You open required ports on your firewall to ensure that VMware Integrated OpenStack can operate properly.

Note: In a compact deployment, the controller, load balancer, and database nodes are deployed as a single virtual machine. In a tiny deployment, the controller, load balancer, database, and compute nodes are deployed as a single virtual machine. In both cases, the rows below that name those node types apply to that single virtual machine.

All ports listed are TCP unless otherwise specified. Open each port only on the network listed for it: a port marked Internal is used by the control plane and should not be reachable from the public network.

| Object | Port number | Network | Service or product | Description |
|---|---|---|---|---|
| Load balancer, controller, database, and compute nodes | 22 | Internal | SSH | SSH (used by Ansible) |
| OpenStack Management Server | 53 (TCP or UDP) | Internal | DNS | FQDN resolution |
| OpenStack Management Server | 123 (UDP) | Internal | NTP | NTP service |
| Load balancer nodes | 443 | Public and internal | OpenStack dashboard service | VMware Integrated OpenStack dashboard |
| OpenStack Management Server | 443 | Internal | OpenStack Management Server | OpenStack Management Server |
| ESXi hosts | 443 | Internal | ESXi hosts | ESXi API endpoint |
| NSX Manager | 443 | Internal | NSX Manager | NSX Manager endpoint |
| vCenter Server Appliance | 443 | Internal | vCenter Server | vCenter Server API endpoint |
| Load balancer and database nodes | 3306 | Public and internal | OpenStack API services | Database cluster |
| Database nodes | 4369 | Internal | OpenStack RPC bus | Erlang port mapper daemon (epmd), used by RabbitMQ |
| Database nodes | 4444 | Internal | OpenStack database | MariaDB Galera state snapshot transfers |
| Database nodes | 4567 | Internal | OpenStack database | MariaDB Galera replication traffic |
| Database nodes | 4568 | Internal | OpenStack database | MariaDB Galera incremental state transfers |
| Load balancer and controller nodes | 5000 | Public and internal | OpenStack API services | Keystone API endpoint |
| Database nodes | 5672 | Internal | OpenStack RPC bus | RabbitMQ message bus |
| Load balancer and controller nodes | 6080 | Public and internal | OpenStack console services | noVNC proxy |
| Load balancer and controller nodes | 6083 | Public and internal | OpenStack console services | Serial proxy |
| Load balancer and controller nodes | 6090 | Public and internal | OpenStack console services | MKS proxy |
| Load balancer and controller nodes | 8000 | Public and internal | OpenStack API services | Heat CloudFormation API endpoint |
| Load balancer and controller nodes | 8004 | Public and internal | OpenStack API services | Heat API endpoint |
| Load balancer nodes | 8080 | Internal | OpenStack load balancer UI | HAProxy web UI |
| OpenStack Management Server | 8088 | Internal | OpenStack Management Server | Jarvis |
| OpenStack Management Server | 8443 | Internal | OpenStack Management Server | OpenStack Management Server OpenAPI documentation |
| Load balancer and controller nodes | 8774 | Public and internal | OpenStack API services | Nova API endpoint |
| Controller nodes | 8775 | Internal | OpenStack metadata | Metadata service (required unless config drive is used) |
| Load balancer and controller nodes | 8776 | Public and internal | OpenStack API services | Cinder API endpoint |
| Load balancer and controller nodes | 8778 | Public and internal | OpenStack API services | Nova placement API |
| Load balancer and controller nodes | 9191 | Internal | OpenStack API services | Glance registry endpoint |
| Load balancer and controller nodes | 9292 | Public and internal | OpenStack API services | Glance API endpoint |
| vCenter Server Appliance | 9443 | Internal | vCenter Server | vCenter Server |
| OpenStack Management Server | 9449 | Internal | vAPI | vAPI |
| Load balancer and controller nodes | 9696 | Public and internal | OpenStack API services | Neutron API endpoint |
| Database nodes | 11211 | Internal | OpenStack control plane cache | Memory cache services (memcached) for controller nodes |
| Load balancer and controller nodes | 35357 | Public and internal | OpenStack API services | Keystone administrator API endpoint |

If you want to use LDAP or Active Directory, the following ports must also be open. Where the directory supports it, open only the LDAPS ports (636 and 3269) and point Keystone at them, so that bind credentials and directory queries do not cross the network in clear text.

| Object | Port number | Network | Service or product | Description |
|---|---|---|---|---|
| Active Directory or LDAP hosts | 389 | Internal | Domain controller or LDAP server | Serving LDAP requests (non-secured) |
| Active Directory or LDAP hosts | 636 | Internal | Domain controller or LDAP server (LDAPS) | Serving LDAP requests (secured) |
| Active Directory or LDAP hosts | 3268 | Internal | Domain controller | Serving LDAP requests with global catalog (non-secured) |
| Active Directory or LDAP hosts | 3269 | Internal | Domain controller (LDAPS) | Serving LDAP requests with global catalog (secured) |

If you want to forward logs to vRealize Log Insight, the following port must also be open.

| Object | Port number | Network | Service or product | Description |
|---|---|---|---|---|
| vRealize Log Insight syslog server | 514 (TCP or UDP) | Internal | Syslog server | Syslog service |

If you deploy Ceilometer, the following ports must also be open.

| Object | Port number | Network | Service or product | Description |
|---|---|---|---|---|
| Ceilometer and Gnocchi storage nodes | 22 | Internal | SSH | SSH (used by Ansible) |
| Load balancer and Gnocchi storage nodes | 8041 | Public and internal | OpenStack API services | Gnocchi API endpoint |
| Load balancer and Ceilometer nodes | 8042 | Public and internal | OpenStack API services | Aodh API endpoint |
| Load balancer and Ceilometer nodes | 8779 | Public and internal | OpenStack API services | Panko API endpoint |

If you deploy Designate, the following ports must also be open.

| Object | Port number | Network | Service or product | Description |
|---|---|---|---|---|
| Load balancer nodes | 53 (UDP) | Public | DNS | Designate MiniDNS service |
| Load balancer and controller nodes | 9001 | Public and internal | OpenStack API services | Designate endpoint |
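The tables above say which port must be open on which network; two checks follow from them that are worth running before and after a deployment. First, from an internal host, confirm that every required TCP port is actually reachable on the node type that serves it. Second, from a host on the public network, confirm that nothing marked Internal (SSH, the Galera and RabbitMQ ports, memcached, the metadata service, the Glance registry) answers. The script below is an added example written for this page; it is not part of VMware Integrated OpenStack or its documentation. The `PortRule` data model, the function names, the node-type labels and the `(port, proto)` scan-result format are this example's own conventions, and `REQUIRED` is a constructed subset of the main table, not the full list.

```python
"""Encode the VIO port table as data, then verify reachability and audit
public exposure of internal-only ports. Added example; names, node-type
labels and the scan-result format are this script's own assumptions."""
import socket
from dataclasses import dataclass


@dataclass(frozen=True)
class PortRule:
    target: str          # node type that listens (illustrative label)
    port: int
    proto: str           # "tcp" or "udp"
    networks: frozenset  # networks allowed to reach it
    description: str


INTERNAL = frozenset({"internal"})
BOTH = frozenset({"internal", "public"})

# Constructed subset of the main table above (one row per service family).
REQUIRED = [
    PortRule("all-nodes", 22, "tcp", INTERNAL, "SSH (used by Ansible)"),
    PortRule("management", 53, "udp", INTERNAL, "FQDN resolution"),
    PortRule("management", 123, "udp", INTERNAL, "NTP service"),
    PortRule("loadbalancer", 443, "tcp", BOTH, "VIO dashboard"),
    PortRule("database", 3306, "tcp", BOTH, "Database cluster"),
    PortRule("database", 4369, "tcp", INTERNAL, "epmd (RabbitMQ)"),
    PortRule("database", 4567, "tcp", INTERNAL, "Galera replication"),
    PortRule("controller", 5000, "tcp", BOTH, "Keystone API"),
    PortRule("database", 5672, "tcp", INTERNAL, "RabbitMQ message bus"),
    PortRule("controller", 8774, "tcp", BOTH, "Nova API"),
    PortRule("controller", 8775, "tcp", INTERNAL, "Metadata service"),
    PortRule("controller", 9191, "tcp", INTERNAL, "Glance registry"),
    PortRule("database", 11211, "tcp", INTERNAL, "memcached"),
    PortRule("controller", 35357, "tcp", BOTH, "Keystone admin API"),
]


def check_tcp_port(host, port, timeout=2.0):
    """True if a TCP handshake to host:port completes within `timeout`.
    UDP rows (53, 123, 514) cannot be checked this way: a UDP socket never
    fails to 'connect', so those need a protocol-level probe instead."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def required_on(network, rules=REQUIRED):
    """(port, proto) pairs the table requires to be reachable from `network`."""
    return {(r.port, r.proto) for r in rules if network in r.networks}


def missing_required(network, reachable, rules=REQUIRED):
    """Required ports on `network` that a scan did not find open.
    `reachable` is an iterable of (port, proto) observed from that network."""
    return sorted(required_on(network, rules) - set(reachable))


def exposed_internal_only(reachable_from_public, rules=REQUIRED):
    """Ports reachable from the public network that the table marks Internal.
    Every hit is a control-plane service that tenants must never reach."""
    internal_only = {(r.port, r.proto): r for r in rules if r.networks == INTERNAL}
    hits = []
    for port, proto in reachable_from_public:
        rule = internal_only.get((port, proto))
        if rule is not None:
            hits.append((port, proto, rule.target, rule.description))
    return sorted(hits)


def verify_hosts(hosts_by_target, network, rules=REQUIRED, timeout=2.0):
    """Live check: connect to every TCP port the table requires on `network`
    for each host of the matching node type. Returns (host, port, description)
    for every failed connection; UDP rows are skipped (see check_tcp_port)."""
    failures = []
    for r in rules:
        if r.proto != "tcp" or network not in r.networks:
            continue
        for host in hosts_by_target.get(r.target, []):
            if not check_tcp_port(host, r.port, timeout):
                failures.append((host, r.port, r.description))
    return failures


if __name__ == "__main__":
    # Constructed result of a port scan run from the public network.
    public_scan = [(443, "tcp"), (5000, "tcp"), (3306, "tcp"), (5672, "tcp"), (22, "tcp")]
    for hit in exposed_internal_only(public_scan):
        print("EXPOSED internal-only port:", hit)
    print("Required on public but not reachable:", missing_required("public", public_scan))
```

`exposed_internal_only` is the check that catches the common mistake of applying one permissive rule set to both the public and the internal interface; `verify_hosts` is the pre-flight check for the internal side. Note that 3306 is listed as public and internal on the page, so the audit does not flag it; whether the database VIP should really be reachable from the public network is a decision to make explicitly, not by default.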