You open required ports on your firewall to ensure that VMware Integrated OpenStack can operate properly.

Note: In a compact deployment, controllers, load balancers, and database nodes are deployed as a single virtual machine.

| Virtual Machine | Port Number | Network | Service or Product | Description |
|---|---|---|---|---|
| Load balancers, controllers, database nodes, and compute nodes | 22 | Internal | SSH | SSH (used by Ansible) |
| OpenStack Management Server | 123 (UDP) | Internal | NTP | NTP service |
| Load balancers | 443 | Public and internal | OpenStack dashboard service | Horizon |
| OpenStack Management Server | 443 | Internal | OpenStack Management Server | OpenStack Management Server |
| ESXi hosts | 443 | Internal | ESXi hosts | ESXi API endpoint |
| NSX Manager | 443 | Internal | NSX Manager | NSX Manager endpoint |
| vCenter Server appliance | 443 | Internal | vCenter Server | vCenter Server API endpoint |
| Load balancers and database nodes | 3306 | Public and internal | OpenStack API services | Database cluster |
| Database nodes | 4369 | Internal | OpenStack RPC bus | RabbitMQ port mapper daemon (epmd) service |
| Database nodes | 4444 | Internal | OpenStack database | MariaDB Galera state snapshot transfers |
| Database nodes | 4567 | Internal | OpenStack database | MariaDB Galera replication traffic |
| Database nodes | 4568 | Internal | OpenStack database | MariaDB Galera incremental state transfers |
| Load balancers and controllers | 5000 | Public and internal | OpenStack API services | Keystone API endpoint |
| Database nodes | 5672 | Internal | OpenStack RPC bus | RabbitMQ message bus |
| Load balancers and controllers | 6080 | Public and internal | OpenStack console services | novnc proxy |
| Load balancers and controllers | 6083 | Public and internal | OpenStack console services | Serial proxy |
| Load balancers and controllers | 6090 | Public and internal | OpenStack console services | MKS proxy |
| Load balancers and controllers | 8000 | Public and internal | OpenStack API services | Heat CloudFormation API endpoint |
| Load balancers and controllers | 8004 | Public and internal | OpenStack API services | Heat API endpoint |
| Load balancers | 8080 | Internal | OpenStack load balancer UI | HAProxy web UI |
| OpenStack Management Server | 8088 | Internal | OpenStack Management Server | Jarvis |
| OpenStack Management Server | 8443 | Internal | OpenStack Management Server | OpenStack Management Server API documentation (OpenAPI/Swagger) |
| Load balancers and controllers | 8774 | Public and internal | OpenStack API services | Nova API endpoint |
| Controllers | 8775 | Internal | OpenStack metadata | Metadata service (required unless config drive is used) |
| Load balancers and controllers | 8776 | Public and internal | OpenStack API services | Cinder API endpoint |
| Load balancers and controllers | 8778 | Public and internal | OpenStack API services | Nova Placement API |
| Load balancers and controllers | 9191 | Internal | OpenStack API services | Glance Registry endpoint |
| Load balancers and controllers | 9292 | Public and internal | OpenStack API services | Glance API endpoint |
| vCenter Server appliance | 9443 | Internal | vCenter Server | vCenter Server |
| OpenStack Management Server | 9449 | Internal | vAPI | vAPI |
| Load balancers and controllers | 9696 | Public and internal | OpenStack API services | Neutron API endpoint |
| Database nodes | 11211 | Internal | OpenStack control plane cache | Memory cache services for controller nodes |
| Load balancers and controllers | 35357 | Public and internal | OpenStack API services | Keystone Admin API endpoint |
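The Network column separates ports that may face the public network from ports that must stay internal (the RabbitMQ bus, the memory cache, the HAProxy web UI). The following added example, which is not part of the VMware documentation, audits a list of observed reachable ports against a subset of the rows above; the role names and the observation format are assumptions made for the example.

```python
from typing import NamedTuple

class Rule(NamedTuple):
    role: str      # shorthand role name chosen for this example
    port: int
    public: bool   # True = "Public and internal", False = "Internal"
    service: str

# Subset of rows from the table above.
MATRIX = [
    Rule("load_balancer", 443, True, "Horizon"),
    Rule("load_balancer", 5000, True, "Keystone API endpoint"),
    Rule("load_balancer", 8774, True, "Nova API endpoint"),
    Rule("load_balancer", 8080, False, "HAProxy web UI"),
    Rule("database", 4369, False, "RabbitMQ port mapper daemon (epmd)"),
    Rule("database", 5672, False, "RabbitMQ message bus"),
    Rule("database", 11211, False, "Memory cache services"),
]

def audit(observations):
    """observations: (role, port, source) tuples for ports found reachable, source
    being 'public' or 'internal'. Returns sorted (severity, role, port, message)."""
    rules = {(r.role, r.port): r for r in MATRIX}
    seen_public, findings = set(), []
    for role, port, source in sorted(set(observations)):
        rule = rules.get((role, port))
        if rule is None:
            findings.append(("warn", role, port, f"reachable from {source} but not in the matrix"))
        elif source == "public":
            seen_public.add((role, port))
            if not rule.public:
                findings.append(("high", role, port, f"{rule.service} is internal-only but reachable from public"))
    for key, rule in rules.items():
        if rule.public and key not in seen_public:
            findings.append(("info", rule.role, rule.port, f"{rule.service} should be public but was not reachable"))
    return sorted(findings)

# Constructed sample observations (not real scan data).
SAMPLE = [
    ("load_balancer", 443, "public"),
    ("load_balancer", 5000, "public"),
    ("load_balancer", 8080, "public"),   # HAProxy web UI exposed on the public side
    ("database", 11211, "internal"),     # allowed: internal-only port seen internally
    ("database", 5672, "public"),        # message bus exposed on the public side
    ("controller", 9999, "internal"),    # port not listed in the matrix
]

if __name__ == "__main__":
    print(*audit(SAMPLE), sep="\n")
```
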

If you want to use LDAP or Active Directory, the following ports must also be open.

| Virtual Machine | Port Number | Network | Service or Product | Description |
|---|---|---|---|---|
| Active Directory or LDAP hosts | 389 | Internal | Domain controller or LDAP server | Serving LDAP requests (non-secured) |
| Active Directory or LDAP hosts | 636 | Internal | Domain controller or LDAP server (LDAPS) | Serving LDAP requests (secured) |
| Active Directory or LDAP hosts | 3268 | Internal | Domain controller | Serving LDAP requests with global catalog (non-secured) |
| Active Directory or LDAP hosts | 3269 | Internal | Domain controller (LDAPS) | Serving LDAP requests with global catalog (secured) |

If you want to forward logs to vRealize Log Insight, the following port must also be open.

| Virtual Machine | Port Number | Network | Service or Product | Description |
|---|---|---|---|---|
| vRealize Log Insight syslog server | 514 (TCP or UDP) | Internal | Syslog server | Syslog service |

If you deploy Ceilometer, the following ports must also be open.

| Virtual Machine | Port Number | Network | Service or Product | Description |
|---|---|---|---|---|
| Ceilometer and Gnocchi storage nodes | 22 | Internal | SSH | SSH (used by Ansible) |
| Load balancers and Gnocchi storage nodes | 8041 | Public and internal | OpenStack API services | Gnocchi API endpoint |
| Load balancers and Ceilometer nodes | 8042 | Public and internal | OpenStack API services | Aodh API endpoint |
| Load balancers and Ceilometer nodes | 8779 | Public and internal | OpenStack API services | Panko API endpoint |

If you deploy Designate, the following port must also be open.

| Virtual Machine | Port Number | Network | Service or Product | Description |
|---|---|---|---|---|
| Load balancers and controllers | 9001 | Public and internal | OpenStack API services | Designate endpoint |