BIG-IP Next and BIG-IP Next Central Manager Connectivity Requirements

Overview

This document discusses the network connectivity requirements for the BIG-IP Next Central Manager system, BIG-IP Next API engine, BIG-IP Next OTEL Collector and BIG-IP Next Instances to access remote BIG-IP Next devices and peer BIG-IP Next Central Manager devices.

BIG-IP Next Central Manager

Inbound

TCP Service Port

Purpose

Authentication Method

Encrypted

Source

Destination

HTTPS 443

UI and REST API endpoint for performing BIG-IP Next Central Manager management tasks

Username, password JSON Web Token (JWT)

Yes (TLS)

Any

BIG-IP Next Central Manager (CM)

GRPCS 443

OpenTelemetry endpoint for collecting analytics from managed BIG-IP Next instances

mTLS

Yes (TLS)

BIG-IP Next Instances

BIG-IP Next Central Manager (CM)

SSH 22

Command line access into CM for maintenance and debugging operations

Username, password

Yes (TLS)

Any

BIG-IP Next Central Manager (CM)

Outbound

Host

Purpose

Authentication Method

Encrypted

Source

Destination

NFS 2049 (TCP/UDP)

NFS external storage

N/A

No (default)

BIG-IP Next Central Manager (CM)

NFS server

SMB 137-139, 445 (TCP)

SMB external storage

Username, password

No (default)

BIG-IP Next Central Manager (CM)

SMB server

callhome.f5.com:443

WAF signature files download

Username, password

Yes (TLS)

BIG-IP Next Central Manager (CM)

callhome.f5.com:443

ihealth.f5.com:443

iHealth qkview uploads

Username, password

Yes (TLS)

BIG-IP Next Central Manager (CM)

ihealth.f5.com:443

activate.f5.com:443

F5 licensing, activation

N/A

Yes (TLS)

BIG-IP Next Central Manager (CM)

activate.f5.com:443

VELOS/rSeries provider:8888 (port is customizable to 443)

VELOS/rSeries provider

Username, password

Yes (TLS)

BIG-IP Next Central Manager (CM)

VELOS/rSeries provider:8888 (port is customizable to 443)

NTP 123 (UDP)

NTP server

N/A

No (default)

BIG-IP Next Central Manager (CM)

NTP server

DNS 53 (TCP/UDP)

DNS server

N/A

No (default)

BIG-IP Next Central Manager (CM)

DNS server

Note: In BIG-IP Next Central Manager High availability (HA) mode installation, TCP traffic must be opened between the CM VM instances.

BIG-IP Next Instance

Inbound

Service Service Port Purpose Authentication Method Encrypted Source Destination
FCDN TCP 22000 22000 is used as a container port to communicate with fcdn pod. mTLS Yes Control Plane Interface HA Instance Control Plane Interface
Vault TCP 8445 TCP 8201 8445: used for https communication with vault. 8201: used for vault High Availability (HA) communication. mTLS Yes Control Plane Interface HA Instance Control Plane Interface
DSSM TCP 6379 Used to communicate with the Redis server and sync between master and slave Redis. mTLS Yes Control Plane Interface HA Instance Control Plane Interface
Fluentd TCP 7443 7443: used for gRPC connection between NGNIX and observer\logpull mTLS Yes Control Plane Interface HA Instance Control Plane Interface
Data Store TCP 5432 Used to communicate with the postgres database mTLS Yes Control Plane Interface HA Instance Control Plane Interface
Module Provisioner TCP 8503 Used to perform module provisioning across both nodes in a HA setup. mTLS Yes Control Plane Interface HA Instance Control Plane Interface
Upgrade Manager TCP 8091 Used to trigger upgrade & get upgrade status on standby node in a HA setup mTLS Yes Control Plane Interface HA Instance Control Plane Interface
Debug SSH TCP 2222 Used to provide BIG-IP bash shell access to the debug user via debug side-car on successful authentication. The 'debug user' does not have root permissions. Public key (public and private key pair) Yes Any MGMT
AVCL TCP 8443 TCP 8443 Is used to establish trust and HA communication between peers mTLS Yes Control Plane Interface HA Instance Control Plane Interface
AVCL UDP 9002 UDP 9002 Is used to tunnel HA heartbeat traffic between peers VRRP AH No Control Plane Interface HA Instance Control Plane Interface
BIG-IP Next API Engine TCP 5443 REST API endpoint used by CM for instance lifecycle management and application deployment tasks. mTLS Username, password JSON Web Token (JWT) Yes (TLS) Any (Can be restricted to CM and Control Plane Interface) MGMT / HA Instance Control Plane Interface

Outbound

Host Purpose Authentication Method Encrypted Source Destination
BIG-IP Next Central Manager (CM) 443 Telemetry and Instance Stats mTLS Yes (TLS) MGMT BIG-IP Next Central Manager (CM)
Outgoing Traffic port is Dynamic Used to export OTLP Resources (Logs and Metrics) to external clients e.g. CM using GRPC or HTTPS OTLP Exporters. The behaviour is configured by the service analytics server API, e.g export protocol, resources filters, and destination info and certificates. SSL/TLS TLS in GRPC protocol MGMT Dynamic