Secure operation of VMware Cloud Director requires a secure network environment. Configure and test this network environment before you begin installing VMware Cloud Director.
Connect all VMware Cloud Director servers to a network that is secured and monitored.
For information on the network ports and protocols used by VMware Cloud Director, see VMware Ports and Protocols.
- Do not connect VMware Cloud Director directly to the public Internet. Always protect VMware Cloud Director network connections with a firewall. Only port 443 (HTTPS) must be open to incoming connections. If needed, ports 22 (SSH) and 80 (HTTP) can also be opened for incoming connections. In addition, the cell-management-tool requires access to the cell's loopback address. The firewall must reject all other incoming traffic from a public network, including requests to JMX (port 8999).
Table 1. Ports That Must Allow Incoming Packets from VMware Cloud Director Hosts

| Port | Protocol | Comments |
|---|---|---|
| 111 | TCP, UDP | NFS portmapper used by transfer service |
| 920 | TCP, UDP | NFS rpc.statd used by transfer service |
| 61611 | TCP | AMQP messaging bus that is used for communication between cells |
| 61616 | TCP | AMQP Artemis messaging bus for inter-cell communication over JMS |
- Do not connect the ports used for outgoing connections to the public network.
Table 2. Ports That Must Allow Outgoing Packets from VMware Cloud Director Hosts

| Port | Protocol | Comments |
|---|---|---|
| 25 | TCP, UDP | SMTP for sending outbound notification emails |
| 53 | TCP, UDP | Name resolution over DNS |
| 111 | TCP, UDP | NFS portmapper used by transfer service |
| 123 | TCP, UDP | Time synchronization over NTP |
| 389 | TCP, UDP | Query Active Directory using LDAP |
| 443 | TCP | vCenter Server, NSX Manager, and ESXi connections using the standard port. If you have chosen a different port for these services, disable the connection to port 443 and enable them for the port you have chosen. |
| 514 | UDP | Optional. Enables syslog use. |
| 689 | TCP, UDP | LDAP over SSL (LDAPS) connections. |
| 902 | TCP | ESXi host network communication. |
| 903 | TCP | Network communication to vCenter Server instances |
| 920 | TCP, UDP | NFS rpc.statd used by transfer service. |
| 5432 | TCP | Default PostgreSQL database port |
| 5672 | TCP, UDP | Optional port at which the broker listens for messages. RabbitMQ messaging for task extensions |
| 61611 | TCP | AMQP messaging bus for inter-cell communication |
| 61616 | TCP | ActiveMQ Artemis messaging bus for inter-cell communication over JMS |
- Starting with version 10.1, service providers and tenants can use the VMware Cloud Director API to test connections to remote servers, and to verify the server identity as part of an SSL handshake. To protect VMware Cloud Director network connections, configure a denylist of internal hosts that are unreachable to tenants who are using the VMware Cloud Director API for connection testing. Configure the denylist after the VMware Cloud Director installation or upgrade and before granting tenants access to VMware Cloud Director. See Configure a Test Connection Denylist.
- Route traffic between VMware Cloud Director servers and the following servers over a dedicated private network:
  - VMware Cloud Director database server
- If possible, route traffic between VMware Cloud Director servers, vSphere, and NSX over a dedicated private network.
- Virtual switches and distributed virtual switches that support provider networks must be isolated from each other. They cannot share the same layer 2 physical network segment.
- Use NFSv4 for the transfer service storage. NFSv3 does not offer in-transit encryption for integrity and confidentiality. NFSv3 services cannot authenticate users to enforce the proper access control to files. Additional information about configuring and securing the VMware Cloud Director transfer service is available in VMware Knowledge Base article 2086127.
- If you decide to join VMware’s Customer Experience Improvement Program (CEIP), create a firewall rule that allows the outgoing traffic to the VMware Analytics Cloud at https://vcsa.vmware.com/.
VMware Cloud Director Appliance-Specific Network Security Requirements
The VMware Cloud Director appliance is deployed with two networks, eth0 and eth1, so that you can isolate the HTTP traffic from the database traffic. Different services listen on one or both of the corresponding network interfaces.
| Service | Port on eth0 | Port on eth1 |
|---|---|---|
| SSH | 22 | 22 |
| HTTP | 80 | n/a |
| HTTPS | 443 | n/a |
| PostgreSQL | n/a | 5432 |
| Management UI | 5480 | 5480 |
| Console proxy | 8443 | n/a |
| JMX | 8998, 8999 | n/a |
| JMS/ActiveMQ | 61616 | n/a |
The VMware Cloud Director appliance supports user customization of firewall rules by using iptables. To add custom iptables rules, you can add your own configuration data to the end of the /etc/systemd/scripts/iptables file.
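As an added example (not from the VMware documentation), the following shell function emits the inbound iptables rules that the firewall guidance at the top of this page and Table 1 describe, in a form that can be appended to the end of /etc/systemd/scripts/iptables on the appliance. The cell, NFS server and admin-network addresses are constructed placeholders, and the closing REJECT/DROP lines assume no further INPUT rules follow them.

```shell
# Added example, not from the VMware documentation: emits the iptables rules
# for a Cloud Director cell's inbound policy. Append the output to the end of
# /etc/systemd/scripts/iptables on the appliance, as the text above describes.
# CELL_HOSTS, NFS_SERVER and ADMIN_NET are constructed sample values.
CELL_HOSTS="${CELL_HOSTS:-10.0.1.11 10.0.1.12}"   # the other cells in the group
NFS_SERVER="${NFS_SERVER:-10.0.1.20}"             # transfer service NFS server
ADMIN_NET="${ADMIN_NET:-10.0.100.0/24}"           # network allowed to reach SSH

vcd_inbound_rules() {
  local peer
  # cell-management-tool needs the cell's loopback address
  echo "iptables -A INPUT -i lo -j ACCEPT"
  echo "iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"
  # HTTPS is the only port that must accept connections from anywhere;
  # add a matching line for 80 only if plain HTTP is genuinely needed
  echo "iptables -A INPUT -p tcp --dport 443 -j ACCEPT"
  # SSH is optional; keep it off the public side of the firewall
  echo "iptables -A INPUT -p tcp --dport 22 -s $ADMIN_NET -j ACCEPT"
  # Table 1 ports: AMQP/Artemis (61611, 61616) between cells, NFS portmapper
  # and rpc.statd (111, 920) from the cells and the NFS server only
  for peer in $CELL_HOSTS; do
    echo "iptables -A INPUT -p tcp -m multiport --dports 61611,61616 -s $peer -j ACCEPT"
  done
  for peer in $CELL_HOSTS $NFS_SERVER; do
    echo "iptables -A INPUT -p tcp -m multiport --dports 111,920 -s $peer -j ACCEPT"
    echo "iptables -A INPUT -p udp -m multiport --dports 111,920 -s $peer -j ACCEPT"
  done
  # JMX (8998, 8999) is rejected explicitly; everything else is dropped
  echo "iptables -A INPUT -p tcp -m multiport --dports 8998,8999 -j REJECT"
  echo "iptables -A INPUT -j DROP"
}

# Sanity check before appending: every ACCEPT other than loopback, conntrack
# and 443 must carry a source restriction. Returns non-zero if one does not.
vcd_check_rules() {
  vcd_inbound_rules | grep 'ACCEPT' \
    | grep -v -e '-i lo' -e 'conntrack' -e '--dport 443' \
    | grep -v -q -- ' -s ' && return 1
  return 0
}

# Usage on the appliance (as root):
#   vcd_check_rules && vcd_inbound_rules >> /etc/systemd/scripts/iptables
```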
- Traffic routing
Route traffic between VMware Cloud Director servers and the following servers over the network attached to the
If possible, route the traffic between VMware Cloud Director servers, vSphere, and NSX over the
Use NFSv4 for the transfer service storage. NFSv3 does not offer in-transit encryption for integrity and confidentiality. NFSv3 services cannot authenticate users to enforce the proper access control to files. Additional information about configuring and securing the VMware Cloud Director transfer service is available in VMware Knowledge Base article 2086127.
The appliance takes additional advantage of the available NFS server to store metadata for the database HA feature, and to act as a target for embedded database backups.