This section explains the protocol and ports used for management communication.

Protocols and ports are used by the Controller and Service Engines for:

  • Management communication (used by the Controller and Service Engines)

  • Network services (used by the Controller)

  • Cloud orchestrators

  • Container Cluster nodes

For the latest information about ports and protocols used by the NSX Advanced Load Balancer, see VMware Ports and Protocols.

Ensure that the firewall allows traffic for the ports used by the Controller and SEs for management communication.

  • You do not have to open a firewall port from the Controller to the SE. The SE initiates communication to the Controller.

  • Even if the cluster IP is configured, the source IP is derived from the Controller IP and not from the cluster IP.

  • The secure channel on port 22 (or 5098 in container environments) is used for communication between components for configuration sync, metrics and logs transfer, heartbeats and other management processes.

  • OpenStack mode does not support 5098 port on the container side.

  • Service Engines and Controllers display a login banner that shows basic connectivity status, when accessed through SSH. Connectivity checks are made with a simple ICMP Echo (PING). If PING is not allowed between a Controller or Service Engine and its Management default gateway, the status of Gateway will be shown as DOWN. Similarly, if PING is not allowed between Service Engine and Controller, the status of Controller will be shown as DOWN. There is no operational impact if these reachability checks fail and so, the messages can be ignored if it is not possible to allow PING between these components.

For more information on the system port 8443 and port 22 usage, see NSX Advanced Load Balancer Service Engine to Controller Communication.

Ports Used by Controller for Network Services

The Controller sends traffic to the following ports as part of network operation. The firewall must also allow traffic from the Controller to these ports.

Traffic Source

Traffic Destination

Ports to Allow

External Network Services

  • TCP 25 (SMTP)

  • TCP 49 (TACACS+)

  • UDP 53 (DNS)

  • UDP 123 (NTP)

  • UDP 162 (SNMP traps)

  • TCP or UDP 389 (LDAP)

  • UDP 514 (syslog)

  • TCP or UDP 636 (LDAPS)

Protocols and Ports used by Cloud Orchestrators

Cloud Orchestrators

Protocols/ Ports Used


Port 443 is needed for the GCP cloud to connect to NSX Advanced Load Balancer.


Some or all of the following ports might be required:

  • Keystone: TCP 5000, 35357

  • Glance: TCP 9292

  • Nova: TCP 8774

  • Neutron: TCP 9696

  • Heat (optional). Used for autoscaling back-end members): TCP 8004

VMware vCenter

Controller-to-ESXi hosts: port 443

OpenShift Master

Port 8443

Kubernetes Master

Port 8080 for unauthenticated masters

Mesos or DC/OS Masters

  • Port 5050 for masters

  • Port 80 for unauthenticated Marathon services


Port 443 for AWS cloud to connect to NSX Advanced Load Balancer


Port 443 for Azure cloud to connect to NSX Advanced Load Balancer

Ports Used by Container Cluster Nodes

Container Cluster Node

Port Used


Port 22

Kubernetes Minions

Port 22

Mesos Nodes

Port 22

Service Engine Firewalls

The following protocols and ports are required for SE-SE management traffic:









To allow ingress traffic for SE to SE management traffic, see Configuring Service Engine Ingress Rules.

To allow egress traffic for SE to SE management traffic, see Configuring Controller Egress Rules.