Secure operation of vCloud Director requires a secure network environment. Configure and test this network environment before you begin installing vCloud Director.

Connect all vCloud Director servers to a network that is secured and monitored. vCloud Director network connections have several additional requirements:

  • Do not connect vCloud Director directly to the public Internet. Always protect vCloud Director network connections with a firewall. Only port 443 (HTTPS) must be open to incoming connections. Ports 22 (SSH) and 80 (HTTP) can also be opened for incoming connections if needed. In addition, the cell-management-tool requires access to the cell's loopback address. All other incoming traffic from a public network, including requests to JMX (port 8999), must be rejected by the firewall.

    Table 1. Ports That Must Allow Incoming Packets From vCloud Director Hosts

    | Port  | Protocol | Comments                                |
    |-------|----------|-----------------------------------------|
    | 111   | TCP, UDP | NFS portmapper used by transfer service |
    | 920   | TCP, UDP | NFS rpc.statd used by transfer service  |
    | 61611 | TCP      | AMQP                                    |
    | 61616 | TCP      | AMQP                                    |

  • Do not connect the ports used for outgoing connections to the public network.

    Table 2. Ports That Must Allow Outgoing Packets From vCloud Director Hosts

    | Port  | Protocol | Comments                                                                                                                                                                                  |
    |-------|----------|-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
    | 25    | TCP, UDP | SMTP                                                                                                                                                                                      |
    | 53    | TCP, UDP | DNS                                                                                                                                                                                       |
    | 111   | TCP, UDP | NFS portmapper used by transfer service                                                                                                                                                   |
    | 123   | TCP, UDP | NTP                                                                                                                                                                                       |
    | 389   | TCP, UDP | LDAP                                                                                                                                                                                      |
    | 443   | TCP      | vCenter, NSX Manager, and ESXi connections using the standard port. If you have chosen a different port for these services, disable connection to port 443 and enable them for the port you have chosen. |
    | 514   | UDP      | Optional. Enables syslog use.                                                                                                                                                             |
    | 902   | TCP      | vCenter and ESXi connections.                                                                                                                                                             |
    | 903   | TCP      | vCenter and ESXi connections.                                                                                                                                                             |
    | 920   | TCP, UDP | NFS rpc.statd used by transfer service.                                                                                                                                                   |
    | 1433  | TCP      | Default Microsoft SQL Server database port.                                                                                                                                               |
    | 1521  | TCP      | Default Oracle database port.                                                                                                                                                             |
    | 5672  | TCP, UDP | Optional. AMQP messages for task extensions.                                                                                                                                              |
    | 61611 | TCP      | AMQP                                                                                                                                                                                      |
    | 61616 | TCP      | AMQP                                                                                                                                                                                      |

  • Route traffic between vCloud Director servers and the following servers over a dedicated private network:

    • vCloud Director database server

    • RabbitMQ

    • Cassandra

  • If possible, route traffic between vCloud Director servers, VMware vSphere®, and VMware NSX™ over a dedicated private network.

  • Virtual switches and distributed virtual switches that support provider networks must be isolated from each other. They cannot share the same Layer 2 physical network segment.
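The inbound policy in the first requirement above (only 443 required, 22 and 80 optional, everything else including JMX on 8999 rejected from public networks) can be checked against what a cell actually listens on. The following audit script is an added example, not VMware's code; it parses output in the layout of `ss -tulnH`, and the sample sockets are constructed, not captured from a real cell.

```python
"""Audit a vCloud Director cell's listening sockets against the inbound policy:
only 443 must accept external connections, 22 and 80 may, and any other socket
(JMX 8999 included) must bind to loopback or be rejected by the firewall."""
from typing import NamedTuple

REQUIRED_INBOUND = {443}
OPTIONAL_INBOUND = {22, 80}

# Constructed sample in the column layout of `ss -tulnH`:
# Netid State Recv-Q Send-Q Local-Address:Port Peer-Address:Port
SAMPLE_SS = """\
tcp   LISTEN 0 128    0.0.0.0:443    0.0.0.0:*
tcp   LISTEN 0 128  127.0.0.1:8999   0.0.0.0:*
tcp   LISTEN 0 128          *:22           *:*
tcp   LISTEN 0 4096      [::]:8999        [::]:*
udp   UNCONN 0 0    127.0.0.1:323    0.0.0.0:*
tcp   LISTEN 0 128   10.0.0.5:8080   0.0.0.0:*
"""


class Listener(NamedTuple):
    proto: str
    addr: str
    port: int


def parse_ss(text: str) -> list[Listener]:
    """Parse ss lines; Netid is column 0, the local endpoint is column 4."""
    out = []
    for line in text.splitlines():
        f = line.split()
        if len(f) < 5:
            continue
        addr, _, port = f[4].rpartition(":")  # split on the last ':' (IPv6-safe)
        out.append(Listener(f[0], addr.strip("[]"), int(port)))
    return out


def is_loopback(addr: str) -> bool:
    return addr == "::1" or addr.startswith("127.")


def audit(text: str) -> dict[tuple[str, str, int], str]:
    """Map (proto, addr, port) to a verdict. 'EXPOSED' marks a non-loopback
    socket the policy does not allow inbound; the firewall must reject it."""
    verdicts = {}
    for l in parse_ss(text):
        if is_loopback(l.addr):
            v = "ok: loopback only"
        elif l.port in REQUIRED_INBOUND:
            v = "ok: required inbound (443)"
        elif l.port in OPTIONAL_INBOUND:
            v = "ok: optional inbound, confirm it is needed"
        else:
            v = "EXPOSED: not allowed inbound, firewall must reject"
        verdicts[(l.proto, l.addr, l.port)] = v
    return verdicts


if __name__ == "__main__":
    for (proto, addr, port), verdict in sorted(audit(SAMPLE_SS).items()):
        print(f"{proto}/{port:<5} {addr:<12} {verdict}")
```

Note that a dual-stack host can have 8999 correctly bound to 127.0.0.1 and still expose it on [::], which is why the verdict is keyed per address rather than per port.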