Firewall Requirements

  • 29 June 2021
  • 0 replies
  • 32 views

Userlevel 3
Badge +2

Use these firewall requirements to configure rules in your external firewall to allow Nutanix Remote Support, Pulse, SMTP, 1-click upgrades, and LCM updates.

Source

Controller VM / Prism Central IP addresses

Destination

nsc01.nutanix.net and nsc02.nutanix.net

Protocol - Port

TCP - 80 and 8443

Action

ALLOW

 

Source

Controller VM / Prism Central IP addresses

Allows Pulse messages from the cluster to Nutanix support servers.

  • Each Controller VM in your cluster collects Pulse configuration data continuously and sends Pulse metric data every 15 minutes to insights.nutanix.com over port 443 once every 15 minutes over HTTPS. Ports 80 and 8443 are the default ports that the cluster uses to connect to the Nutanix support servers nsc01.nutanix.net and nsc02.nutanix.net. Nutanix recommends that you open both ports. If one port is disabled, the cluster automatically tries to connect on the other. You can open the ports directly or make them available through an HTTP proxy.

  • Pulse messages are not HTTP formatted, so if you use a firewall that only allows HTTP traffic through port 80, Pulse requires access through port 8443.

  • Pulse uses the SSH protocol for communication through the firewall.

  • Firewall port requirements are automatically met if you have a Prism Central deployment, see "Prism Central Proxy for Pulse Data" in the Prism Central Guide.

Destination

insights.nutanix.com

Protocol - Port

For insights.nutanix.com: TCP - 443

For nsc01.nutanix.net and nsc02.nutanix.net:

  • TCP - 80

  • TCP - 8443

Action

ALLOW

 

Source

Controller VM / Prism Central IP addresses

Destination

insights.nutanix.com and designated email addresses (if any)

Protocol - Port

TCP - 443

Action

ALLOW

 

Source

Primary Site Controller VM IP addresses (including Virtual IP Addresses)

Destination

Replication Site Controller VM IP addresses (including Virtual IP Addresses)

Protocol - Port

  • TCP ports 2009/2020 - AOS communications

  • UDP port 53 - DNS

  • HTTPS port 443 - AWS or Azure communication

  • TCP port 22 - SSH communication to Nutanix Controller VM

  • TCP port 3000

Action

ALLOW

 

Source

SMTP Server IP Address

Allows cluster e-mails to be sent to Nutanix Support for Pulse.

If your security policy does not allow ports 80 and 8443 to be opened, Pulse can send messages using any accessible SMTP server.

If you do not have an SMTP server, you can use an HTTP proxy.

Destination

nos-alerts@nutanix.com and nos-asups@nutanix.com

Protocol - Port

SMTP - 25,465, or 587 (standard)

Action

ALLOW

 

Source

Controller VM / Prism Central IP addresses

Note: The destination IP address ranges are controlled by the external service provider (AWS). See the AWS documentation topic AWS IP Address Ranges.

Destination

  • *.compute-*.amazonaws.com:80, 443

  • release-api.nutanix.com:80, 443

  • ntnx-portal.s3.amazonaws.com

  • s3*.amazonaws.com

  • download.nutanix.com

Protocol - Port

HTTP - 80

HTTPS - 443

Action

ALLOW

 

Source

Controller VM IP addresses

Destination

  • release-api.nutanix.com:80, 443

  • download.nutanix.com

Protocol - Port

  • HTTP: 80 (both download.nutanix.com and release-api.nutanix.com)

  • HTTPS: 443 (both download.nutanix.com and release-api.nutanix.com)

Action

ALLOW

 

Source

Clients accessing the cluster where Nutanix Volumes is enabled

Destination

Nutanix cluster, through the cluster iSCSI Data Services IP Address

Ports on clients

3260 and 3205

Action

ALLOW

 


This topic has been closed for comments