
Recommendation on Firewall Ports Config Nutanix

Following is the list of firewall ports that must be kept open to successfully access the Nutanix cluster.

  • Prism web console: 9440, 80
  • SSH to both CVM and Hypervisor: 22
  • Cluster remote support: 80, 8443
  • vCenter remote console: 443, 902, 903 from both the user host and vCenter
  • vCenter from Prism web console: 443, 80
  • Citrix MCS: virtual IP, port 9440 (TCP)

Following is the list of ports that must be kept open for the 1-Click upgrade.

  • *.compute-* and s3*.amazonaws.com: 443 (TCP)

The target address depends on the AOS version being downloaded; it is reachable only over port 443.

Note: 1-Click Upgrade for AOS, disk firmware (DiskFW), and NCC contacts a MongoDB metadata server through the Nutanix Portal to determine which software loads are available compared to what the cluster is running. If loads are available, they appear in the UI as available and compatible and are used to upgrade the cluster. The metadata URL points to Amazon S3, where the actual bits are stored. S3 load-balances across a broad range of IP addresses, and a different address is selected on each download attempt, so a rule more specific than "port 443 to the addresses above" cannot be written.

If the blocks are behind a firewall with no internet access, the BIN and JSON files need to be downloaded, and then uploaded to Prism for a manual update or upgrade.

Following is the list of ports that must be kept open for the IPMI Remote console.

  • HTTP: 80 (TCP)
  • HTTPS: 443 (TCP)
  • IPMI: 623 (UDP)
  • Remote console: 5900 (TCP)
  • Virtual media: 623 (TCP)
  • SMASH: 22 (TCP)
  • WS-MAN: 8889 (TCP)
  • Putty/ssh to virtual media: 5120 (TCP)
  • KVM Console: 2937 (TCP)
  • Remote Console (KVM over IP): 5900 (TCP)
  • Video (Remote Con): 5901 (TCP)
  • CD (Remote Con): 5120 (TCP)
  • Floppy (Remote Con): 5123 (TCP)
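As an added example (not part of the original post), the following Python audit checks an iptables-save style export against the two port lists above and reports required ports that are not accepted, plus accepted ports the lists do not call for. The rule excerpt is constructed for illustration.

```python
import re

# Port matrix copied from the lists above: service -> {(protocol, port)}
REQUIRED = {
    "Prism web console": {("tcp", 9440), ("tcp", 80)},
    "SSH to CVM and hypervisor": {("tcp", 22)},
    "Cluster remote support": {("tcp", 80), ("tcp", 8443)},
    "vCenter remote console": {("tcp", 443), ("tcp", 902), ("tcp", 903)},
    "vCenter from Prism": {("tcp", 443), ("tcp", 80)},
    "IPMI remote console": {("udp", 623), ("tcp", 623), ("tcp", 5900), ("tcp", 5120)},
}

# Constructed iptables-save excerpt standing in for a real firewall export.
SAMPLE_RULES = """
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 9440 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 443 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 3389 -j ACCEPT
-A INPUT -p udp -m udp --dport 623 -j DROP
-A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
"""

# Only ACCEPT rules with an explicit protocol and destination port count as "open".
RULE_RE = re.compile(r"-p (tcp|udp)\b.*--dport (\d+)\b.*-j ACCEPT")


def parse_allowed(rules_text):
    """Return the set of (proto, port) that INPUT rules in an iptables-save dump ACCEPT."""
    allowed = set()
    for line in rules_text.splitlines():
        m = RULE_RE.search(line)
        if m and line.startswith("-A INPUT"):
            allowed.add((m.group(1), int(m.group(2))))
    return allowed


def audit(required, allowed):
    """Return (missing per service, accepted ports outside the Nutanix list)."""
    missing = {svc: sorted(ports - allowed)
               for svc, ports in required.items() if ports - allowed}
    needed = set().union(*required.values())
    extra = sorted(allowed - needed)
    return missing, extra


if __name__ == "__main__":
    missing, extra = audit(REQUIRED, parse_allowed(SAMPLE_RULES))
    for svc, ports in missing.items():
        print(f"MISSING for {svc}: {ports}")
    print("Accepted but not in the Nutanix list (review):", extra)
```

Run it against `iptables-save` output from the management firewall (or adapt RULE_RE to your vendor's export) before and after a change to confirm nothing the cluster needs was dropped and nothing unexpected was opened.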

Note: This KB lists the basic ports required to access the cluster without any issues.