On some deployments, such as ones where restrictive firewalls are in place, you might need to manually configure a firewall to permit OpenStack service traffic.

The following list shows the default ports that each OpenStack service uses:

  • Block Storage (cinder): 8776 (publicurl and adminurl)
  • Compute (nova) endpoints: 8774 (publicurl and adminurl)
  • Compute API (nova-api): 8773, 8775
  • Compute ports for access to virtual machine consoles: 5900-5999
  • Compute VNC proxy for browsers (openstack-nova-novncproxy): 6080
  • Compute VNC proxy for traditional VNC clients (openstack-nova-xvpvncproxy): 6081
  • Proxy port for HTML5 console used by Compute service: 6082
  • Identity service (keystone) administrative endpoint: 35357 (adminurl)
  • Identity service public endpoint: 5000 (publicurl)
  • Image Service (glance) API: 9292 (publicurl and adminurl)
  • Image Service registry: 9191
  • Networking (neutron): 9696 (publicurl and adminurl)
  • Object Storage (swift): 6000, 6001, 6002
  • Orchestration (heat) endpoint: 8004 (publicurl and adminurl)
  • Telemetry (ceilometer): 8777 (publicurl and adminurl)
  • HTTP: 80. Used by the OpenStack dashboard (Horizon) when it is not configured to use secure access.
  • HTTP alternate: 8080. Used by the OpenStack Object Storage (swift) service.
  • HTTPS: 443. Used by any OpenStack service that is enabled for SSL, especially the secure-access dashboard.
  • rsync: 873. Used by OpenStack Object Storage. Required.
  • iSCSI target: 3260. Used by OpenStack Block Storage. Required.
  • MySQL database service: 3306. Used by most OpenStack components.
  • Message Broker (AMQP traffic): 5672. Used by OpenStack Block Storage, Networking, Orchestration, and Compute.
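
The following shell script is an added example, not part of the original documentation or of OpenStack's own tooling. It converts port specifications written as in the list above ("8773, 8775", "5900-5999") into iptables ACCEPT rules, rejects malformed specifications, and prints the rules for review instead of applying them. The management network 192.0.2.0/24, the INPUT chain, the selection of services, and which of them are limited to the management network are assumptions.

```shell
#!/bin/sh
# Added example (not from the original page): print iptables ACCEPT rules from
# port specs written as in the list above. Rules are printed, not applied.

# Assumed management network (constructed documentation range).
MGMT_NET="192.0.2.0/24"

# normalize_ports "8773, 8775" -> 8773,8775    "5900-5999" -> 5900:5999
# Fails (non-zero, no output) on anything that is not a valid TCP port or range.
normalize_ports() {
    np_out=""
    np_ifs=$IFS; IFS=','; set -f
    set -- $1                       # split the spec on commas only
    set +f; IFS=$np_ifs
    for np_item in "$@"; do
        np_item=$(printf '%s' "$np_item" | tr -d ' ')
        case "$np_item" in
            ''|*[!0-9-]*|-*|*-|*-*-*) return 1 ;;   # digits, at most one inner hyphen
        esac
        np_lo=${np_item%%-*}; np_hi=${np_item##*-}
        [ "$np_lo" -ge 1 ] && [ "$np_hi" -le 65535 ] && [ "$np_lo" -le "$np_hi" ] || return 1
        if [ "$np_lo" = "$np_hi" ]; then np_p=$np_lo; else np_p="$np_lo:$np_hi"; fi
        np_out="${np_out:+$np_out,}$np_p"
    done
    [ -n "$np_out" ] && printf '%s\n' "$np_out"
}

# emit_rule LABEL PORTS [SOURCE_CIDR]: print one rule; refuse malformed specs.
# LABEL is a fixed string chosen by the caller, not untrusted input.
emit_rule() {
    er_ports=$(normalize_ports "$2") || { echo "skipped $1: bad port spec '$2'" >&2; return 1; }
    printf 'iptables -A INPUT -p tcp %s-m multiport --dports %s -m comment --comment "%s" -j ACCEPT\n' \
        "${3:+-s $3 }" "$er_ports" "$1"
}

# Sample policy for a few services from the list. Which services share a host
# and which sources may reach them are assumptions of this example.
sample_rules() {
    emit_rule "keystone public" "5000"
    emit_rule "nova-api"        "8773, 8775"
    emit_rule "vm consoles"     "5900-5999" "$MGMT_NET"
    emit_rule "keystone admin"  "35357"     "$MGMT_NET"
    emit_rule "mysql"           "3306"      "$MGMT_NET"
    emit_rule "amqp"            "5672"      "$MGMT_NET"
}

sample_rules
```

Review the printed rules before loading them, and keep the host's default INPUT policy restrictive so that ports without a rule stay closed.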