To operate properly, Rancher requires a number of ports to be open on Rancher nodes and on downstream Kubernetes cluster nodes.

Rancher Nodes

The following table lists the ports that need to be open to and from nodes that are running the Rancher server container for Docker installs or pods for installing Rancher on Kubernetes.

Protocol Port Source Destination Description
TCP 80 Load Balancer / Reverse Proxy HTTP traffic to Rancher UI / API.
TCP 443 Load Balancer / Reverse Proxy

Otherwise IPs of all cluster nodes and other Rancher API / UI clients.		 HTTPS traffic to Rancher UI / API.
TCP 443 35.160.43.145
35.167.242.46
52.33.59.17		 Rancher catalog (git.rancher.io).
TCP 22 Any node created using node driver. SSH provisioning of node by node driver.
TCP 2376 Any node created using node driver. Docker daemon TLS port used by node driver.
TCP Provider Dependent Port of the Kubernetes API endpoint in hosted clusters. Kubernetes API.

Note Rancher nodes may also require additional outbound access for any external authentication provider which is configured (LDAP for example).

Downstream Kubernetes Cluster Nodes

The ports required to be open for cluster nodes changes depending on how the cluster was launched. Each of the tabs below list the ports that need to be opened for different cluster creation options.

Tip:

If security isn’t a large concern and you’re okay with opening a few additional ports, you can use the table in Commonly Used Ports as your port reference instead of the comprehensive tables below.

    The following table depicts the port requirements for Rancher Launched Kubernetes with nodes created in an Infrastructure Provider.

    Note: The required ports are automatically opened by Rancher during creation of clusters in cloud providers like Amazon EC2 or DigitalOcean.

    From / To Rancher Nodes etcd Plane Nodes Control Plane Nodes Worker Plane Nodes External Load Balancer Internet
    Rancher Nodes (1) 22 TCP git.rancher.io (2):
    35.160.43.145:32
    35.167.242.46:32
    52.33.59.17:32
    2376 TCP
    etcd Plane Nodes 443 TCP (3) 2379 TCP 443 TCP
    2380 TCP
    6443 TCP
    8472 UDP
    9099 TCP (4)
    Control Plane Nodes 443 TCP (3) 2379 TCP 443 TCP
    2380 TCP
    6443 TCP
    8472 UDP
    10250 TCP
    9099 TCP (4)
    10254 TCP (4)
    Worker Plane Nodes 443 TCP (3) 6443 TCP 443 TCP
    8472 UDP
    9099 TCP (4)
    10254 TCP (4)
    External Load Balancer (5) 80 TCP
    443 TCP (6)
    API / UI Clients 80 TCP (3) 80 TCP
    443 TCP (3) 443 TCP
    Workload Clients 30000-32767 TCP / UDP
    (nodeport)
    80 TCP (Ingress)
    443 TCP (Ingress)
    Notes:

    1. Nodes running standalone server or Rancher HA deployment.
    2. Required to fetch Rancher chart library.
    3. Only without external load balancer.
    4. Local traffic to the node itself (not across nodes).
    5. Load balancer / proxy that handles tragging to the Rancher UI / API.
    6. Only if SSL is not terminated at external load balancer.

    The following table depicts the port requirements for Rancher Launched Kubernetes with Custom Nodes.

    From / To Rancher Nodes etcd Plane Nodes Control Plane Nodes Worker Plane Nodes External Load Balancer Internet
    Rancher Nodes (1) git.rancher.io (2):
    35.160.43.145:32
    35.167.242.46:32
    52.33.59.17:32
    etcd Plane Nodes 443 TCP (3) 2379 TCP 443 TCP
    2380 TCP
    6443 TCP
    8472 UDP
    4789 UDP (7)
    9099 TCP (4)
    Control Plane Nodes 443 TCP (3) 2379 TCP 443 TCP
    2380 TCP
    6443 TCP
    8472 UDP
    4789 UDP (7)
    10250 TCP
    9099 TCP (4)
    10254 TCP (4)
    Worker Plane Nodes 443 TCP (3) 6443 TCP 443 TCP
    8472 UDP
    4789 UDP (7)
    9099 TCP (4)
    10254 TCP (4)
    External Load Balancer (5) 80 TCP
    443 TCP (6)
    API / UI Clients 80 TCP (3) 80 TCP
    443 TCP (3) 443 TCP
    Workload Clients 30000-32767 TCP / UDP
    (nodeport)
    80 TCP (Ingress)
    443 TCP (Ingress)
    Notes:

    1. Nodes running standalone server or Rancher HA deployment.
    2. Required to fetch Rancher chart library.
    3. Only without external load balancer.
    4. Local traffic to the node itself (not across nodes).
    5. Load balancer / proxy that handles tragging to the Rancher UI / API.
    6. Only if SSL is not terminated at external load balancer.
    7. Only if using Overlay mode on Windows cluster.

    The following table depicts the port requirements for hosted clusters.

    From / To Rancher Nodes Hosted / Imported Cluster External Load Balancer Internet
    Rancher Nodes (1) Kubernetes API
    Endpoint Port (2)    		 git.rancher.io (3):
    35.160.43.145:32
    35.167.242.46:32
    52.33.59.17:32
    Hosted / Imported Cluster 443 TCP (4)(5) 443 TCP (5)
    External Load Balancer (5) 80 TCP
    443 TCP (6)
    API / UI Clients 80 TCP (4)
    443 TCP (4)    		 80 TCP
    443 TCP
    Workload Client Cluster / Provider Specific (7)
    Notes:

    1. Nodes running standalone server or Rancher HA deployment.
    2. Only for hosted clusters.
    3. Required to fetch Rancher chart library.
    4. Only without external load balancer.
    5. From worker nodes.
    6. Only if SSL is not terminated at external load balancer.
    7. Usually Ingress backed by infrastructure load balancer and/or nodeport.

    The following table depicts the port requirements for imported clusters.

    From / To Rancher Nodes Hosted / Imported Cluster External Load Balancer Internet
    Rancher Nodes (1) Kubernetes API
    Endpoint Port (2)    		 git.rancher.io (3):
    35.160.43.145:32
    35.167.242.46:32
    52.33.59.17:32
    Hosted / Imported Cluster 443 TCP (4)(5) 443 TCP (5)
    External Load Balancer (5) 80 TCP
    443 TCP (6)
    API / UI Clients 80 TCP (4)
    443 TCP (4)    		 80 TCP
    443 TCP
    Workload Client Cluster / Provider Specific (7)
    Notes:

    1. Nodes running standalone server or Rancher HA deployment.
    2. Only for hosted clusters.
    3. Required to fetch Rancher chart library.
    4. Only without external load balancer.
    5. From worker nodes.
    6. Only if SSL is not terminated at external load balancer.
    7. Usually Ingress backed by infrastructure load balancer and/or nodeport.

    Other Port Considerations

    Commonly Used Ports

    These ports are typically opened on your Kubernetes nodes, regardless of what type of cluster it is.

    Protocol Port Description
    TCP 22 Node driver SSH provisioning
    TCP 2376 Node driver Docker daemon TLS port
    TCP 2379 etcd client requests
    TCP 2380 etcd peer communication
    UDP 8472 Canal/Flannel VXLAN overlay networking
    UDP 4789 Flannel VXLAN overlay networking on Windows cluster
    TCP 9099 Canal/Flannel livenessProbe/readinessProbe
    TCP 6783 Weave Port
    UDP 6783-6784 Weave UDP Ports
    TCP 10250 kubelet API
    TCP 10254 Ingress controller livenessProbe/readinessProbe
    TCP/UDP 30000-
    32767    		 NodePort port range

    Local Node Traffic

    Ports marked as local traffic (i.e., 9099 TCP) in the above requirements are used for Kubernetes healthchecks (livenessProbe andreadinessProbe). These healthchecks are executed on the node itself. In most cloud environments, this local traffic is allowed by default.

    However, this traffic may be blocked when:

    • You have applied strict host firewall policies on the node.
    • You are using nodes that have multiple interfaces (multihomed).

    In these cases, you have to explicitly allow this traffic in your host firewall, or in case of public/private cloud hosted machines (i.e. AWS or OpenStack), in your security group configuration. Keep in mind that when using a security group as source or destination in your security group, explicitly opening ports only applies to the private interface of the nodes / instances.

    Rancher AWS EC2 security group

    When using the AWS EC2 node driver to provision cluster nodes in Rancher, you can choose to let Rancher create a security group called rancher-nodes. The following rules are automatically added to this security group.

    Type Protocol Port Range Source/Destination Rule Type
    SSH TCP 22 0.0.0.0/0 Inbound
    HTTP TCP 80 0.0.0.0/0 Inbound
    Custom TCP Rule TCP 443 0.0.0.0/0 Inbound
    Custom TCP Rule TCP 2376 0.0.0.0/0 Inbound
    Custom TCP Rule TCP 2379-2380 sg-xxx (rancher-nodes) Inbound
    Custom UDP Rule UDP 4789 sg-xxx (rancher-nodes) Inbound
    Custom TCP Rule TCP 6443 0.0.0.0/0 Inbound
    Custom UDP Rule UDP 8472 sg-xxx (rancher-nodes) Inbound
    Custom TCP Rule TCP 10250-10252 sg-xxx (rancher-nodes) Inbound
    Custom TCP Rule TCP 10256 sg-xxx (rancher-nodes) Inbound
    Custom TCP Rule TCP 30000-32767 0.0.0.0/0 Inbound
    Custom UDP Rule UDP 30000-32767 0.0.0.0/0 Inbound
    All traffic All All 0.0.0.0/0 Outbound