Ports used by PowerVC

This topic lists ports used by PowerVC for inbound and outbound traffic. This topic also lists the local ports PowerVC uses on the management server.

The host must be reserved for PowerVC and the operating system on which it runs. No additional software should be installed on the management server.

No firewall configuration is done by default during PowerVC installation. The -c firewall install option can be used to do some rough automatic firewall configuration, disabling firewalld and enabling iptables with PowerVC-specific rules on the PowerVC management system. However, this is not generally recommended. Appropriate firewall configuration can be complex and specific to your environment, so the recommended approach is to configure your firewall manually based on the information given in the following table. Also, note that even with -c firewall, additional firewall configuration might be necessary on network firewalls or registered compute hosts, which PowerVC does not touch, or if PowerVC is upgraded to a newer version that introduces additional port requirements. For production environments, consult your system and firewall administrators.

Notes:
  • If you are having connectivity issues, the firewall is likely causing the problem. Only apply firewall rules to external-facing devices, like br-ex. Do not apply them to the internal devices such as br-tun, br-int, tap devices, or others. To determine whether the firewall is the problem, disable the firewall for a short time; if connectivity is restored, the rules are incorrect.
  • Restarting firewalld services resets the iptables settings configured by PowerVC. This happens when you have already run the ./install -c firewall option.

Ports used on the management server

Table 1. Ports used on the management server

Traffic direction   Port     Usage                                                                                        Protocol
Inbound             80 (1)   Apache HTTPD Web Server                                                                      TCP (HTTP)
Inbound             443      Apache HTTPD Web Server                                                                      TCP (HTTPS)
Inbound             873      swift                                                                                        TCP (HTTPS)
Inbound             5000     keystone                                                                                     TCP (HTTPS)
Inbound             5470     bumblebee                                                                                    TCP (HTTPS)
Inbound             5671     rabbitmq                                                                                     TCP (AMQPS)
Inbound             8041     gnocchi                                                                                      TCP (HTTPS)
Inbound             8080     swift                                                                                        TCP (HTTPS)
Inbound             8428     validator                                                                                    TCP (HTTPS)
Inbound             8774     nova                                                                                         TCP (HTTPS)
Inbound             8778     panko                                                                                        TCP (HTTPS)
Inbound             8998     clerk                                                                                        TCP (HTTPS)
Inbound             9000     cinder                                                                                       TCP (HTTPS)
Inbound             9292     glance                                                                                       TCP (HTTPS)
Inbound             9696     neutron                                                                                      TCP (HTTPS)
Inbound             35357    keystone                                                                                     TCP (HTTPS)
Outbound            Allow    ICMP ping                                                                                    ICMP
Outbound            22       Brocade and Cisco Fibre Channel switches, the IBM® Storwize® family, and PowerVM® NovaLink hosts   TCP (SSH)
Outbound            389      LDAP client                                                                                  TCP and UDP (LDAP)
Outbound            443      HMC; Brocade HTTPS                                                                           TCP (SSH)
Outbound            636      LDAP client                                                                                  LDAPS
Outbound            5989     EMC PowerMax                                                                                 TCP (HTTPS)
Outbound            5901     NovaLink console                                                                             TCP (RFB)
Outbound            8452     IBM DS8000®                                                                                  TCP (HTTPS)
Outbound            12443    HMC                                                                                          HTTPS
  • (1): Only redirects to port 443. You can disable it if you want users to use port 443 only.
Note: The Hitachi Configuration Manager REST API server port specified during Hitachi storage provider registration is used as the source port for outbound calls to the Hitachi Configuration Manager REST API server to manage Hitachi storage controllers.

Ports used by PowerVC on the management server

The ports listed in the following table are used by PowerVC on the management server. These are used internally and are neither inbound nor outbound.

Table 2. Ports used by PowerVC on the management server

Port            Usage
1883            MQTT clients without and with TLS
2181            zookeeper
2224            pacemaker
2888            zookeeper
3888            zookeeper
3121            pacemaker
4369            epmd
4444            galera
4567            galera
4568            galera
5403            pacemaker
5405            pacemaker and corosync
6080            nova-novncproxy
6200            swift-object-service
6201            swift-container-service
6202            swift-account-service
7869            lim
7870            vemkd
7871            pem
7872            egosc
8002            ui-server
8081            zookeeper
8780            placement
8883            MQTT clients without and with TLS
9001            haproxy
9200, 9202-9214 haproxy health check
9191            glance-registry
9929            pacemaker
11211           memcached
15672           rabbitmqadmin
15674           STOMP-over-WebSockets clients
15675           MQTT-over-WebSockets clients
15692           Prometheus metrics
21064           pacemaker
25671           rabbitmq-dist
25672           rabbitmq-dist
27017           mongodb
35672-35682     Used by CLI tools (Erlang distribution client ports)
50110           DB and galera
61613-61614     STOMP clients without and with TLS

For PowerVC to successfully register a NovaLink host, the NovaLink host's firewall must allow inbound traffic for port 22. All other ports in the following table are also required for proper operation.

Table 3. Ports used on NovaLink managed hosts

Traffic direction   Port    Usage              Protocol
Inbound             Allow   ICMP ping          ICMP
Inbound             22      Secure shell       TCP (SSH)
Inbound             5901    NovaLink console   TCP (RFB)
Outbound            5000    keystone           TCP (HTTPS)
Outbound            5671    rabbitmq           TCP (AMQPS)
Outbound            8080    swift              TCP (HTTPS)
Outbound            8774    nova               TCP (HTTPS)
Outbound            9000    cinder             TCP (HTTPS)
Outbound            9292    glance             TCP (HTTPS)
Outbound            9696    neutron            TCP (HTTPS)

Ports used by PowerVC monitoring services

PowerVC uses the following ports on the monitoring services. These ports are used for inter-service communication and must be open for both inbound and outbound traffic between all controller nodes of the PowerVC cluster. In addition, Kibana has a client port that must be reachable by any web clients that need to connect to it.

Table 4. Ports used by PowerVC on the monitoring services

Port   Usage                                 Protocol
5044   logstash-filebeat connection          TCP (UDP)
5601   kibana client port (outbound only)    TCP (HTTPS)
8443   kibana application port               TCP (UDP)
9201   elasticsearch-logstash connection     TCP (HTTPS)
9301   elasticsearch application port        TCP (UDP)
9601   logstash application port             TCP (UDP)
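The introduction recommends configuring the firewall manually from these tables rather than with the -c firewall option. The following POSIX shell script is an added example, not part of the PowerVC documentation or product: it turns the inbound TCP ports of Table 1 (management server), Table 3 (NovaLink host) and the inter-node ports of Table 4 (monitoring services) into firewalld commands. The role names, the DRY_RUN switch, the helper names and the choice of firewalld (the RHEL default, as opposed to the iptables rules that -c firewall installs) are this example's own assumptions; the port numbers are taken from the tables above.

```shell
#!/bin/sh
# Added example, not from the PowerVC documentation or product: emit the
# firewalld commands that open the inbound TCP ports from Table 1 (management
# server), Table 3 (NovaLink host) or Table 4 (monitoring/controller node).
# The role names and the DRY_RUN switch are this script's own conventions.

# Inbound TCP ports on the management server (Table 1).
PVC_MGMT_INBOUND_TCP="443 873 5000 5470 5671 8041 8080 8428 8774 8778 8998 9000 9292 9696 35357"
# Port 80 only redirects to 443 (footnote 1 of Table 1); opened only on request.
PVC_MGMT_HTTP_REDIRECT="80"
# Inbound TCP ports on a NovaLink managed host (Table 3).
PVC_NOVALINK_INBOUND_TCP="22 5901"
# Inter-service ports between controller nodes (Table 4). 5601 is left out
# because it is reached by Kibana's web clients, not by the other nodes.
PVC_MONITORING_TCP="5044 8443 9201 9301 9601"

# Print the command when DRY_RUN=1, otherwise execute it (needs root).
run_cmd() {
    if [ "${DRY_RUN:-0}" = "1" ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# powervc_firewall_rules ROLE [yes]
#   ROLE is management, novalink or monitoring; the optional second argument
#   "yes" also opens the port 80 redirect on the management server.
powervc_firewall_rules() {
    role=$1
    allow_http=${2:-no}
    case "$role" in
        management)
            ports=$PVC_MGMT_INBOUND_TCP
            if [ "$allow_http" = "yes" ]; then
                ports="$PVC_MGMT_HTTP_REDIRECT $ports"
            fi
            ;;
        novalink)   ports=$PVC_NOVALINK_INBOUND_TCP ;;
        monitoring) ports=$PVC_MONITORING_TCP ;;
        *)
            echo "usage: powervc_firewall_rules management|novalink|monitoring [yes]" >&2
            return 1
            ;;
    esac
    # One permanent rule per port, then a reload so the runtime set matches.
    for p in $ports; do
        run_cmd firewall-cmd --permanent --add-port="$p/tcp"
    done
    run_cmd firewall-cmd --reload
}

# powervc_port_count ROLE [yes]: number of ports the role would open, which is
# a quick check that the table was transcribed completely (15 for management).
powervc_port_count() {
    ( DRY_RUN=1; powervc_firewall_rules "$@" ) | grep -c -- '--add-port='
}

# Command-line use: DRY_RUN=1 sh powervc-fw.sh management yes
if [ "$#" -gt 0 ]; then
    powervc_firewall_rules "$@"
fi
```

Run it with DRY_RUN=1 first and compare the printed commands against the table for the node's role before applying them for real. The ports of Table 2 are deliberately absent: they are local to the management server and need no inbound rule, and network firewalls between the management server and the hosts or storage devices still have to be configured separately for the outbound rows of Table 1.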

Ports used by PowerVC compute plane node

PowerVC uses the following ports on the compute plane node.

Table 5. Ports used by PowerVC on compute plane node

Port   Usage                                                              Protocol
2224   management nodes and compute plane (both inbound and outbound)     TCP
2224   pacemaker_pcsd communication                                       TCP
3121   pacemaker_remote                                                   TCP