Firewalls and default ports

On some deployments, such as ones where restrictive firewalls are in place, you might need to manually configure a firewall to permit OpenStack service traffic.

To manually configure a firewall, you must permit traffic through the ports that each OpenStack service uses. This table lists the default ports that each OpenStack service uses:

Default ports that OpenStack components use

| OpenStack service | Default ports | Port type |
|---|---|---|
| Application Catalog (murano) | 8082 | |
| Block Storage (cinder) | 8776 | publicurl and adminurl |
| Clustering (senlin) | 8778 | publicurl and adminurl |
| Compute (nova) endpoints | 8774 | publicurl and adminurl |
| Compute API (nova-api) | 8773, 8775 | |
| Compute ports for access to virtual machine consoles | 5900-5999 | |
| Compute VNC proxy for browsers (openstack-nova-novncproxy) | 6080 | |
| Compute VNC proxy for traditional VNC clients (openstack-nova-xvpvncproxy) | 6081 | |
| Proxy port for HTML5 console used by Compute service | 6082 | |
| Data processing service (sahara) endpoint | 8386 | publicurl and adminurl |
| Identity service (keystone) administrative endpoint | 5000 | adminurl |
| Identity service public endpoint | 5000 | publicurl |
| Image service (glance) API | 9292 | publicurl and adminurl |
| Image service registry | 9191 | |
| Networking (neutron) | 9696 | publicurl and adminurl |
| Object Storage (swift) | 6000, 6001, 6002 | |
| Orchestration (heat) endpoint | 8004 | publicurl and adminurl |
| Orchestration AWS CloudFormation-compatible API (openstack-heat-api-cfn) | 8000 | |
| Orchestration AWS CloudWatch-compatible API (openstack-heat-api-cloudwatch) | 8003 | |
| Root Cause Analysis service (Vitrage) | 8999 | |
| Telemetry (ceilometer) | 8777 | publicurl and adminurl |
| Workflow service (Mistral) | 8989 | |

To function properly, some OpenStack components depend on other, non-OpenStack services. For example, the OpenStack dashboard uses HTTP for non-secure communication. In this case, you must configure the firewall to allow traffic to and from HTTP.

This table lists the ports that other OpenStack components use:

Default ports that secondary services related to OpenStack components use

| Service | Default port | Used by |
|---|---|---|
| HTTP | 80 | OpenStack dashboard (Horizon) when it is not configured to use secure access. |
| HTTP alternate | 8080 | OpenStack Object Storage (swift) service. |
| HTTPS | 443 | Any OpenStack service that is enabled for SSL, especially secure-access dashboard. |
| rsync | 873 | OpenStack Object Storage. Required. |
| iSCSI target | 3260 | OpenStack Block Storage. Required. |
| MySQL database service | 3306 | Most OpenStack components. |
| Message Broker (AMQP traffic) | 5672 | OpenStack Block Storage, Networking, Orchestration, and Compute. |

On some deployments, the default port used by a service may fall within the defined local port range of a host. To check a host’s local port range:

$ sysctl net.ipv4.ip_local_port_range

If a service’s default port falls within this range, run the following command to check whether the port has already been assigned to another application:

$ lsof -i :PORT

Configure the service to use a different port if the default port is already being used by another application.
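
The check described above can be run for every default port at once. The script below is an added example, not part of the OpenStack documentation: the function names are hypothetical, the port list is copied from the two tables on this page, and the sysctl line it runs on is a constructed sample.

```sh
#!/bin/sh
# Added example: list the OpenStack default ports that fall inside a host's
# local (ephemeral) port range, so they can be checked with lsof.

# Default ports from the two tables on this page; 5900-5999 is the console span.
OPENSTACK_PORTS="80 443 873 3260 3306 5000 5672 5900-5999
6000 6001 6002 6080 6081 6082 8000 8003 8004 8080 8082 8386
8773 8774 8775 8776 8777 8778 8989 8999 9191 9292 9696"

# Turn sysctl output ("net.ipv4.ip_local_port_range = LOW<TAB>HIGH") into "LOW HIGH".
# Output of "sysctl -n" (no "key =" prefix) is accepted as well.
parse_local_range() {
    echo "${1#*=}" | awk '{ print $1, $2 }'
}

# Print every port spec (PORT or LOW-HIGH) that overlaps RANGE_LOW..RANGE_HIGH.
# usage: ports_in_range RANGE_LOW RANGE_HIGH SPEC...
ports_in_range() {
    low=$1; high=$2; shift 2
    for spec in "$@"; do
        first=${spec%-*}; last=${spec#*-}
        # Two intervals overlap when each one starts before the other ends.
        if [ "$first" -le "$high" ] && [ "$last" -ge "$low" ]; then
            echo "$spec"
        fi
    done
}

# Report the colliding ports for one line of sysctl output.
report() {
    range=$(parse_local_range "$1")
    # Word splitting of $range and the port list is intended here.
    for spec in $(ports_in_range $range $OPENSTACK_PORTS); do
        echo "port $spec is inside local port range $range; check: lsof -i :$spec"
    done
}

# Constructed sample: a host whose range was widened to 1024-65535.
SAMPLE_SYSCTL=$(printf 'net.ipv4.ip_local_port_range = 1024\t65535')
report "$SAMPLE_SYSCTL"
# On a real host: report "$(sysctl net.ipv4.ip_local_port_range)"
```

A port that is reported here is only a candidate for a conflict; the lsof check still decides whether another application currently holds it.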

Except where otherwise noted, this document is licensed under Creative Commons Attribution 3.0 License.