Firewalls and default ports

On some deployments, such as ones where restrictive firewalls are in place, you might need to manually configure a firewall to permit OpenStack service traffic.

To manually configure a firewall, you must permit traffic through the ports that each OpenStack service uses. This table lists the default ports that each OpenStack service uses:

Default ports that OpenStack components use

OpenStack service

Default ports

Port type

Application Catalog (murano)

8082

Block Storage (cinder)

8776

publicurl and adminurl

Clustering (senlin)

8778

publicurl and adminurl

Compute (nova) endpoints

8774

publicurl and adminurl

Compute API (nova-api)

8773, 8775

Compute ports for access to virtual machine consoles

5900-5999

Compute VNC proxy for browsers ( openstack-nova-novncproxy)

6080

Compute VNC proxy for traditional VNC clients (openstack-nova-xvpvncproxy)

6081

Proxy port for HTML5 console used by Compute service

6082

Data processing service (sahara) endpoint

8386

publicurl and adminurl

Identity service (keystone) administrative endpoint

5000

adminurl

Identity service public endpoint

5000

publicurl

Image service (glance) API

9292

publicurl and adminurl

Image service registry

9191

Networking (neutron)

9696

publicurl and adminurl

Object Storage (swift)

6000, 6001, 6002

Orchestration (heat) endpoint

8004

publicurl and adminurl

Orchestration AWS CloudFormation-compatible API (openstack-heat-api-cfn)

8000

Orchestration AWS CloudWatch-compatible API (openstack-heat-api-cloudwatch)

8003

Root Cause Analysis service (Vitrage)

8999

Telemetry (ceilometer)

8777

publicurl and adminurl

Workflow service (Mistral)

8989

To function properly, some OpenStack components depend on other, non-OpenStack services. For example, the OpenStack dashboard uses HTTP for non-secure communication. In this case, you must configure the firewall to allow traffic to and from HTTP.

This table lists the ports that other OpenStack components use:

Default ports that secondary services related to OpenStack components use

Servis

Default port

Used by

HTTP

80

OpenStack dashboard (Horizon) when it is not configured to use secure access.

HTTP alternate

8080

OpenStack Object Storage (swift) service.

HTTPS

443

Any OpenStack service that is enabled for SSL, especially secure-access dashboard.

rsync

873

OpenStack Object Storage. Required.

iSCSI target

3260

OpenStack Block Storage. Required.

MySQL database service

3306

Most OpenStack components.

Message Broker (AMQP traffic)

5672

OpenStack Block Storage, Networking, Orchestration, and Compute.

On some deployments, the default port used by a service may fall within the defined local port range of a host. To check a host’s local port range:

$ sysctl net.ipv4.ip_local_port_range

If a service’s default port falls within this range, run the following program to check if the port has already been assigned to another application:

$ lsof -i :PORT

Configure the service to use a different port if the default port is already being used by another application.