From 3cff5082873481e776a91f5b88f6ccf6af90c06a Mon Sep 17 00:00:00 2001 From: Jim Galasyn Date: Wed, 28 Feb 2018 11:50:18 -0800 Subject: [PATCH] Add section on firewall and Kube ports (#532) * Add section on firewall and Kube ports * Incorporate feedback --- ee/upgrade.md | 17 +++++++++++++++++ 1 file changed, 17 insertions(+) diff --git a/ee/upgrade.md b/ee/upgrade.md index bb249ec28d..3ab519c93d 100644 --- a/ee/upgrade.md +++ b/ee/upgrade.md @@ -38,6 +38,23 @@ You may also want to check the [Docker EE maintenance lifecycle](https://success.docker.com/Policies/Maintenance_Lifecycle), to understand until when your version may be supported. +## Apply firewall rules + +Before you upgrade, make sure: + +- Your firewall rules are configured to allow traffic in the ports UCP uses + for communication. Learn about [UCP port requirements](ucp/admin/install/system-requirements.md#ports-used). +- Make sure you don't have containers or services that are listening on ports + used by UCP. +- Configure your load balancer to forward TCP traffic to the Kubernetes API + server port (6443/TCP by default) running on manager nodes. + +> Certificates +> +> Externally signed certificates are used by the Kubernetes API server and +> the UCP controller. +{: .important} + ## Upgrade Docker Engine To avoid application downtime, you should be running Docker in Swarm mode and
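Review bot: The "Certificates" callout at the end of the new "Apply firewall rules" section says that externally signed certificates are used by the Kubernetes API server and the UCP controller, but it gives the reader no pre-upgrade action and has no stated connection to firewall rules or ports. Either say what to verify or do before upgrading and why it is marked `.important`, or move it to a section about certificates. In the list above it, the lead-in "Before you upgrade, make sure:" is followed by a second bullet that repeats "Make sure" and a third that is an imperative ("Configure your load balancer ..."), so the three items are not parallel. Rewording all of them as conditions, or changing the lead-in and writing all of them as steps, would fix that. "allow traffic in the ports" should read "on the ports". The heading also covers more than firewall rules, since the bullets include port conflicts with running containers or services and load balancer forwarding to 6443/TCP, so a broader title would match the content better.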