Skip to main content

Network Communication and Ports

Depending on what version of Palette you are using, the internal architecture and network communication will be different. Before Palette 4.0.0 the management platform communicated with the workload cluster via NATS. Starting with Palette 4.0.0, the management platform communicates with the workload cluster via gRPC. Use the tabs below to view the network communication and ports for each architecture.

SaaS Network Communications and Ports

The following ports must be reachable from a network perspective for Palette SaaS to function correctly.

SaaS Network Diagram with ports

SaaS Managed With Edge

SaaS network diagram displaying the network paths for edge

Network Ports

The following ports must be reachable from a network perspective for Palette to operate properly.

Management Platform

PortDirectionPurpose
HTTPS (tcp/443)INBOUNDBrowser/API access to management platform .
HTTPS (tcp/443)INBOUNDgRPC communication between Palette and the workload cluster.
NATS (tcp/4222)INBOUNDAgent running inside connecting to management platform [Deprecated]

Workload Cluster

PortDirectionPurpose
HTTPS (tcp/443)OUTBOUNDAPI access to management platform and gRPC
HTTPS (tcp/443)OUTBOUNDgRPC, Registry (packs, integrations), Pack containers, Application Updates
NATS (tcp/4222)OUTBOUNDRegistry (packs, integrations), Pack containers, Application Updates [Deprecated]
info

You can expose inbound port 22 for SSH if you would like to access your cluster nodes for troubleshooting remotely. This is entirely optional and not required for Palette to operate appropriately.

Self-Hosted Network Communications and Ports

On-prem network diagram

The following ports must be reachable from a network perspective for Palette self-hosted to function correctly.

Management Platform

PortDirectionPurpose
HTTPS (tcp/443)INBOUNDBrowser/API access to management platform, gRPC
NATS (tcp/4222)INBOUNDMessage Bus for workload clusters [Deprecated]
HTTPS (tcp/443)OUTBOUNDvSphere vCenter API, Registry (packs, integrations), Pack containers, app updates, gRPC
HTTPS (tcp/6443)OUTBOUNDWorkload K8s cluster API Server

Workload Cluster

PortDirectionPurpose
HTTPS (tcp/443)OUTBOUNDAPI access to management platform
NATS (tcp/4222)OUTBOUNDAgent communication via message bus [Deprecated]
HTTPS (tcp/443)OUTBOUNDvSphere vCenter API, gRPC, Registry (packs, integrations), Pack containers, Application updates
info

You can expose inbound port 22 for SSH if you would like to access your cluster nodes for troubleshooting remotely. This is entirely optional and not required for Palette to operate appropriately.