Secure operation of vCloud Director requires a secure network environment. Configure and test this network environment before you begin installing vCloud Director.
Connect all vCloud Director servers to a network that is secured and monitored. vCloud Director network connections have several additional requirements:
- Do not connect vCloud Director directly to the public Internet. Always protect vCloud Director network connections with a firewall. Only port 443 (HTTPS) must be open to incoming connections. Ports 22 (SSH) and 80 (HTTP) can also be opened for incoming connections if needed. In addition, the cell-management-tool requires access to the cell's loopback address. All other incoming traffic from a public network, including requests to JMX (port 8999) must be rejected by the firewall.
Table 1. Ports That Must Allow Incoming Packets From vCloud Director Hosts

| Port | Protocol | Comments |
|------|----------|----------|
| 111 | TCP, UDP | NFS portmapper used by transfer service |
| 920 | TCP, UDP | NFS rpc.statd used by transfer service |
| 61611 | TCP | AMQP |
| 61616 | TCP | AMQP |
- Do not connect the ports used for outgoing connections to the public network.
Table 2. Ports That Must Allow Outgoing Packets From vCloud Director Hosts

| Port | Protocol | Comments |
|------|----------|----------|
| 25 | TCP, UDP | SMTP |
| 53 | TCP, UDP | DNS |
| 111 | TCP, UDP | NFS portmapper used by transfer service |
| 123 | TCP, UDP | NTP |
| 389 | TCP, UDP | LDAP |
| 443 | TCP | vCenter, NSX Manager, and ESXi connections using the standard port. If you have chosen a different port for these services, disable connection to port 443 and enable them for the port you have chosen. |
| 514 | UDP | Optional. Enables syslog use. |
| 902 | TCP | vCenter and ESXi connections. |
| 903 | TCP | vCenter and ESXi connections. |
| 920 | TCP, UDP | NFS rpc.statd used by transfer service. |
| 5432 | TCP | Default PostgreSQL database port |
| 5672 | TCP, UDP | Optional. AMQP messages for task extensions. |
| 61611 | TCP | AMQP |
| 61616 | TCP | AMQP |
- Route traffic between vCloud Director servers and the following servers over a dedicated private network.
  - vCloud Director database server
- If possible, route traffic between vCloud Director servers, vSphere, and NSX over a dedicated private network.
- Virtual switches and distributed virtual switches that support provider networks must be isolated from each other. They cannot share the same layer 2 physical network segment.
- Use NFSv4 for transfer service storage. The most common NFS version, NFSv3, does not offer in-transit encryption, which in some configurations might enable in-flight sniffing of, or tampering with, the data being transferred. Threats inherent in NFSv3 are described in the SANS white paper NFS Security in Both Trusted and Untrusted Environments. Additional information about configuring and securing the vCloud Director transfer service is available in VMware Knowledge Base article 2086127.
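The firewall requirements above, together with Table 1 and Table 2, rendered as an nftables ruleset for a single cell. This is an added example, not from the vCloud Director documentation; every host and network address in it is an assumed placeholder for a private management network.

```shell
#!/bin/sh
# Added example, not from the vCloud Director documentation: print an nftables
# ruleset for one vCloud Director cell that implements the firewall rules,
# Table 1 and Table 2 above. Every address is a constructed placeholder for a
# private management network; replace them with your own values.
DB_HOST="${DB_HOST:-10.0.20.5}"             # assumed PostgreSQL server
NFS_HOST="${NFS_HOST:-10.0.20.6}"           # assumed transfer service NFS server
AMQP_HOST="${AMQP_HOST:-10.0.20.7}"         # assumed AMQP broker
VSPHERE_NET="${VSPHERE_NET:-10.0.30.0/24}"  # assumed vCenter / NSX Manager / ESXi
ADMIN_NET="${ADMIN_NET:-10.0.10.0/24}"      # assumed source of optional SSH access

# Usage: vcd_nft_ruleset [yes|no]   ("yes" additionally admits SSH from ADMIN_NET;
# port 80 would be handled the same way if it is needed)
vcd_nft_ruleset() {
  open_ssh="${1:-no}"
  cat <<EOF
table inet vcd_cell {
  chain input {
    type filter hook input priority 0; policy drop;
    iif "lo" accept                    # cell-management-tool uses the loopback
    ct state established,related accept
    tcp dport 8999 reject              # JMX is refused explicitly, from anywhere
    tcp dport 443 accept               # the only port that must be open publicly
EOF
  [ "$open_ssh" = "yes" ] && echo "    ip saddr $ADMIN_NET tcp dport 22 accept"
  cat <<EOF
    ip saddr $NFS_HOST tcp dport { 111, 920 } accept     # Table 1: NFS
    ip saddr $NFS_HOST udp dport { 111, 920 } accept
    ip saddr $AMQP_HOST tcp dport { 61611, 61616 } accept  # Table 1: AMQP
  }
  chain output {
    type filter hook output priority 0; policy drop;
    oif "lo" accept
    ct state established,related accept
    tcp dport { 25, 53, 123, 389 } accept                # SMTP, DNS, NTP, LDAP
    udp dport { 25, 53, 123, 389 } accept
    ip daddr $VSPHERE_NET tcp dport { 443, 902, 903 } accept
    ip daddr $DB_HOST tcp dport 5432 accept              # PostgreSQL
    ip daddr $NFS_HOST tcp dport { 111, 920 } accept     # NFS transfer storage
    ip daddr $NFS_HOST udp dport { 111, 920 } accept
    ip daddr $AMQP_HOST tcp dport { 61611, 61616 } accept
  }
}
EOF
}

# To apply on a cell (as root): vcd_nft_ruleset no | nft -f -
```

Both chains default to drop, so any service not listed in the tables (including syslog on 514/UDP and the optional AMQP port 5672) has to be added deliberately rather than being reachable by accident.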