Connectivity requirements for BIG-IP Next and BIG-IP Next Central Manager¶
Overview¶
This document discusses the network connectivity requirements for the BIG-IP Next Central Manager system, BIG-IP Next API engine, BIG-IP Next OTEL Collector and BIG-IP Next Instances to access remote BIG-IP Next devices and peer BIG-IP Next Central Manager devices.
BIG-IP Next Central Manager¶
Inbound
TCP Service Port |
Purpose |
Authentication Method |
Encrypted |
Source |
Destination |
|---|---|---|---|---|---|
HTTPS 443 |
UI and REST API endpoint for performing BIG-IP Next Central Manager management tasks |
Username, password JSON Web Token (JWT) |
Yes (TLS) |
Any |
BIG-IP Next Central Manager (CM) |
GRPCS 443 |
OpenTelemetry endpoint for collecting analytics from managed BIG-IP Next instances |
mTLS |
Yes (TLS) |
BIG-IP Next Instances |
BIG-IP Next Central Manager (CM) |
SSH 22 |
Command line access into CM for maintenance and debugging operations |
Username, password |
Yes (TLS) |
Any |
BIG-IP Next Central Manager (CM) |
Outbound
Host |
Purpose |
Authentication Method |
Encrypted |
Source |
Destination |
|---|---|---|---|---|---|
NFS 2049 (TCP/UDP) |
NFS external storage |
N/A |
No (default) |
BIG-IP Next Central Manager (CM) |
NFS server |
SMB 137-139, 445 (TCP) |
SMB external storage |
Username, password |
No (default) |
BIG-IP Next Central Manager (CM) |
SMB server |
callhome.f5.com:443 |
WAF signature files download |
Username, password |
Yes (TLS) |
BIG-IP Next Central Manager (CM) |
callhome.f5.com:443 |
ihealth.f5.com:443 |
iHealth qkview uploads |
Username, password |
Yes (TLS) |
BIG-IP Next Central Manager (CM) |
ihealth.f5.com:443 |
activate.f5.com:443 |
F5 licensing, activation |
N/A |
Yes (TLS) |
BIG-IP Next Central Manager (CM) |
activate.f5.com:443 |
VELOS/rSeries provider:8888 (port is customizable to 443) |
VELOS/rSeries provider |
Username, password |
Yes (TLS) |
BIG-IP Next Central Manager (CM) |
VELOS/rSeries provider:8888 (port is customizable to 443) |
NTP 123 (UDP) |
NTP server |
N/A |
No (default) |
BIG-IP Next Central Manager (CM) |
NTP server |
DNS 53 (TCP/UDP) |
DNS server |
N/A |
No (default) |
BIG-IP Next Central Manager (CM) |
DNS server |
Note: In BIG-IP Next Central Manager High availability (HA) mode installation, TCP traffic must be opened between the CM VM instances.
BIG-IP Next Instance¶
Inbound
| Service | Service Port | Purpose | Authentication Method | Encrypted | Source | Destination |
|---|---|---|---|---|---|---|
| FCDN | TCP 22000 | 22000 is used as a container port to communicate with fcdn pod. | mTLS | Yes | Control Plane Interface | HA Instance Control Plane Interface |
| Vault | TCP 8445 TCP 8201 | 8445: used for https communication with vault. 8201: used for vault High Availability (HA) communication. | mTLS | Yes | Control Plane Interface | HA Instance Control Plane Interface |
| DSSM | TCP 6379 | Used to communicate with the Redis server and sync between master and slave Redis. | mTLS | Yes | Control Plane Interface | HA Instance Control Plane Interface |
| Fluentd | TCP 7443 | 7443: used for gRPC connection between NGNIX and observer\logpull | mTLS | Yes | Control Plane Interface | HA Instance Control Plane Interface |
| Data Store | TCP 5432 | Used to communicate with the postgres database | mTLS | Yes | Control Plane Interface | HA Instance Control Plane Interface |
| Module Provisioner | TCP 8503 | Used to perform module provisioning across both nodes in a HA setup. | mTLS | Yes | Control Plane Interface | HA Instance Control Plane Interface |
| Upgrade Manager | TCP 8091 | Used to trigger upgrade & get upgrade status on standby node in a HA setup | mTLS | Yes | Control Plane Interface | HA Instance Control Plane Interface |
| Debug SSH | TCP 2222 | Used to provide BIG-IP bash shell access to the debug user via debug side-car on successful authentication. The 'debug user' does not have root permissions. | Public key (public and private key pair) | Yes | Any | MGMT |
| AVCL | TCP 8443 | TCP 8443 Is used to establish trust and HA communication between peers | mTLS | Yes | Control Plane Interface | HA Instance Control Plane Interface |
| AVCL | UDP 9002 | UDP 9002 Is used to tunnel HA heartbeat traffic between peers | VRRP AH | No | Control Plane Interface | HA Instance Control Plane Interface |
| BIG-IP Next API Engine | TCP 5443 | REST API endpoint used by CM for instance lifecycle management and application deployment tasks. | mTLS Username, password JSON Web Token (JWT) | Yes (TLS) | Any (Can be restricted to CM and Control Plane Interface) | MGMT / HA Instance Control Plane Interface |
Outbound
| Host | Purpose | Authentication Method | Encrypted | Source | Destination |
|---|---|---|---|---|---|
| BIG-IP Next Central Manager (CM) 443 | Telemetry and Instance Stats | mTLS | Yes (TLS) | MGMT | BIG-IP Next Central Manager (CM) |
| Outgoing Traffic port is Dynamic | Used to export OTLP Resources (Logs and Metrics) to external clients e.g. CM using GRPC or HTTPS OTLP Exporters. The behaviour is configured by the service analytics server API, e.g export protocol, resources filters, and destination info and certificates. | SSL/TLS | TLS in GRPC protocol | MGMT | Dynamic |