Connectivity requirements for BIG-IP Next and BIG-IP Next Central Manager

Overview

This document discusses the network connectivity requirements for the BIG-IP Next Central Manager system, BIG-IP Next API engine, BIG-IP Next OTEL Collector and BIG-IP Next Instances to access remote BIG-IP Next devices and peer BIG-IP Next Central Manager devices.

BIG-IP Next Central Manager

Table 1: Inbound

| TCP Service | Port | Purpose | Authentication Method | Encrypted | Source | Destination |
|---|---|---|---|---|---|---|
| HTTPS | 443 | UI and REST API endpoint for performing BIG-IP Next Central Manager management tasks | Username, password; JSON Web Token (JWT) | Yes (TLS) | Any | BIG-IP Next Central Manager (CM) |
| GRPCS | 443 | OpenTelemetry endpoint for collecting analytics from managed BIG-IP Next instances | mTLS | Yes (TLS) | BIG-IP Next Instances | BIG-IP Next Central Manager (CM) |
| SSH | 22 | Command line access into CM for maintenance and debugging operations | Username, password | Yes (TLS) | Any | BIG-IP Next Central Manager (CM) |

Table 2: Outbound

| Host / Port | Purpose | Authentication Method | Encrypted | Source | Destination |
|---|---|---|---|---|---|
| NFS 2049 (TCP/UDP) | NFS external storage | N/A | No (default) | BIG-IP Next Central Manager (CM) | NFS server |
| SMB 137-139, 445 (TCP) | SMB external storage | Username, password | No (default) | BIG-IP Next Central Manager (CM) | SMB server |
| callhome.f5.com:443 | WAF signature files download | Username, password | Yes (TLS) | BIG-IP Next Central Manager (CM) | callhome.f5.com:443 |
| ihealth.f5.com:443 | iHealth qkview uploads | Username, password | Yes (TLS) | BIG-IP Next Central Manager (CM) | ihealth.f5.com:443 |
| activate.f5.com:443 | F5 licensing, activation | N/A | Yes (TLS) | BIG-IP Next Central Manager (CM) | activate.f5.com:443 |
| VELOS/rSeries provider:8888 (port is customizable to 443) | VELOS/rSeries provider | Username, password | Yes (TLS) | BIG-IP Next Central Manager (CM) | VELOS/rSeries provider:8888 (port is customizable to 443) |
| NTP 123 (UDP) | NTP server | N/A | No (default) | BIG-IP Next Central Manager (CM) | NTP server |
| DNS 53 (TCP/UDP) | DNS server | N/A | No (default) | BIG-IP Next Central Manager (CM) | DNS server |

Note: In a BIG-IP Next Central Manager high availability (HA) installation, TCP traffic must be opened between the CM VM instances.

BIG-IP Next Instance

Table 3: Inbound

| Service | Service Port | Purpose | Authentication Method | Encrypted | Source | Destination |
|---|---|---|---|---|---|---|
| Debug SSH | TCP 2222 | Used to provide BIG-IP bash shell access to the debug user via the debug side-car on successful authentication. The 'debug user' does not have root permissions. | Public key (public and private key pair) | Yes | Any | MGMT |
| BIG-IP Next API Engine | TCP 5443 | REST API endpoint used by CM for instance lifecycle management and application deployment tasks. | mTLS; Username, password; JSON Web Token (JWT)¹ | Yes (TLS) | Any (can be restricted to CM and Control Plane Interface) | MGMT / HA Instance Control Plane Interface |
| FCDN | TCP 22000 | 22000 is used as a container port to communicate with the fcdn pod. | mTLS | Yes | Control Plane Interface | HA Instance Control Plane Interface |
| Vault | TCP 8445, TCP 8201 | 8445: used for HTTPS communication with Vault. 8201: used for Vault High Availability (HA) communication. | mTLS | Yes | Control Plane Interface | HA Instance Control Plane Interface |
| DSSM | TCP 6379 | Used to communicate with the Redis server and sync between master and slave Redis. | mTLS | Yes | Control Plane Interface | HA Instance Control Plane Interface |
| Fluentd | TCP 7443 | 7443: used for the gRPC connection between NGINX and observer/logpull. | mTLS | Yes | Control Plane Interface | HA Instance Control Plane Interface |
| Data Store | TCP 5432 | Used to communicate with the PostgreSQL database. | mTLS | Yes | Control Plane Interface | HA Instance Control Plane Interface |
| Module Provisioner | TCP 8503 | Used to perform module provisioning across both nodes in an HA setup. | mTLS | Yes | Control Plane Interface | HA Instance Control Plane Interface |
| Upgrade Manager | TCP 8091 | Used to trigger an upgrade and get upgrade status on the standby node in an HA setup. | mTLS | Yes | Control Plane Interface | HA Instance Control Plane Interface |
| AVCL | TCP 8443 | TCP 8443 is used to establish trust and HA communication between peers. | mTLS | Yes | Control Plane Interface | HA Instance Control Plane Interface |
| AVCL | UDP 9002 | UDP 9002 is used to tunnel HA heartbeat traffic between peers. | VRRP AH | No | Control Plane Interface | HA Instance Control Plane Interface |
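As an added defensive check, not part of F5's documentation, the following Python audits an `ss -Hlntu` socket listing against the Table 3 inbound matrix: anything listening that the table does not list is flagged, and the HA-only services are flagged if they are bound to anything other than the control plane interface address. It assumes that binding those services to the control plane address is how the Source/Destination restriction in the table is enforced, and the sample listing and the address 10.10.1.5 are constructed.

```python
# Table 3 inbound matrix: (proto, port) -> "mgmt" (reachable from Any on MGMT)
# or "cp" (HA service, expected only on the Control Plane Interface).
EXPECTED = {
    ("tcp", 2222): "mgmt", ("tcp", 5443): "mgmt",                    # Debug SSH, API Engine
    ("tcp", 22000): "cp", ("tcp", 8445): "cp", ("tcp", 8201): "cp",  # FCDN, Vault HTTPS/HA
    ("tcp", 6379): "cp", ("tcp", 7443): "cp", ("tcp", 5432): "cp",   # DSSM, Fluentd, Data Store
    ("tcp", 8503): "cp", ("tcp", 8091): "cp",                        # Module Provisioner, Upgrade Manager
    ("tcp", 8443): "cp", ("udp", 9002): "cp",                        # AVCL trust/HA and heartbeat
}
WILDCARDS = {"0.0.0.0", "*", "[::]"}  # binds that expose a service on every interface

def parse_ss(output):
    """Parse `ss -Hlntu` lines into (proto, local_addr, port) tuples."""
    sockets = []
    for line in output.splitlines():
        fields = line.split()
        if len(fields) < 5 or fields[0] not in ("tcp", "udp"):
            continue
        addr, port = fields[4].rsplit(":", 1)  # handles 0.0.0.0:5443, [::]:5443 and *:5443
        if port.isdigit():
            sockets.append((fields[0], addr, int(port)))
    return sockets

def audit_listeners(output, cp_addr):
    """Flag listeners absent from Table 3 and HA-only services not bound to cp_addr."""
    findings = []
    for proto, addr, port in parse_ss(output):
        scope = EXPECTED.get((proto, port))
        if scope is None:
            findings.append(f"unexpected listener {proto}/{port} on {addr}")
        elif scope == "cp" and addr != cp_addr:
            where = "all interfaces" if addr in WILDCARDS else addr
            findings.append(f"control-plane-only {proto}/{port} bound to {where}, expected {cp_addr}")
    return findings

# Constructed sample `ss -Hlntu` output; addresses and the 8080 listener are made up.
SAMPLE_SS = """\
tcp   LISTEN 0      128          0.0.0.0:5443       0.0.0.0:*
tcp   LISTEN 0      128          0.0.0.0:2222       0.0.0.0:*
tcp   LISTEN 0      128        10.10.1.5:8443       0.0.0.0:*
tcp   LISTEN 0      128          0.0.0.0:6379       0.0.0.0:*
tcp   LISTEN 0      128          0.0.0.0:8080       0.0.0.0:*
udp   UNCONN 0      0          10.10.1.5:9002       0.0.0.0:*
"""

if __name__ == "__main__":
    for finding in audit_listeners(SAMPLE_SS, cp_addr="10.10.1.5"):
        print(finding)
```

On a real instance, feed it the live output (`ss -Hlntu`) and the address assigned to the control plane interface; the Redis listener on all interfaces and the unlisted 8080 service in the sample are the two findings it reports.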

Table 4: Outbound

| Host / Port | Purpose | Authentication Method | Encrypted | Source | Destination |
|---|---|---|---|---|---|
| BIG-IP Next Central Manager (CM) 443 | Telemetry and instance stats | mTLS | Yes (TLS) | MGMT | BIG-IP Next Central Manager (CM) |
| Dynamic (outgoing port) | Used to export OTLP resources (logs and metrics) to external clients, e.g. CM, using gRPC or HTTPS OTLP exporters. The behaviour is configured through the service analytics server API, e.g. export protocol, resource filters, and destination info and certificates. | SSL/TLS | TLS in gRPC protocol | MGMT | Dynamic |