You open required ports on your firewall to ensure that VMware Integrated OpenStack can operate properly.
All ports listed are TCP unless otherwise specified.
| Object | Port Number | Network | Service or Product | Description |
|---|---|---|---|---|
| Load balancer, controller, database, and compute nodes |
22 | Internal |
SSH |
SSH (used by Ansible) |
| OpenStack Management Server |
53 (TCP or UDP) | Internal |
DNS |
FQDN resolution |
| OpenStack Management Server |
123 (UDP) | Internal |
NTP |
NTP service |
| Load balancer nodes |
443 | Public and internal |
OpenStack dashboard service |
VMware Integrated OpenStack dashboard |
| OpenStack Management Server |
443 | Internal |
OpenStack Management Server |
OpenStack Management Server |
| ESXi hosts |
443 | Internal |
ESXi hosts |
ESXi API endpoint |
| NSX Manager |
443 | Internal |
NSX Manager |
NSX Manager endpoint |
| vCenter Server Appliance |
443 | Internal |
vCenter Server |
vCenter Server API endpoint |
| Load balancer and database nodes |
3306 | Public and internal |
OpenStack API services |
Database cluster |
| Database nodes |
4369 | Internal |
OpenStack RPC bus |
RabbitMQ port mapper daemon (epmd) service |
| Database nodes |
4444 | Internal |
OpenStack database |
MariaDB Galera state snapshot transfers |
| Database nodes |
4567 | Internal |
OpenStack database |
MariaDB Galera replication traffic |
| Database nodes |
4568 | Internal |
OpenStack database |
MariaDB Galera incremental state transfers |
| Load balancer and controller nodes |
5000 | Public and internal |
OpenStack API services |
Keystone API endpoint |
| Database nodes |
5672 | Internal |
OpenStack RPC bus |
RabbitMQ message bus |
| Load balancer and controller nodes |
6080 | Public and internal |
OpenStack console services |
novnc proxy |
| Load balancer and controller nodes |
6083 | Public and internal |
OpenStack console services |
Serial proxy |
| Load balancer and controller nodes |
6090 | Public and internal |
OpenStack console services |
MKS proxy |
| Load balancer and controller nodes |
8000 | Public and internal |
OpenStack API services |
Heat CloudFormation API endpoint |
| Load balancer and controller nodes |
8004 | Public and internal |
OpenStack API services |
Heat API endpoint |
| Load balancer nodes |
8080 | Internal |
OpenStack load balancer UI |
HAProxy web UI |
| OpenStack Management Server |
8088 | Internal |
OpenStack Management Server |
Jarvis |
| OpenStack Management Server |
8443 | Internal |
OpenStack Management Server |
OpenStack Management Server OpenAPI documentation |
| Load balancer and controller nodes |
8774 | Public and internal |
OpenStack API services |
Nova API endpoint |
| Controller nodes |
8775 | Internal |
OpenStack metadata |
Metadata service (required unless config drive is used) |
| Load balancer and controller nodes |
8776 | Public and internal |
OpenStack API services |
Cinder API endpoint |
| Load balancer and controller nodes |
8778 | Public and internal |
OpenStack API services |
Nova placement API |
| Load balancer and controller nodes |
9191 | Internal |
OpenStack API services |
Glance registry endpoint |
| Load balancer and controller nodes |
9292 | Public and internal |
OpenStack API services |
Glance API endpoint |
| vCenter Server appliance |
9443 | Internal |
vCenter Server |
vCenter Server |
| OpenStack Management Server |
9449 | Internal |
vAPI |
vAPI |
| Load balancer and controller nodes |
9696 | Public and internal |
OpenStack API services |
Neutron API endpoint |
| Database nodes |
11211 | Internal |
OpenStack control plane cache |
Memory cache services for controller nodes |
| Load balancer and controller nodes |
35357 | Public and internal |
OpenStack API services |
Keystone administrator API endpoint |
If you want to use LDAP or Active Directory, the following ports must also be open.
| Object | Port Number | Network | Service or Product | Description |
|---|---|---|---|---|
| Active Directory or LDAP hosts |
389 | Internal |
Domain controller or LDAP server |
Serving LDAP requests (non-secured) |
| Active Directory or LDAP hosts |
636 | Internal |
Domain controller or LDAP server (LDAPS) |
Serving LDAP requests (secured) |
| Active Directory or LDAP hosts |
3268 | Internal |
Domain controller |
Serving LDAP requests with global catalog (non-secured) |
| Active Directory or LDAP hosts |
3269 | Internal |
Domain controller (LDAPS) |
Serving LDAP requests with global catalog (secured) |
If you want to forward logs to vRealize Log Insight, the following port must also be open.
| Object | Port Number | Network | Service or Product | Description |
|---|---|---|---|---|
| vRealize Log Insight syslog server |
514 (TCP or UDP) | Internal |
Syslog server |
Syslog service |
If you deploy Ceilometer, the following ports must also be open.
| Object | Port Number | Network | Service or Product | Description |
|---|---|---|---|---|
| Ceilometer and Gnocchi storage nodes |
22 | Internal |
SSH |
SSH (used by Ansible) |
| Load balancer and Gnocchi storage nodes |
8041 | Public and internal |
OpenStack API services |
Gnocchi API endpoint |
| Load balancer and Ceilometer nodes |
8042 | Public and internal |
OpenStack API services |
Aodh API endpoint |
| Load balancer and Ceilometer nodes |
8779 | Public and internal |
OpenStack API services |
Panko API endpoint |
If you deploy Designate, the following ports must also be open.
| Object | Port Number | Network | Service or Product | Description |
|---|---|---|---|---|
| Load balancer nodes |
53 (UDP) | Public |
DNS |
Designate MiniDNS service |
| Load balancer and controller nodes |
9001 | Public and internal |
OpenStack API services |
Designate endpoint |
