VMware Cloud Community
Sascha88
Contributor

Firewall rules vSAN 2-node cluster

Hi,

I have a question regarding a firewall in a vSAN 2-node cluster architecture.

My planned setup: I want to add a firewall between the vSAN hosts and the witness host.
So my question is: which ports must be open in the firewall so that the communication between the vSAN hosts and the witness host works? And from where to where does the communication go?

In the 2-node cluster guide the needed ports are documented. See attached picture.
If I understand it correctly, just UDP 12321 is needed. Is this right? But it is not clear in which direction the communication works.

Thank you for your help.
Sascha


5 Replies
TheBobkin
Champion

@Sascha88, no, it requires more than just UDP 12321 to and from the Witness. Here is the full list of ports, detailing what they are used for, to/from what, and in which versions:

TCP and UDP ports required to access VMware vSAN (52959)

There is also this very handy page that shows required ports for different services of not just vSAN but all active VMware products:

https://ports.esp.vmware.com/home/vSAN

TheBobkin
Champion

For anyone referencing that KB in its current state: I think it should be TCP 12443, not UDP; this is used for DIT enablement. I will get it fixed.

usmabison
VMware Employee

Can you point me in a direction regarding the earlier post please ... I'm looking for what port 12443 does (specific to vSAN) - the KB 52959 simply states vSAN Clustering service, but your post infers DIT (assuming Data-In-Transit?) enablement? Or point me to any docs describing the detailed purpose. It was in a customer's PPSM but not very well defined ... I'm trying to help them with clearer references...

TheBobkin
Champion

Hi @usmabison,

Correct, it is used for establishing a secure connection between the nodes when enabling and using vSAN Data-in-Transit encryption.

A basic summary of what this does: it fetches cert info from the other nodes via this port and then compares it to the node info stored in the unicastagent list.

This doesn't appear to be well documented publicly so I can perhaps author a KB with such details and how to test the connection and configuration.
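As an added illustration of the two points raised in this thread (which ports in which direction, and what TCP 12443 is for), here is a small Python checker of my own, not code from this thread or from VMware. It models a stateless firewall between the data nodes and the witness and lists the required flows that a rule set fails to permit, covering only the ports named above (UDP 12321 in both directions, TCP 12443 when Data-in-Transit encryption is enabled); KB 52959 remains the full list. Host addresses are constructed sample values, and treating the witness as a peer for the 12443 certificate exchange is my assumption.

```python
import ipaddress
from dataclasses import dataclass

@dataclass(frozen=True)
class Rule:
    src: str       # source CIDR
    dst: str       # destination CIDR
    proto: str     # "tcp" or "udp"
    dport: int     # destination port
    action: str    # "allow" or "deny"

def permits(rules, src_ip, dst_ip, proto, dport):
    """First matching rule wins; no match means deny (stateless ACL semantics)."""
    s, d = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for r in rules:
        if (s in ipaddress.ip_network(r.src) and d in ipaddress.ip_network(r.dst)
                and r.proto == proto and r.dport == dport):
            return r.action == "allow"
    return False

def required_flows(data_nodes, witness, dit_enabled=False):
    """Required (src, dst, proto, dport) flows for the ports named in the thread:
    UDP 12321 to and from the witness; TCP 12443 for the DIT encryption certificate
    exchange (treating the witness as a peer for it is an assumption here)."""
    flows = []
    for node in data_nodes:
        flows += [(node, witness, "udp", 12321), (witness, node, "udp", 12321)]
        if dit_enabled:
            flows += [(node, witness, "tcp", 12443), (witness, node, "tcp", 12443)]
    return flows

def missing_flows(rules, data_nodes, witness, dit_enabled=False):
    """Required flows that the rule set does not permit, for review."""
    return [f for f in required_flows(data_nodes, witness, dit_enabled)
            if not permits(rules, *f)]

# Constructed sample addresses: two data nodes and a witness on a routed vSAN network.
NODES = ["10.0.1.11", "10.0.1.12"]
WITNESS = "10.0.9.5"
# Rule set matching the original assumption: UDP 12321 in one direction only.
NAIVE_RULES = [Rule("10.0.1.0/24", "10.0.9.5/32", "udp", 12321, "allow")]
# Rule set covering both directions of both ports named in the thread.
FULL_RULES = NAIVE_RULES + [
    Rule("10.0.9.5/32", "10.0.1.0/24", "udp", 12321, "allow"),
    Rule("10.0.1.0/24", "10.0.9.5/32", "tcp", 12443, "allow"),
    Rule("10.0.9.5/32", "10.0.1.0/24", "tcp", 12443, "allow"),
]
```

Calling `missing_flows(NAIVE_RULES, NODES, WITNESS, dit_enabled=True)` lists the six flows the one-way rule leaves blocked, while `FULL_RULES` yields an empty list.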

TheBobkin
Champion

@usmabison and anyone else interested in such things - I created a KB article providing more information on this topic and also some troubleshooting tips:

https://kb.vmware.com/s/article/91689
