Secure operation of VMware Cloud Director requires a secure network environment. Configure and test this network environment before you begin installing VMware Cloud Director.

Connect all VMware Cloud Director servers to a network that is secured and monitored.

For information on the network ports and protocols used by VMware Cloud Director, see VMware Ports and Protocols.

VMware Cloud Director network connections have several additional requirements:
  • Do not connect VMware Cloud Director directly to the public Internet. Always place VMware Cloud Director network connections behind a firewall. Only port 443 (HTTPS) needs to accept incoming connections from the public network. If needed, ports 22 (SSH) and 80 (HTTP) can also be opened for incoming connections; where possible, restrict them to administrative source addresses rather than opening them to everyone. In addition, the cell-management-tool requires access to the cell's loopback address. The firewall must reject all other incoming traffic from a public network, including requests to JMX (port 8999).
    Table 1. Ports That Must Allow Incoming Packets from VMware Cloud Director Hosts (ports on the transfer-service NFS server and on the other cells that must accept connections originating from VMware Cloud Director hosts over the private network; none of them is exposed publicly)
    Port    Protocol   Comments
    111     TCP, UDP   NFS portmapper used by the transfer service
    920     TCP, UDP   NFS rpc.statd used by the transfer service
    61611   TCP        AMQP messaging bus (ActiveMQ Artemis) used for communication between cells
    61616   TCP        ActiveMQ Artemis messaging bus for inter-cell communication over JMS
  • Do not route the outgoing connections listed in Table 2 over the public network. They carry traffic from VMware Cloud Director hosts to infrastructure services (directory, database, vSphere, NSX, NFS, messaging) and belong on the private network.
    Table 2. Ports That Must Allow Outgoing Packets from VMware Cloud Director Hosts
    Port    Protocol   Comments
    25      TCP, UDP   SMTP for sending outbound notification emails
    53      TCP, UDP   Name resolution over DNS
    111     TCP, UDP   NFS portmapper used by the transfer service
    123     TCP, UDP   Time synchronization over NTP
    389     TCP, UDP   Active Directory queries over LDAP
    443     TCP        vCenter Server, NSX Manager, and ESXi connections on the standard port. If you have configured a different port for any of these services, close 443 towards that service and open the port you have chosen instead.
    514     UDP        Optional. Enables syslog use.
    636     TCP, UDP   LDAP over SSL (LDAPS) connections. 636 is the standard LDAPS port; if your directory listens on a different port, open that port instead.
    902     TCP        ESXi host network communication
    903     TCP        Network communication to vCenter Server instances
    920     TCP, UDP   NFS rpc.statd used by the transfer service
    5432    TCP        Default PostgreSQL database port
    5672    TCP, UDP   Optional. RabbitMQ messaging for task extensions; the port on which the broker listens for messages
    61611   TCP        AMQP messaging bus (ActiveMQ Artemis) for inter-cell communication
    61616   TCP        ActiveMQ Artemis messaging bus for inter-cell communication over JMS
  • Starting with version 10.1, service providers and tenants can use the VMware Cloud Director API to test connections to remote servers and to verify a server's identity as part of an SSL handshake. Because the cell opens these connections on the caller's behalf, a tenant could otherwise use the feature to probe hosts on your internal networks. To protect VMware Cloud Director network connections, configure a denylist of internal hosts that the connection test refuses to contact for tenants. Configure the denylist after the VMware Cloud Director installation or upgrade and before granting tenants access to VMware Cloud Director. See Configure a Test Connection Denylist.
  • Route traffic between VMware Cloud Director servers and the following servers over a dedicated private network.
    • VMware Cloud Director database server
    • RabbitMQ
    • Cassandra
  • If possible, route traffic between VMware Cloud Director servers, vSphere, and NSX over a dedicated private network.
  • Virtual switches and distributed virtual switches that support provider networks must be isolated from each other. They cannot share the same layer 2 physical network segment.
  • Use NFSv4 for the transfer service storage. NFSv3 does not offer in-transit encryption for integrity and confidentiality, and NFSv3 services cannot authenticate users to enforce the proper access control to files. Note that NFSv4 provides these protections only when the share is mounted with Kerberos security (sec=krb5i for integrity, sec=krb5p for integrity and confidentiality); an NFSv4 mount with sec=sys still trusts client-asserted user identities and sends data in the clear. Additional information about configuring and securing the VMware Cloud Director transfer service is available in VMware Knowledge Base article 2086127.
  • If you decide to join VMware’s Customer Experience Improvement Program (CEIP), create a firewall rule that allows the outgoing traffic to the VMware Analytics Cloud at https://vcsa.vmware.com/.
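The firewall requirements above are easy to state and easy to get wrong in practice (a permissive default rule, a forgotten JMX port). The following script is an added example, not code from VMware or from this documentation: run from a host on the public side of the firewall, it attempts TCP connections to the ports this page mentions and reports anything beyond the permitted incoming set (443, plus 22 and 80 only if you deliberately opened them). The hostname in the main block is a placeholder, and the set of ports that must never answer publicly is taken from the tables above; if you expose the console proxy on 8443 to tenants, add it to OPTIONAL_OPEN and pass it in allow_optional.

```python
"""External exposure check for a VMware Cloud Director cell.

Added example, not code from VMware or this documentation. Run it from a host
on the public side of the firewall: it attempts TCP connections to the ports
the requirements above mention and reports anything beyond the permitted set.
The hostname in __main__ is a placeholder.
"""
import json
import socket
import sys
from concurrent.futures import ThreadPoolExecutor

# Permitted incoming ports from the public network: 443 always,
# 22 and 80 only if the operator deliberately enabled them.
REQUIRED_OPEN = {443}
OPTIONAL_OPEN = {22, 80}

# Ports that must never answer from the public network: NFS, PostgreSQL,
# the appliance management UI, JMX and inter-cell messaging (all from the
# port tables on this page).
MUST_BE_CLOSED = {111, 920, 5432, 5480, 8998, 8999, 61611, 61616}


def port_open(host, port, timeout=2.0):
    """True if a TCP handshake with host:port completes within timeout."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def scan(host, ports, timeout=2.0, workers=16):
    """Return the set of ports on host that accept a TCP connection."""
    with ThreadPoolExecutor(max_workers=workers) as pool:
        results = pool.map(lambda p: (p, port_open(host, p, timeout)), ports)
        return {p for p, is_open in results if is_open}


def audit(open_ports, allow_optional=()):
    """Compare observed open ports with the policy.

    allow_optional: the optional ports (22, 80) the operator chose to expose.
    Returns sorted lists of ports that are required but closed ('missing'),
    open but not permitted ('unexpected'), and open although explicitly
    banned ('forbidden', the part of 'unexpected' that needs immediate action).
    """
    open_ports = set(open_ports)
    allowed = REQUIRED_OPEN | (OPTIONAL_OPEN & set(allow_optional))
    return {
        "missing": sorted(REQUIRED_OPEN - open_ports),
        "unexpected": sorted(open_ports - allowed),
        "forbidden": sorted(open_ports & MUST_BE_CLOSED),
    }


def audit_host(host, allow_optional=(), timeout=2.0):
    """Scan every port the policy cares about on host and audit the result."""
    ports = sorted(REQUIRED_OPEN | OPTIONAL_OPEN | MUST_BE_CLOSED)
    return audit(scan(host, ports, timeout), allow_optional)


if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else "vcd.example.com"  # placeholder
    report = audit_host(target, allow_optional=(22,))
    print(json.dumps(report, indent=2))
    sys.exit(1 if report["unexpected"] or report["missing"] else 0)
```

A non-empty "forbidden" list means the firewall is passing traffic the page says it must reject (for example JMX on 8999); a "missing" 443 usually means you are scanning the wrong address or the cell is down. Because the scan only attempts a TCP handshake, it is safe to run against production cells.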

VMware Cloud Director Appliance-Specific Network Security Requirements

  • Ports

    The VMware Cloud Director appliance is deployed with two network interfaces, eth0 and eth1, so that you can isolate HTTP traffic from database traffic. Each service listens on one or both of the corresponding interfaces.

    Service          Port on eth0   Port on eth1
    SSH              22             22
    HTTP             80             n/a
    HTTPS            443            n/a
    PostgreSQL       n/a            5432
    Management UI    5480           5480
    Console proxy    8443           n/a
    JMX              8998, 8999     n/a
    JMS/ActiveMQ     61616          n/a

    The VMware Cloud Director appliance supports user customization of firewall rules by using iptables. To add custom iptables rules, you can add your own configuration data to the end of the /etc/systemd/scripts/iptables file.
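The port table above says which interface each service listens on, but not who should be allowed to reach it. The following generator is an added example, not VMware's code or a file shipped with the appliance: it turns that table into iptables INPUT rules that bind each listener to its interface and to the networks that legitimately use it (an admin network for SSH and the management UI, the other cells for PostgreSQL and JMS, the NFS server for the rpc.statd callbacks from Table 1), with a DROP for everything else, including JMX. The output is meant to be appended to /etc/systemd/scripts/iptables. All CIDRs in the main block are placeholders, and the assumption is that no rule earlier in that file already accepts the ports concerned.

```python
"""Render iptables INPUT rules for a VMware Cloud Director appliance.

Added example, not VMware's code. It binds each listener from the appliance
port table to its interface and to the source networks that should reach it,
and drops everything else (JMX 8998/8999 included). The networks passed in
__main__ are placeholders.
"""
import ipaddress


def _net(cidr):
    """Normalise a CIDR. strict=True rejects host bits such as 10.0.0.5/24,
    so a typo cannot silently turn one host into a whole network."""
    return str(ipaddress.ip_network(cidr, strict=True))


def build_rules(admin_net, cell_nets, nfs_server=None, expose_console_proxy=False):
    """Return iptables commands (strings) for the appliance INPUT chain.

    admin_net:            network allowed to reach SSH and the 5480 management UI
    cell_nets:            networks of the other cells (JMS on eth0, PostgreSQL on eth1)
    nfs_server:           transfer-service NFS server, for the Table 1 callback ports
    expose_console_proxy: open 8443 on eth0 to any address (only if tenants use it)
    """
    admin = [_net(admin_net)]
    cells = [_net(n) for n in cell_nets]
    nfs = [_net(nfs_server)] if nfs_server else []

    # (interface, protocol, port, allowed sources, comment)
    # sources None means any address; an empty list means nobody.
    policy = [
        ("eth0", "tcp", 443, None, "public HTTPS: API and UI"),
        ("eth0", "tcp", 22, admin, "SSH, admin network only"),
        ("eth1", "tcp", 22, admin, "SSH, admin network only"),
        ("eth0", "tcp", 5480, admin, "management UI, admin network only"),
        ("eth1", "tcp", 5480, admin, "management UI, admin network only"),
        ("eth0", "tcp", 61616, cells, "ActiveMQ Artemis JMS from other cells"),
        ("eth1", "tcp", 5432, cells, "embedded PostgreSQL from other cells"),
        ("eth1", "tcp", 111, nfs, "NFS portmapper, from the NFS server"),
        ("eth1", "udp", 111, nfs, "NFS portmapper, from the NFS server"),
        ("eth1", "tcp", 920, nfs, "NFS rpc.statd, from the NFS server"),
        ("eth1", "udp", 920, nfs, "NFS rpc.statd, from the NFS server"),
    ]
    if expose_console_proxy:
        policy.append(("eth0", "tcp", 8443, None, "console proxy for tenant VM consoles"))

    rules = [
        "iptables -A INPUT -i lo -j ACCEPT  # cell-management-tool uses the loopback address",
        "iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT",
    ]
    for iface, proto, port, sources, why in policy:
        if sources is None:
            sources = [None]   # reachable from any address
        elif not sources:
            continue           # no peers configured: keep the port closed, never open it wide
        for src in sources:
            src_match = f" -s {src}" if src else ""
            rules.append(
                f"iptables -A INPUT -i {iface}{src_match} -p {proto} --dport {port} -j ACCEPT  # {why}"
            )
    # Anything not matched above, including JMX on 8998/8999 and HTTP on 80,
    # is dropped on both interfaces.
    rules.append("iptables -A INPUT -i eth0 -j DROP  # JMX 8998/8999, HTTP 80, anything unlisted")
    rules.append("iptables -A INPUT -i eth1 -j DROP")
    return rules


if __name__ == "__main__":
    # Placeholder networks; replace with your admin, cell and NFS addresses.
    for rule in build_rules("10.10.0.0/24", ["10.20.0.0/24"], nfs_server="10.30.0.5"):
        print(rule)
```

Two design points worth keeping if you adapt this: an empty peer list closes a port rather than opening it to everyone, and the host-bit check on CIDRs stops a mistyped mask from widening a rule. The conntrack rule assumes the nf_conntrack module is available, which is the case on standard Linux kernels.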

  • Traffic routing

    Route traffic between VMware Cloud Director servers and the following servers over the network attached to the eth1 interface:

    • RabbitMQ
    • Cassandra
    • NFS

    If possible, route the traffic between VMware Cloud Director servers, vSphere, and NSX over the eth1 interface.

  • NFS

    Use NFSv4 for the transfer service storage. NFSv3 does not offer in-transit encryption for integrity and confidentiality, and NFSv3 services cannot authenticate users to enforce the proper access control to files. NFSv4 provides these protections only when the share is mounted with Kerberos security (sec=krb5i for integrity, sec=krb5p for integrity and confidentiality); an NFSv4 mount with sec=sys still trusts client-asserted user identities and sends data in the clear. Additional information about configuring and securing the VMware Cloud Director transfer service is available in VMware Knowledge Base article 2086127.

    The appliance also uses the available NFS server to store metadata for the database HA feature and as a target for embedded database backups.
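Since the appliance ends up with several NFS mounts (transfer service, database HA metadata, database backups), it is worth checking all of them rather than only the transfer share. The following script is an added example, not VMware's code: it parses /proc/mounts and flags NFS mounts under a given mount-point prefix that use NFSv3 or that lack Kerberos integrity or privacy protection. The sample mount table embedded in it is constructed, and the /mnt/vcd prefix, server name and mount points are invented; on a real cell pass the directory your transfer service and backups actually use.

```python
"""Audit NFS mounts used by a VMware Cloud Director cell or appliance.

Added example, not VMware's code. It reads /proc/mounts (or the constructed
sample below) and flags shares under a mount-point prefix that are mounted
with NFSv3 or without Kerberos integrity/privacy. Server names and mount
points in the sample are invented.
"""

# Constructed sample in /proc/mounts format: a legacy NFSv3 share, an NFSv4
# share mounted with sec=sys, a correctly secured NFSv4 share, a local disk.
SAMPLE_MOUNTS = """\
nfs.example.internal:/export/transfer-legacy /mnt/vcd/transfer-legacy nfs rw,relatime,vers=3,rsize=1048576,wsize=1048576,hard,proto=tcp,sec=sys,addr=10.30.0.5 0 0
nfs.example.internal:/export/dbbackup /mnt/vcd/dbbackup nfs4 rw,relatime,vers=4.1,rsize=1048576,wsize=1048576,hard,proto=tcp,sec=sys,clientaddr=10.20.0.11,addr=10.30.0.5 0 0
nfs.example.internal:/export/transfer /mnt/vcd/transfer nfs4 rw,relatime,vers=4.1,rsize=1048576,wsize=1048576,hard,proto=tcp,sec=krb5p,clientaddr=10.20.0.11,addr=10.30.0.5 0 0
/dev/sda3 / ext4 rw,relatime 0 0
"""


def parse_mounts(text):
    """Parse /proc/mounts lines into dicts: device, mountpoint, fstype, options.
    Options without a value (rw, hard) map to True; key=value options keep
    their string value."""
    mounts = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 4:
            continue
        options = {}
        for opt in fields[3].split(","):
            key, _, value = opt.partition("=")
            options[key] = value if value else True
        mounts.append({"device": fields[0], "mountpoint": fields[1],
                       "fstype": fields[2], "options": options})
    return mounts


def nfs_findings(mounts, mountpoint_prefix):
    """Return (mountpoint, code, message) tuples for NFS mounts under the
    prefix that fall short of NFSv4 with Kerberos protection."""
    findings = []
    for m in mounts:
        if not m["fstype"].startswith("nfs") or not m["mountpoint"].startswith(mountpoint_prefix):
            continue
        opts = m["options"]
        # /proc/mounts reports vers=3 or vers=4.x; fstype nfs4 also implies v4
        vers = str(opts.get("vers", "4" if m["fstype"] == "nfs4" else "3"))
        if not vers.startswith("4"):
            findings.append((m["mountpoint"], "nfsv3",
                             f"NFSv{vers}: no in-transit integrity or confidentiality, "
                             "and the server trusts client-asserted UIDs"))
        sec = opts.get("sec", "sys")
        if sec == "sys":
            findings.append((m["mountpoint"], "sec",
                             "sec=sys: users are not authenticated and traffic is cleartext; mount with sec=krb5p"))
        elif sec == "krb5":
            findings.append((m["mountpoint"], "sec",
                             "sec=krb5: Kerberos authenticates users but data is unsigned and cleartext; use krb5i or krb5p"))
    return findings


def audit_file(path="/proc/mounts", mountpoint_prefix="/mnt/vcd"):
    """Audit the live mount table; the default prefix is a placeholder."""
    with open(path) as fh:
        return nfs_findings(parse_mounts(fh.read()), mountpoint_prefix)


if __name__ == "__main__":
    for mountpoint, code, message in nfs_findings(parse_mounts(SAMPLE_MOUNTS), "/mnt/vcd"):
        print(f"{mountpoint}: [{code}] {message}")
```

On the sample, the legacy share produces both an nfsv3 and a sec finding, the backup share only a sec finding, and the krb5p transfer share none, which is the state every mount should reach.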