There is no such thing as too many layers of security - Nutanix network ports

  • 10 October 2019
  • 2 replies

  • Nutanix Employee
Looking to strengthen security of your HCL cluster? Consider keeping only necessary ports open.

Following is the list of firewall ports that must be kept open to successfully access the Nutanix cluster.
  • Prism web console: 9440, 80
  • SSH to both CVM and Hypervisor: 22
  • Cluster remote support: 80, 8443
  • vCenter remote console: 443, 902, 903 from both the user host and vCenter
  • vCenter from Prism web console: 443, 80
  • Citrix MCS: virtual IP, Port 9440 (TCP)
  • Xtract for VMs (Move): ESXi hosts (TCP 443, 902); AHV (TCP and UDP 2049, 111)
Following is the list of ports that must be kept open for the 1-Click upgrade.
  • *.compute-*,443
  • and s3*
The information above is extracted from KB-1478, which also explains what to do when configuring the entire range of IP addresses for AWS is not acceptable and using FQDN wildcards is not an option supported by the firewall in the environment.

KB-1202 lists port numbers used for inter-CVM communication.

NX-series owners may find the NX Series Hardware Administration Guide on Firewall Port Requirements for IPMI useful as well.
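
One way to check a tightened firewall against the port list in the post above, as an added example (not from the original post or from Nutanix): it probes TCP ports from the machine it runs on and reports required ports that are blocked and other ports that still answer. The host address and the extra ports are constructed placeholders, and UDP (listed for Move on AHV) is not probed.

```python
import socket

# TCP ports copied from the post above, keyed by service.
# Target hosts are not given in the post; the caller supplies them.
REQUIRED_TCP = {
    "Prism web console": {9440, 80},
    "SSH to CVM and hypervisor": {22},
    "Cluster remote support": {80, 8443},
    "vCenter remote console": {443, 902, 903},
    "vCenter from Prism web console": {443, 80},
    "Citrix MCS (virtual IP)": {9440},
    "Move to ESXi hosts": {443, 902},
    "Move to AHV": {2049, 111},  # TCP side only; the post also lists UDP
}


def tcp_open(host, port, timeout=1.0):
    """Return True if a TCP connection to host:port completes within timeout."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:  # refused, unreachable, or silently dropped (timeout)
        return False


def audit(host, services, extra_ports=(), probe=tcp_open):
    """Compare what answers on host with the allow-list for the given services.

    Returns (blocked, unexpected):
      blocked    - required ports that do not answer (firewall too tight)
      unexpected - ports from extra_ports that answer although none of the
                   selected services needs them (firewall too loose)
    """
    required = set().union(*(REQUIRED_TCP[s] for s in services))
    candidates = required | set(extra_ports)
    reachable = {p for p in candidates if probe(host, p)}
    return sorted(required - reachable), sorted(reachable - required)


if __name__ == "__main__":
    # Constructed input: 192.0.2.10 is a documentation address standing in
    # for a CVM; 21, 23 and 3389 are arbitrary ports that should stay closed.
    blocked, unexpected = audit(
        "192.0.2.10",
        ["Prism web console", "SSH to CVM and hypervisor"],
        extra_ports=[21, 23, 3389],
    )
    print("required but blocked:", blocked)
    print("open but not required:", unexpected)
```

Run it from the network segment the users or management hosts sit in, since the result only describes the path between the probing machine and the target.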


2 replies


Thanks for paying attention to this.

My comments:

“vCenter remote console: 443, 902, 903 from both the user host and vCenter”

Why is this being listed at all? What does accessing a vCenter remote console for a VM, which can also be opened on a vSphere host without vCenter, have to do with accessing Nutanix and securing Nutanix CVMs behind a firewall?

Next, an explanation of what the ports are for, and traffic flow details, which in some cases you have loosely defined.

My advice: Try a table format, and have all Nutanix products in the list in an organized fashion; this way there is a single resource for all ports needed for all Nutanix services.





Hi @theGman,

Thank you for providing suggestions, most valuable.