In this post I’ll describe the required firewall ports for vRealize Automation (vRA), vRealize Business (vRB) and vRealize Orchestrator (vRO) with some additional components like IPAM.
The past few months I have been working on designing and implementing a couple of firewalled distributed VMware vRealize solutions. And every time I had the same challenges, not really well documented ports. For example, if you try to install a vRealize Automation IaaS component you need to have port 5480 open from the IaaS server to the vRealize Automation Appliance. This is not mentioned in the official vRA Port Requirements under “Outgoing Ports for Infrastructure as a Service Components”, so this was always a struggle to get this past the security guys why this port needed to be opened because it isn’t in the official documentation.
Therefore I have created the Visio drawing above with all different components and the required firewall ports for vRA, vRB and vRO that can be used as a reference point.
Side Note : There is no “one size fits all” solution! Each deployment has it’s own requirements, dependencies and design. Please review them carefully and if you have any questions just let me know.
Below you can find the vRealize components list with the required outgoing and incoming ports.
vRA – vRealize Automation Appliance
| Outgoing Ports |
To |
| 22,443,5480 (TCP) |
vRB
|
| 25,110,143,587,993,993 (TCP) |
Mail Server
|
| 53 (TCP,UDP) |
DNS
|
| 123 (TCP,UDP) |
NTP
|
| 443 (TCP) |
vRA DEM-O
|
| 443 (TCP) |
vRA DEM-W
|
| 443 (TCP) |
vRA IaaS
|
| 443 (TCP) |
vRA vCenter Agent
|
| 5432 (TCP) |
vRA DB
|
| 7444 (TCP) |
vRI
|
| 8281 (TCP) |
vRO
|
| Incoming Ports |
From |
| 22,443,5480 (TCP) |
vRB |
| 443 (TCP) |
End Users |
| 443 (TCP) |
vRO |
| 443,5480 (TCP) |
vRA DEM-O |
| 443,5480 (TCP) |
vRA DEM-W |
| 443,5480 (TCP) |
vRA IaaS |
| 443,5480 (TCP) |
vRA vCenter Agent |
vRO – vRealize Orchestrator
| Outgoing Ports |
To |
| 25,587 (TCP) |
Mail Server |
| 53 (TCP,UDP) |
DNS |
| 123 (TCP,UDP) |
NTP |
| 80,443 (TCP) |
vCenter |
| 389/636 (TCP) |
AD |
| 443 (TCP) |
IPAM / DNS |
| 443 (TCP) |
vRA |
| 443 (TCP) |
vRA IaaS |
| 7444 (TCP) |
vRI |
| 1433,135,1024-65535 (TCP) |
MSSQL |
| Incoming Ports |
From |
| 443 (TCP) |
vRA IaaS |
| 8281 (TCP) |
vRA |
vRA DEM-O – vRealize DEM Orchestrator
| Outgoing Ports |
To |
| 53 (TCP,UDP) |
DNS |
| 123 (TCP,UDP) |
NTP |
| 443,5480 (TCP) |
vRA |
| 443 (TCP) |
vRA DEM-W |
| 443 (TCP) |
vRA IaaS |
| Incoming Ports |
From |
| 443 (TCP) |
vRA |
| 443 (TCP) |
vRA DEM-W |
| 443 (TCP) |
vRA IaaS |
vRA DEM-W – vRealize DEM Worker
| Outgoing Ports |
To |
| 53 (TCP,UDP) |
DNS |
| 123 (TCP,UDP) |
NTP |
| 443,5480 (TCP) |
vRA |
| 443 (TCP) |
vRA DEM-O |
| 443 (TCP) |
vRA IaaS |
| Incoming Ports |
From |
| 443 (TCP) |
vRA |
| 443 (TCP) |
vRA DEM-O |
| 443 (TCP) |
vRA IaaS |
vRA IaaS – vRealize Infrastructure as a Service
| Outgoing Ports |
To |
| 53 (TCP,UDP) |
DNS |
| 123 (TCP,UDP) |
NTP |
| 443 (TCP) |
vRA DEM-O |
| 443 (TCP) |
vRA DEM-W |
| 443 (TCP) |
vRA vCenter Agent |
| 443,5480 (TCP) |
vRA |
| 1433,135,1024-65535 (TCP) |
MSSQL |
| Incoming Ports |
From |
| 443 (TCP) |
vRA |
| 443 (TCP) |
vRA DEM-O |
| 443 (TCP) |
vRA DEM-W |
| 443 (TCP) |
vRA vCenter Agent |
| 443 (TCP) |
vRO |
vRA vCenter Agent – vRealize vCenter Agent
| Outgoing Ports |
To |
| 53 (TCP,UDP) |
DNS |
| 123 (TCP,UDP) |
NTP |
| 443,5480 (TCP) |
vRA |
| 443 (TCP) |
vRA IaaS |
| 80,443 (TCP) |
vCenter |
| Incoming Ports |
From |
| 443 (TCP) |
vRA |
| 443 (TCP) |
vRA IaaS |
vRB – vRealize Business
| Outgoing Ports |
To |
| 22 (TCP) |
External Update Repo |
| 22,443,5480 (TCP) |
vRA |
| 53 (TCP,UDP) |
DNS |
| 123 (TCP,UDP) |
NTP |
| 443,10443 (TCP) |
vCenter |
| 7444 (TCP) |
vRI |
| Incoming Ports |
From |
| 22,443,5480 (TCP) |
vRA |
vRI – vRealize Identity Appliance
| Outgoing Ports |
To |
| 53 (TCP,UDP) |
DNS |
| 123 (TCP,UDP) |
NTP |
| 389/636 (TCP) |
AD |
| Incoming Ports |
From |
| 7444 (TCP) |
End Users |
| 7444 (TCP) |
vRO |
| 7444 (TCP) |
vRA |
| 7444 (TCP) |
vRB |
End Users
| Outgoing Ports |
To |
| 53 (TCP,UDP) |
DNS |
| 443 (TCP) |
vRA |
| 7444 (TCP) |
vRI |
It could be that I missed a port somewhere, if you found one please leave a comment and I will add the missing port asap. Or if you would like to receive the Visio drawing, so you could use it for yourself, send me a message or tweet.
I would appreciate the Visio drawing, please.
You’ve got mail! 🙂
Marco
Much appreciated!!! If you have any other in-depth marketing or customer facing diagrams, powerpoints, or information I can’t find on [*].vmware.com regarding vRealize Operations — I’m accepting emails 🙂
Could I get the 6.2 Visio drawing as well?
Thanks for that list – saved me alot of work already. One thing that’s missing: vRI is also accessed from vR IAAS on port 7444. If that’s not possible you’ll see it in the IAAS repo logs, e.g. “A connection attempt failed because the connected party did not properly respond after a period of time, or established connection failed because connected host has failed to respond vRI-address:7444”. The official documentation says that vRA-IaaS needs to accept “incomming” traffic for 7444. I guess that’s a error in the documentation and it should say vRA-IaaS needs to talk with the vRI on 7444.
Hi Robert,
That port is indeed missing, I will update the article.
Marco
Hi,
just found two more missing, required for VMRC:
TCP 902 from vRA to ESXi
TCP 8444 from client browser to vRA
Both have been added to the official documentation but I missed them the first time.
Hi Robert,
True but be aware that those ports are only for vRA 6.2.1 and newer. I have an updated document for a really segregated distributed installation that I did. So I really want to update the article, but I need to find some spare time :).
Marco
Just curious if you have an updated diagram for version 7.2? I’d love a copy if you do! I am getting ready to do just this and I’d rather not reinvent the wheel 🙂
I agree with Paul, do you have an updated 7.2 version of this diagram? If not, could you please send me the 6.2 version of the Visio diagram so that I could start updating it from there?
can i get a copy of visio file as well please
Can I get a copy of the visio diagram as well? Awesome job!
Thanks,
Hi Marco,
This is fantastic. Did you manage to update your Visio drawing to include all the ports for 6.2.x and newer? Can you please send me your drawing? Thanks so much 🙂
Can i get a copy of the latest visio file?