Ports used by PowerVC

This topic lists ports used by PowerVC for inbound and outbound traffic. This topic also lists the local ports PowerVC uses on the management server.

The host must be reserved for PowerVC and the operating system on which it runs. Do not install any additional software on the management server.

No firewall configuration is done by default during PowerVC installation. The -c firewall install option can be used to do some rough automatic firewall configuration, disabling firewalld and enabling iptables with PowerVC-specific rules on the PowerVC management system. However, this is not generally recommended. Appropriate firewall configuration can be complex and specific to your environment, so the recommended approach is to configure your firewall manually based on the information given in the following table. Also, note that even with -c firewall, additional firewall configuration might be necessary on network firewalls or registered compute hosts, which PowerVC does not touch, or if PowerVC is upgraded to a newer version that introduces additional port requirements. For production environments, consult your system and firewall administrators.

Note: If you are having connectivity issues, the firewall is likely causing the problem. Apply firewall rules only to external-facing devices, such as br-ex. Do not apply them to internal devices such as br-tun, br-int, tap devices, or others. To determine whether the firewall is the problem, disable it for a short time; if connectivity is restored, the rules are incorrect.

Ports used on the management server

Table 1. Ports used on the management server
| Traffic direction | Port | Usage | Protocol |
|---|---|---|---|
| Inbound | 80 (1) | Apache HTTPD Web Server | TCP (HTTP) |
| Inbound | 443 | Apache HTTPD Web Server | TCP (HTTPS) |
| Inbound | 1191 | Spectrum Scale - Software-defined storage | TCP (SSH) |
| Inbound | 31000-32047 | Spectrum Scale - Software-defined storage | TCP (SSH) |
| Inbound | 5000 | keystone | TCP (HTTPS) |
| Inbound | 5470 | bumblebee | TCP (HTTPS) |
| Inbound | 5671 | rabbitmq | TCP (AMQPS) |
| Inbound | 8041 | gnocchi | TCP (HTTPS) |
| Inbound | 8080 | swift | TCP (HTTPS) |
| Inbound | 8428 | validator | TCP (HTTPS) |
| Inbound | 8774 | nova | TCP (HTTPS) |
| Inbound | 8778 | panko | TCP (HTTPS) |
| Inbound | 8998 | clerk | TCP (HTTPS) |
| Inbound | 9000 | cinder | TCP (HTTPS) |
| Inbound | 9292 | glance | TCP (HTTPS) |
| Inbound | 9696 | neutron | TCP (HTTPS) |
| Inbound | 35357 | keystone | TCP (HTTPS) |
| Outbound | - | Allow ICMP ping | ICMP |
| Outbound | 22 | Brocade and Cisco Fibre Channel switches, and the IBM® Storwize® family; PowerVM® NovaLink hosts | TCP (SSH) |
| Outbound | User specified - typically 25 or 587 | Email notifications | SMTP |
| Outbound | 389 | LDAP client | TCP and UDP (LDAP) |
| Outbound | 443 | EMC VNX; HMC; Brocade HTTPS | TCP (SSH) |
| Outbound | 443 | Infoblox | TCP (HTTPS) |
| Outbound | 636 | LDAP client | LDAPS |
| Outbound | 1191; 31000-32047 | Spectrum Scale - Software-defined storage | TCP (SSH) |
| Outbound | 5989 | EMC VMAX | TCP (HTTPS) |
| Outbound | 5901 | NovaLink console | TCP (RFB) |
| Outbound | 7778 | XIV® | TCP (SSL) |
| Outbound | 8452 | IBM DS8000® | TCP (HTTPS) |
| Outbound | 12443 | HMC | HTTPS |
  • 1: Only redirects to port 443. You can disable it if you want users to only use port 443.
Note: The Hitachi Configuration Manager Rest API server port specified during Hitachi storage provider registration is used as the source port for outbound calls to the Hitachi Configuration Manager Rest API server to manage Hitachi storage controllers.

Ports used by PowerVC on the management server

The ports listed in the following table are used by PowerVC on the management server. These are used internally and are neither inbound nor outbound.

Table 2. Ports used by PowerVC on the management server
| Port | Usage |
|---|---|
| 4369 | epmd |
| 6200 | swift-object-service |
| 6201 | swift-container-service |
| 6202 | swift-account-service |
| 6080 | nova-novncproxy |
| 7869 | lim |
| 7870 | vemkd |
| 7871 | pem |
| 7872 | egosc |
| 9191 | glance-registry |
| 11211 | memcached |
| 25672 | rabbitmq-dist |
| 50110 | DB |
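
The following is an added example, not part of the PowerVC documentation or tooling: a shell function that classifies listening TCP sockets on the management server against the inbound ports of Table 1 and the internal-only ports of Table 2. The function names, the class labels and the sample `ss -H -tln` lines are constructed for illustration.

```shell
#!/bin/sh
# Added example: classify listening TCP sockets against Tables 1 and 2.
# Reads `ss -H -tln` output on stdin: State Recv-Q Send-Q Local Peer

# Inbound ports from Table 1 (the 31000-32047 range is handled in awk).
INBOUND="80 443 1191 5000 5470 5671 8041 8080 8428 8774 8778 8998 9000 9292 9696 35357"
# Internal-only ports from Table 2.
INTERNAL="4369 6200 6201 6202 6080 7869 7870 7871 7872 9191 11211 25672 50110"

classify_listeners() {
  awk -v inbound="$INBOUND" -v internal="$INTERNAL" '
    BEGIN {
      n = split(inbound, a, " ");  for (i = 1; i <= n; i++) in_ok[a[i]] = 1
      n = split(internal, b, " "); for (i = 1; i <= n; i++) int_ok[b[i]] = 1
    }
    $1 == "LISTEN" {
      k = split($4, part, ":"); port = part[k]
      addr = substr($4, 1, length($4) - length(port) - 1)
      loopback = (addr ~ /^127\./ || addr == "[::1]")
      if ((port in in_ok) || (port + 0 >= 31000 && port + 0 <= 32047))
        cls = "inbound"             # Table 1: expected to be allowed by the firewall
      else if (port in int_ok)      # Table 2: neither inbound nor outbound
        cls = loopback ? "internal" : "internal-nonloopback"
      else
        cls = "unlisted"            # not on this page, e.g. OS services; review
      print port, addr, cls
    }'
}

# Constructed sample input (not captured from a real system).
sample_ss() {
  cat <<'EOF'
LISTEN 0 128 0.0.0.0:443 0.0.0.0:*
LISTEN 0 128 127.0.0.1:11211 0.0.0.0:*
LISTEN 0 128 0.0.0.0:4369 0.0.0.0:*
LISTEN 0 128 [::]:31500 [::]:*
LISTEN 0 128 0.0.0.0:3306 0.0.0.0:*
EOF
}

sample_ss | classify_listeners
```

On a live system, replace `sample_ss` with `ss -H -tln`; an `internal-nonloopback` result means the port stays private only if the firewall on the external-facing device blocks it.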

Ports used on NovaLink managed hosts

For PowerVC to successfully register a NovaLink host, the NovaLink host's firewall must allow inbound traffic for port 22. All other ports in the following table are also required for proper operation.

Table 3. Ports used on NovaLink managed hosts
| Traffic direction | Port | Usage | Protocol |
|---|---|---|---|
| Inbound | - | Allow ICMP ping | ICMP |
| Inbound | 22 | Secure shell | TCP (SSH) |
| Inbound | 4789 | Software-defined networking (SDN) overlays | UDP |
| Inbound | 5901 | NovaLink console | TCP (RFB) |
| Inbound | 1191 (2) | Spectrum Scale registration on KVM systems | TCP |
| Inbound | 31000 (2) | Spectrum Scale registration on KVM systems | TCP |
| Inbound | 32047 (2) | Spectrum Scale registration on KVM systems | TCP |
| Inbound | 4789 (2) | SDN overlays on KVM systems | TCP |
| Inbound | 49152 - 49216 (2) | Live migration for virtual machines on KVM systems. One port must be opened for each migration run simultaneously. For example, if you will only migrate one virtual machine at a time, only 49152 must be opened. If you will run up to five migrations at a time, 49152 - 49156 must be opened. | TCP |
| Outbound | 5000 | keystone | TCP (HTTPS) |
| Outbound | 5671 | rabbitmq | TCP (AMQPS) |
| Inbound | 5901 (2) | Remote console on KVM systems | TCP |
| Outbound | 8080 | swift | TCP (HTTPS) |
| Outbound / Inbound | 8472 | SDN overlays | UDP and TCP |
| Outbound | 8774 | nova | TCP (HTTPS) |
| Outbound | 9000 | cinder | TCP (HTTPS) |
| Outbound | 9292 | glance | TCP (HTTPS) |
| Outbound | 9696 | neutron | TCP (HTTPS) |
2: New in version 1.4.4.
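
The following is an added example, not part of the PowerVC documentation or tooling: a shell function that prints, without applying, iptables ACCEPT rules for the inbound entries of Table 3 on a KVM NovaLink host, sizing the live-migration range from the number of simultaneous migrations. The function name and its two arguments are assumptions; it refuses the internal devices named in the note at the top of this page and leaves the default policy and rule ordering to the administrator.

```shell
#!/bin/sh
# Added example: print (do not apply) iptables ACCEPT rules for the inbound
# ports of Table 3 on a KVM NovaLink host.
# usage: novalink_inbound_rules <external-iface> <max-simultaneous-migrations>

novalink_inbound_rules() {
  iface=$1; migrations=$2

  # Rules belong on external-facing devices only, never br-int, br-tun or taps.
  case $iface in
    ''|br-int|br-tun|tap*) echo "refusing interface '$iface'" >&2; return 1 ;;
  esac

  # Table 3 reserves 49152-49216, so at most 65 simultaneous migrations.
  # Reject empty, leading-zero, non-numeric and 3+ digit values up front.
  case $migrations in
    ''|0*|*[!0-9]*|???*) echo "migrations must be 1..65" >&2; return 1 ;;
  esac
  if [ "$migrations" -gt 65 ]; then
    echo "migrations must be 1..65" >&2; return 1
  fi
  last=$((49152 + migrations - 1))

  echo "iptables -A INPUT -i $iface -p icmp --icmp-type echo-request -j ACCEPT"
  # TCP: SSH, console, Spectrum Scale registration, SDN overlays.
  for p in 22 5901 1191 31000 32047 4789 8472; do
    echo "iptables -A INPUT -i $iface -p tcp --dport $p -j ACCEPT"
  done
  # UDP: SDN overlays.
  for p in 4789 8472; do
    echo "iptables -A INPUT -i $iface -p udp --dport $p -j ACCEPT"
  done
  # One live-migration port per simultaneous migration, starting at 49152.
  echo "iptables -A INPUT -i $iface -p tcp --dport 49152:$last -j ACCEPT"
}

# Example run: external device br-ex, up to five simultaneous migrations.
novalink_inbound_rules br-ex 5
```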

Ports used on SDN network nodes

Table 4. Ports used on SDN network nodes
| Traffic direction | Port | Usage | Protocol |
|---|---|---|---|
| Inbound | - | Allow ICMP ping | ICMP |
| Inbound | 22 | Secure shell | TCP (SSH) |
| Inbound | 4789 | Software-defined networking (SDN) overlays | UDP |
| Outbound | 5000 | keystone | TCP (HTTPS) |
| Outbound | 5671 | rabbitmq | TCP (AMQPS) |
| Outbound / Inbound | 8472 | SDN overlays | UDP and TCP |
| Outbound | 9696 | neutron | TCP (HTTPS) |