Firewalls and default ports

On some deployments, such as ones where restrictive firewalls are in place, you might need to manually configure a firewall to permit OpenStack service traffic.

To manually configure a firewall, you must permit traffic through the ports that each OpenStack service uses. This table lists the default ports that each OpenStack service uses:

Default ports that OpenStack components use

OpenStack service

Default ports

Backup Service (Freezer)

9090

Bare Metal provisioning service (Ironic)

6385

Block Storage (cinder)

8776

Compute (nova) endpoints

8774

Compute ports for access to virtual machine consoles

5900-5999

Compute VNC proxy for browsers (openstack-nova-novncproxy)

6080

Compute VNC proxy for traditional VNC clients (openstack-nova-xvpvncproxy)

6081

Container Infrastructure Management (Magnum)

9511

Container Service (Zun)

9517

Database service (Trove)

8779

DNS service (Designate)

9001

High Availability Service (Masakari)

15868

Identity service (keystone) endpoint

5000

Image service (glance) API

9292

Key Manager service (Barbican)

9311

Loadbalancer service (Octavia)

9876

Networking (neutron)

9696

NFV Orchestration service (tacker)

9890

Object Storage (swift)

6000, 6001, 6002

Orchestration (heat) endpoint

8004

Orchestration AWS CloudFormation-compatible API (openstack-heat-api-cfn)

8000

Placement API (placement)

8003

Proxy port for HTML5 console used by Compute service

6082

Rating service (Cloudkitty)

8889

Registration service (Adjutant)

5050

Resource Reservation service (Blazar)

1234

Root Cause Analysis service (Vitrage)

8999

Shared File Systems service (Manila)

8786

Telemetry alarming service (Aodh)

8042

Workflow service (Mistral)

8989

To function properly, some OpenStack components depend on other, non-OpenStack services. For example, the OpenStack dashboard uses HTTP for non-secure communication. In this case, you must configure the firewall to allow traffic to and from HTTP.

This table lists the ports that other OpenStack components use:

Default ports that secondary services related to OpenStack components use

Service

Default port

Used by

HTTP

80

OpenStack dashboard (Horizon) when it is not configured to use secure access.

HTTP alternate

8080

OpenStack Object Storage (swift) service.

HTTPS

443

Any OpenStack service that is enabled for SSL, especially secure-access dashboard.

rsync

873

OpenStack Object Storage. Required.

iSCSI target

3260

OpenStack Block Storage. Required when using LVM with iSCSI target (tgt, LIO, iSER)

NVMe-oF target

4420

OpenStack Block Storage. Required when using LVM with NVMe-oF target (nvmet).

MySQL database service

3306

Most OpenStack components.

Message Broker (AMQP traffic)

5672

OpenStack Block Storage, Networking, Orchestration, and Compute.

On some deployments, the default port used by a service may fall within the defined local port range of a host. To check a host’s local port range:

$ sysctl net.ipv4.ip_local_port_range

If a service’s default port falls within this range, run the following program to check if the port has already been assigned to another application:

$ lsof -i :PORT

Configure the service to use a different port if the default port is already being used by another application.