General networking requirements
For high availability (HA) setups, ensure that the VMs hosting the two redundant HA nodes and Load Balancers are reachable from the Global Controller host over the network.
Bare Metal Orchestrator uses whatever IPv4 address is set on the server. IPv6 is currently not supported. To avoid certificate errors, disable IPv6 on all Bare Metal Orchestrator servers: the Global Controller (CP1), the two redundant HA nodes (CP2 and CP3), the Load Balancers, and all worker nodes.
The DNS nameserver on the server that is hosting the Global Controller node must point to the IP address of a valid and working DNS server. For air-gapped environments, use 127.0.0.1 as the nameserver IP address.
Optionally, if you are using DHCP auto-discovery on the server that will host the Global Controller node, ensure that the primary interface (for example, ens33) is routable and that the second interface is not routable.
The following requirements are necessary for Bare Metal Orchestrator to connect to an Integrated Dell Remote Access Controller (iDRAC):
- Bare Metal Orchestrator and the iDRAC should be Layer 3 reachable.
- Bare Metal Orchestrator must be assigned an IP address that is accessible from the iDRACs of the servers that Bare Metal Orchestrator manages.
- Bare Metal Orchestrator cannot be behind Network Address Translation (NAT) unless the iDRACs of the target servers are in the same NATed network.
If you use a corporate DNS server and need to access Bare Metal Orchestrator using an FQDN.
For AWS cloud deployments, the network requirements are the same as for an HA setup. For more information about using an AWS cloud deployment for Bare Metal Orchestrator, see the Bare Metal Orchestrator Installation Guide.
Reserved IP addresses
Bare Metal Orchestrator reserves IP addresses in subnet ranges 10.42.0.0/16 and 10.43.0.0/16 by default for the Global Controller cluster communications.
If your workloads use IP addresses in subnets 10.42.0.0/16 and 10.43.0.0/16, you can run into an IP address conflict with the Bare Metal Orchestrator default installation. When installing Bare Metal Orchestrator, you can change the default cluster-cidr and service-cidr to resolve the conflict. For more information about changing the default CIDR subnets, see the Bare Metal Orchestrator Installation Guide.
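A pre-install check for the conflict described above is easy to script with the standard library. The following is an added example, not tooling from the Bare Metal Orchestrator guide: the two default ranges are the ones stated on this page, while the workload ranges and the pool of candidate replacement /16s are constructed values, and the replacement picker only illustrates choosing two non-overlapping ranges before passing them as cluster-cidr and service-cidr at install time.

```python
from ipaddress import ip_network

# Default cluster-cidr and service-cidr reserved by Bare Metal Orchestrator
# for Global Controller cluster communications (values from this page).
DEFAULT_CLUSTER_CIDR = ip_network("10.42.0.0/16")
DEFAULT_SERVICE_CIDR = ip_network("10.43.0.0/16")

# Constructed pool of private ranges to fall back on when the defaults collide
# with workloads. Adjust to whatever is free in your own address plan.
DEFAULT_CANDIDATES = ("10.44.0.0/16", "10.45.0.0/16", "172.30.0.0/16", "172.31.0.0/16")


def find_cidr_conflicts(workload_cidrs, reserved=(DEFAULT_CLUSTER_CIDR, DEFAULT_SERVICE_CIDR)):
    """Return (workload, reserved) pairs whose address ranges overlap.

    Overlap is symmetric: a workload /24 inside 10.42.0.0/16 conflicts, and so
    does a workload /8 that contains the whole reserved range. IPv6 ranges are
    skipped because Bare Metal Orchestrator only uses IPv4.
    """
    conflicts = []
    for raw in workload_cidrs:
        net = ip_network(raw, strict=False)
        if net.version != 4:
            continue
        for res in reserved:
            if net.overlaps(res):
                conflicts.append((str(net), str(res)))
    return conflicts


def pick_replacement_cidrs(workload_cidrs, candidates=DEFAULT_CANDIDATES):
    """Choose two candidate ranges that avoid every workload range and each other.

    Returns a dict with the two install-time keys named on this page.
    Raises ValueError when the candidate pool cannot supply two free ranges.
    """
    workloads = [ip_network(c, strict=False) for c in workload_cidrs]
    chosen = []
    for raw in candidates:
        net = ip_network(raw)
        if any(net.overlaps(w) for w in workloads if w.version == 4):
            continue
        if any(net.overlaps(c) for c in chosen):
            continue
        chosen.append(net)
        if len(chosen) == 2:
            return {"cluster-cidr": str(chosen[0]), "service-cidr": str(chosen[1])}
    raise ValueError("candidate pool does not contain two free ranges")


if __name__ == "__main__":
    # Constructed workload ranges: two collide with the defaults, one does not.
    workloads = ["10.42.7.0/24", "10.43.128.0/17", "192.168.1.0/24"]
    for workload, reserved in find_cidr_conflicts(workloads):
        print(f"conflict: workload {workload} overlaps reserved {reserved}")
    print("replacement:", pick_replacement_cidrs(workloads))
```

Run it with the real workload ranges from your address plan before installation; if it reports conflicts, pass the returned values as the new cluster-cidr and service-cidr as described in the Installation Guide.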
Port requirements
If you are using a firewall, open all ports listed in the following table so that Bare Metal Orchestrator functions correctly. The table lists the ports that Bare Metal Orchestrator uses for on-premises deployments:
| Port | Required on | Description |
| --- | --- | --- |
| 22 | GC and remote sites | Used for SSH access to run Ansible playbooks. |
| 67 | GC and remote sites | Used when DHCP is configured. Optionally open on the remote site and the Global Controller. This port should be open if PXE or auto-discovery is used. |
| 69 | GC and remote sites | Used by the TFTP server. This port should be open and available at all times for the TFTP server. |
| 80 (TCP) | GC and remote sites | Used for HTTP traffic. |
| TCP/81 (HTTP) | GC site | Used for downloading the ESXi driver to the endpoint. |
| 123 | Remote site | Used for NTP synchronization. |
| 441 | GC site | Used by the global web server to store operating system and firmware images. |
| 442 | GC site | Used by the internal web server. |
| TCP/442 (HTTPS) | GC site | Used for downloading firmware and ESXi images. |
| 443 (TCP) | GC and remote sites | Used for HTTPS traffic. |
| 443 (HTTPS) and 80 (HTTP) | GC site | Used by the web user interface. |
| 2375 (TCP) | GC and remote sites | Used by the Docker container repository. |
| 2379 (TCP) | GC site | Used by the etcd client for data access and management. |
| 2380 (TCP) | GC site | Used by the etcd peer for data access and management. |
| 5047 | GC site | Used by localregistry.io as a Docker container repository. |
| 5113 (TCP) | GC and remote sites | Used for traffic to overcloudregistry.io. |
| 6443 (TCP) | GC site | Used for communicating with remote sites and the application programming interface (API). |
| 8081 | GC site | Used for setting up remote sites. |
| 8472 (UDP) | GC and remote sites | Used for Flannel VXLAN. |
| 9345 (TCP) | GC site | Used for API communications. |
| 10250 | GC and remote sites | Used by the kubelet node agent to register the node and manage containers. |
| 30000 - 32767 (TCP) | GC and remote sites | NodePort port range. |
| 30500 | GC site | Used by the global S3 to store the backups. |
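The table above mixes notations (bare port numbers, "TCP/442 (HTTPS)", a range, a row naming two ports) and lists some ports twice, so translating it by hand into a firewall allow-list for a given host role is error-prone. The following is an added example, not part of the Bare Metal Orchestrator documentation: it embeds the Port and Required on columns copied from the table (descriptions omitted), parses them into a per-role set of port ranges, and reports which required entries a constructed allow-list fails to cover. The allow-list format ("22/tcp", "30000-32767/tcp") and the sample remote-site list are assumptions for the demonstration; where the table states no transport protocol, the check accepts a rule for either protocol.

```python
import re

# Port and "Required on" columns copied from the table on this page.
PORT_TABLE = [
    ("22", "GC and remote sites"),
    ("67", "GC and remote sites"),
    ("69", "GC and remote sites"),
    ("80 (TCP)", "GC and remote sites"),
    ("TCP/81 (HTTP)", "GC site"),
    ("123", "Remote site"),
    ("441", "GC site"),
    ("442", "GC site"),
    ("TCP/442 (HTTPS)", "GC site"),
    ("443 (TCP)", "GC and remote sites"),
    ("443 (HTTPS) and 80 (HTTP)", "GC site"),
    ("2375 (TCP)", "GC and remote sites"),
    ("2379 (TCP)", "GC site"),
    ("2380 (TCP)", "GC site"),
    ("5047", "GC site"),
    ("5113 (TCP)", "GC and remote sites"),
    ("6443 (TCP)", "GC site"),
    ("8081", "GC site"),
    ("8472 (UDP)", "GC and remote sites"),
    ("9345 (TCP)", "GC site"),
    ("10250", "GC and remote sites"),
    ("30000 - 32767 (TCP)", "GC and remote sites"),
    ("30500", "GC site"),
]

# Matches either "lo - hi" or a single port; letters in tags like "TCP/81" are skipped.
_PORTS = re.compile(r"(\d+)\s*-\s*(\d+)|(\d+)")


def parse_port_cell(cell):
    """Turn one Port cell into (low, high, proto) tuples.

    proto is "udp", "tcp" (HTTP/HTTPS imply TCP) or None when the row states
    no transport protocol at all.
    """
    upper = cell.upper()
    if "UDP" in upper:
        proto = "udp"
    elif "TCP" in upper or "HTTP" in upper:
        proto = "tcp"
    else:
        proto = None
    entries = []
    for lo, hi, single in _PORTS.findall(cell):
        if single:
            entries.append((int(single), int(single), proto))
        else:
            entries.append((int(lo), int(hi), proto))
    return entries


def parse_required_on(cell):
    """Map a Required on cell to the set of roles it names: "gc", "remote" or both."""
    low = cell.lower()
    return {role for role, tag in (("gc", "gc"), ("remote", "remote")) if tag in low}


def required_ports(role, table=PORT_TABLE):
    """Sorted, deduplicated (low, high, proto) entries a host of the given role needs open.

    When the table lists a port both with and without a protocol (442 on the
    GC), the entry that states the protocol is kept and the vaguer one dropped.
    """
    needed = set()
    for port_cell, required_on in table:
        if role in parse_required_on(required_on):
            needed.update(parse_port_cell(port_cell))
    with_proto = {(lo, hi) for lo, hi, proto in needed if proto}
    needed = {e for e in needed if e[2] or (e[0], e[1]) not in with_proto}
    return sorted(needed, key=lambda e: (e[0], e[1], e[2] or ""))


def parse_allow_rule(rule):
    """Parse a constructed allow-list entry such as "22/tcp" or "30000-32767/tcp"."""
    ports, proto = rule.split("/")
    lo, _, hi = ports.partition("-")
    return int(lo), int(hi or lo), proto.lower()


def missing_ports(role, allow_rules, table=PORT_TABLE):
    """Required entries for the role that no allow-list rule covers.

    A rule covers an entry when its range spans the entry and the protocol
    matches; an entry with no stated protocol accepts a rule for either one.
    """
    rules = [parse_allow_rule(r) for r in allow_rules]
    return [
        (lo, hi, proto)
        for lo, hi, proto in required_ports(role, table)
        if not any(r_lo <= lo and hi <= r_hi and (proto is None or proto == r_proto)
                   for r_lo, r_hi, r_proto in rules)
    ]


# Constructed allow-list for a remote-site host; it forgets NTP and the Flannel VXLAN port.
REMOTE_ALLOW_LIST = ["22/tcp", "67/udp", "69/udp", "80/tcp", "443/tcp", "2375/tcp",
                     "5113/tcp", "10250/tcp", "30000-32767/tcp"]

if __name__ == "__main__":
    for lo, hi, proto in missing_ports("remote", REMOTE_ALLOW_LIST):
        span = f"{lo}" if lo == hi else f"{lo}-{hi}"
        print(f"remote site allow-list is missing {span}/{proto or 'protocol not stated'}")
```

Feed the function your actual firewall allow-list for each host role; rows where the page states no protocol (22, 67, 69, 123, 441, 5047, 8081, 10250, 30500) are flagged as such so you can confirm the transport with the Installation Guide rather than guess.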