vSAN deployments require specific network ports and settings to provide access and services.

Requirements for vSAN Services

Consider the following service requirements when you configure ports for vSAN.
Table 1. vSAN Service Requirements



Storage Providers (VASA)

VASA is a set of application program interfaces (APIs) that enables vCenter Server to recognize the capabilities of storage arrays. When vSAN is enabled, each vSAN host registers a VASA provider to vCenter Server via TCP port 8080.

Reliable Datagram Transport (RDT)

RDT is a proprietary vSAN service for storage I/O. RDT uses TCP at the vSAN transport layer. RDT is built on top of the vSAN Clustering Service and uses TCP port 2233.

Clustering, Monitoring, Membership, and Directory Services (CMMDS)

CMMDS is responsible for discovery and maintenance of a cluster of networked node members. All nodes communicate via UDP ports 12345 and 23451.

Witness Host

TCP port 2233 and UDP port 12321 need to be open for witness traffic between the witness host and the vSAN cluster data nodes.

vSAN Observer

TCP port 8010 needs to be open to view the vSAN Observer graphs. You can customize this port with the following RVC command: vsan.observer

Firewall Considerations

When you enable vSAN on a cluster, all required ports are added to ESXi firewall rules and configured automatically. There is no need for an administrator to open any firewall ports or enable any firewall services manually.

You can view open ports for incoming and outgoing connections. Select the ESXi host, and click Configure > Security Profile.
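The ESXi firewall is configured automatically, but an allow list on a network firewall between vSAN hosts is not. The following Python check is an added example, not part of the original documentation: it compares such an allow list against the service ports listed above and reports the services that would be blocked. The `proto port` rule format and the names `REQUIRED`, `parse_rule` and `missing_ports` are assumptions made for this illustration.

```python
# Added example. Required ports are taken from the service descriptions on this page.
REQUIRED = {
    "VASA storage provider": [("tcp", 8080)],
    "RDT": [("tcp", 2233)],
    "CMMDS": [("udp", 12345), ("udp", 23451)],
    "Witness host": [("tcp", 2233), ("udp", 12321)],
    "vSAN Observer": [("tcp", 8010)],
}

def parse_rule(line):
    """Parse 'proto port' or 'proto low-high' (hypothetical format) into (proto, low, high)."""
    proto, _, ports = line.strip().lower().partition(" ")
    low, _, high = ports.strip().partition("-")
    low, high = int(low), int(high or low)  # a single port is a one-port range
    if proto not in ("tcp", "udp") or not 0 < low <= high <= 65535:
        raise ValueError(f"bad rule: {line!r}")
    return proto, low, high

def missing_ports(rule_lines):
    """Return {service: [(proto, port), ...]} for required ports that no rule allows."""
    rules = [parse_rule(l) for l in rule_lines
             if l.strip() and not l.lstrip().startswith("#")]
    gaps = {}
    for service, needs in REQUIRED.items():
        uncovered = [(p, n) for p, n in needs
                     if not any(p == rp and lo <= n <= hi for rp, lo, hi in rules)]
        if uncovered:
            gaps[service] = uncovered
    return gaps

# Constructed sample allow list (not taken from any real device).
SAMPLE_RULES = """
# allow list between vSAN data nodes and the witness host
tcp 2233
udp 12321
udp 12000-12400
tcp 8080
""".splitlines()

if __name__ == "__main__":
    for service, ports in missing_ports(SAMPLE_RULES).items():
        print(service, "blocked:", ", ".join(f"{p.upper()}/{n}" for p, n in ports))
```

With the constructed sample, the UDP range covers 12345 and 12321 but not 23451, so CMMDS is reported along with vSAN Observer.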

vSAN Network Ports

Certain specific network ports are required for vSAN.

Table 2. vSAN Network Ports







Incoming and outgoing

vsanvp: Used by the Storage Management Service (SMS) that is part of vSphere vCenter Server. If disabled, vSAN Storage Profile Based Management (SPBM) does not work.



Incoming and outgoing

vSAN Transport: Used for storage I/O. If disabled, vSAN does not work.





Incoming and outgoing

vSAN Clustering Service.

If disabled, vSAN does not work.



Incoming and outgoing

Default iSCSI port for vSAN iSCSI target service.



Incoming and outgoing

vsanhealth-multicasttest: vSAN Health Proactive Network test. This port is enabled on demand when Proactive Network Test is running.

8010 TCP


vSAN Observer default port number for live statistics. A custom port number can also be specified for vSAN Observer.