Distributed Cloud Ports Reference
A number of ports must be available for various Distributed Cloud components to function correctly.
| Protocol | Port | Network | Description | System Controller | Subcloud | Initiator | Destination | Notes |
|---|---|---|---|---|---|---|---|---|
| tcp | 22 | oam | ssh | allowed | allowed | System Controller | Subclouds | For admin login |
| tcp | 22 | oam | ssh | allowed | allowed | Subclouds | System Controller | For admin login |
| tcp | 22 | mgmt | ssh | allowed | allowed | System Controller | Subclouds | |
| tcp | 22 | mgmt | ssh | allowed | allowed | Subclouds | System Controller | |
| udp | 123 | oam | ntp | allowed | allowed | Not used between System Controller and Subclouds | | |
| udp | 123 | mgmt | ntp | allowed | allowed | Not used between System Controller and Subclouds | | |
| udp | 161 | oam | snmp | allowed | allowed | Not used between System Controller and Subclouds | | |
| udp | 161 | mgmt | snmp | allowed | allowed | Not used between System Controller and Subclouds | | |
| udp | 162 | oam | snmp trap | allowed | allowed | System Controller | Subclouds | |
| udp | 162 | oam | snmp trap | allowed | allowed | Subclouds | System Controller | |
| udp | 162 | mgmt | snmp trap | allowed | allowed | System Controller | Subclouds | |
| udp | 162 | mgmt | snmp trap | allowed | allowed | Subclouds | System Controller | |
| tcp | 162 | oam | snmp trap | allowed | allowed | Not used between System Controller and Subclouds | | |
| tcp | 162 | mgmt | snmp trap | allowed | allowed | Not used between System Controller and Subclouds | | |
| tcp | 389 | oam | openLDAP | blocked (by gnp) | NA | Not used between System Controller and Subclouds | | |
| tcp | 389 | mgmt | openLDAP | allowed | NA | Subclouds | System Controller | LDAP service |
| tcp | 636 | oam | openLDAP | blocked (by gnp) | NA | Not used between System Controller and Subclouds | | |
| tcp | 636 | mgmt | openLDAP | allowed | NA | Subclouds | System Controller | LDAP service, https enabled |
| tcp | 873 | oam | rsyncd | blocked (by gnp) | blocked (by gnp) | Not used between System Controller and Subclouds | | Used for synchronizing patches among nodes |
| tcp | 873 | mgmt | rsyncd | allowed | allowed | Not used between System Controller and Subclouds | | Used for synchronizing patches among nodes |
| tcp/udp | 2049 | oam | nfs | blocked (by gnp) | blocked (by gnp) | Not used between System Controller and Subclouds | | Used for sharing data among nodes |
| tcp/udp | 2049 | mgmt | nfs | allowed | allowed | Not used between System Controller and Subclouds | | Used for sharing data among nodes |
| udp | 2222 | oam | sm | allowed | allowed | Not used between System Controller and Subclouds | | |
| udp | 2222 | mgmt | sm | allowed | NA | Not used between System Controller and Subclouds | | |
| udp | 2223 | oam | sm | allowed | NA | Not used between System Controller and Subclouds | | |
| tcp6 | 3300 | mgmt | ceph-mon | allowed | allowed | Not used between System Controller and Subclouds | | |
| tcp | 4545 | oam | stx-nfv | allowed (service public endpoint) | allowed (service public endpoint) | Not used between System Controller and Subclouds | | vim-restapi public endpoint |
| tcp | 4545 | mgmt | stx-nfv | allowed (service internal endpoint) | allowed (service internal endpoint) | Not used between System Controller and Subclouds | | vim-restapi public endpoint |
| tcp | 4546 | mgmt | stx-nfv | allowed (service admin endpoint) | allowed (service admin endpoint) | System Controller | Subclouds | vim-restapi admin endpoint, https enabled |
| tcp | 4546 | mgmt | stx-nfv | allowed (service admin endpoint) | allowed (service admin endpoint) | Subclouds | System Controller | vim-restapi admin endpoint, https enabled |
| tcp | 5000 | oam | keystone-api | allowed (service public endpoint) | allowed (service public endpoint) | Not used between System Controller and Subclouds | | |
| tcp | 5000 | mgmt | keystone-api | allowed (service internal endpoint) | allowed (service internal endpoint) | Not used between System Controller and Subclouds | | |
| tcp | 5001 | mgmt | keystone-api | allowed (service admin endpoint) | allowed (service admin endpoint) | System Controller | Subclouds | https enabled |
| tcp | 5001 | mgmt | keystone-api | allowed (service admin endpoint) | allowed (service admin endpoint) | Subclouds | System Controller | https enabled |
| tcp | 5432 | oam | postgres | blocked (by gnp) | blocked (by gnp) | Not used between System Controller and Subclouds | | postgres db serving port |
| tcp | 5432 | mgmt | postgres | allowed (serving port) | allowed (serving port) | Not used between System Controller and Subclouds | | postgres db serving port |
| tcp | 5491 | oam | patching-api | blocked (by gnp) | blocked (by gnp) | Not used between System Controller and Subclouds | | |
| tcp | 5491 | mgmt | patching-api | allowed (service internal endpoint) | allowed (service internal endpoint) | Not used between System Controller and Subclouds | | patching-api internal endpoint |
| tcp | 5492 | mgmt | patching-api | allowed (service admin endpoint) | allowed (service admin endpoint) | System Controller | Subclouds | patching-api admin endpoint, https enabled |
| tcp | 5492 | mgmt | patching-api | allowed (service admin endpoint) | allowed (service admin endpoint) | Subclouds | System Controller | patching-api admin endpoint, https enabled |
| tcp | 15491 | oam | patching-api | allowed (service public endpoint) | allowed (service public endpoint) | Not used between System Controller and Subclouds | | patching-api public endpoint |
| tcp | 6385 | oam | sysinv-api | allowed (service public endpoint) | allowed (service public endpoint) | Not used between System Controller and Subclouds | | |
| tcp | 6385 | mgmt | sysinv-api | allowed (service public endpoint) | allowed (service public endpoint) | Not used between System Controller and Subclouds | | |
| tcp | 6386 | mgmt | sysinv-api | allowed (service public endpoint) | allowed (service public endpoint) | System Controller | Subclouds | https enabled |
| tcp | 6386 | mgmt | sysinv-api | allowed (service public endpoint) | allowed (service public endpoint) | Subclouds | System Controller | https enabled |
| tcp | 6443 | oam | K8s API server | allowed | allowed | Not used between System Controller and Subclouds | | https enabled |
| tcp | 6443 | mgmt | K8s API server | allowed | allowed | Not used between System Controller and Subclouds | | https enabled |
| tcp6 | 6789 | mgmt | ceph-mon | allowed | allowed | Not used between System Controller and Subclouds | | |
| tcp6 | 6800 | mgmt | ceph-mgr | allowed | allowed | Not used between System Controller and Subclouds | | |
| tcp6 | 6801 | mgmt | ceph-mgr | allowed | allowed | Not used between System Controller and Subclouds | | |
| tcp6 | 6802 | mgmt | ceph-mds | allowed | allowed | Not used between System Controller and Subclouds | | |
| tcp6 | 6803 | mgmt | ceph-mds | allowed | allowed | Not used between System Controller and Subclouds | | |
| tcp | 6804 | mgmt | ceph-mds | allowed | allowed | Not used between System Controller and Subclouds | | |
| tcp | 6805 | mgmt | ceph-mds | allowed | allowed | Not used between System Controller and Subclouds | | |
| tcp | 7777 | oam | stx-ha (sm) | allowed (service public endpoint) | allowed (service public endpoint) | Not used between System Controller and Subclouds | | sm-api public endpoint |
| tcp | 7777 | mgmt | stx-ha (sm) | allowed (service internal endpoint) | allowed (service internal endpoint) | Not used between System Controller and Subclouds | | sm-api public endpoint |
| tcp | 7778 | mgmt | stx-ha (sm) | allowed (service admin endpoint) | allowed (service admin endpoint) | Not used between System Controller and Subclouds | | sm-api admin endpoint, https enabled |
| tcp6 | 7999 | mgmt | ceph-mgr | allowed | allowed | Not used between System Controller and Subclouds | | |
| tcp | 8080 | oam | horizon http | allowed | blocked (by gnp) | Not used between System Controller and Subclouds | | Not required if using https |
| tcp | 8080 | mgmt | horizon http | allowed | allowed | System Controller | Subclouds | Not required if using https |
| tcp | 8080 | mgmt | horizon http | allowed | allowed | Subclouds | System Controller | Not required if using https |
| tcp | 8119 | oam | stx-distcloud | allowed (service public endpoint) | NA | Not used between System Controller and Subclouds | | dcmanager-api |
| tcp | 8119 | mgmt | stx-distcloud | allowed (service public endpoint) | NA | Not used between System Controller and Subclouds | | dcmanager-api |
| tcp | 8120 | mgmt | stx-distcloud | allowed (service public endpoint) | NA | Not used between System Controller and Subclouds | | dcmanager-api, https enabled |
| tcp | 8219 | mgmt | dcdbsync-api | allowed (service internal endpoint) | allowed (service internal endpoint) | Not used between System Controller and Subclouds | | |
| tcp | 8220 | mgmt | dcdbsync-api | allowed (service admin endpoint) | allowed (service admin endpoint) | System Controller | Subclouds | https enabled |
| tcp | 8220 | mgmt | dcdbsync-api | allowed (service admin endpoint) | allowed (service admin endpoint) | Subclouds | System Controller | https enabled |
| tcp | 8443 | oam | horizon https | allowed | blocked (by gnp) | Not used between System Controller and Subclouds | | |
| tcp | 8443 | mgmt | horizon https | allowed | allowed | System Controller | Subclouds | |
| tcp | 8443 | mgmt | horizon https | allowed | allowed | Subclouds | System Controller | |
| tcp | 9001 | oam | Docker registry | allowed (serving port) | allowed (serving port) | System Controller | Subclouds | https enabled |
| tcp | 9001 | oam | Docker registry | allowed (serving port) | allowed (serving port) | Subclouds | System Controller | https enabled |
| tcp | 9001 | mgmt | Docker registry | allowed (serving port) | allowed (serving port) | System Controller | Subclouds | https enabled |
| tcp | 9001 | mgmt | Docker registry | allowed (serving port) | allowed (serving port) | Subclouds | System Controller | https enabled |
| tcp | 9002 | oam | Registry token server | allowed (serving port) | allowed (serving port) | System Controller | Subclouds | https enabled |
| tcp | 9002 | oam | Registry token server | allowed (serving port) | allowed (serving port) | Subclouds | System Controller | https enabled |
| tcp | 9002 | mgmt | Registry token server | allowed (serving port) | allowed (serving port) | System Controller | Subclouds | https enabled |
| tcp | 9002 | mgmt | Registry token server | allowed (serving port) | allowed (serving port) | Subclouds | System Controller | https enabled |
| tcp | 9311 | oam | barbican-api | allowed (service public endpoint) | allowed (service public endpoint) | Not used between System Controller and Subclouds | | |
| tcp | 9311 | mgmt | barbican-api | allowed (service internal endpoint) | allowed (service internal endpoint) | Not used between System Controller and Subclouds | | |
| tcp | 9312 | mgmt | barbican-api | allowed (service admin endpoint) | allowed (service admin endpoint) | System Controller | Subclouds | https enabled |
| tcp | 9312 | mgmt | barbican-api | allowed (service admin endpoint) | allowed (service admin endpoint) | Subclouds | System Controller | https enabled |
| tcp | 11211 | mgmt | memcached | allowed (keystone cache backend) | allowed (keystone cache backend) | Not used between System Controller and Subclouds | | keystone cache backend |
| tcp | 18002 | oam | stx-fault | allowed (service public endpoint) | allowed (service public endpoint) | Not used between System Controller and Subclouds | | |
| tcp | 18002 | mgmt | stx-fault | allowed (service internal endpoint) | allowed (service internal endpoint) | Not used between System Controller and Subclouds | | |
| tcp | 18003 | mgmt | stx-fault | allowed (service admin endpoint) | allowed (service admin endpoint) | System Controller | Subclouds | https enabled |
| tcp | 18003 | mgmt | stx-fault | allowed (service admin endpoint) | allowed (service admin endpoint) | Subclouds | System Controller | https enabled |
| icmp | NA | oam | icmp | allowed | allowed | Not used between System Controller and Subclouds. The only exception is when using ICMP during subcloud installs. | | |
| icmp | NA | mgmt | icmp | allowed | allowed | Not used between System Controller and Subclouds. The only exception is when using ICMP during subcloud installs. | | |
| tcp | 25491 | oam | dcorch-patch-api-proxy | allowed (service public endpoint) | NA | Not used between System Controller and Subclouds | | dcorch-patch-api-proxy public endpoint |
| tcp | 25491 | mgmt | dcorch-patch-api-proxy | allowed (service internal endpoint) | NA | Not used between System Controller and Subclouds | | dcorch-patch-api-proxy internal endpoint |
| tcp | 25492 | mgmt | dcorch-patch-api-proxy | allowed (service admin endpoint) | NA | Not used between System Controller and Subclouds | | dcorch-patch-api-proxy admin endpoint |
| tcp | 30001-30004 | mgmt | VIM | allowed | allowed | Not used between System Controller and Subclouds | | |
| tcp | 30555 | oam | OIDC Client | blocked (by gnp) | blocked (by gnp) | Not used between System Controller and Subclouds | | Only when OIDC app is applied |
| tcp | 30555 | mgmt | OIDC Client | allowed (serving port) | allowed (serving port) | Not used between System Controller and Subclouds | | Only when OIDC app is applied |
| tcp | 30556 | oam | DEX OIDC Provider | blocked (by gnp) | blocked (by gnp) | Not used between System Controller and Subclouds | | Only when OIDC app is applied |
| tcp | 30556 | mgmt | DEX OIDC Provider | allowed (serving port) | allowed (serving port) | Not used between System Controller and Subclouds | | Only when OIDC app is applied |
| tcp | 31001 | oam | Elastic Dashboard and API | allowed (NodePort) | NA | System Controller | Subclouds | Only when Analytics is applied, https enabled |
| tcp | 31001 | oam | Elastic Dashboard and API | allowed (NodePort) | NA | Subclouds | System Controller | Only when Analytics is applied, https enabled |
| tcp | 31001 | mgmt | Elastic Dashboard and API | allowed (NodePort) | NA | System Controller | Subclouds | Only when Analytics is applied, https enabled |
| tcp | 31001 | mgmt | Elastic Dashboard and API | allowed (NodePort) | NA | Subclouds | System Controller | Only when Analytics is applied, https enabled |
| tcp | 31090-31099 | oam | Kafka Brokers (NodePort) | allowed (NodePort) | NA | Not used between System Controller and Subclouds | | |
| tcp | 31090-31099 | mgmt | Kafka Brokers (NodePort) | allowed (NodePort) | NA | Subclouds | System Controller | Only when Analytics is applied, https enabled |
| tcp | 32000 | oam | Kubernetes dashboard | allowed (NodePort) | allowed | Not used between System Controller and Subclouds | | Only when Kubernetes Dashboard is installed |
| tcp | 32000 | mgmt | Kubernetes dashboard | allowed (NodePort) | allowed | Not used between System Controller and Subclouds | | Only when Kubernetes Dashboard is installed |
| tcp | 32323 | oam | vim-webserver | blocked (by gnp) | blocked (by gnp) | Not used between System Controller and Subclouds | | |