This section describes the protocols and ports used for management communication.

The Controller and Service Engines use protocols and ports for:

  • Management communication (Controller and Service Engines)

  • Network services (Controller)

  • Cloud orchestrators

  • Container Cluster nodes

For the latest information about ports and protocols used by the Avi Load Balancer, see VMware Ports and Protocols.

Ensure that the firewall allows traffic for the ports used by the Controller and SEs for management communication.

Note:
  • You do not have to open a firewall port from the Controller to the SE. The SE initiates communication to the Controller.

  • Even if the cluster IP is configured, the source IP is derived from the Controller IP and not from the cluster IP.

  • The secure channel on port 22 (or 5098 in container environments) is used for communication between components for configuration sync, metrics and logs transfer, heartbeats and other management processes.

  • OpenStack mode does not support port 5098 on the container side.

  • Service Engines and Controllers display a login banner that shows basic connectivity status when accessed through SSH. Connectivity checks use a simple ICMP Echo (PING). If PING is not allowed between a Controller or Service Engine and its management default gateway, the Gateway status is shown as DOWN. Similarly, if PING is not allowed between a Service Engine and the Controller, the Controller status is shown as DOWN. These reachability checks have no operational impact if they fail, so the messages can be ignored when it is not possible to allow PING between these components.

For more information on the system port 8443 and port 22 usage, see Avi Load Balancer Service Engine to Controller Communication.

Ports Used for Management Communication

The Avi Load Balancer Controller and SEs use the following ports for management. The firewall must also allow traffic for these ports.

Traffic Source: Avi Load Balancer Controller
Traffic Destination: Avi Load Balancer Controller
Ports to Allow:

  • TCP 22 (SSH)

  • TCP 443 (HTTPS)

  • TCP 8443 (HTTPS)

  • TCP 5098 (SSH) (if the Controller is a docker container, SSH is on port 5098)

Traffic Source: Avi Load Balancer Controller
Traffic Destination: External Entities
Ports to Allow: Refer to the sections below the table.

Traffic Source: Avi Load Balancer Controller
Traffic Destination: Avi Load Balancer Service Engine
Ports to Allow: Not required.

Traffic Source: Avi Load Balancer Service Engine
Traffic Destination: Avi Load Balancer Service Engine
Ports to Allow:

  • TCP 4001 for AWS, Azure, GCP, and OpenStack clouds.

  • TCP 9001 for VMware, LSC, and NSX-T clouds.

  • TCP 4001 and TCP 9001 are used for ObjStore, the SE distributed object store.

    For more details on TCP 9001, see the Service Engine Group section.

Traffic Source: Avi Load Balancer Service Engine
Traffic Destination: Avi Load Balancer Controller
Ports to Allow:

  • TCP 22 (SSH)

  • TCP 8443 (HTTPS)

  • UDP 123 (NTP)

  • TCP 5098 (SSH) (if the Controller is a docker container, SSH is on port 5098)

Traffic Source: External Network Services
Traffic Destination: Avi Load Balancer Controller
Ports to Allow:

  • TCP 25 (SMTP)

  • TCP 49 (TACACS+)

  • UDP 53 (DNS)

  • UDP 123 (NTP)

  • UDP 162 (SNMP traps)

  • TCP or UDP 389 (LDAP)

  • UDP 514 (syslog)

  • TCP or UDP 636 (LDAPS)

  • TCP 22 (SSH)

  • TCP 80 (HTTP) (optional)

  • TCP 443 (HTTPS)

  • TCP 5054 (CLI server) (if using the optional CLI shell for remote management access)

  • UDP 161 (the SNMP agent listens on this port)

Protocols and Ports Used by Cloud Orchestrators

Cloud Orchestrator: GCP
Protocols/Ports Used: Port 443 is needed for the GCP cloud to connect to Avi Load Balancer.

Cloud Orchestrator: OpenStack
Protocols/Ports Used: Some or all of the following ports might be required:

  • Keystone: TCP 5000, 35357

  • Glance: TCP 9292

  • Nova: TCP 8774

  • Neutron: TCP 9696

  • Heat (optional; used for autoscaling back-end members): TCP 8004

Cloud Orchestrator: VMware vCenter
Protocols/Ports Used: Controller-to-ESXi hosts: port 443

Cloud Orchestrator: OpenShift Master
Protocols/Ports Used: Port 8443

Cloud Orchestrator: Kubernetes Master
Protocols/Ports Used: Port 8080 for unauthenticated masters

Cloud Orchestrator: Mesos or DC/OS Masters
Protocols/Ports Used:

  • Port 5050 for masters

  • Port 80 for unauthenticated Marathon services

Cloud Orchestrator: AWS
Protocols/Ports Used: Port 443 for the AWS cloud to connect to Avi Load Balancer

Cloud Orchestrator: Azure
Protocols/Ports Used: Port 443 for the Azure cloud to connect to Avi Load Balancer

Ports Used by Container Cluster Nodes

  • OpenShift: Port 22

  • Kubernetes Minions: Port 22

  • Mesos Nodes: Port 22

Service Engine Firewalls

The following protocols and ports are required for SE-SE management traffic:

  • Protocol 75 (ports: not applicable)

  • Protocol 97 (ports: not applicable)

  • UDP 1550

To allow ingress traffic for SE to SE management traffic, see Configuring Service Engine Ingress Rules.

To allow egress traffic for SE to SE management traffic, see Configuring Controller Egress Rules.
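As an added example that is not part of the Avi Load Balancer documentation, the following Python helper derives the SE-side firewall allow-list from the rules stated on this page: the SE-to-SE ObjStore port selected by cloud type, the secure channel on TCP 22 or TCP 5098 (rejecting the unsupported OpenStack container case from the Note above), no Controller-initiated ingress (the SE initiates), and the SE-to-SE protocols 75 and 97 and UDP 1550 from the Service Engine Firewalls table. Assumptions: protocols 75 and 97 are treated as IP protocol numbers, the iptables rendering and sample addresses are constructed, and the function names are hypothetical.

```python
"""Derive an SE-side firewall allow-list from the Avi management ports on this page (hypothetical helper)."""

# Cloud types that select the SE-to-SE object-store (ObjStore) port.
OBJSTORE_4001_CLOUDS = {"aws", "azure", "gcp", "openstack"}
OBJSTORE_9001_CLOUDS = {"vmware", "lsc", "nsx-t"}

# Further SE-to-SE management traffic from the Service Engine Firewalls table:
# protocols 75 and 97 (assumed to be IP protocol numbers, no port) and UDP 1550.
SE_TO_SE_EXTRA = [("75", None), ("97", None), ("udp", 1550)]


def se_management_rules(cloud, controller_in_container=False):
    """Return (direction, peer, proto, port) tuples an SE firewall must allow;
    direction is 'egress' (this SE initiates) or 'ingress' (a peer SE initiates).
    No Controller-initiated ingress is listed: the SE opens the secure channel."""
    cloud = cloud.lower()
    if cloud in OBJSTORE_4001_CLOUDS:
        objstore = 4001
    elif cloud in OBJSTORE_9001_CLOUDS:
        objstore = 9001
    else:
        raise ValueError(f"unknown cloud type: {cloud!r}")
    if controller_in_container and cloud == "openstack":
        raise ValueError("OpenStack mode does not support port 5098 on the container side")
    ssh_port = 5098 if controller_in_container else 22  # secure channel (SSH)

    rules = [
        ("egress", "controller", "tcp", ssh_port),
        ("egress", "controller", "tcp", 8443),  # HTTPS
        ("egress", "controller", "udp", 123),   # NTP
    ]
    for proto, port in [("tcp", objstore)] + SE_TO_SE_EXTRA:
        rules.append(("egress", "se", proto, port))
        rules.append(("ingress", "se", proto, port))
    return rules


def to_iptables(rules, controller_ip, se_subnet):
    """Render rules as iptables commands (constructed layout, not Avi's own)."""
    out = []
    for direction, peer, proto, port in rules:
        addr = controller_ip if peer == "controller" else se_subnet
        chain, flag = ("OUTPUT", "-d") if direction == "egress" else ("INPUT", "-s")
        dport = f" --dport {port}" if port is not None else ""
        out.append(f"iptables -A {chain} -p {proto} {flag} {addr}{dport} -j ACCEPT")
    return out
```

Calling `to_iptables(se_management_rules("vmware"), "10.0.0.10", "10.0.1.0/24")` with constructed addresses yields the egress rules towards the Controller (22, 8443, 123) plus paired egress/ingress SE-to-SE rules for TCP 9001, protocols 75 and 97, and UDP 1550.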