Architecture

Standard Deployment

The following diagram shows the communication between components in the Standard deployment:

[Diagram: Standard deployment]

Connection (source → destination), traffic, protocol and default port:

Ingress Controller → Controller UI
    Traffic: UI calls and responses        Protocol: HTTPS        Default port: 443

Controller UI → Ingress Controller
    Traffic: UI calls and responses        Protocol: HTTPS        Default port: 443

Agents → Ingress Controller
    Traffic: APM reported data             Protocol: HTTPS        Default port: 443

Hybrid Deployment

The following diagrams show the communication between components in the Hybrid deployment, for a standalone Controller, for Controller HA with a virtual IP address, and for Controller HA without a virtual IP address:

[Diagrams: Hybrid deployment for the standalone Controller; Controller HA with virtual IP; Controller HA without virtual IP]

Note: If you use a load balancer with a virtual IP address, open TCP ports 443, 3388, 32101, 32102 and 32103 on it so the Virtual Appliance can send and receive traffic through the virtual IP. For more information, see Load Balancer Requirements and Considerations.
Connection (source → destination), traffic, protocol and default ports:

Ingress Controller in Kubernetes → Controller UI
    Traffic: UI calls and responses        Protocol: HTTPS        Default port: 443

Controller UI → Ingress Controller in Kubernetes
    Traffic: UI calls and responses        Protocol: HTTPS        Default port: 443

Agents → Ingress Controller in Kubernetes
    Traffic: APM reported data             Protocol: HTTPS        Default port: 443

MySQL Service → MySQL Database of the standalone Controller
    Traffic: Controller database calls     Protocol: TCP (MySQL client protocol, not HTTP)        Default port: 3388

Standalone Controller → Kafka Service in Kubernetes
    Traffic: Kafka calls for Anomaly Detection and Root Cause Analysis        Protocol: TCP (Kafka protocol over TLS)        Default ports: 32101, 32102 and 32103

Note:
  • If you have set up the Virtual Appliance without a load balancer or virtual IP address, the connection does not automatically follow the active node during a high-availability failover.

    Therefore, after a failover, edit hybrid.controller.domainName and hybrid.mysql.dbhost in the global.yaml.gotmpl file so that both point at the IP address of the newly active node.

  • If you have set up the Virtual Appliance with a load balancer (virtual IP address), enter the load balancer's domain name and port in the hybrid.controller.domainName, hybrid.controller.port, and hybrid.mysql.dbhost sections of the global.yaml.gotmpl file.

    This domain name must resolve to the load balancer's virtual IP address.

Note: Secure Application requires HTTPS/TLS connectivity between the Virtual Appliance and the On-Premises Controller. Secure Application is not supported over HTTP.
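The two notes above amount to three checks that are easy to get wrong by hand: both host keys must name the same endpoint, that endpoint must resolve to exactly the address you expect (the load balancer's virtual IP, or the active node's IP when there is no load balancer), and the Controller port must actually speak TLS. The following script is an added example that performs those checks; it is not AppDynamics code. The dict layout mirroring the hybrid subtree of global.yaml.gotmpl, the function names, and the failover helper are assumptions; the resolver and the TLS probe are injectable so the logic can run offline.

```python
"""Consistency check for the Hybrid deployment keys in global.yaml.gotmpl (added example)."""
import socket
import ssl
from typing import Callable, Dict, List, Optional


def resolve_ipv4(name: str) -> List[str]:
    """All IPv4 addresses for name, sorted; empty when it does not resolve."""
    try:
        infos = socket.getaddrinfo(name, None, socket.AF_INET, socket.SOCK_STREAM)
    except socket.gaierror:
        return []
    return sorted({info[4][0] for info in infos})


def tls_handshake_ok(host: str, port: int, timeout: float = 3.0) -> bool:
    """True when a TLS handshake completes on host:port.

    The certificate is deliberately not validated here: this only tells an HTTPS
    listener apart from a plain-HTTP one, which is the page's requirement.
    """
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host):
                return True
    except (OSError, ssl.SSLError):
        return False


def check_hybrid(hybrid: Dict[str, dict], expected_addr: str,
                 resolver: Callable[[str], List[str]] = resolve_ipv4,
                 tls_probe: Callable[[str, int], bool] = tls_handshake_ok) -> List[str]:
    """Return findings for the 'hybrid' subtree; an empty list means it is consistent.

    Assumed layout: {"controller": {"domainName": str, "port": int},
                     "mysql": {"dbhost": str}}
    expected_addr is the load balancer VIP, or the active node IP without a load balancer.
    """
    findings: List[str] = []
    domain: Optional[str] = hybrid.get("controller", {}).get("domainName")
    port = hybrid.get("controller", {}).get("port")
    dbhost = hybrid.get("mysql", {}).get("dbhost")

    if not domain:
        return ["hybrid.controller.domainName is not set"]
    # UI/API traffic and MySQL traffic must follow the same failover target
    if dbhost != domain:
        findings.append(f"hybrid.mysql.dbhost={dbhost!r} does not match "
                        f"hybrid.controller.domainName={domain!r}")
    addrs = resolver(domain)
    if addrs != [expected_addr]:
        findings.append(f"{domain!r} resolves to {addrs or 'nothing'}, expected only {expected_addr}")
    if not isinstance(port, int) or not 0 < port < 65536:
        findings.append(f"hybrid.controller.port={port!r} is not a valid TCP port")
    elif not tls_probe(domain, port):
        findings.append(f"no TLS handshake on {domain}:{port}; "
                        "Secure Application is not supported over HTTP")
    return findings


def failover_update(hybrid: Dict[str, dict], new_active_ip: str) -> Dict[str, dict]:
    """Without a load balancer: point both host keys at the newly active node (returns a copy)."""
    updated = {key: dict(value) for key, value in hybrid.items()}
    updated.setdefault("controller", {})["domainName"] = new_active_ip
    updated.setdefault("mysql", {})["dbhost"] = new_active_ip
    return updated


if __name__ == "__main__":
    # Constructed sample: a load-balancer setup whose VIP is assumed to be 10.0.0.50
    sample = {"controller": {"domainName": "controller-lb.example.test", "port": 443},
              "mysql": {"dbhost": "controller-lb.example.test"}}
    for finding in check_hybrid(sample, "10.0.0.50") or ["hybrid settings look consistent"]:
        print(finding)
```

Run it from the Virtual Appliance itself so the DNS answer and the TLS probe reflect what the appliance will see, not what your workstation sees. After a failover without a load balancer, pass the result of failover_update through check_hybrid with the new node's IP before rendering global.yaml.gotmpl.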

Port Requirements

Ensure the following ports are open for communication between Virtual Appliance nodes. The Scope / Interface column is where the service listens; at your firewall, restrict the sources to the other cluster nodes (MicroK8s, dqlite, VXLAN and NodePort ports) and to administrative hosts (22 and 8443).

Port         Protocol      Service                                   Scope / Interface
22           TCP           OpenSSH                                   0.0.0.0 (all interfaces)
             Exchanges encryption configuration and Helm values between peers during scale-out and upgrade tasks.

16443        TCP           MicroK8s kube-apiserver (kubelite)        -
             Used by the kubelet, controller, scheduler, and Helm on each node.

19001        TCP           k8s-dqlite                                Node internal IP address only
             Raft consensus between the three dqlite voters; this port replaces the etcd ports 2379 and 2380.

25000        TCP           MicroK8s cluster-agent                    -
             Node registration, configuration synchronization, and certificate distribution.

10250        TCP           kubelet (kubelite)                        -
             Communication from the API server to the kubelet: kubectl operations (logs, exec, port-forward), metrics-server scraping, and cross-node health probes.

10257        TCP           kube-controller-manager (kubelite)        -
             High-availability leader election.

10259        TCP           kube-scheduler (kubelite)                 -
             High-availability leader election.

8443         TCP           appd-os admin UI (appdos.bin)             -
             Platform admin UI on every node.

4789         UDP           Calico VXLAN overlay                      kernel interface vxlan.calico
             Carries all pod-to-pod traffic on a single UDP port, so no application-specific ports need to be opened between nodes.

30000–32767  TCP and UDP   Kubernetes NodePort range                 NAT
             Serves the ingress, events, discovery, registry, and health-check services. Port assignments within the range are dynamic, so the entire range must be permitted for consistent cross-node communication.
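A practical way to confirm that a firewall between nodes honours this table is to attempt a TCP connect to each port from a peer and look at how the attempt fails: a connection refused (an RST came back) proves the firewall let the SYN through even though nothing is listening there yet, whereas a timeout is the signature of a drop rule. The script below is an added example that does this for the table above; it is not AppDynamics code. UDP entries (Calico VXLAN 4789 and the UDP half of the NodePort range) cannot be judged with connect() and are reported as not checked. The peer address, the helper names and the sampling step for the NodePort range are assumptions; the prober is injectable so the classification logic can run offline.

```python
"""Firewall pre-flight for the Virtual Appliance port table (added example)."""
import socket
from dataclasses import dataclass
from typing import Callable, Dict, Iterable, List, Tuple


@dataclass(frozen=True)
class PortRule:
    spec: str      # "22" or "30000-32767"
    proto: str     # "tcp", "udp" or "tcp+udp"
    service: str
    scope: str     # the page's Scope / Interface column


# Transcribed from the Port Requirements table on this page
PORT_TABLE = [
    PortRule("22", "tcp", "OpenSSH", "0.0.0.0"),
    PortRule("16443", "tcp", "kube-apiserver", "-"),
    PortRule("19001", "tcp", "k8s-dqlite", "node internal IP only"),
    PortRule("25000", "tcp", "cluster-agent", "-"),
    PortRule("10250", "tcp", "kubelet", "-"),
    PortRule("10257", "tcp", "kube-controller-manager", "-"),
    PortRule("10259", "tcp", "kube-scheduler", "-"),
    PortRule("8443", "tcp", "appd-os admin UI", "-"),
    PortRule("4789", "udp", "Calico VXLAN", "vxlan.calico"),
    PortRule("30000-32767", "tcp+udp", "NodePort range", "NAT"),
]


def expand(spec: str) -> range:
    """'22' -> range(22, 23); '30000-32767' -> range(30000, 32768). Accepts an en dash too."""
    lo, _, hi = spec.replace("\u2013", "-").partition("-")
    start, end = int(lo), int(hi or lo)
    if not 0 < start <= end < 65536:
        raise ValueError(f"bad port spec {spec!r}")
    return range(start, end + 1)


def probe(host: str, port: int, timeout: float = 1.0) -> str:
    """Classify one TCP connect attempt to host:port."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return "open"
    except ConnectionRefusedError:
        return "refused"        # RST: the firewall let the SYN through, no listener yet
    except socket.timeout:
        return "filtered"       # no answer at all: typical of a DROP rule
    except OSError:
        return "unreachable"    # no route, host down, and similar


def preflight(peer: str, rules: Iterable[PortRule] = PORT_TABLE, sample_every: int = 500,
              prober: Callable[[str, int], str] = probe) -> Dict[str, List[Tuple[str, int, str]]]:
    """Return {'permitted': [...], 'blocked': [...], 'not_checked': [...]} of (service, port, verdict).

    'open' and 'refused' both count as permitted. A range is sampled at its first port,
    every sample_every-th port and its last port (7 connects for the NodePort range).
    For 'tcp+udp' rules only the TCP half is probed.
    """
    report: Dict[str, List[Tuple[str, int, str]]] = {"permitted": [], "blocked": [], "not_checked": []}
    for rule in rules:
        ports = expand(rule.spec)
        if rule.proto == "udp":
            report["not_checked"].append((rule.service, ports.start, "udp"))
            continue
        for port in sorted({ports.start, ports[-1], *ports[::sample_every]}):
            verdict = prober(peer, port)
            bucket = "permitted" if verdict in ("open", "refused") else "blocked"
            report[bucket].append((rule.service, port, verdict))
    return report


if __name__ == "__main__":
    # Assumed: 10.0.0.12 is the internal IP of another node in the cluster
    for bucket, rows in preflight("10.0.0.12").items():
        for service, port, verdict in rows:
            print(f"{bucket:11} {port:>5}  {service:25} {verdict}")
```

Run it from each node against each of the others, since a rule that is correct in one direction is often missing in the other. For 19001 the expected verdict from a peer's internal address is open or refused, and from any non-internal address it should be filtered; for 4789 and the UDP NodePorts, verify the firewall rules directly or watch Calico pod-to-pod traffic, because a UDP probe gives no answer for an open port.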