Protocol Ports Used by Avi Vantage for Management Communication

Overview

This article provides a list of various protocols and ports used by Avi Controller and Service Engines for:

  • Management communication (used by Avi Controller and Service Engines)
  • Network services (used by Avi Controller)
  • Cloud orchestrators
  • Container cluster nodes

Ports Used for Management Communication

The Avi Controller and Avi Service Engines use the following ports for management. The firewall should allow traffic for these ports.

Traffic Source             Traffic Destination   Ports To Allow
Avi Controller             Avi Controller        TCP 22 (SSH)
                                                 TCP 443 (HTTPS)
                                                 TCP 8443 (HTTPS)
                                                 TCP 5098 (SSH) (if the Controller is a docker container, SSH is on port 5098)
                           External Entities     Refer to the sections below the table.
                           Avi Service Engine    Not required
Avi Service Engine         Avi Service Engine    TCP 4001 for AWS, Azure, GCP and OpenStack clouds
                                                 TCP 9001 for VMware, LSC and NSX-T clouds
                                                 (TCP 4001/TCP 9001 carries ObjStore, the SE distributed object store; for more details on TCP 9001, refer to the Service Engine Group guide)
                           Avi Controller        TCP 22 (SSH)
                                                 TCP 8443 (HTTPS)
                                                 UDP 123 (NTP)
                                                 TCP 5098 (SSH) (if the Controller is a docker container, SSH is on port 5098)
External Network Services  Avi Controller        TCP 22 (SSH)
                                                 TCP 80 (HTTP) (optional)
                                                 TCP 443 (HTTPS)
                                                 TCP 5054 (CLI server) (if using the optional CLI shell for remote management access)
                                                 UDP 161 (SNMP agent listens on this port)

Notes:

  • You do not have to open any firewall port from the Controller to the SE.

  • Traffic from the Controller is sourced from the individual Controller node's IP, not from the cluster IP, even if a cluster IP is configured.

  • The secure channel on port 22 (or 5098 in container environments) carries the communication between Avi components: configuration sync, metrics and log transfer, heartbeats and other management processes.

  • Port 5098 on the container side is not supported in OpenStack mode.

  • Service Engines and Controllers display a login banner when accessed via SSH that shows basic connectivity status. These connectivity checks use a simple ICMP Echo (PING). If PING is not allowed between a Controller or Service Engine and its management default gateway, the Gateway status shows as DOWN; similarly, if PING is not allowed between a Service Engine and the Controller, the Controller status shows as DOWN. A failing reachability check has no operational impact, so these messages can be ignored if PING cannot be allowed between these components.

For more details on the use of the system portal port 8443 and port 22, refer to Avi Controller to SE Communication.

Ports Used by Controller for Network Services

The Avi Controller may send traffic to the following ports as part of network operation. The firewall should also allow traffic from the Avi Controller to these ports.

  • TCP 25 (SMTP)
  • TCP 49 (TACACS+)
  • UDP 53 (DNS)
  • UDP 123 (NTP)
  • UDP 162 (SNMP traps)
  • TCP or UDP 389 (LDAP)
  • UDP 514 (syslog)
  • TCP or UDP 636 (LDAPS)
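The management table and the Controller's outbound port list above are what a firewall team has to encode. The following script is an added example (not Avi's own tooling) that derives the per-role rules from the two variables the page identifies (the cloud type, which selects the ObjStore port, and whether the Controller runs as a docker container, which moves SSH to 5098), renders them as nft commands, and TCP-probes the ports a Service Engine must reach on the Controller. The role names, CIDRs and the nft table name are constructed for illustration; the same probe_tcp helper can be pointed at the orchestrator endpoints listed in the sections that follow.

```python
"""Added example (not Avi's own tooling): derive the firewall rules for an Avi
deployment from the tables above, render them as nft commands and probe them.
Assumptions: the only variables are the cloud type (ObjStore port) and whether
the Controller runs as a docker container (SSH on 5098); CIDRs are constructed."""
import socket
from dataclasses import dataclass
from typing import Dict, List, Tuple

# SE-to-SE ObjStore port: TCP 4001 on AWS/Azure/GCP/OpenStack, TCP 9001 on VMware/LSC/NSX-T.
OBJSTORE_PORT = {"aws": 4001, "azure": 4001, "gcp": 4001, "openstack": 4001,
                 "vmware": 9001, "lsc": 9001, "nsx-t": 9001}

@dataclass(frozen=True)
class Rule:
    src: str    # initiating role: controller | se | external
    dst: str    # accepting role: controller | se | services
    proto: str  # tcp | udp
    port: int
    note: str = ""

def ssh_port(controller_in_docker: bool) -> int:
    """Secure-channel SSH port: 22, or 5098 when the Controller is a docker container."""
    return 5098 if controller_in_docker else 22

def management_rules(cloud: str, controller_in_docker: bool = False) -> List[Rule]:
    """Rules from the management table. There is deliberately no Controller-to-SE
    entry: no firewall port has to be opened from the Controller to a Service Engine."""
    cloud = cloud.lower()
    if cloud not in OBJSTORE_PORT:
        raise ValueError(f"unknown cloud type: {cloud!r}")
    if controller_in_docker and cloud == "openstack":
        # Page note: port 5098 on the container side is not supported in OpenStack mode.
        raise ValueError("Controller SSH on TCP 5098 (docker) is not supported in OpenStack mode")
    ssh = ssh_port(controller_in_docker)
    return [
        Rule("controller", "controller", "tcp", ssh, "SSH secure channel"),
        Rule("controller", "controller", "tcp", 443, "HTTPS"),
        Rule("controller", "controller", "tcp", 8443, "HTTPS system portal"),
        Rule("se", "se", "tcp", OBJSTORE_PORT[cloud], "ObjStore"),
        Rule("se", "controller", "tcp", ssh, "SSH secure channel"),
        Rule("se", "controller", "tcp", 8443, "HTTPS system portal"),
        Rule("se", "controller", "udp", 123, "NTP"),
        Rule("external", "controller", "tcp", 22, "SSH"),
        Rule("external", "controller", "tcp", 80, "HTTP (optional)"),
        Rule("external", "controller", "tcp", 443, "HTTPS"),
        Rule("external", "controller", "tcp", 5054, "CLI server (optional)"),
        Rule("external", "controller", "udp", 161, "SNMP agent"),
    ]

def controller_outbound_rules() -> List[Rule]:
    """Network services the Controller may send to (accepting role 'services')."""
    return [Rule("controller", "services", proto, port, note) for proto, port, note in (
        ("tcp", 25, "SMTP"), ("tcp", 49, "TACACS+"), ("udp", 53, "DNS"),
        ("udp", 123, "NTP"), ("udp", 162, "SNMP traps"), ("tcp", 389, "LDAP"),
        ("udp", 389, "LDAP"), ("udp", 514, "syslog"), ("tcp", 636, "LDAPS"),
        ("udp", 636, "LDAPS"))]

def render_nft(rules: List[Rule], addrs: Dict[str, str], host_role: str,
               table: str = "avi") -> List[str]:
    """nft commands for a host in role `host_role`: accept inbound traffic for rules
    it is the dst of and outbound traffic for rules it is the src of.
    `addrs` maps each role to the CIDR its members occupy (constructed)."""
    lines = []
    for r in rules:
        if r.dst == host_role:
            lines.append(f'nft add rule inet {table} input ip saddr {addrs[r.src]} '
                         f'{r.proto} dport {r.port} accept comment "{r.src}: {r.note}"')
        if r.src == host_role:
            lines.append(f'nft add rule inet {table} output ip daddr {addrs[r.dst]} '
                         f'{r.proto} dport {r.port} accept comment "{r.dst}: {r.note}"')
    return lines

def probe_tcp(host: str, port: int, timeout: float = 2.0) -> bool:
    """True if a TCP handshake to host:port completes; False if refused or timed out."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False

def probe_se_to_controller(controller_ip: str, cloud: str,
                           controller_in_docker: bool = False) -> Dict[int, bool]:
    """Run on a Service Engine: probe each TCP port it must reach on the Controller
    (UDP 123 cannot be verified with a handshake and is skipped)."""
    return {r.port: probe_tcp(controller_ip, r.port)
            for r in management_rules(cloud, controller_in_docker)
            if r.src == "se" and r.dst == "controller" and r.proto == "tcp"}

def _local_listener() -> Tuple[socket.socket, int]:
    """Throwaway loopback listener so probe_tcp can be exercised offline."""
    s = socket.socket()
    s.bind(("127.0.0.1", 0))
    s.listen(1)
    return s, s.getsockname()[1]

if __name__ == "__main__":
    addrs = {"controller": "10.10.0.0/24", "se": "10.10.1.0/24",
             "external": "192.0.2.0/24", "services": "10.20.0.0/24"}  # constructed
    for line in render_nft(management_rules("vmware") + controller_outbound_rules(),
                           addrs, "controller"):
        print(line)
```

Run render_nft with host_role "controller" on a Controller node and "se" on a Service Engine; the UDP entries are rendered as rules, but probe_se_to_controller only verifies the TCP ports, since a UDP port cannot be confirmed open without a protocol-level exchange.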

Protocols/Ports Used by Cloud Orchestrators

GCP

  • Port 443 is needed for communication between the GCP cloud and Avi Vantage

OpenStack

Some or all of the following ports may be required:

  • Keystone: TCP 5000, 35357
  • Glance: TCP 9292
  • Nova: TCP 8774
  • Neutron: TCP 9696
  • Heat (optional; used for autoscaling back-end members): TCP 8004

VMware vCenter

  • Avi Controller-to-ESXi hosts: port 443

OpenShift Master

  • Port 8443

Kubernetes Master

  • Port 8080 for unauthenticated masters

Mesos or DC/OS Masters

  • Port 5050 for masters
  • Port 80 for unauthenticated Marathon services

AWS

  • Port 443

Azure

  • Port 443

Ports Used by Container Cluster Nodes

OpenShift

  • Port 22

Kubernetes Minions

  • Port 22

Mesos Nodes

  • Port 22