Reference

Firewall Dependencies & Ports

VCF 9.1 has hundreds of component-to-component flows. This page does not list them all — the full, version-accurate matrix lives in the two authoritative tools below. What this page gives you is the curated set of cross-zone flows that block a deployment if they are missed — the ones the firewall / security team must open before and during bring-up — grouped the way a firewall team thinks (by zone, not by component).

Get the exhaustive, current list from a tool — don’t hand-maintain it:

  • Coscia’s VCF Planner — includes a browsable Ports & Protocols matrix (1,083 entries); friendlier to filter than the vendor portal.
  • Broadcom Ports & Protocols portal — vendor-authoritative: select your VCF components and it generates the complete source → destination → port list.

Use those for the definitive per-component detail; use this page to make sure the deployment-critical flows are on the firewall team’s change request. Grab the firewall-request template (CSV) to hand them.

Ports below are the well-known/high-confidence ones; where a flow’s exact port varies by component, the flow is named and the specifics are left to the tools above.


A. Prerequisite services — management → shared infrastructure

These are the classic bring-up blockers: if DNS/NTP/AD/CA/depot aren’t reachable from the management network, bring-up fails.

| Source | Destination | Port(s) | Proto | Purpose |
|---|---|---|---|---|
| Management subnets | DNS servers | 53 | TCP/UDP | Forward + reverse resolution |
| Management subnets | NTP servers | 123 | UDP | Time sync (must be in sync) |
| Management subnets | AD domain controllers | 88, 389, 636, 3268/3269 | TCP/UDP | Kerberos, LDAP/LDAPS, Global Catalog |
| Management subnets | Certificate Authority | 443 (+ CA-specific) | TCP | Certificate enrollment / signing |
| Management subnets | Software depot | 443 | TCP | Binary / bundle download (online or local depot) |
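
A pre-bring-up check for the Section A rows, added here as an example and not part of the toolkit: it verifies forward and reverse resolution for a management FQDN, probes NTP with a real client packet, and confirms TCP reachability to the AD, CA and depot targets. All host names are constructed placeholders, and the injectable resolver/socket parameters exist only so the checks can be exercised offline.

```python
import socket

# Constructed sample inventory for the Section A rows; swap in the real management-zone
# targets. Names under "dns" are management FQDNs whose A and PTR records must both resolve.
PREREQS = {
    "dns": ["sddc-manager.mgmt.example.internal"],
    "ntp": ["ntp01.mgmt.example.internal"],
    "tcp": [("dc01.mgmt.example.internal", 636),    # AD over LDAPS
            ("ca01.mgmt.example.internal", 443),    # Certificate Authority
            ("depot.mgmt.example.internal", 443)],  # software depot
}

def forward_reverse_ok(fqdn, resolve=socket.gethostbyname, reverse=socket.gethostbyaddr):
    """Forward lookup must succeed and the PTR of that IP must name the same host."""
    try:
        ip = resolve(fqdn)
        return reverse(ip)[0].rstrip(".").lower() == fqdn.rstrip(".").lower()
    except OSError:
        return False

def ntp_ok(host, timeout=3.0, sock_factory=socket.socket):
    """Send a minimal NTPv3 client packet (LI=0, VN=3, mode=3) and expect a server reply."""
    request = b"\x1b" + 47 * b"\x00"
    with sock_factory(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        try:
            s.sendto(request, (host, 123))
            reply, _ = s.recvfrom(512)
        except OSError:  # includes socket.timeout
            return False
    # Mode bits must read "server" (4) and the transmit timestamp must be non-zero.
    return len(reply) >= 48 and reply[0] & 0x07 == 4 and int.from_bytes(reply[40:44], "big") != 0

def tcp_ok(host, port, timeout=3.0, connect=socket.create_connection):
    """Completes the TCP handshake only; enough to prove the firewall rule is open."""
    try:
        with connect((host, port), timeout=timeout):
            return True
    except OSError:
        return False

def run_preflight(prereqs, dns_check=forward_reverse_ok, ntp_check=ntp_ok, tcp_check=tcp_ok):
    """Map each flow to True/False; any False is a bring-up blocker for the firewall change request."""
    results = {}
    for fqdn in prereqs["dns"]:
        results[f"dns {fqdn}"] = dns_check(fqdn)
    for host in prereqs["ntp"]:
        results[f"ntp {host}"] = ntp_check(host)
    for host, port in prereqs["tcp"]:
        results[f"tcp {host}:{port}"] = tcp_check(host, port)
    return results
```

Run `run_preflight(PREREQS)` from a host on the management subnet; a False entry names the row to raise with the firewall team.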

A.1 Outbound public URLs — online depot / licensing / CEIP

The concrete allowlist behind the “Software depot” row, from the TechDocs Public URLs list (full per-URL source breakdown in prerequisites.md). All outbound TCP 443 — via the egress proxy if one is in path (intake G5). Air-gapped: only the VCF Download Tool host needs these.

| Source | Destination | Port(s) | Proto | Purpose |
|---|---|---|---|---|
| VCF Installer, SDDC Manager, vCenter, VCF Operations, depot services runtime, VCF Download Tool | dl.broadcom.com, eapi.broadcom.com, vvs.broadcom.com, vsanhealth.vmware.com, projects.packages.broadcom.com | 443 | TCP | Online depot binaries, compatibility + vSAN HCL data |
| SDDC Manager, VCF services runtime instances | vcsa.vmware.com | 443 | TCP | CEIP telemetry |
| VCF Operations | vcf.broadcom.com, eapi.broadcom.com | 443 | TCP | Licensing |
| SDDC Manager, VCF Download Tool | auth.esp.vmware.com | 443 | TCP | Update Manager Download Service (UMDS) |
| Cloud Proxy | eapi.broadcom.com | 443 | TCP | Cloud Proxy connectivity |

B. Admin / management access — jump host → management

| Source | Destination | Port(s) | Proto | Purpose |
|---|---|---|---|---|
| Jump / bastion host | vCenter, SDDC Manager, NSX Manager, VCF Operations | 443 | TCP | Admin UIs / APIs |
| Jump / bastion host | ESXi hosts, appliances | 22 | TCP | SSH (as needed) |
| Jump / bastion host | ESXi hosts | 902 | TCP | Host management / console |

C. NSX fabric & north-south — Edge ↔ ToR

| Source | Destination | Port(s) | Proto | Purpose |
|---|---|---|---|---|
| NSX Edge nodes | ToR switches | 179 | TCP | BGP peering |
| NSX Edge nodes | ToR switches | 3784/3785 | UDP | BFD (if enabled) |

D. Multi-AZ / stretched — inter-AZ + witness

Only if the cluster is stretched (see 03-multi-az-prep.md).

| Source | Destination | Port(s) | Proto | Purpose |
|---|---|---|---|---|
| AZ1 ⇄ AZ2 (per-AZ networks) | AZ1 ⇄ AZ2 | vSAN / vMotion / overlay | | Stretched cluster data + overlay (routed between AZs) |
| ESX-Management (AZ1 & AZ2) | Witness site | vSAN witness traffic | TCP | Witness traffic rides the ESX-Management VMkernel (WTS); route to the 3rd site (≤ 200 ms) |

E. Day-2 / fleet — Operations, Cloud Proxy, License Server, syslog

| Source | Destination | Port(s) | Proto | Purpose |
|---|---|---|---|---|
| Collected endpoints / Cloud Proxy | VCF Operations | 443, 4505, 4506 | TCP | Operations collection; Telegraf app monitoring (9.1) |
| Management components | vCenter (syslog) | 1514 | TCP | Syslog — 9.1 change: use 1514 (TLS); plain 514 is blocked |
| Fleet appliances | VCF Operations / License Server | 443 | TCP | Fleet management, licensing |
| Jump / bastion host, VCF Operations | Avi Controller VIP + nodes | 443 | TCP | Avi controller UI / API (only if Avi LB in scope) |
| Avi Service Engines | Avi Controllers | 8443 | TCP | SE ↔ controller secure channel (full Avi matrix: see the tools above) |

9.1 gotchas worth flagging to the firewall team:

  • Syslog moved 514 → 1514. vCenter 9.1 blocks the unencrypted 514; syslog must use 1514 (TLS) (Broadcom KB 430675). The full vCenter port list is on TechDocs: Required Ports for vCenter.
  • Cloud Proxy needs 443, 4505, 4506 for Telegraf-based app monitoring.
  • License Server requires an FQDN/IP outside the VCF services-runtime range (IPv4 only) — a routing/reachability point, not just a port.

Using this with the toolkit

  • The firewall-request template turns the above into a fill-in change request (source zone / destination / port / protocol / direction / purpose / status) for the security team.
  • These flows are gated in prerequisites.md (core services reachable) and surface in the deployment plan (witness routing, depot, License Server, Cloud Proxy).
  • For anything not listed here, generate the exact ports from Coscia’s Ports & Protocols matrix or the Broadcom portal above — do not treat this page as the complete list.
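
An added example of turning the curated rows above into firewall-request rows in the template's column order (source zone / destination / port / protocol / direction / purpose / status). This is illustration code, not the toolkit's own template; the `direction` and `status` defaults are assumptions, and the flows list copies a few rows from Sections A, C and E with their port specs verbatim.

```python
import csv
import io

# Column order of the firewall-request template described on this page.
FIELDS = ["source_zone", "destination", "port", "protocol", "direction", "purpose", "status"]

# Flows copied from Sections A, C and E of this page, port specs verbatim.
FLOWS = [
    ("Management subnets", "DNS servers", "53", "TCP/UDP", "Forward + reverse resolution"),
    ("Management subnets", "AD domain controllers", "88, 389, 636, 3268/3269", "TCP/UDP",
     "Kerberos, LDAP/LDAPS, Global Catalog"),
    ("NSX Edge nodes", "ToR switches", "3784/3785", "UDP", "BFD (if enabled)"),
    ("Collected endpoints / Cloud Proxy", "VCF Operations", "443, 4505, 4506", "TCP",
     "Operations collection; Telegraf app monitoring (9.1)"),
]

def expand_ports(spec):
    """'88, 389, 636, 3268/3269' -> [88, 389, 636, 3268, 3269].
    Refuses named specs such as 'vSAN / vMotion / overlay' or '443 (+ CA-specific)':
    those rows need exact ports from the tools above before they go on a request."""
    ports = []
    for token in spec.replace("/", ",").split(","):
        token = token.strip()
        if not token.isdigit() or not 1 <= int(token) <= 65535:
            raise ValueError(f"port spec not request-ready, resolve it in the matrix: {spec!r}")
        ports.append(int(token))
    return ports

def expand_rows(flows, direction="source -> destination", status="requested"):
    """One request row per (port, protocol); 'TCP/UDP' becomes two rows because
    firewall teams write one rule per protocol. direction/status are assumed defaults."""
    rows = []
    for src, dst, spec, proto, purpose in flows:
        for port in expand_ports(spec):
            for p in proto.split("/"):
                rows.append(dict(zip(FIELDS, [src, dst, str(port), p.strip(), direction, purpose, status])))
    return rows

def to_csv(rows):
    """Serialise rows in template column order, ready to hand to the security team."""
    buf = io.StringIO()
    writer = csv.DictWriter(buf, fieldnames=FIELDS, lineterminator="\n")
    writer.writeheader()
    writer.writerows(rows)
    return buf.getvalue()
```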