --- | --- | --- |
| cloud_controller | diego_database (BBS) | 8889 | TCP | HTTPS | Mutual TLS |
| cloud_controller (Routing API) | diego_database (Locket) | 8891 | TCP | HTTPS | Mutual TLS |

Diego internal communications

The following table lists network communication paths that are internal for Diego:

| Source VM | Destination VM | Port | Transport Layer Protocol | App Layer Protocol | Security and Authentication |
| --- | --- | --- | --- | --- | --- |
| diego_brain (Auctioneer) | diego_cell (Rep) | 1801 | TCP | HTTPS | Mutual TLS |
| diego_brain (Auctioneer) | diego_database (BBS) | 8889 | TCP | HTTPS | Mutual TLS |
| diego_brain (Auctioneer) | diego_database (Locket) | 8891 | TCP | HTTPS | Mutual TLS |
| diego_brain (SSH Proxy) | diego_database (BBS) | 8889 | TCP | HTTPS | Mutual TLS |
| diego_brain (SSH Proxy) | diego_cell (App instances) | Varies* | TCP | SSH | SSH |
| diego_brain (TPS Watcher) | diego_database (Locket) | 8891 | TCP | HTTPS | Mutual TLS |
| diego_cell (local Route Emitter) | diego_database (BBS) | 8889 | TCP | HTTPS | Mutual TLS |
| diego_cell (Rep) | diego_brain (CC Uploader) | 9091 | TCP | HTTPS | Mutual TLS |
| diego_cell (Rep) | diego_brain (File Server)** | 8447 | TCP | HTTPS | TLS |
| diego_cell (Rep) | diego_database (BBS) | 8889 | TCP | HTTPS | Mutual TLS |
| diego_cell (Rep) | diego_database (Locket) | 8891 | TCP | HTTPS | Mutual TLS |
| diego_database (BBS) | diego_brain (Auctioneer) | 9016 | TCP | HTTPS | Mutual TLS |
| diego_database (BBS) | diego_cell (Rep) | 1801 | TCP | HTTPS | Mutual TLS |
| diego_database (BBS) | diego_database (Locket) | 8891 | TCP | HTTPS | Mutual TLS |

*These are the host-side ports that map to port 2222 in app instance containers. They are typically within the range 61001 to 65534.

**The Diego File Server is responsible for distributing non-sensitive, static platform assets to internal platform components, which is why this path uses server-side TLS rather than mutual TLS.

Outbound communications

The following table lists network communication paths that are outbound from Diego:

| Source VM | Destination VM | Port | Transport Layer Protocol | App Layer Protocol | Security and Authentication |
| --- | --- | --- | --- | --- | --- |
| diego_brain | cloud_controller | 9023 | TCP | HTTPS | Mutual TLS |
| diego_brain (SSH Proxy) | cloud_controller | 9024 | TCP | HTTPS | OAuth 2.0 |
| diego_brain (SSH Proxy) | uaa | 443 | TCP | HTTPS | TLS and OAuth 2.0 |
| diego_cell (local Route Emitter) | nats | 4222, 4223, 4224, 4225 | TCP | NATS | Basic authentication |
| diego_cell (Rep) | cloud_controller | 9023 | TCP | HTTPS | Mutual TLS |
| diego_cell (Rep) | nfs_server or other blobstore* | Varies | TCP | HTTP | Signed URLs/TLS |
| diego_database (BBS) | cloud_controller | 9023 | TCP | HTTPS | Mutual TLS |
| diego_database (BBS) | mysql_proxy | 3306 | TCP | MySQL | MySQL authentication** |
| diego_database (Locket) | mysql_proxy | 3306 | TCP | MySQL | MySQL authentication** |

*The destination depends on your TAS for VMs blobstore configuration. If you use the internal blobstore, the Diego Cell communicates with the blobstore using TLS on port 4443.

**MySQL authentication uses the MySQL native password method. Applies only to deployments where internal MySQL is selected as the database.
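The three tables above amount to a least-privilege allowlist for Diego traffic, so one practical use of them is to audit observed flows against that matrix. The following Python script is an added example, not part of this page or of TAS for VMs: it transcribes the tables into an allowlist and flags constructed flow-log lines that the matrix does not account for. The log format, the `<job>/<index>` instance naming, and the omission of the configuration-dependent blobstore row are assumptions.

```python
import re

# Expected Diego paths transcribed from the tables on this page:
# (source VM job, destination VM job) -> allowed destination ports.
# range(61001, 65535) stands in for "Varies" on the SSH Proxy -> app instance row
# (host-side ports mapped to container port 2222). The blobstore row is omitted
# because its destination and port depend on the deployment's configuration.
EXPECTED = {
    ("cloud_controller", "diego_database"): {8889, 8891},
    ("diego_brain", "diego_cell"): {1801} | set(range(61001, 65535)),
    ("diego_brain", "diego_database"): {8889, 8891},
    ("diego_brain", "cloud_controller"): {9023, 9024},
    ("diego_brain", "uaa"): {443},
    ("diego_cell", "diego_brain"): {9091, 8447},
    ("diego_cell", "diego_database"): {8889, 8891},
    ("diego_cell", "cloud_controller"): {9023},
    ("diego_cell", "nats"): {4222, 4223, 4224, 4225},
    ("diego_database", "diego_brain"): {9016},
    ("diego_database", "diego_cell"): {1801},
    ("diego_database", "diego_database"): {8891},
    ("diego_database", "cloud_controller"): {9023},
    ("diego_database", "mysql_proxy"): {3306},
}

# Hypothetical flow-log line shape: "... src=<job>/<index> dst=<job>/<index> dport=<port>"
FLOW_RE = re.compile(r"src=(?P<src>[\w-]+)/\d+ dst=(?P<dst>[\w-]+)/\d+ dport=(?P<port>\d+)")

def is_expected(src, dst, port):
    """True if the tables list a path from job `src` to job `dst` on `port`."""
    return port in EXPECTED.get((src, dst), set())

def audit(lines):
    """Return (src, dst, port) for every parsable flow the matrix does not cover."""
    unexpected = []
    for line in lines:
        m = FLOW_RE.search(line)
        if not m:
            continue  # unparsable line; a real tool would report it separately
        src, dst, port = m["src"], m["dst"], int(m["port"])
        if not is_expected(src, dst, port):
            unexpected.append((src, dst, port))
    return unexpected

SAMPLE_FLOWS = [  # constructed sample lines, not real flow-log output
    "2025-03-13T10:00:01Z src=diego_brain/0 dst=diego_cell/3 dport=1801",
    "2025-03-13T10:00:02Z src=diego_brain/0 dst=diego_cell/3 dport=61005",
    "2025-03-13T10:00:03Z src=diego_cell/3 dst=mysql_proxy/0 dport=3306",
    "2025-03-13T10:00:04Z src=diego_cell/3 dst=diego_database/0 dport=8889",
    "2025-03-13T10:00:05Z src=cloud_controller/0 dst=diego_cell/3 dport=1801",
]

if __name__ == "__main__":
    for flow in audit(SAMPLE_FLOWS):
        print("unexpected flow:", flow)
```

The two flagged flows (a Diego Cell reaching MySQL directly, and Cloud Controller reaching a Cell's Rep port) are exactly the kind of paths the matrix says should not exist and that a firewall or security-group policy derived from these tables would block.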

BOSH DNS communications

By default, TAS for VMs components and app containers look up services using the BOSH DNS service discovery mechanism. To support this lookup, BOSH Director co-locates a BOSH DNS server on every deployed VM. For more information, see BOSH DNS network communications.