Network Security and Access Controls

Contributors ebarcott

We recommend you secure your NetApp Kubernetes Service (NKS) clusters appropriately for your infrastructure and workload security requirements, regardless of where they are deployed.

In the case of NKS operating on-premises (such as NKS on NetApp HCI, and NKS on VMware), network access controls at the corporate firewall level may need take into account any secure channels which are required for communicating between the public-cloud-hosted NKS controller elements and your on-premises resources.

If you decide to restrict access to individual NKS clusters, you will need to whitelist the following ports, hostnames, and IP addresses so that the NetApp Kubernetes Service can operate correctly.

Outbound Traffic

Whitelist outbound traffic on port 443 for HTTPS.

Inbound Traffic

NKS Service IP addresses:








For these IP addresses, whitelist inbound traffic on the following ports:




HTTPS. Applies to securing individual NKS-provisioned Kubernetes cluster(s) in Public Clouds. All traffic flows outbound through 443 for on-premises deployed clusters.


Kubernetes API.


Proxy to dashboard.


Kubernetes upgrades and other local tasks.