Distributed Cloud Ports Reference

A number of ports must be available for various Distributed Cloud components to function correctly.

Table 1. Distributed Cloud port requirements

| Protocol | Port | Network | Description | System Controller | Subcloud | Initiator | Destination | Notes |
|---|---|---|---|---|---|---|---|---|
| tcp | 22 | oam | ssh | allowed | allowed | System Controller | Subclouds | For admin login |
| tcp | 22 | oam | ssh | allowed | allowed | Subclouds | System Controller | For admin login |
| tcp | 22 | mgmt | ssh | allowed | allowed | System Controller | Subclouds | |
| tcp | 22 | mgmt | ssh | allowed | allowed | Subclouds | System Controller | |
| udp | 123 | oam | ntp | allowed | allowed | Not used between System Controller and Subclouds | | |
| udp | 123 | mgmt | ntp | allowed | allowed | Not used between System Controller and Subclouds | | |
| udp | 161 | oam | snmp | allowed | allowed | Not used between System Controller and Subclouds | | |
| udp | 161 | mgmt | snmp | allowed | allowed | Not used between System Controller and Subclouds | | |
| udp | 162 | oam | snmp trap | allowed | allowed | System Controller | Subclouds | |
| udp | 162 | oam | snmp trap | allowed | allowed | Subclouds | System Controller | |
| udp | 162 | mgmt | snmp trap | allowed | allowed | System Controller | Subclouds | |
| udp | 162 | mgmt | snmp trap | allowed | allowed | Subclouds | System Controller | |
| tcp | 162 | oam | snmp trap | allowed | allowed | Not used between System Controller and Subclouds | | |
| tcp | 162 | mgmt | snmp trap | allowed | allowed | Not used between System Controller and Subclouds | | |
| tcp | 389 | oam | openLDAP | blocked (by gnp) | NA | Not used between System Controller and Subclouds | | |
| tcp | 389 | mgmt | openLDAP | allowed | NA | Subclouds | System Controller | LDAP service |
| tcp | 636 | oam | openLDAP | blocked (by gnp) | NA | Not used between System Controller and Subclouds | | |
| tcp | 636 | mgmt | openLDAP | allowed | NA | Subclouds | System Controller | LDAP service, https enabled |
| tcp | 873 | oam | rsyncd | blocked (by gnp) | blocked (by gnp) | Not used between System Controller and Subclouds | | Used for synchronizing patches among nodes |
| tcp | 873 | mgmt | rsyncd | allowed | allowed | Not used between System Controller and Subclouds | | Used for synchronizing patches among nodes |
| tcp/udp | 2049 | oam | nfs | blocked (by gnp) | blocked (by gnp) | Not used between System Controller and Subclouds | | Used for sharing data among nodes |
| tcp/udp | 2049 | mgmt | nfs | allowed | allowed | Not used between System Controller and Subclouds | | Used for sharing data among nodes |
| udp | 2222 | oam | sm | allowed | allowed | Not used between System Controller and Subclouds | | |
| udp | 2222 | mgmt | sm | allowed | NA | Not used between System Controller and Subclouds | | |
| udp | 2223 | oam | sm | allowed | NA | Not used between System Controller and Subclouds | | |
| tcp6 | 3300 | mgmt | ceph-mon | allowed | allowed | Not used between System Controller and Subclouds | | |
| tcp | 4545 | oam | stx-nfv | allowed (service public endpoint) | | Not used between System Controller and Subclouds | | vim-restapi public endpoint |
| tcp | 4545 | mgmt | stx-nfv | allowed (service internal endpoint) | | Not used between System Controller and Subclouds | | vim-restapi public endpoint |
| tcp | 4546 | mgmt | stx-nfv | allowed (service admin endpoint) | | System Controller | Subclouds | vim-restapi admin endpoint, https enabled |
| tcp | 4546 | mgmt | stx-nfv | allowed (service admin endpoint) | | Subclouds | System Controller | vim-restapi admin endpoint, https enabled |
| tcp | 5000 | oam | keystone-api | allowed (service public endpoint) | | Not used between System Controller and Subclouds | | |
| tcp | 5000 | mgmt | keystone-api | allowed (service internal endpoint) | | Not used between System Controller and Subclouds | | |
| tcp | 5001 | mgmt | keystone-api | allowed (service admin endpoint) | | System Controller | Subclouds | https enabled |
| tcp | 5001 | mgmt | keystone-api | allowed (service admin endpoint) | | Subclouds | System Controller | https enabled |
| tcp | 5432 | oam | postgres | blocked (by gnp) | blocked (by gnp) | Not used between System Controller and Subclouds | | postgres db serving port |
| tcp | 5432 | mgmt | postgres | allowed (serving port) | | Not used between System Controller and Subclouds | | postgres db serving port |
| tcp | 5491 | oam | patching-api | blocked (by gnp) | blocked (by gnp) | Not used between System Controller and Subclouds | | |
| tcp | 5491 | mgmt | patching-api | allowed (service internal endpoint) | | Not used between System Controller and Subclouds | | patching-api internal endpoint |
| tcp | 5492 | mgmt | patching-api | allowed (service admin endpoint) | | System Controller | Subclouds | patching-api admin endpoint, https enabled |
| tcp | 5492 | mgmt | patching-api | allowed (service admin endpoint) | | Subclouds | System Controller | patching-api admin endpoint, https enabled |
| tcp | 15491 | oam | patching-api | allowed (service public endpoint) | | Not used between System Controller and Subclouds | | patching-api public endpoint |
| tcp | 6385 | oam | sysinv-api | allowed (service public endpoint) | | Not used between System Controller and Subclouds | | |
| tcp | 6385 | mgmt | sysinv-api | allowed (service public endpoint) | | Not used between System Controller and Subclouds | | |
| tcp | 6386 | mgmt | sysinv-api | allowed (service public endpoint) | | System Controller | Subclouds | https enabled |
| tcp | 6386 | mgmt | sysinv-api | allowed (service public endpoint) | | Subclouds | System Controller | https enabled |
| tcp | 6443 | oam | K8s API server | allowed | allowed | Not used between System Controller and Subclouds | | https enabled |
| tcp | 6443 | mgmt | K8s API server | allowed | allowed | Not used between System Controller and Subclouds | | https enabled |
| tcp6 | 6789 | mgmt | ceph-mon | allowed | allowed | Not used between System Controller and Subclouds | | |
| tcp6 | 6800 | mgmt | ceph-mgr | allowed | allowed | Not used between System Controller and Subclouds | | |
| tcp6 | 6801 | mgmt | ceph-mgr | allowed | allowed | Not used between System Controller and Subclouds | | |
| tcp6 | 6802 | mgmt | ceph-mds | allowed | allowed | Not used between System Controller and Subclouds | | |
| tcp6 | 6803 | mgmt | ceph-mds | allowed | allowed | Not used between System Controller and Subclouds | | |
| tcp | 6804 | mgmt | ceph-mds | allowed | allowed | Not used between System Controller and Subclouds | | |
| tcp | 6805 | mgmt | ceph-mds | allowed | allowed | Not used between System Controller and Subclouds | | |
| tcp | 7777 | oam | stx-ha (sm) | allowed (service public endpoint) | | Not used between System Controller and Subclouds | | sm-api public endpoint |
| tcp | 7777 | mgmt | stx-ha (sm) | allowed (service internal endpoint) | | Not used between System Controller and Subclouds | | sm-api public endpoint |
| tcp | 7778 | mgmt | stx-ha (sm) | allowed (service admin endpoint) | | Not used between System Controller and Subclouds | | sm-api admin endpoint, https enabled |
| tcp6 | 7999 | mgmt | ceph-mgr | allowed | allowed | Not used between System Controller and Subclouds | | |
| tcp | 8080 | oam | horizon http | allowed | blocked (by gnp) | Not used between System Controller and Subclouds | | Not required if using https |
| tcp | 8080 | mgmt | horizon http | allowed | allowed | System Controller | Subclouds | Not required if using https |
| tcp | 8080 | mgmt | horizon http | allowed | allowed | Subclouds | System Controller | Not required if using https |
| tcp | 8119 | oam | stx-distcloud | allowed (service public endpoint) | NA | Not used between System Controller and Subclouds | | dcmanager-api |
| tcp | 8119 | mgmt | stx-distcloud | allowed (service public endpoint) | NA | Not used between System Controller and Subclouds | | dcmanager-api |
| tcp | 8120 | mgmt | stx-distcloud | allowed (service public endpoint) | NA | Not used between System Controller and Subclouds | | dcmanager-api, https enabled |
| tcp | 8219 | mgmt | dcdbsync-api | allowed (service internal endpoint) | | Not used between System Controller and Subclouds | | |
| tcp | 8220 | mgmt | dcdbsync-api | allowed (service admin endpoint) | | System Controller | Subclouds | https enabled |
| tcp | 8220 | mgmt | dcdbsync-api | allowed (service admin endpoint) | | Subclouds | System Controller | https enabled |
| tcp | 8443 | oam | horizon https | allowed | blocked (by gnp) | Not used between System Controller and Subclouds | | |
| tcp | 8443 | mgmt | horizon https | allowed | allowed | System Controller | Subclouds | |
| tcp | 8443 | mgmt | horizon https | allowed | allowed | Subclouds | System Controller | |
| tcp | 9001 | oam | Docker registry | allowed (serving port) | | System Controller | Subclouds | https enabled |
| tcp | 9001 | oam | Docker registry | allowed (serving port) | | Subclouds | System Controller | https enabled |
| tcp | 9001 | mgmt | Docker registry | allowed (serving port) | | System Controller | Subclouds | https enabled |
| tcp | 9001 | mgmt | Docker registry | allowed (serving port) | | Subclouds | System Controller | https enabled |
| tcp | 9002 | oam | Registry token server | allowed (serving port) | | System Controller | Subclouds | https enabled |
| tcp | 9002 | oam | Registry token server | allowed (serving port) | | Subclouds | System Controller | https enabled |
| tcp | 9002 | mgmt | Registry token server | allowed (serving port) | | System Controller | Subclouds | https enabled |
| tcp | 9002 | mgmt | Registry token server | allowed (serving port) | | Subclouds | System Controller | https enabled |
| tcp | 9311 | oam | barbican-api | allowed (service public endpoint) | | Not used between System Controller and Subclouds | | |
| tcp | 9311 | mgmt | barbican-api | allowed (service internal endpoint) | | Not used between System Controller and Subclouds | | |
| tcp | 9312 | mgmt | barbican-api | allowed (service admin endpoint) | | System Controller | Subclouds | https enabled |
| tcp | 9312 | mgmt | barbican-api | allowed (service admin endpoint) | | Subclouds | System Controller | https enabled |
| tcp | 11211 | mgmt | memcached | allowed (keystone cache backend) | | Not used between System Controller and Subclouds | | keystone cache backend |
| tcp | 18002 | oam | stx-fault | allowed (service public endpoint) | | Not used between System Controller and Subclouds | | |
| tcp | 18002 | mgmt | stx-fault | allowed (service internal endpoint) | | Not used between System Controller and Subclouds | | |
| tcp | 18003 | mgmt | stx-fault | allowed (service admin endpoint) | | System Controller | Subclouds | https enabled |
| tcp | 18003 | mgmt | stx-fault | allowed (service admin endpoint) | | Subclouds | System Controller | https enabled |
| icmp | NA | oam | icmp | allowed | allowed | Not used between System Controller and Subclouds | | The only exception is when using ICMP during subcloud installs. |
| icmp | NA | mgmt | icmp | allowed | allowed | Not used between System Controller and Subclouds | | The only exception is when using ICMP during subcloud installs. |
| tcp | 25491 | oam | dcorch-patch-api-proxy | allowed (service public endpoint) | NA | Not used between System Controller and Subclouds | | dcorch-patch-api-proxy public endpoint |
| tcp | 25491 | mgmt | dcorch-patch-api-proxy | allowed (service internal endpoint) | NA | Not used between System Controller and Subclouds | | dcorch-patch-api-proxy internal endpoint |
| tcp | 25492 | mgmt | dcorch-patch-api-proxy | allowed (service admin endpoint) | NA | Not used between System Controller and Subclouds | | dcorch-patch-api-proxy admin endpoint |
| tcp | 30001-30004 | mgmt | VIM | allowed | allowed | Not used between System Controller and Subclouds | | |
| tcp | 30555 | oam | OIDC Client | blocked (by gnp) | | Not used between System Controller and Subclouds | | Only when OIDC app is applied |
| tcp | 30555 | mgmt | OIDC Client | allowed (serving port) | | Not used between System Controller and Subclouds | | Only when OIDC app is applied |
| tcp | 30556 | oam | DEX OIDC Provider | blocked (by gnp) | | Not used between System Controller and Subclouds | | Only when OIDC app is applied |
| tcp | 30556 | mgmt | DEX OIDC Provider | allowed (serving port) | | Not used between System Controller and Subclouds | | Only when OIDC app is applied |
| tcp | 31001 | oam | Elastic Dashboard and API | allowed (NodePort) | NA | System Controller | Subclouds | Only when Analytics is applied, https enabled |
| tcp | 31001 | oam | Elastic Dashboard and API | allowed (NodePort) | NA | Subclouds | System Controller | Only when Analytics is applied, https enabled |
| tcp | 31001 | mgmt | Elastic Dashboard and API | allowed (NodePort) | NA | System Controller | Subclouds | Only when Analytics is applied, https enabled |
| tcp | 31001 | mgmt | Elastic Dashboard and API | allowed (NodePort) | NA | Subclouds | System Controller | Only when Analytics is applied, https enabled |
| tcp | 31090-31099 | oam | Kafka Brokers (NodePort) | allowed (NodePort) | NA | Not used between System Controller and Subclouds | | Only when Analytics is applied, https enabled |
| tcp | 31090-31099 | mgmt | Kafka Brokers (NodePort) | allowed (NodePort) | NA | Subclouds | System Controller | Only when Analytics is applied, https enabled |
| tcp | 32000 | oam | Kubernetes dashboard | allowed (NodePort) | allowed | Not used between System Controller and Subclouds | | Only when Kubernetes Dashboard is installed |
| tcp | 32000 | mgmt | Kubernetes dashboard | allowed (NodePort) | allowed | Not used between System Controller and Subclouds | | Only when Kubernetes Dashboard is installed |
| tcp | 32323 | oam | vim-webserver | blocked (by gnp) | blocked (by gnp) | Not used between System Controller and Subclouds | | |