Question

Required ports for admin access and tools

  • 20 August 2019
  • 3 replies
  • 203 views

Not sure why, but there appears to be an absence of documentation pertaining to required ports that might need to be opened in a firewall to access the CVMs. Perhaps Nutanix thinks that organizations aren't going to firewall off the cluster to protect access from malicious users. If I'm wrong, why don't I see a list of ports that are needed to access the CVMs rather than KB articles showing what outgoing ports are needed in a perimeter firewall?

In order to properly protect a cluster, the CVMs should sit behind a firewall, which in my architecture will be the case before we go live with anything.

In order for admins to access the CVMs through a firewall, TCP 22 is needed for SSH, and 80 and 9440 are needed for accessing the web console.

Is this it? Or are there more ports that would need to be opened up for the various types of admin interactions?

  • How about running CLI tools against the cluster?
  • How about downloading support files?

And I'm sure I'm missing more here.

I do see there is an attempt to close this gap here: https://vmwaremine.com/2014/09/19/nutanix-network-port-diagram/#sthash.dercC2j9.dpbs

However, when you look at the diagram on this resource, I see a large list of ports without a single explanation, and in some cases I see additional ports shown that aren't documented by Nutanix. Here they are: TCP (22, 2009, 2010, 2030, 2100, 2222, 8000, 9440); UDP (13000).


Hi @theGman

There is documentation about firewall requirements: https://portal.nutanix.com/#/page/docs/details?targetId=Acropolis-Upgrade-Guide-v511:wc-support-firewall-wc-c.html

But all these ports are from the CVM to external networks, for instance to download 1-Click and LCM upgrade bundles, send Pulse data to Nutanix and so on.

From a different network to the CVMs, for management purposes, you may have to open 22 (SSH) and 9440 (Prism), which are for sure the most used management interfaces.

But keep in mind that you may also need to open additional ports for IPMI, like 443 (HTTPS) and 5900 (console), and there are also many other ports to the CVM, like 2009 (Stargate page), 8000 (Foundation page), 2222 (SFTP), 2010 (Curator page)... but in most cases, once support has SSH access to the CVM, we use the links tool on the CVM to access the Stargate, Curator and other diagnostic pages locally.
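Both the port list in the question above and the extra IPMI and diagnostic ports in this reply lead to the same practical check once the firewall is in place: which of those TCP ports are actually reachable from the admin network? The script below is an added example and is not code from this thread or from Nutanix. It is a plain connect scan that, unlike a simple "can I connect" test, distinguishes a "filtered" port (no answer before the timeout, typically a firewall drop) from a "closed" one (a RST came back, so the packet reached the host but nothing listens there). The grouping of ports by role, the port descriptions, and the throwaway local listener used for the offline demo are assumptions for illustration; UDP 13000 is left out because a UDP probe with no reply cannot tell open from filtered.

```python
"""TCP connect-scan for management ports behind a firewall (illustrative).

Classifies each probed port as:
  open      - TCP handshake completed: the firewall passes it and something listens
  closed    - the host answered with RST: the packet got through, nothing listens
  filtered  - no answer before the timeout (or no route): typically a firewall DROP
"""
import socket
import sys
from typing import Dict, Iterable, List, Tuple

# Port groupings are an assumption for illustration, built from the ports
# named in this thread; which roles need which ports is a local policy call.
CVM_ADMIN_PORTS: Dict[int, str] = {
    22: "SSH",
    9440: "Prism web console / REST",
    2222: "SFTP",
}
CVM_DIAG_PORTS: Dict[int, str] = {
    2009: "Stargate page",
    2010: "Curator page",
    2030: "listed in diagram, undocumented",
    2100: "listed in diagram, undocumented",
    8000: "Foundation page",
}
IPMI_PORTS: Dict[int, str] = {443: "HTTPS", 5900: "remote console"}


def probe_tcp(host: str, port: int, timeout: float = 2.0) -> str:
    """Return 'open', 'closed' or 'filtered' for one TCP port on host."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.settimeout(timeout)
        try:
            s.connect((host, port))
            return "open"
        except ConnectionRefusedError:
            return "closed"      # RST received: host reachable, nothing listening
        except OSError:
            return "filtered"    # timeout, no route or host unreachable: dropped


def check_ports(host: str, ports: Iterable[int], timeout: float = 2.0) -> Dict[int, str]:
    """Probe every port in `ports` and map port -> state."""
    return {p: probe_tcp(host, p, timeout) for p in ports}


def group_by_state(results: Dict[int, str]) -> Dict[str, List[int]]:
    """Invert a port->state map into state->sorted port list."""
    groups: Dict[str, List[int]] = {"open": [], "closed": [], "filtered": []}
    for port in sorted(results):
        groups[results[port]].append(port)
    return groups


def start_local_listener() -> Tuple[socket.socket, int]:
    """Open a throwaway listener on 127.0.0.1 so the scan can be demoed offline."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind(("127.0.0.1", 0))
    srv.listen(5)
    return srv, srv.getsockname()[1]


def main(argv: List[str]) -> int:
    if len(argv) > 1:
        # Real run: python check_ports.py <cvm-ip> from the admin network.
        host = argv[1]
        names = {**CVM_ADMIN_PORTS, **CVM_DIAG_PORTS}
    else:
        # No target given: demo against constructed local sockets.
        srv, open_port = start_local_listener()
        spare, free_port = start_local_listener()
        spare.close()  # nothing listens there any more: expect "closed"
        host = "127.0.0.1"
        names = {open_port: "demo listener", free_port: "nothing listening"}
    results = check_ports(host, names, timeout=2.0)
    for state, ports in group_by_state(results).items():
        shown = ", ".join(f"{p} ({names[p]})" for p in ports) or "-"
        print(f"{state:9s} {shown}")
    return 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run it once from a host inside the cluster network and once from the admin network; a port that is "open" in the first run and "filtered" in the second is one the firewall rule set still blocks, while "closed" in both means the firewall is not the problem and the service simply is not listening on that CVM.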
Hi Richard, I have seen the KB you presented already; it states the following:

"Use these firewall requirements to configure rules in your external firewall to allow Nutanix Remote Support, Pulse, SMTP, 1-click upgrades, and LCM updates."

I am looking for the documentation that shows the complete listing of all ports in use by the product and not a subset based on specific services.
Note, I am going to leave this post unanswered until I see good documentation pertaining to all ports in use by Nutanix CVMs, which includes both incoming and outgoing details. No offense to Nutanix engineering, but I'm about sick and tired of piecemeal documentation that is scattered about from vendors that are getting wealthy on the sale of products that leave engineers and architects in a constant state of searching around for the required details they seek, often to come up short.
