Question

Required ports for admin access and tools

  • 20 August 2019
  • 7 replies
  • 10086 views

Userlevel 1
Badge +2
Not sure why but there appears to be an absence of documentation pertaining to required ports that might need to be opened in a firewall to access the CVMs. Perhaps Nutanix thinks that organizations aren't going to firewall off the cluster to protect access from malicious users. If I'm wrong why don't I see a list of ports that are needed to access the CVMs rather than KB articles showing what outgoing ports are needed in a perimeter firewall?

In order to properly protect a cluster the CVMs should sit behind a firewall, which in my architecture will be the case before we go live with anything.

In order for admins to access the CVMs through a firewall TCP 22 is needed for SSH, and 80 and 9440 are needed for accessing the web console.

Is this it? Or are there more ports that would need to be opened up for the various types of admin interactions?

  • how about running cli tools against the cluster?
  • how about downloading support files?

and I'm sure I'm missing more here.

I do see there is an attempt to close this gap here: https://vmwaremine.com/2014/09/19/nutanix-network-port-diagram/#sthash.dercC2j9.dpbs

However, when you look at the diagram on this resource I see a large list of ports without a single explanation, and in some cases I see additional ports shown that aren't documented by Nutanix. Here they are: TCP (22, 2009, 2010, 2030, 2100, 2222, 8000, 9440); UDP (13000).


7 replies

hello theGman,

The primary document that *should* cover this is the Security Guide. The link there goes to the firewall recommendations. 

If you think something is missing there, please clarify. I can work with the documentation team, and security team if necessary, to close the gap. 

There is also this article “Port numbers used for inter CVM communication” which lists what services on the CVM use which ports. These do not all need to be open to the outside, many of them definitely should not be, so I only mention the KB as a knowledge reference. The firewall rules requirements, with explanation, should be in the security guide as I indicated earlier so if anything is missing there we can address it in that document. 

I think in writing the documentation, there is an expectation that Prism access would be from within the corporate network.

You mentioned:

TCP 22 is needed for SSH, and 80 and 9440 are needed for accessing the web console.

Is this it? Or are there more ports that would need to be opened up for the various types of admin interactions?

  • how about running cli tools against the cluster?
  • how about downloading support files?

I think you have it covered for admin access. CLI tools such as NCLI use the Nutanix REST API, which needs port 9440. SSH needs port 22, and for collecting files locally I generally recommend SCP which uses the same port. There is also the option of exporting logs via SFTP using logbay on a CVM, and here again we use port 22.

I could think of various other scenarios, such as remote access to the Nutanix containers to upload files, or remote iSCSI access, but if you don’t mind please let me know what scenarios I’ve missed and what’s not covered in the security guide and let’s see if I can’t get the security guide to cover it.

Hi, I just came across this and am having the same issue. The document you list above shows what is needed to get out of my network to access Nutanix for downloads and support.

What is missing are the firewall ports I would need to open to manage a Nutanix when the user is separated from the hardware by a firewall.

For example, as an admin I need to get to the ILO IP and log in. Does that only require port 443?



Userlevel 6
Badge +5

I know this is not what you were looking for but I came across this and thought you might find it useful

https://portal.nutanix.com/#/page/docs/details?targetId=Field-Installation-Guide-v4-5:set-network-reqs-c.html#concept_1mm_xwq_nh

Userlevel 6
Badge +5
Hi @theGman, we recognize there is room for improvement in relation to documentation. Please check the post below and let me know if that brings you any closer to the sought-after information. Please share your suggestions, as they help us improve the documentation.

There is no such thing as too many layers of security - Nutanix network ports
Userlevel 1
Badge +2
Note, I am going to leave this post unanswered until I see good documentation pertaining to all ports in use by Nutanix CVMs which includes both incoming and outgoing details. No offense to Nutanix engineering but I'm about sick and tired of piecemeal documentation that is scattered about from vendors that are getting wealthy on the sale of products that leave engineers and architects in a constant state of searching around for the required details they seek, often to come up short.
Userlevel 1
Badge +2
Hi Richard - I have already seen the KB you presented; it states the following:

"Use these firewall requirements to configure rules in your external firewall to allow Nutanix Remote Support, Pulse, SMTP, 1-click upgrades, and LCM updates."

I am looking for the documentation that shows the complete listing of all ports in use by the product and not a subset based on specific services.
Userlevel 3
Badge +5
Hi @theGman

There is documentation about the firewall requirements: https://portal.nutanix.com/#/page/docs/details?targetId=Acropolis-Upgrade-Guide-v511:wc-support-firewall-wc-c.html

But all these ports are from CVM to external networks, like for instance to download 1-Click and LCM upgrade bundles, send Pulse data to Nutanix and so on.

From a different network to the CVMs, for management purposes, you may have to open 22 (SSH) and 9440 (Prism), which are certainly the most used management interfaces.

But keep in mind that you may also need to open additional ports for IPMI, like 443 (HTTPS) and 5900 (console), and there are also many other ports to the CVM, like 2009 (Stargate page), 8000 (Foundation page), 2222 (SFTP), 2010 (Curator page)... but in most cases, once Support has SSH access to the CVM, we use the links tool on the CVM to access the Stargate, Curator and other diagnostic pages locally.
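As an added example (not from the thread or from Nutanix), a small rule audit that encodes the split the replies describe: the admin network reaches CVMs only on 22 and 9440 (plus 80 for the web console) and IPMI only on 443/5900, while the CVM service and diagnostic ports listed in the thread stay inside the cluster network. The subnets, the rule format and the sample policy are constructed placeholders.

```python
from __future__ import annotations
import ipaddress
from typing import NamedTuple
# Assumed segments (placeholders for this example, not from the thread).
ADMIN_NET = ipaddress.ip_network("10.10.0.0/24")  # admins' workstations
CVM_NET = ipaddress.ip_network("10.20.0.0/24")    # CVM / hypervisor management
IPMI_NET = ipaddress.ip_network("10.30.0.0/24")   # out-of-band management (IPMI/iLO)
# Admin -> CVM ports named in the thread: SSH/SCP/SFTP (logbay), web console, Prism/REST (NCLI).
ADMIN_TO_CVM = {("tcp", 22), ("tcp", 80), ("tcp", 9440)}
# Admin -> IPMI ports named in the thread: HTTPS UI and remote console.
ADMIN_TO_IPMI = {("tcp", 443), ("tcp", 5900)}
# CVM service/diagnostic ports from the thread: intra-cluster only, never through the perimeter.
CVM_INTERNAL = {("tcp", p) for p in (2009, 2010, 2030, 2100, 2222, 8000)} | {("udp", 13000)}
Rule = NamedTuple("Rule", [("src", ipaddress.IPv4Network), ("dst", ipaddress.IPv4Network), ("proto", str), ("port", int)])
def parse_rules(text: str) -> list[Rule]:
    """Parse 'allow <src_cidr> <dst_cidr> <tcp|udp> <port>' lines (a constructed format)."""
    rules = []
    for line in text.splitlines():
        fields = line.split("#", 1)[0].split()  # drop trailing comments and blank lines
        if fields:
            _, src, dst, proto, port = fields
            rules.append(Rule(ipaddress.ip_network(src), ipaddress.ip_network(dst), proto, int(port)))
    return rules

def classify(rule: Rule) -> str:
    """Return 'ok', or the reason the rule breaks the intended segmentation."""
    svc = (rule.proto, rule.port)
    to_cvm, to_ipmi = rule.dst.subnet_of(CVM_NET), rule.dst.subnet_of(IPMI_NET)
    from_admin, from_cvm = rule.src.subnet_of(ADMIN_NET), rule.src.subnet_of(CVM_NET)
    if to_cvm and from_cvm:
        return "ok"  # intra-cluster traffic does not cross the perimeter firewall
    if to_cvm and svc in CVM_INTERNAL:
        return f"internal CVM service {rule.proto}/{rule.port} exposed to {rule.src}"
    if from_admin and (to_cvm and svc in ADMIN_TO_CVM or to_ipmi and svc in ADMIN_TO_IPMI):
        return "ok"
    if to_cvm or to_ipmi:
        return f"{rule.proto}/{rule.port} from {rule.src} to {rule.dst} is outside the admin allow-list"
    return "ok"  # neither a CVM nor an IPMI destination: outside this check's scope
def audit(text: str) -> list[tuple[Rule, str]]:
    # Only the violating rules come back, each paired with its reason.
    return [(r, v) for r in parse_rules(text) if (v := classify(r)) != "ok"]

# Constructed sample policy: four correct rules followed by two mistakes.
SAMPLE_RULES = """
allow 10.10.0.0/24 10.20.0.0/24 tcp 22
allow 10.10.0.0/24 10.20.0.0/24 tcp 9440
allow 10.10.0.0/24 10.30.0.0/24 tcp 443
allow 10.20.0.0/24 10.20.0.0/24 udp 13000
allow 10.10.0.0/24 10.20.0.0/24 tcp 2009   # Stargate page must stay intra-cluster
allow 0.0.0.0/0    10.20.0.0/24 tcp 22     # SSH from anywhere, not just the admin net
"""
```

Running `audit(SAMPLE_RULES)` flags only the last two rules; a broader source such as 10.10.0.0/16 is also flagged, because only sources fully inside the admin subnet pass.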