Ports and Protocols

This section explains the protocol and ports used for management communication.

Protocols and ports are used by the Controller and Service Engines for:

For the latest information about ports and protocols used by the NSX Advanced Load Balancer, see VMware Ports and Protocols.

Ensure that the firewall allows traffic for the ports used by the Controller and SEs for management communication.

Note:

You do not have to open a firewall port from the Controller to the SE. The SE initiates communication to the Controller.
Even if the cluster IP is configured, the source IP is derived from the Controller IP and not from the cluster IP.
The secure channel on port 22 (or 5098 in container environments) is used for communication between components for configuration sync, metrics and logs transfer, heartbeats and other management processes.
OpenStack mode does not support 5098 port on the container side.
Service Engines and Controllers display a login banner that shows basic connectivity status, when accessed through SSH. Connectivity checks are made with a simple ICMP Echo (PING). If PING is not allowed between a Controller or Service Engine and its Management default gateway, the status of Gateway will be shown as DOWN. Similarly, if PING is not allowed between Service Engine and Controller, the status of Controller will be shown as DOWN. There is no operational impact if these reachability checks fail and so, the messages can be ignored if it is not possible to allow PING between these components.

Ports Used for Management Communication

The NSX Advanced Load Balancer Controller and SEs use the following ports for management. The firewall must also allow traffic for these ports.


Traffic Source	Traffic Destination	Ports to Allow
NSX Advanced Load Balancer Controller	NSX Advanced Load Balancer Controller	TCP 22 (SSH) TCP 443 (HTTPS) TCP 8443 (HTTPS) TCP 5098 (SSH) (if the Controller is a docker container, SSH is on port 5098).
	External Entities	Refer to the sections below the table.
	NSX Advanced Load Balancer Service Engine	Not Required.
NSX Advanced Load Balancer Service Engine	NSX Advanced Load Balancer Service Engine	TCP 4001 for AWS, Azure, GCP, and OpenStack clouds. TCP 9001 for VMware, LSC, and NSX-T cloud. TCP4001/TCP 9001 is for ObjStore or SE distributed object store. For more details on TCP 9001, see Service Engine Group section.
NSX Advanced Load Balancer Service Engine	NSX Advanced Load Balancer Controller	TCP 22 (SSH) TCP 8443 (HTTPS) UDP 123 (NTP) TCP 5098 (SSH) (if the Controller is a docker container, SSH is on port 5098)
External Network Services	NSX Advanced Load Balancer Controller	TCP 25 (SMTP) TCP 49 (TACACS+) UDP 53 (DNS) UDP 123 (NTP) UDP 162 (SNMP traps) TCP or UDP 389 (LDAP) UDP 514 (syslog) TCP or UDP 636 (LDAPS) TCP 22 (SSH) TCP 80 (HTTP) (optional) TCP 443 (HTTPS) TCP 5054 (CLI Server) (if using the optional CLI shell for remote management access.) UDP 161 (SNMP agent listens to this port.)


Cloud Orchestrators	Protocols/ Ports Used
GCP	Port 443 is needed for the GCP cloud to connect to NSX Advanced Load Balancer.
OpenStack	Some or all of the following ports might be required: Keystone: TCP 5000, 35357 Glance: TCP 9292 Nova: TCP 8774 Neutron: TCP 9696 Heat (optional). Used for autoscaling back-end members): TCP 8004
VMware vCenter	Controller-to-ESXi hosts: port 443
OpenShift Master	Port 8443
Kubernetes Master	Port 8080 for unauthenticated masters
Mesos or DC/OS Masters	Port 5050 for masters Port 80 for unauthenticated Marathon services
AWS	Port 443 for AWS cloud to connect to NSX Advanced Load Balancer
Azure	Port 443 for Azure cloud to connect to NSX Advanced Load Balancer

The following protocols and ports are required for SE-SE management traffic:

To allow ingress traffic for SE to SE management traffic, see Configuring Service Engine Ingress Rules.

To allow egress traffic for SE to SE management traffic, see Configuring Controller Egress Rules.