Posted to dev@cloudstack.apache.org by "Musayev, Ilya" <im...@webmd.net> on 2013/02/11 19:07:49 UTC

CS4.1 Firewall Ports for all components

I need to create a specific network for CloudStack only with Advanced Shared Network Zone.

Looking for CS4.1 Firewall Ports for all components,

If you know where I can find this information, please let me know,

As always, your feedback is appreciated.

Regards
ilya

Re: CS4.1 Firewall Ports for all components

Posted by Chip Childers <ch...@sungard.com>.
Ilya,

Be careful with this list.  It includes the debug ports, as well as the
unauthenticated API port.  In any environment you care about, you
probably don't want these exposed even outside the management server
itself (including the local network).  IMO, it's best to block these
ports at the edge FW as well as within the mgmt server's host FW.

-chip

On Tue, Feb 12, 2013 at 01:09:41AM +0000, Musayev, Ilya wrote:
> Thanks Tariq
> 
> I did see similar info in the 3.0 guide.
> 
> I'm pretty certain we are missing several ports on this list - as displayed by netstat on the router and proxy VM. We are also missing the direction (i.e. source and destination). With this list it's hard to make that determination and create meaningful firewall rules.
> 
> I guess I will have to analyse netstat output and document it on the wiki.
> 
> If anyone has already done this - please share; if not, I will do that and share with the community.
> 
> Regards
> Ilya
> 
> Tariq Iqbal <ta...@shapeblue.com> wrote:
> Ilya,
> 
> Thanks to Rohit for sharing the following recently on another post:
> 
> Please see INSTALL.md for latest info on ports used by CloudStack;
> From my last update on the file:
> Apache CloudStack uses some ports, make sure at least those used by the
> management server are available and not blocked by any local firewall.
> Following ports are used by Apache CloudStack and its entities:
>     8787: Apache CloudStack (Tomcat) debug socket
>     9090, 8250, 8080: Apache CloudStack Management Server, User/Client API
>     8096: User/Client to CloudStack Management Server (unauthenticated)
>     7080: AWS API Server
>     3306: MySQL Server
>     3922, 8250, 80/443, 111/2049, 53: Secondary Storage VM
>     3922, 8250, 53: Console Proxy VM
>     3922, 8250, 53: Virtual Router
>     22, 80, 443: XenServer, XAPI
>     22: KVM
>     443: vCenter
>     DNS: 53
>     NFS: 111/2049
> 
> Also the following "Citrix CloudPlatform networking, technical deep dive" webinar explains CS networking and ports:
> http://www.shapeblue.com/2012/11/14/citrix-cloud-technologies-webinar-series-register-now/
> 
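
The check Chip recommends, combined with the netstat analysis Ilya proposes, as an added example that is not part of any message in this thread: it parses `netstat -tln` output, flags the debug port (8787) and the unauthenticated API port (8096) when they listen on a non-loopback address, and prints matching host-firewall rules. The sample output is constructed, and the use of iptables on the management server is an assumption.

```python
# Ports singled out in the reply above, taken from the quoted port list.
SENSITIVE = {8787: "Tomcat debug socket", 8096: "unauthenticated API"}
LOOPBACK = {"127.0.0.1", "::1"}

# Constructed sample of `netstat -tln` output from a hypothetical management server.
SAMPLE = """\
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:8080            0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:8787            0.0.0.0:*               LISTEN
tcp        0      0 127.0.0.1:8096          0.0.0.0:*               LISTEN
tcp        0      0 10.1.1.5:8250           0.0.0.0:*               LISTEN
tcp        0      0 127.0.0.1:3306          0.0.0.0:*               LISTEN
tcp6       0      0 :::9090                 :::*                    LISTEN
"""

def listeners(netstat_text):
    """Yield (address, port) for every TCP socket in LISTEN state."""
    for line in netstat_text.splitlines():
        f = line.split()
        if len(f) >= 6 and f[0].startswith("tcp") and f[5] == "LISTEN":
            # rpartition keeps IPv6 addresses such as "::" or "::1" intact.
            addr, _, port = f[3].rpartition(":")
            yield addr, int(port)

def exposed_sensitive(netstat_text):
    """Return sensitive listeners reachable from beyond the loopback interface."""
    findings = []
    for addr, port in listeners(netstat_text):
        if port in SENSITIVE and addr not in LOOPBACK:
            findings.append((port, addr, SENSITIVE[port]))
    return sorted(findings)

def host_fw_rules(findings):
    """Build iptables commands (assumed host firewall) that drop
    non-loopback traffic to each flagged port."""
    ports = sorted({port for port, _, _ in findings})
    return [f"iptables -A INPUT ! -i lo -p tcp --dport {p} -j DROP" for p in ports]

if __name__ == "__main__":
    found = exposed_sensitive(SAMPLE)
    for port, addr, what in found:
        print(f"EXPOSED {addr}:{port} ({what})")
    for rule in host_fw_rules(found):
        print(rule)
```

The same ports still need a deny rule at the edge firewall; a listener bound to loopback today can be rebound by a later configuration change.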

RE: CS4.1 Firewall Ports for all components

Posted by "Musayev, Ilya" <im...@webmd.net>.
Thanks Tariq

I did see similar info in the 3.0 guide.

I'm pretty certain we are missing several ports on this list - as displayed by netstat on the router and proxy VM. We are also missing the direction (i.e. source and destination). With this list it's hard to make that determination and create meaningful firewall rules.

I guess I will have to analyse netstat output and document it on the wiki.

If anyone has already done this - please share; if not, I will do that and share with the community.

Regards
Ilya


RE: CS4.1 Firewall Ports for all components

Posted by Tariq Iqbal <ta...@shapeblue.com>.
Ilya,

Thanks to Rohit for sharing the following recently on another post:

Please see INSTALL.md for latest info on ports used by CloudStack;
From my last update on the file:
Apache CloudStack uses some ports, make sure at least those used by the
management server are available and not blocked by any local firewall.
Following ports are used by Apache CloudStack and its entities:
    8787: Apache CloudStack (Tomcat) debug socket
    9090, 8250, 8080: Apache CloudStack Management Server, User/Client API
    8096: User/Client to CloudStack Management Server (unauthenticated)
    7080: AWS API Server
    3306: MySQL Server
    3922, 8250, 80/443, 111/2049, 53: Secondary Storage VM
    3922, 8250, 53: Console Proxy VM
    3922, 8250, 53: Virtual Router
    22, 80, 443: XenServer, XAPI
    22: KVM
    443: vCenter
    DNS: 53
    NFS: 111/2049

Also the following "Citrix CloudPlatform networking, technical deep dive" webinar explains CS networking and ports:
http://www.shapeblue.com/2012/11/14/citrix-cloud-technologies-webinar-series-register-now/


Kind Regards,

Tariq Iqbal
Senior Consultant