Ports and protocols allow node-to-node communication paths in NSX-T Data Center. The paths are secured and authenticated, and a storage location for the credentials is used to establish mutual authentication.


The required ports and protocols must be open on both the physical and host hypervisor firewalls.

Figure 1. NSX-T Data Center Ports and Protocols

By default, all certificates are self-signed. The northbound GUI and API certificates and private keys can be replaced by CA-signed certificates.

There are internal daemons that communicate over the loopback or UNIX domain sockets:
  • KVM: MPA, netcpa, nsx-agent, OVS
  • ESXi: netcpa, ESX-DP (in the kernel)
Note: To get access to NSX-T Data Center nodes, you must enable SSH on these nodes.
NSX Cloud Note: See Enable Access to ports and protocols on CSM for Hybrid Connectivity for a list of ports required for deploying NSX Cloud.