Required Ports

This page provides information for network administrators who need to configure firewalls in their infrastructure. Below is the list of ports that should be open to allow access to your OnApp cloud, if that is required to investigate and resolve your ticket.

OnApp uses a wide set of services and application protocols to operate cloud environments. Incorrect restrictions or traffic blocking can cause OnApp cloud malfunctions.

Avoid installing third-party software and utilities from unconfirmed sources. Such software may open a back door into an otherwise correctly protected environment.


OnApp Cloud communication networks are separated at layer 2 according to their functions.

If the cloud uses dedicated networks and all compute resource management NICs are directly connected using non-public IP addresses, external access to the cloud is controlled by a separate firewall device or by an IP filter applied to the Internet-facing NIC of the CP server.

Only the Control Panel server needs an Internet connection. Compute resource servers can run isolated from the public network, as their appliance NIC is used only by guest VS connections. CR servers do not need IP addresses assigned to their appliance NIC; this guarantees that the OS on a CR cannot use the appliance connection for IP communication.

There are OnApp Cloud deployments where components are distributed across different locations, so management traffic must use public IPs and travel over the Internet. In this scheme, cloud node management may be exposed to unauthorized access attempts by third parties.

To minimize the negative effects of brute-force or DDoS attacks, cloud nodes should be protected by appropriate traffic filtering. This can be done with separate specialized firewall devices or by configuring the Linux firewall on the CP server.

  • Do not block any communication between the Control Panel and compute resources. Where possible, we recommend that you add an explicit firewall rule permitting this traffic.
  • Monitis is used for autoscaling of servers built with OnApp versions prior to 4.2, until autoscaling is switched off for such server(s). In this case, virtual servers and the CP server require outbound access to monitis.com over ports 80/443.

The table below contains the list of protocols and application ports used by default in the OnApp Cloud platform. Depending on the cloud configuration, some application ports may be changed or not used at all.

Control Panel

Type: Control Panel Server Management Network

  Port           Description
  22             SSH connections from the outside world to compute resources and backup servers (inbound and outbound), which can be changed in Settings > Configuration > Defaults
  25             Email notifications (outbound only)
  111            Portmapper/rpcbind connection to compute resources (outbound only)
  161, 162       SNMP connection to compute resources and backup servers for stats gathering (outbound only)
  3162           Snmptrap port (inbound), can be changed in Settings > Configuration
  4995           vmon from compute resources (obsolete in 3.0)
  5672           RabbitMQ bundled with OnApp (inbound) and external RabbitMQ (outbound)
  8080           StorageAPI over the management network

Type: Control Panel Inbound Internet Connection

  Port           Description
  22             SSH connections from the outside world to compute resources and backup servers (inbound and outbound), which can be changed in Settings > Configuration > Defaults
  443            Licensing server for OnApp versions 5.0 and up (outbound only)
  80/443         Control Panel access (inbound only). Access to api.onappcdn.com for CDN provisioning (outbound only).
  5555           Licensing server for OnApp versions prior to 5.0 (outbound only). The hostname of the licensing server is licensing.onapp.com
  30000-40000    VS console ports (vnc_proxy, which can be changed in Settings > Configuration)

Type: Control Panel Server External Internet Communications

  Port                 Description
  22 (TCP)             SSH or Secure Shell console (command line) remote management connection
  25/587 (TCP)         SMTP email notifications
  53 (UDP/TCP)         DNS hostname to IP address lookup
  123 (UDP)            Network Time Protocol (NTP) for time synchronization in the cloud
  80/443 (TCP)         HTTP/HTTPS; different applications use these protocols and ports for the GUI and API
  5555 (TCP)           Licensing server for OnApp versions prior to 5.0 (outbound only). The hostname of the licensing server is licensing.onapp.com
  30000-30099 (TCP)    vnc_proxy, remote connection to the VS VNC GUI and CLI console

Type: Control Panel Server Cloud Internal Management Communications with CR, BS, and Other Servers

  Port                 Description
  22 (TCP)             SSH or Secure Shell console, remote management execution
  53 (UDP/TCP)         DNS hostname to IP address lookup
  67/68/69 (UDP)       DHCP (bootp) and TFTP for PXE CloudBoot of CR/BS
  111 (TCP)            Portmapper/rpcbind connection for NFS mounts on CP, CR, BS
  123 (UDP)            Network Time Protocol (NTP) for time synchronization in the cloud
  161/162 (UDP/TCP)    SNMP/SNMPtrap statistic data collection from, and trap signals to, CR/BS
  514 (UDP)            RSYSLOG accepts logging information from CloudBoot CR/BS
  8181 (TCP)           SDN controller (if configured)
  2049 (UDP/TCP)       NFS service on CP, CR, BS
  3162 (UDP)           SNMPtrap signal from CR to CP about VS status changes
  3260 (TCP)           iSCSI target service on CR
  3306 (TCP)           MySQL DB service (in case of a separate DB server)
  5672 (TCP)           RabbitMQ messaging service
  5700-5799 (TCP)      Websocket connections to VS consoles on CR
  5900-5999 (TCP)      VNC connections to VS consoles on CR
  8080 (TCP)           StorageAPI protocol to manage storage devices on CR/BS
  10050 (TCP)          Zabbix agent service on VSs with the autoscale option enabled
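
The guidance above (filter traffic on the CP server with the Linux firewall, never block Control Panel to compute resource traffic) can be turned into a concrete ruleset from the Control Panel table. The following is an added example and not part of the OnApp documentation or product: a POSIX shell function that generates an nftables ruleset for the Control Panel server. The management network CIDR, the SSH port and the optional separate DB server address are placeholders you pass as parameters; every port number is the default from the table above and must be changed if you changed it in Settings > Configuration. Inbound traffic from the management network is accepted entirely, as the bullet above requires; everything else is default-deny.

```shell
#!/bin/sh
# Added example, not OnApp's own code: build an nftables ruleset for the OnApp
# Control Panel server from the default ports listed on this page.
# Usage: gen_cp_ruleset <management-network-cidr> [ssh-port] [db-server-ip]
# Assumptions: the management CIDR, SSH port and DB server IP are placeholders
# you supply; all port numbers are the defaults from the Control Panel table and
# must be changed if you changed them in Settings > Configuration.
gen_cp_ruleset() {
  mgmt_net="$1"
  ssh_port="${2:-22}"
  db_server="${3:-}"

  # Outbound MySQL (3306/TCP) is only needed when a separate DB server exists.
  db_rule=""
  if [ -n "$db_server" ]; then
    db_rule="    ip daddr ${db_server} tcp dport 3306 accept"
  fi

  cat <<EOF
table inet onapp_cp {
  chain input {
    type filter hook input priority 0; policy drop;
    ct state established,related accept
    ct state invalid drop
    iif lo accept
    icmp type echo-request accept
    # Management network: do not block CP <-> compute resource / backup server traffic.
    # This covers SSH (${ssh_port}), snmptrap 3162/udp, rsyslog 514/udp, RabbitMQ 5672,
    # StorageAPI 8080, NFS 2049 and 111, and DHCP/TFTP for CloudBoot.
    ip saddr ${mgmt_net} accept
    # Public side: only the Control Panel GUI/API and the VS console proxy range.
    tcp dport { 80, 443 } accept
    tcp dport 30000-40000 accept
    # Administrative SSH from the outside world; restrict to admin source ranges where possible.
    tcp dport ${ssh_port} accept
    log prefix "onapp-cp-drop: " drop
  }
  chain output {
    type filter hook output priority 0; policy drop;
    ct state established,related accept
    oif lo accept
    # CP -> compute resources and backup servers on the management network.
    ip daddr ${mgmt_net} accept
${db_rule}
    # Internet services the CP needs: DNS, NTP, SMTP, licensing (443 for 5.0+, 5555 before),
    # api.onappcdn.com and monitis.com over 80/443.
    udp dport { 53, 123 } accept
    tcp dport { 53, 25, 587, 80, 443, 5555 } accept
    log prefix "onapp-cp-outdrop: " drop
  }
}
EOF
}

# Print the ruleset when run directly with arguments, for example:
#   sh onapp-cp-nft.sh 10.0.0.0/24 22 > onapp-cp.nft && nft -c -f onapp-cp.nft
if [ $# -gt 0 ]; then
  gen_cp_ruleset "$@"
fi
```

Check the generated file with `nft -c -f` before loading it, and load it from a console session rather than over SSH so that a mistake in the SSH rule cannot lock you out. The dropped-packet log prefixes give you a cheap way to spot a required port you forgot: anything from a compute resource that shows up in the log with the `onapp-cp-drop:` prefix is a sign that the management network CIDR you passed does not cover that host.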



The tables below provide the list of protocols and application ports used by the other applications in an OnApp Cloud deployment. Depending on the configuration, some application ports may be changed or not used at all.

Xen and KVM Compute Resources Management Network

  Port         Description
  22           SSH connections from the CP server (inbound and outbound), which can be changed in Settings > Configuration > Defaults
  161, 162     SNMP (for stats gathering)
  5700-5799    Websocket. Note: in this range, the second number is hypothetical. It should not be less than the number of VSs on your compute resource.
  5900-6000    VNC on the compute resources (inbound only). Note: in this range, the second number is hypothetical. It should not be less than the number of VSs on your compute resource.
  8080         StorageAPI over the management network

Zabbix Server

  Port           Description
  80             Control Panel server for deployment of a new autoscaling VS (inbound only)
  10050, 10051   Zabbix server for autoscaling

VMware Cloud Director and vCenter

  Port      Description
  Custom    An open outbound port is required to connect to VCD and vCenter. You can set a custom port; by default it is 443.

Virtual Server

  Port    Description
  22      SSH connections from the CP server (inbound only)

Application Server

  Port                      Description
  21                        FTP
  22                        SSH connections from the CP server (inbound only)
  25, 143, 567              Email services
  80, 443                   Apache
  2002, 2003, 2004, 2005    Application servers
  8009, 8080, 8443          Java

Backup Servers Management Network

  Port        Description
  22          SSH connections from the CP server (inbound only), which can be changed in Settings > Configuration > Defaults
  161, 162    SNMP (for stats gathering)
  2049        NFS connections from compute resources and the CP server (inbound only). The port is required only if NFS is used for backup/template storage.
  8080        StorageAPI over the management network

Integrated Storage

The CloudBoot management network requires the same ports as static compute resources, plus NFS and DHCP. The SAN network should not have port limits, must be separated, and should have only CloudBoot compute resources or backup servers attached to it.

CDN Edge Server

  Port            Direction
  TCP/22          inbound only
  TCP/80          inbound only
  TCP/443         inbound only
  TCP/1935        inbound only
  TCP/4949        inbound only
  TCP/5001        inbound only
  TCP/8081        inbound only
  TCP/8083        inbound only
  TCP/8084        inbound only
  TCP/8085        inbound only
  TCP/8086        inbound only
  TCP/UDP/554     inbound only
  TCP/UDP/53      outbound only
  TCP/80          outbound only
  TCP/443         outbound only
  TCP/5001        outbound only
  TCP/5667        outbound only
  TCP/5672        outbound only
  TCP/8080        outbound only
  TCP/8140        outbound only
  UDP/25826       outbound only