Secure operation of vCloud Director requires a secure network environment. Configure and test this network environment before you begin installing vCloud Director.
Connect all vCloud Director servers to a network that is secured and monitored. vCloud Director network connections have several additional requirements:
- Do not connect vCloud Director directly to the public Internet. Always protect vCloud Director network connections with a firewall. Only port 443 (HTTPS) must be open to incoming connections. Ports 22 (SSH) and 80 (HTTP) can also be opened for incoming connections if needed. In addition, the cell-management-tool requires access to the cell's loopback address. All other incoming traffic from a public network must be rejected by the firewall.
Table 1. Ports That Must Allow Incoming Packets From vCloud Director Hosts

| Port | Protocol | Comments |
|---|---|---|
| 111 | TCP, UDP | NFS portmapper used by transfer service |
| 920 | TCP, UDP | NFS rpc.statd used by transfer service |
| 61611 | TCP | AMQP |
| 61616 | TCP | AMQP |
- Do not connect the ports used for outgoing connections to the public network.
Table 2. Ports That Must Allow Outgoing Packets From vCloud Director Hosts

| Port | Protocol | Comments |
|---|---|---|
| 25 | TCP, UDP | SMTP |
| 53 | TCP, UDP | DNS |
| 111 | TCP, UDP | NFS portmapper used by transfer service |
| 123 | TCP, UDP | NTP |
| 389 | TCP, UDP | LDAP |
| 443 | TCP | vCenter, NSX Manager, and ESXi connections |
| 514 | UDP | Optional. Enables syslog use. |
| 902 | TCP | vCenter and ESXi connections. |
| 903 | TCP | vCenter and ESXi connections. |
| 920 | TCP, UDP | NFS rpc.statd used by transfer service. |
| 1433 | TCP | Default Microsoft SQL Server database port. |
| 1521 | TCP | Default Oracle database port. |
| 5672 | TCP, UDP | Optional. AMQP messages for task extensions. |
| 61611 | TCP | AMQP |
| 61616 | TCP | AMQP |
- Route traffic between vCloud Director servers and the vCloud Director database server over a dedicated private network if possible.
- Virtual switches and distributed virtual switches that support provider networks must be isolated from each other. They cannot share the same level 2 physical network segment.
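The following audit script is an added example, not part of the VMware documentation. It checks a cell's listening TCP sockets against the inbound policy above (443 required, 22 and 80 optional, loopback-only listeners tolerated for the cell-management-tool, anything else unexpected). The `ss -Hltn` output it parses is constructed for illustration, and the column layout it assumes is that of iproute2 `ss` on Linux.

```python
"""Audit listening TCP sockets on a vCloud Director cell against the
inbound firewall policy: 443 required, 22/80 optional, loopback-only
listeners acceptable, everything else flagged as unexpected."""
import re
from ipaddress import ip_address

REQUIRED_INBOUND = {443}      # HTTPS must be reachable
OPTIONAL_INBOUND = {22, 80}   # SSH and HTTP may be opened if needed

# Constructed sample of `ss -Hltn` output (not captured from a real cell).
# Columns: State Recv-Q Send-Q Local-Address:Port Peer-Address:Port
SAMPLE_SS_OUTPUT = """\
LISTEN 0      128        0.0.0.0:443        0.0.0.0:*
LISTEN 0      128        0.0.0.0:22         0.0.0.0:*
LISTEN 0      50       127.0.0.1:61616      0.0.0.0:*
LISTEN 0      128           [::]:8443          [::]:*
LISTEN 0      128      127.0.0.1:5432       0.0.0.0:*
"""

_LISTEN_RE = re.compile(r"^LISTEN\s+\d+\s+\d+\s+(\S+):(\d+)\s+\S+")


def parse_listeners(ss_output):
    """Yield (local_address, port) for every LISTEN line; IPv6 brackets stripped."""
    for line in ss_output.splitlines():
        match = _LISTEN_RE.match(line)
        if match:
            yield match.group(1).strip("[]"), int(match.group(2))


def is_loopback(addr):
    """True for 127.0.0.0/8 and ::1; wildcard or unparsable addresses are not."""
    try:
        return ip_address(addr).is_loopback
    except ValueError:
        return False


def audit_listeners(ss_output):
    """Classify each non-loopback listener as required, optional or unexpected."""
    findings = {}
    for addr, port in parse_listeners(ss_output):
        if is_loopback(addr):
            continue  # local-only services (cell-management-tool, DB) are fine
        if port in REQUIRED_INBOUND:
            findings[port] = "required"
        elif port in OPTIONAL_INBOUND:
            findings[port] = "optional"
        else:
            findings[port] = "unexpected"
    return findings


def missing_required(ss_output):
    """Required inbound ports that nothing is listening on externally."""
    return REQUIRED_INBOUND - set(audit_listeners(ss_output))
```

Run it on the real output of `ss -Hltn` on each cell; any port reported as unexpected should either be moved to loopback or explicitly blocked at the firewall.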