You open required ports on your firewall to ensure that VMware Integrated OpenStack can operate properly.
All ports listed are TCP unless otherwise specified.
| Object | Port Number | Protocol | Network | Service or Product | Description |
|---|---|---|---|---|---|
| Manager and Controllers | 22 | Internal | SSH | SSH | |
| Manager | 53 | TCP or UDP | Internal | DNS | FQDN resolution |
| Controllers | 53 | TCP or UDP | Public and Internal | DNS | FQDN resolution |
| Manager | 443 | Internal | VIO Web UI | VIO Web UI service | |
| Controllers | 443 | Public and Internal | OpenStack dashboard service | VMware Integrated OpenStack dashboard | |
| ESXi hosts | 443 | Internal | ESXi hosts | ESXi API endpoint | |
| NSX Manager | 443 | Internal | NSX Manager | NSX Manager endpoint | |
| vCenter Server Appliance | 443 | Internal | vCenter Server | vCenter Server API endpoint | |
| Manager | 2379 | Internal | Etcd Server | Etcd API endpoint | |
| Manager | 2380 | Internal | Etcd Server | Etcd API endpoint | |
| Controllers | 3306 | Internal | OpenStack database | Database cluster | |
| Controllers | 4567 | Internal | OpenStack database | MariaDB Galera replication traffic | |
| Manager | 5000 | Internal | Docker Registry | Docker Registry service endpoint | |
| Controllers | 5000 | Public and Internal | OpenStack API services | Keystone API endpoint | |
| Controllers | 5672 | Internal | OpenStack RPC bus | RabbitMQ message bus | |
| Controllers | 6090 | Public and Internal | OpenStack console services | MKS proxy | |
| Manager | 6443 | Internal | Kubernetes apiserver | Kubernetes apiserver endpoint | |
| Controllers | 8000 | Public and Internal | OpenStack API services | Heat CloudFormation API endpoint | |
| Controllers | 8004 | Public and Internal | OpenStack API services | Heat API endpoint | |
| Manager | 8443 | Internal | VIO API | VIO API endpoint | |
| Controllers | 8774 | Public and Internal | OpenStack API services | Nova API endpoint | |
| Controllers | 8775 | Internal | OpenStack metadata | Metadata service (required unless config drive is used) | |
| Controllers | 8776 | Public and Internal | OpenStack API services | Cinder API endpoint | |
| Controllers | 8778 | Public and Internal | OpenStack API services | Nova Placement API endpoint | |
| Manager | 8879 | Internal | Helm Repo Server | Helm Repo service endpoint | |
| Manager | 9000 | Internal | VIO Web UI Authentication Proxy | VIO Web UI Authentiation Proxy | |
| Manager | 9090 | Internal | VIO API swagger | VIO API swagger endpoint | |
| Manager and Controllers | 9099 | Internal | Calico CNI | Calico CNI | |
| Controllers | 9292 | Public and Internal | OpenStack API services | Glance API endpoint | |
| Controllers | 9311 | Public and Internal | OpenStack API services | Barbican API endpoint | |
| vCenter Server Appliance | 9443 | Internal | vCenter Server | vCenter Server | |
| Manager | 9449 | Internal | vAPI | vAPI | |
| Controllers | 9696 | Public and Internal | OpenStack API services | Neutron API endpoint | |
| Controllers | 9876 | Public and Internal | OpenStack API services | Octavia API endpoint | |
| Manager and Controllers | 10250 | Internal | Kubernetes kubelet | Kubernetes kubelet | |
| Manager | 10251 | Internal | Kubernetes scheduler | Kubernetes scheduler | |
| Manager | 10252 | Internal | Kubrernetes controller manager | Kubernetes controller manager | |
| Controllers | 11211 | Internal | OpenStack control plane cache | Memory cache services for controller nodes | |
| Controllers | 35357 | Public and Internal | OpenStack API services | Keystone administrator API endpoint | |
| Manager and Controllers | 44134 | Internal | Tiller Server | Tiller service endpoint |
If you want to use LDAP or Active Directory, the following ports must also be open.
| Object | Port Number | Network | Service or Product | Description |
|---|---|---|---|---|
| Active Directory or LDAP hosts |
389 | Internal |
Domain controller or LDAP server |
Serving LDAP requests (non-secured) |
| Active Directory or LDAP hosts |
636 | Internal |
Domain controller or LDAP server (LDAPS) |
Serving LDAP requests (secured) |
| Active Directory or LDAP hosts |
3268 | Internal |
Domain controller |
Serving LDAP requests with global catalog (non-secured) |
| Active Directory or LDAP hosts |
3269 | Internal |
Domain controller (LDAPS) |
Serving LDAP requests with global catalog (secured) |
If you want to forward logs to vRealize Log Insight, the following port must also be open.
| Object | Port Number | Network | Service or Product | Description |
|---|---|---|---|---|
| vRealize Log Insight syslog server | 9000 (TCP or UDP) | Internal |
Syslog server |
Syslog service |
If you deploy Ceilometer, the following ports must also be open.
| Object | Port Number | Network | Service or Product | Description |
|---|---|---|---|---|
| Controllers |
8041 | Public and Internal |
OpenStack API services |
Gnocchi API endpoint |
| Controllers |
8042 | Public and Internal |
OpenStack API services |
Aodh API endpoint |
| Controllers |
8779 | Public and Internal |
OpenStack API services |
Panko API endpoint |
If you deploy Designate, the following ports must also be open.
| Object | Port Number | Network | Service or Product | Description |
|---|---|---|---|---|
| Controllers |
53 (UDP) | Public and Internal |
DNS |
Designate MiniDNS service |
| Controllers |
9001 | Public and Internal |
OpenStack API services |
Designate endpoint |
If you deploy Swift, the following port must also be open.
| Object | Port Number | Network | Service or Product | Description |
|---|---|---|---|---|
| Controllers |
8080 | Public and Internal |
OpenStack API services |
Swift endpoint |
