feat(ec): document firewalld configuration (#3064)

emosbaugh · paigecalvert · web-flow · commit 8882a45925c4 · 2025-02-19T11:52:26.000-06:00
* feat(ec): document firewalld configuration

* docs edits

---------

Co-authored-by: Paige Calvert &lt;paige@replicated.com&gt;
diff --git a/docs/enterprise/installing-embedded-requirements.mdx b/docs/enterprise/installing-embedded-requirements.mdx
@@ -38,3 +38,52 @@ This topic lists the installation requirements for Replicated Embedded Cluster.
 </table>
 
 &#42; Required only if the application uses the [Replicated private registry](/vendor/private-images-replicated).
+
+## About Firewalld Configuration
+
+When Firewalld is enabled in the installation environment, Embedded Cluster modifies the Firewalld config to allow traffic over the pod and service networks and to open the required ports on the host. No additional configuration is required.
+
+The following rule is added to Firewalld:
+
+```xml
+<?xml version="1.0" encoding="utf-8"?>
+<zone target="ACCEPT">
+  <interface name="cali+"/>
+  <interface name="tunl+"/>
+  <interface name="vxlan-v6.calico"/>
+  <interface name="vxlan.calico"/>
+  <interface name="wg-v6.cali"/>
+  <interface name="wireguard.cali"/>
+  <source address="[pod-network-cidr]"/>
+  <source address="[service-network-cidr]"/>
+</zone>
+```
+
+The following ports are opened in the default zone:
+
+<table>
+<tr>
+  <th>Port</th>
+  <th>Protocol</th>
+</tr>
+<tr>
+  <td>6443</td>
+  <td>TCP</td>
+</tr>
+<tr>
+  <td>10250</td>
+  <td>TCP</td>
+</tr>
+<tr>
+  <td>9443</td>
+  <td>TCP</td>
+</tr>
+<tr>
+  <td>2380</td>
+  <td>TCP</td>
+</tr>
+<tr>
+  <td>4789</td>
+  <td>UDP</td>
+</tr>
+</table>
diff --git a/docs/partials/embedded-cluster/_port-reqs.mdx b/docs/partials/embedded-cluster/_port-reqs.mdx
@@ -40,4 +40,4 @@ If port 30000 is occupied, you can select a different port for the Admin Console
 
 In addition to the ports above, air gap installations also require that port 50000/TCP is open and available for the Local Artifact Mirror (LAM).
 
-If port 50000 is occupied, you can select a different port for the LAM during installation. For more information, see [Embedded Cluster Install Command Options](/reference/embedded-cluster-install).
+If port 50000 is occupied, you can select a different port for the LAM during installation. For more information, see [Embedded Cluster Install Command Options](/reference/embedded-cluster-install).

Original file line number	Diff line number	Diff line change
`@@ -40,4 +40,4 @@ If port 30000 is occupied, you can select a different port for the Admin Console`
`40`	`40`
`41`	`41`	`In addition to the ports above, air gap installations also require that port 50000/TCP is open and available for the Local Artifact Mirror (LAM).`
`42`	`42`
`43`		`-If port 50000 is occupied, you can select a different port for the LAM during installation. For more information, see [Embedded Cluster Install Command Options](/reference/embedded-cluster-install).`
	`43`	`+If port 50000 is occupied, you can select a different port for the LAM during installation. For more information, see [Embedded Cluster Install Command Options](/reference/embedded-cluster-install).`