Nutanix Firewall Network Port List

Nutanix HCI Infra Network Port List

Nutanix HCI infrastructure has a predefined list of reserved network ports and web URLs that must be opened on the external (north-south) firewall for Nutanix components and services, including the BMC interface (IPMI, iLO, iRMC, iDRAC), the Controller VM (CVM), the Acropolis Hypervisor (AHV), software upgrades, 1-Click Upgrade, Life Cycle Management (LCM), SMTP, remote support, Pulse, email alerts, Data Protection, Prism and Prism Central.

I will share detailed information on the Nutanix HCI infrastructure, cluster, component and service network ports in the following sections:

Nutanix BMC / IPMI / iLO / iRMC / iDRAC / Network Port list
Nutanix Controller-VM: CVM Network Port list
Nutanix Acropolis Hypervisor: AHV Network Port List
Prism and Prism Central Network Port List
One click Software Upgrade Network Port List
LCM Firmware Network Port List
SMTP Network Port List
Nutanix Remote Tunnel Support Network Port List
Nutanix Cluster Alert Message Via E-mail Network Port List
Data Protection Network Port List
Nutanix Pulse Network Port List

Let's explore the Nutanix cluster infrastructure network port list one by one below:

Nutanix Hardware Management Network Port List

Nutanix requires the BMC hardware management interface network ports to be open on the external firewall if you want to access IPMI / iLO / iDRAC / iRMC from outside the LAN.

The Nutanix hardware management BMC interface (IPMI / iLO / iRMC / iDRAC) network port list:

Source : Nutanix HW IPMI / iLO / iRMC / iDRAC IP Address
Protocol: Port : TCP:22, TCP:80, TCP:443, TCP:5900, UDP/TCP:623
Service : Respectively SSH, HTTP, HTTPS, VNC, Virtual Media

Read also : How to secure and harden the Nutanix IPMI interface in the data center

Nutanix Controller-VM CVM Network Ports

Nutanix standalone Controller VM (CVM) internal service network ports, with protocol and service, are listed below.

Source : Nutanix Controller-VM CVM
Protocol : TCP only
Service : As per below table
Network Port : Nutanix CVM network port list below
Firewall State : Not required: these network ports are used for Nutanix CVM internal service communication only.

Port / Protocol    Service
22/tcp             ssh
80/tcp             http
111/tcp            rpcbind
445/tcp            microsoft-ds
2009/tcp           news
2010/tcp           search
2013/tcp           raid-am
2020/tcp           xinupageserver
2022/tcp           down
2030/tcp           device2
2033/tcp           glogger
2035/tcp           imsldoc
2038/tcp           objectmanager
2040/tcp           lam
2041/tcp           interbase
2042/tcp           isis
2049/tcp           nfs
2099/tcp           h2250-annex-g
2100/tcp           amiganetfs
2103/tcp           zephyr-clt
2222/tcp           EtherNetIP-1
2525/tcp           ms-v-worlds
2601/tcp           zebra
2602/tcp           ripd
2605/tcp           bgpd
3260/tcp           iscsi
3261/tcp           winshadow
5000/tcp           upnp
5989/tcp           wbem-https
7000/tcp           afs3-fileserver
7777/tcp           cbt
7778/tcp           interwise
8080/tcp           http-proxy
8081/tcp           blackice-icecap
9080/tcp           glrpc
9081/tcp           cisco-aqos
9876/tcp           sd
9877/tcp           unknown


The Nutanix Controller VM (CVM) network ports above are required for the Nutanix CVM services to communicate with other services.

Read also : How Nutanix CVMs communicate with each other in a cluster: Nutanix Controller-VM CVM to CVM Communication Network Port List

Nutanix AHV Network Ports

Nutanix Acropolis Hypervisor (AHV) requires only one network port, 22 / SSH, for communication between the Nutanix Controller VM (CVM) and other AHV hosts in the Nutanix infrastructure.

Source : Nutanix Acropolis Hypervisor AHV
Protocol: Port : TCP:22
Service : SSH

Nutanix Prism Network Port

Nutanix Prism Element and Prism Central both use the same port numbers, 80 and 9440, to access the Prism UI, including REST API calls, PowerShell (PoSH) cmdlets and remote ncli, as the Prism-as-a-Service web console used to access the Nutanix cluster from a web browser.

Source IP Address : Nutanix Prism and Prism Central
Protocol: Port : TCP:80, TCP:9440
Service : Respectively HTTP, HTTPS

Read also : What is Nutanix Prism as Service Core Architecture explained

Nutanix HCI Network Ports Audit

Every organization has to perform a Vulnerability Assessment and Penetration Testing (VAPT) audit to secure its IT devices. Nutanix HCI (AHV, CVM, Prism) has a default list of network ports that are open for cluster functionality and are needed for the VAPT audit.

Nutanix HCI appliance default network port list for the Vulnerability Assessment and Penetration Testing (VAPT) audit:

IPMI Ports      AHV Hypervisor Ports    Controller VM - CVM Ports
22 / TCP        22 / TCP                22 / TCP
80 / TCP                                80 / TCP
443 / TCP                               111 / TCP
623 / TCP                               443 / TCP
5900 / TCP                              445 / TCP
                                        2020 / TCP
                                        2222 / TCP
                                        3260 / TCP
                                        3261 / TCP
                                        5989 / TCP

Note: The network ports above may vary by AHV and AOS version.
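A practical way to use the VAPT table above is as a per-role baseline: anything listening beyond it on an IPMI, AHV or CVM address is a finding, and a baseline port that is not listening is worth a second look. The script below is an added example, not Nutanix code; the host addresses, the role labels and the scan records are constructed, and the port sets are copied from the table.

```python
"""Baseline check of observed open TCP ports on Nutanix nodes against the
per-role VAPT table above (IPMI/BMC, AHV host, Controller VM).
Added example, not Nutanix code; the scan records below are constructed."""
from typing import Dict, List, Set, Tuple

# Expected TCP ports per role, copied from the VAPT audit table above.
BASELINE: Dict[str, Set[int]] = {
    "ipmi": {22, 80, 443, 623, 5900},
    "ahv": {22},
    "cvm": {22, 80, 111, 443, 445, 2020, 2222, 3260, 3261, 5989},
}

# Constructed scan records: "host role port/proto state" (one per line).
# The IPMI host shows an extra telnet listener and the AHV host an extra
# 8080 listener; one expected CVM port is closed.
SCAN_RECORDS = """\
10.0.10.11 ipmi 22/tcp open
10.0.10.11 ipmi 23/tcp open
10.0.10.11 ipmi 80/tcp open
10.0.10.11 ipmi 443/tcp open
10.0.10.11 ipmi 623/tcp open
10.0.10.11 ipmi 5900/tcp open
10.0.20.11 ahv 22/tcp open
10.0.20.11 ahv 8080/tcp open
10.0.30.11 cvm 22/tcp open
10.0.30.11 cvm 80/tcp open
10.0.30.11 cvm 111/tcp open
10.0.30.11 cvm 443/tcp open
10.0.30.11 cvm 445/tcp open
10.0.30.11 cvm 2020/tcp open
10.0.30.11 cvm 2222/tcp open
10.0.30.11 cvm 3260/tcp open
10.0.30.11 cvm 3261/tcp open
10.0.30.11 cvm 5989/tcp closed
"""

Host = Tuple[str, str]  # (ip address, role)

def parse_scan(text: str) -> Dict[Host, Set[int]]:
    """Collect the open TCP ports per (host, role); malformed lines are skipped."""
    open_ports: Dict[Host, Set[int]] = {}
    for line in text.splitlines():
        fields = line.split()
        if len(fields) != 4:
            continue  # malformed record
        host, role, port_proto, state = fields
        port, proto = port_proto.split("/", 1)
        # Register the host even for a closed port so missing ports get reported.
        ports = open_ports.setdefault((host, role), set())
        if proto == "tcp" and state == "open":
            ports.add(int(port))
    return open_ports

def audit(observed: Dict[Host, Set[int]]) -> List[dict]:
    """Report ports open beyond the baseline and baseline ports not listening."""
    findings: List[dict] = []
    for (host, role), ports in sorted(observed.items()):
        expected = BASELINE.get(role)
        if expected is None:
            findings.append({"host": host, "role": role,
                             "issue": "unknown role", "ports": []})
            continue
        extra = sorted(ports - expected)
        if extra:
            findings.append({"host": host, "role": role,
                             "issue": "unexpected open ports", "ports": extra})
        missing = sorted(expected - ports)
        if missing:
            findings.append({"host": host, "role": role,
                             "issue": "baseline ports not listening", "ports": missing})
    return findings

if __name__ == "__main__":
    for f in audit(parse_scan(SCAN_RECORDS)):
        print(f"{f['host']:<12} {f['role']:<5} {f['issue']}: {f['ports']}")
```

Feed it the open-port output of your own scanner in the same "host role port/proto state" shape; because the note above says the ports vary by AHV and AOS version, re-check the BASELINE sets against the release you run before treating a difference as a finding.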

Nutanix Software Upgrade Network Port

If you want to use the Nutanix 1-Click Upgrade feature to upgrade Nutanix software online (e.g. AOS, AHV, NCC and Foundation), you need to allow a couple of network ports and public web URLs on the external firewall so the cluster can fetch and download the software update(s) from the authorized Nutanix online software repository.

Source IP Address : All Nutanix Controller-VM CVM IP Address
Protocol: Port : TCP:80, TCP:443
Service : HTTP and HTTPS
Firewall Policy : Allow
Destination URL : *.compute-*.amazonaws.com:80 / 443 , ntnx-portal.s3.amazonaws.com , s3*.amazonaws.com , release-api.nutanix.com:80

Nutanix LCM Upgrade Network Port

Nutanix hardware upgrade through the LCM framework is supported on the Nutanix AHV and VMware ESXi hypervisors only. To upgrade hardware firmware and software online (e.g. SATADOM, BMC, BIOS, HBA card, disks and Calm) through the Nutanix LCM framework, the following network ports must be allowed on the external firewall.

Nutanix LCM framework network port and web URL list:

Source IP Address : All Nutanix Controller-VM CVM IP Address
Protocol: Port : TCP:80, TCP:443
Service : HTTP and HTTPS
Firewall Policy : Allow
Destination URL : download.nutanix.com

Read also : How to troubleshoot Nutanix LCM upgrade Process failed

Nutanix Cluster Alerts Network Port

If you don't have an SMTP server but want to send Nutanix cluster alerts to email recipients, you need to allow the web URL so the Nutanix cluster can send the alerts to the Nutanix Insights server.

Source IP Address : All Nutanix Controller-VM CVM / Prism Central IP Address
Protocol: Port : TCP:443
Service : HTTPS
Firewall Policy : Allow
Destination URL : insights.nutanix.com and recipient email addresses

Read also : Why Nutanix Adopted Web-Scale Infrastructure Concept ?

Nutanix Cluster Pulse Network Port

If you have enabled the Nutanix Pulse feature for proactive support, which sends the current cluster health report to Nutanix Support via email, you need to allow the Nutanix alert network ports on the external firewall.

Use Case 1 : Using an SMTP Server : If your organization's security policy does not allow network ports 80 and 8443 to be opened on the external firewall, you can send the Pulse messages through any accessible local SMTP server; it just needs to be configured in the Prism UI.

Source IP Address : SMTP Server IP Address
Protocol: Port : TCP:25, 465, 587
Service : Respectively SMTP, SSL, TLS
Firewall Policy : Not required for a local SMTP server
Destination E-mail_ID : nos-alerts@nutanix.com and nos-asups@nutanix.com

Use Case 2 : Without an SMTP Server : If your organization doesn't have an SMTP server but you want to send the Nutanix cluster health report via Pulse to Nutanix Support for proactive support, you need to allow the following network ports and web URLs on the external firewall:

Source IP Address : All Nutanix CVM / Prism Central IP Address
Protocol: Port : TCP- 443, 80, 8443
Service : Respectively HTTPS, HTTP, SSH
Firewall Policy : Allow
Destination URL : insights.nutanix.com: 443, nsc01.nutanix.net: 80/8443, nsc02.nutanix.net:80/8443

Note :
Pulse messages are not HTTP formatted, so if you use a firewall that only allows HTTP traffic through port 80, Pulse requires access through port 8443.
Pulse uses the SSH protocol for communication through the firewall.

Nutanix Move Firewall Port List

The Nutanix Move tool requires a list of firewall ports to be allowed on the external firewall for communication and migration. The Nutanix Move firewall port list covers VMware, Hyper-V, AWS etc. See my other post: Nutanix Move Firewall Port List

Remote Support Network Port

Nutanix provides a built-in Remote Support Tunnel feature in Prism so that, if the customer allows it, Nutanix Support can access the Nutanix Acropolis cluster through the CVM's secure tunnel service, over a network port using the SSH protocol, and troubleshoot directly on the cluster without any third-party remote desktop software.

The remote support service is built into the Nutanix cluster to access the cluster through a secure tunnel over the internet.

Source IP Address : All Nutanix CVM / Prism Central IP Address
Protocol: Port : TCP- 80, 8443
Service : Respectively HTTP, SSH
Firewall Policy : Allow
Destination URL : nsc01.nutanix.net: 80/8443, nsc02.nutanix.net:80/8443

Data Protection Network Port

Nutanix Data Protection is the built-in feature for creating a remote site as DR and replicating containers, VMs and volume groups to the DR site, to keep your data safe in case of a primary site disaster.

To use the Nutanix Data Protection feature, a few network ports must be allowed on the external firewall for communication between the primary (PR) and DR sites.

Nutanix Data Protection network port list:

Source IP Address : Primary Site all Nutanix CVM / Prism IP Address
Protocol: Port : TCP- 2009 / 2020 AOS Communication, UDP:53 ( DNS ), HTTPS: 443 ( Azure, AWS Communication ), TCP:22 ( Nutanix CVM Communication ) and TCP:3000
Service : Respectively above mentioned
Firewall Policy : Allow
Destination : DR Site all Nutanix CVM / Prism IP Address
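The outbound sections above (1-Click Upgrade, LCM, cluster alerts, Pulse, remote support) and the site-to-site Data Protection list together form an egress allowlist for the CVMs and Prism Central. The script below encodes that allowlist and checks constructed connection records against it, so you can verify a proposed firewall rule set or flow-log export before relying on it. It is an added example, not Nutanix code: the CVM / Prism Central source subnets, the DR-site subnet and the records are assumptions; the destinations and ports are exactly those the sections list, so release-api.nutanix.com is allowed on port 80 only, as written above.

```python
"""Check outbound connection records from Nutanix CVMs / Prism Central against
the allowlist assembled from the upgrade, LCM, alert, Pulse, remote support and
data protection sections above. Added example, not Nutanix code; the source
subnets, DR-site subnet and log records are constructed assumptions."""
from fnmatch import fnmatchcase
from ipaddress import ip_address, ip_network
from typing import FrozenSet, List, Tuple

# Constructed: subnets holding the CVMs and Prism Central (assumption).
SOURCES = [ip_network("10.0.30.0/24"), ip_network("10.0.40.5/32")]
# Constructed: CVM / Prism subnet of the DR site (assumption).
DR_SITE = "10.1.0.0/24"

# (purpose, destination, protocol, ports). Destinations are hostname globs
# (fnmatch syntax) or CIDR blocks; ports are exactly those the sections list.
Rule = Tuple[str, str, str, FrozenSet[int]]
ALLOW: List[Rule] = [
    ("1-Click upgrade", "*.compute-*.amazonaws.com", "tcp", frozenset({80, 443})),
    ("1-Click upgrade", "ntnx-portal.s3.amazonaws.com", "tcp", frozenset({80, 443})),
    ("1-Click upgrade", "s3*.amazonaws.com", "tcp", frozenset({80, 443})),
    ("1-Click upgrade", "release-api.nutanix.com", "tcp", frozenset({80})),
    ("LCM", "download.nutanix.com", "tcp", frozenset({80, 443})),
    ("alerts / Pulse", "insights.nutanix.com", "tcp", frozenset({443})),
    ("Pulse / remote support", "nsc0[12].nutanix.net", "tcp", frozenset({80, 8443})),
    ("data protection", DR_SITE, "tcp", frozenset({22, 443, 2009, 2020, 3000})),
    ("data protection", DR_SITE, "udp", frozenset({53})),
]

def dest_matches(pattern: str, dest: str) -> bool:
    """CIDR rules need an IP destination; hostname rules use glob matching."""
    if "/" in pattern:
        try:
            return ip_address(dest) in ip_network(pattern)
        except ValueError:
            return False  # a hostname cannot satisfy a CIDR rule
    return fnmatchcase(dest.lower(), pattern.lower())

def evaluate(record: str) -> Tuple[str, str]:
    """Return ("allow" | "deny", reason) for a "src dest proto/port" record."""
    src, dest, proto_port = record.split()
    proto, port_text = proto_port.split("/", 1)
    port = int(port_text)
    if not any(ip_address(src) in net for net in SOURCES):
        return "deny", "source is not a CVM / Prism Central address"
    for purpose, pattern, rule_proto, ports in ALLOW:
        if proto == rule_proto and port in ports and dest_matches(pattern, dest):
            return "allow", purpose
    return "deny", "no allowlist entry for this destination and port"

def evaluate_all(text: str) -> List[Tuple[str, str, str]]:
    """Evaluate every non-empty record; returns (record, verdict, reason)."""
    return [(r, *evaluate(r)) for r in text.splitlines() if r.strip()]

# Constructed connection records: "src dest proto/port".
RECORDS = """\
10.0.30.11 download.nutanix.com tcp/443
10.0.30.11 release-api.nutanix.com tcp/443
10.0.30.12 insights.nutanix.com tcp/443
10.0.30.12 nsc02.nutanix.net tcp/8443
10.0.30.13 s3-us-west-2.amazonaws.com tcp/443
10.0.30.13 updates.example.net tcp/443
10.0.30.14 10.1.0.21 udp/53
10.0.30.14 10.1.0.21 tcp/3389
10.0.50.9 download.nutanix.com tcp/443
"""

if __name__ == "__main__":
    for record, verdict, reason in evaluate_all(RECORDS):
        print(f"{verdict:<5} {record:<45} {reason}")
```

The hostname rules assume the destination is logged by name (proxy or DNS-resolved flow log); a firewall that only sees addresses will need the wildcard AWS entries resolved to address ranges, which is why the DR-site rule is written as a CIDR instead.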

Conclusion

The Nutanix HCI infrastructure started out using a dozen network ports for the Nutanix CVM, AHV, Prism, Pulse, SMTP etc., but the list has now reached hundreds of network ports. It is not possible to remember every port, so I wrote this blog to note them down on a single page to help all Nutanix users.

I hope this Nutanix network port list blog helps you understand in detail each network port used by Nutanix in the infrastructure.

Thanks for being with HyperHCI Tech Blog!