Secure operation of vCloud Director requires a secure network environment. Configure and test this network environment before you begin installing vCloud Director.

Connect all vCloud Director servers to a network that is secured and monitored. vCloud Director network connections have several additional requirements:

Do not connect vCloud Director directly to the public Internet. Always protect vCloud Director network connections with a firewall. Port 443 (HTTPS) is the only port that must be open to incoming connections. Ports 22 (SSH) and 80 (HTTP) can also be opened for incoming connections if needed. The firewall must reject all other incoming traffic from a public network.

Ports That Must Allow Incoming Packets From vCloud Director Hosts

Port    Protocol    Comments
111     TCP, UDP    NFS portmapper used by transfer service
920     TCP, UDP    NFS rpc.statd used by transfer service
61611   TCP         ActiveMQ
61616   TCP         ActiveMQ

Do not expose the ports used for outgoing connections to the public network; the hosts that vCloud Director connects to on these ports must be reachable only over the private network.

Ports That Must Allow Outgoing Packets From vCloud Director Hosts

Port    Protocol    Comments
25      TCP, UDP    SMTP
53      TCP, UDP    DNS
111     TCP, UDP    NFS portmapper used by transfer service
123     TCP, UDP    NTP
389     TCP, UDP    LDAP
443     TCP         vCenter, vShield Manager, and ESX connections
514     UDP         Optional. Enables syslog use
902     TCP         vCenter and ESX connections
903     TCP         vCenter and ESX connections
920     TCP, UDP    NFS rpc.statd used by transfer service
1433    TCP         Default Microsoft SQL Server database port
1521    TCP         Default Oracle database port
5672    TCP, UDP    Optional. AMQP messages for task extensions
61611   TCP         ActiveMQ
61616   TCP         ActiveMQ
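As an added example (not part of the vCloud Director documentation or product), the following shell script turns the firewall policy above into an iptables rule set: HTTPS is the only port admitted from the public side, SSH and HTTP are opt-in, the NFS transfer-service and ActiveMQ ports are opened only to the other vCloud Director cells, and the outgoing-port table becomes an egress allow list. The interface names (eth0 public, eth1 management), the sample cell addresses in VCD_HOSTS, and the decision to log before the final REJECT are assumptions, not taken from the page.

```shell
#!/bin/sh
# Added example: emit iptables rules for the vCloud Director host firewall policy
# described above. Assumptions not from the page: eth0 faces the public network,
# eth1 faces the private management network, and VCD_HOSTS holds constructed
# sample cell addresses. Rules are printed by default; run with APPLY=1 to load them.

PUBLIC_IF="${PUBLIC_IF:-eth0}"
MGMT_IF="${MGMT_IF:-eth1}"
VCD_HOSTS="${VCD_HOSTS:-10.0.0.11 10.0.0.12}"   # constructed sample values
OPEN_SSH="${OPEN_SSH:-0}"    # 1 admits port 22 from the public network
OPEN_HTTP="${OPEN_HTTP:-0}"  # 1 admits port 80 from the public network

emit() {
    if [ "${APPLY:-0}" = 1 ]; then iptables "$@"; else echo "iptables $*"; fi
}

# Public side: 443 is the only port guaranteed open; 22 and 80 are opt-in;
# everything else arriving from the public network is rejected.
vcd_public_inbound() {
    emit -A INPUT -i "$PUBLIC_IF" -m state --state ESTABLISHED,RELATED -j ACCEPT
    emit -A INPUT -i "$PUBLIC_IF" -p tcp --dport 443 -j ACCEPT
    if [ "$OPEN_SSH" = 1 ]; then
        emit -A INPUT -i "$PUBLIC_IF" -p tcp --dport 22 -j ACCEPT
    fi
    if [ "$OPEN_HTTP" = 1 ]; then
        emit -A INPUT -i "$PUBLIC_IF" -p tcp --dport 80 -j ACCEPT
    fi
    emit -A INPUT -i "$PUBLIC_IF" -j REJECT
}

# Peer side: the incoming-port table (NFS portmapper, rpc.statd, ActiveMQ) is
# opened per cell address, so arbitrary hosts on the management network cannot
# reach the transfer service or the message bus.
vcd_peer_inbound() {
    for host in $VCD_HOSTS; do
        for proto in tcp udp; do
            emit -A INPUT -i "$MGMT_IF" -s "$host" -p "$proto" --dport 111 -j ACCEPT
            emit -A INPUT -i "$MGMT_IF" -s "$host" -p "$proto" --dport 920 -j ACCEPT
        done
        emit -A INPUT -i "$MGMT_IF" -s "$host" -p tcp --dport 61611 -j ACCEPT
        emit -A INPUT -i "$MGMT_IF" -s "$host" -p tcp --dport 61616 -j ACCEPT
    done
}

# Egress: the outgoing-port table as "port/proto" entries; "both" means TCP and UDP.
VCD_EGRESS="25/both 53/both 111/both 123/both 389/both 443/tcp 514/udp 902/tcp 903/tcp 920/both 1433/tcp 1521/tcp 5672/both 61611/tcp 61616/tcp"

vcd_outbound() {
    emit -A OUTPUT -o "$MGMT_IF" -m state --state ESTABLISHED,RELATED -j ACCEPT
    for entry in $VCD_EGRESS; do
        port=${entry%/*}
        proto=${entry#*/}
        if [ "$proto" = both ]; then protos="tcp udp"; else protos=$proto; fi
        for p in $protos; do
            emit -A OUTPUT -o "$MGMT_IF" -p "$p" --dport "$port" -j ACCEPT
        done
    done
    # Anything else the cell tries to open is logged, then rejected, so that a
    # missing port shows up in syslog instead of failing silently.
    emit -A OUTPUT -o "$MGMT_IF" -m state --state NEW -j LOG --log-prefix "vcd-egress-denied: "
    emit -A OUTPUT -o "$MGMT_IF" -m state --state NEW -j REJECT
    # The cell never originates connections toward the public network.
    emit -A OUTPUT -o "$PUBLIC_IF" -m state --state NEW -j REJECT
}

vcd_all_rules() {
    vcd_public_inbound
    vcd_peer_inbound
    vcd_outbound
}

vcd_all_rules
```

Run the script without APPLY to review the generated rules, then with APPLY=1 on each cell. The egress list is the page's table verbatim, and the table names only the portmapper and rpc.statd ports for NFS; confirm that the transfer-service mount still works with the final REJECT in place, and consult the vcd-egress-denied log lines for any port the mount needs that the table does not list.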

Do not connect physical host computers to physical networks that are uplinks for the vNetwork distributed switches that back vCloud Director network pools.

Route traffic between vCloud Director servers and the vCloud Director database server over a dedicated private network if possible.

Virtual switches and distributed virtual switches that support provider networks must be isolated from each other. They cannot share the same Layer 2 physical network segment.