Networking and Firewall Rules
This document outlines the necessary networking and firewall rules to enable communication between various components of the Kubesense deployment, as well as external services required for proper functionality.
External Services​
Ensure the following external services are accessible from your Kubernetes cluster for the Kubesense server and sensor components:
ECR Registry​
- ECR URL:
365639915496.dkr.ecr.us-east-1.amazonaws.com - Purpose: Used for pulling container images from AWS Elastic Container Registry.
Amazon SES for Email​
- Service URLs:
https://email.ap-south-1.amazonaws.com/https://signin.aws.amazon.com/https://sts.amazonaws.com/
- Purpose: Used for sending notification emails and secure token services (STS) in AWS.
Server-Sensor Deployment Ports​
For proper communication between the Kubesense Server and Sensor components, the following ports must be exposed and accessible:
| Component | Port | Purpose | Firewall Rule |
|---|---|---|---|
| Kubecol Controller | 32033 | Captures Kubernetes info and infrastructure attributes | Allow inbound traffic from kubesensors |
| Kubecol Ingestor | 32133 | Processes traces and pushes data to the database | Allow inbound traffic from kubesensors |
| Metrics Collector | 30060 | Captures infrastructure metrics like CPU, memory usage | Allow inbound traffic from otel-agent |
| Events Port | 30051 | Captures Kubernetes event information | Allow inbound traffic from otel-agent |
| LogAggregator | 30052 | Captures, processes, transforms logs and pushes to the DB | Allow inbound traffic from logsensors |
| ECR Access | 443 | Access to ECR for pulling container images | Allow outbound traffic to 365639915496.dkr.ecr.us-east-1.amazonaws.com |
| Amazon SES | 443 | Access to SES for email notifications | Allow outbound traffic to email.ap-south-1.amazonaws.com |
Firewall Considerations​
Ensure that firewall rules allow inbound and outbound traffic to the following:
- ECR Registry: Traffic should be allowed to
365639915496.dkr.ecr.us-east-1.amazonaws.comfor pulling container images. - Amazon SES: Allow traffic to the email service at
https://email.ap-south-1.amazonaws.com/for email notifications. - AWS Services: Allow connections to
https://signin.aws.amazon.comandhttps://sts.amazonaws.comfor authentication and secure token management.
Additionally, ensure that the ports for the Kubesense components (32033, 32133, 30060, 30051, and 30052) are open for internal communication between the server and sensors.
By configuring these network and firewall rules, you ensure that the Kubesense deployment can communicate with both internal components and external services efficiently and securely.