vCenter Server is accessed through predetermined TCP and UDP ports. If you manage network components from outside a firewall, you might be required to reconfigure the firewall to allow access on the appropriate ports.

The topic "Required Ports for vCenter Server and Platform Services Controller" lists the ports that the installer opens as part of a default installation. Some additional ports are required for certain services, such as NTP, or for applications that are commonly installed with vCenter Server.

In addition to these ports, you can configure other ports depending on your needs.

Table 1. vCenter Server TCP and UDP Ports

| Port | Protocol | Description |
|---|---|---|
| 123 (UDP) | UDP | NTP Client. If you are deploying the vCenter Server Appliance on an ESXi host, the two must be time synchronized, usually through an NTP server, and the corresponding port must be open. |
| 135 | UDP | For the vCenter Server Appliance, this port is designated for Active Directory authentication. For a vCenter Server Windows installation, this port is used for Linked Mode and port 88 is used for Active Directory authentication. |
| 161 | UDP | SNMP Server. |
| 636 | TCP | vCenter Single Sign-On LDAPS (6.0 and later). |
| 8084, 9084, 9087 | TCP | Used by vSphere Update Manager. |
| 8109 | TCP | VMware Syslog Collector. This service is needed if you want to centralize log collection. |
| 15007, 15008 | TCP | vService Manager (VSM). This service registers vCenter Server extensions. Open this port only if required by extensions that you intend to use. |
| 31031, 44046 (Default) | TCP | vSphere Replication. |
| 5355 | UDP | The systemd-resolve process uses this port to resolve domain names, IPv4 and IPv6 addresses, DNS resource records and services. |

The following ports are used only internally.

Table 2. vCenter Server TCP and UDP Ports

| Port | Description |
|---|---|
| 5443 | vCenter Server graphical user interface internal port. |
| 5444, 5432 | Internal port for monitoring of vPostgreSQL. |
| 5090 | vCenter Server graphical user interface internal port. |
| 7080 | Secure Token Service internal port. |
| 7081 | Platform Services Controller internal port. |
| 8000 | ESXi Dump Collector internal port. |
| 8006 | Used for Virtual SAN health monitoring. |
| 8085 | Internal ports used by the vCenter service (vpxd) SDK. |
| 8095 | VMware vCenter services feed port. |
| 8098, 8099 | Used by VMware Image Builder Manager. |
| 8190, 8191, 22000, 22100, 21100 | VMware vSphere Profile-Driven Storage Service. |
| 8200, 8201, 5480 | Appliance management internal ports. |
| 8300, 8301 | Appliance management reserved ports. |
| 8900 | Monitoring API internal port. |
| 9090 | Internal port for vSphere Web Client. |
| 10080 | Inventory service internal port. |
| 10201 | Message Bus Configuration Service internal port. |
| 11080 | vCenter Server Appliance internal ports for HTTP and for splash screen. |
| 12721 | Secure Token Service internal port. |
| 12080 | License service internal port. |
| 12346, 12347, 4298 | Internal port for VMware Cloud Management SDKs (vAPI). |
| 13080, 6070 | Used internally by the Performance Charts service. |
| 14080 | Used internally by the syslog service. |
| 15005, 15006 | ESX Agent Manager internal port. |
| 16666, 16667 | Content Library ports. |
| 18090 | Content Manager internal port. |
| 18091 | Component Manager internal port. |

In addition, the vCenter Server Appliance uses ephemeral ports from 32768 through 60999 for vPostgres services.

The following ports are required between vCenter High Availability (VCHA) nodes.

Table 3. Firewall Port Requirement for VCHA Private IP

| Port | Protocol | Nodes | Description |
|---|---|---|---|
| 22 | TCP | Between all three nodes | Bidirectional. System port for SSHD |
| 5432 | TCP | Between Primary and Secondary | Bidirectional. Postgres |
| 8182 | TCP | Between all three nodes | Bidirectional. Fault Domain Manager |
| 8182 | UDP | Between all three nodes | Bidirectional. Fault Domain Manager |
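
The following Python is an added example, not VMware code: it audits a firewall allow list for the VCHA private network against Table 3 (every flow must be permitted in both directions) and flags any rule that admits a Table 2 internal-only port outside those flows. The rule tuple format, the "any" wildcard, the node label "witness" for the third node, and the host name "mgmt-jumpbox" are assumptions made for illustration.

```python
from itertools import permutations

# Table 3: port, protocol, and the nodes that must reach each other both ways.
ALL = ("primary", "secondary", "witness")  # "witness" is an assumed label
VCHA = [(22, "tcp", ALL), (5432, "tcp", ("primary", "secondary")),
        (8182, "tcp", ALL), (8182, "udp", ALL)]

# Table 2: ports the page lists as used only internally (no protocol given).
INTERNAL = {5443, 5444, 5432, 5090, 7080, 7081, 8000, 8006, 8085, 8095, 8098,
            8099, 8190, 8191, 22000, 22100, 21100, 8200, 8201, 5480, 8300,
            8301, 8900, 9090, 10080, 10201, 11080, 12721, 12080, 12346, 12347,
            4298, 13080, 6070, 14080, 15005, 15006, 16666, 16667, 18090, 18091}

def required_flows():
    """Expand Table 3 into directed (src, dst, proto, port) flows."""
    return {(s, d, proto, port)
            for port, proto, nodes in VCHA
            for s, d in permutations(nodes, 2)}

def audit(rules):
    """rules: allow entries (src, dst, proto, first_port, last_port).
    Returns (missing required flows, internal-only ports a rule exposes)."""
    need = required_flows()
    def allowed(flow):
        s, d, proto, port = flow
        return any(r[0] in (s, "any") and r[1] in (d, "any") and r[2] == proto
                   and r[3] <= port <= r[4] for r in rules)
    missing = sorted(f for f in need if not allowed(f))
    exposed = []
    for src, dst, proto, lo, hi in rules:
        for port in sorted(p for p in INTERNAL if lo <= p <= hi):
            # 5432 is internal-only except Primary <-> Secondary (Table 3).
            if (src, dst, proto, port) not in need:
                exposed.append((src, dst, proto, port))
    return missing, exposed

# Constructed rule set for illustration (not taken from the page).
SAMPLE_RULES = [
    ("primary", "secondary", "tcp", 22, 22), ("secondary", "primary", "tcp", 22, 22),
    ("primary", "witness", "tcp", 22, 22), ("witness", "primary", "tcp", 22, 22),
    ("secondary", "witness", "tcp", 22, 22), ("witness", "secondary", "tcp", 22, 22),
    ("primary", "secondary", "tcp", 5432, 5432),  # reverse direction is missing
    ("any", "any", "tcp", 8182, 8182), ("any", "any", "udp", 8182, 8182),
    ("mgmt-jumpbox", "primary", "tcp", 5400, 5500),  # broad range covers internal ports
]

if __name__ == "__main__":
    print(audit(SAMPLE_RULES))
```

On the constructed rules, the audit reports the missing Secondary-to-Primary Postgres flow and shows that the 5400-5500 range admits four internal-only ports.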