Required Firewall Ports for vRealize

In this post I’ll describe the required firewall ports for vRealize Automation (vRA), vRealize Business (vRB) and vRealize Orchestrator (vRO) with some additional components like IPAM.
 
 
For the past few months I have been working on designing and implementing a couple of firewalled, distributed VMware vRealize solutions. Every time I ran into the same challenge: ports that are not really well documented. For example, if you try to install a vRealize Automation IaaS component, you need to have port 5480 open from the IaaS server to the vRealize Automation Appliance. This is not mentioned in the official vRA Port Requirements under “Outgoing Ports for Infrastructure as a Service Components”, so it was always a struggle to explain to the security guys why this port needed to be opened, because it isn’t in the official documentation.

Therefore I have created the Visio drawing above with all the different components and the required firewall ports for vRA, vRB and vRO, so that it can be used as a reference point.
Side note: There is no “one size fits all” solution! Each deployment has its own requirements, dependencies and design. Please review them carefully, and if you have any questions just let me know.

Below you can find the vRealize components list with the required outgoing and incoming ports.

 

vRA – vRealize Automation Appliance

Outgoing Ports To
22,443,5480 (TCP) vRB
25,110,143,587,993,993 (TCP) Mail Server
53 (TCP,UDP) DNS
123 (TCP,UDP) NTP
443 (TCP) vRA DEM-O
443 (TCP) vRA DEM-W
443 (TCP) vRA IaaS
443 (TCP) vRA vCenter Agent
5432 (TCP) vRA DB
7444 (TCP) vRI
8281 (TCP) vRO
Incoming Ports From
22,443,5480 (TCP) vRB
443 (TCP) End Users
443 (TCP) vRO
443,5480 (TCP) vRA DEM-O
443,5480 (TCP) vRA DEM-W
443,5480 (TCP) vRA IaaS
443,5480 (TCP) vRA vCenter Agent

vRO – vRealize Orchestrator

Outgoing Ports To
25,587 (TCP) Mail Server
53 (TCP,UDP) DNS
123 (TCP,UDP) NTP
80,443 (TCP) vCenter
389/636 (TCP) AD
443 (TCP) IPAM / DNS
443 (TCP) vRA
443 (TCP) vRA IaaS
7444 (TCP) vRI
1433,135,1024-65535 (TCP) MSSQL
Incoming Ports From
443 (TCP) vRA IaaS
8281 (TCP) vRA

vRA DEM-O – vRealize DEM Orchestrator

Outgoing Ports To
53 (TCP,UDP) DNS
123 (TCP,UDP) NTP
443,5480 (TCP) vRA
443 (TCP) vRA DEM-W
443 (TCP) vRA IaaS
Incoming Ports From
443 (TCP) vRA
443 (TCP) vRA DEM-W
443 (TCP) vRA IaaS

vRA DEM-W – vRealize DEM Worker

Outgoing Ports To
53 (TCP,UDP) DNS
123 (TCP,UDP) NTP
443,5480 (TCP) vRA
443 (TCP) vRA DEM-O
443 (TCP) vRA IaaS
Incoming Ports From
443 (TCP) vRA
443 (TCP) vRA DEM-O
443 (TCP) vRA IaaS

vRA IaaS – vRealize Infrastructure as a Service

Outgoing Ports To
53 (TCP,UDP) DNS
123 (TCP,UDP) NTP
443 (TCP) vRA DEM-O
443 (TCP) vRA DEM-W
443 (TCP) vRA vCenter Agent
443,5480 (TCP) vRA
1433,135,1024-65535 (TCP) MSSQL
Incoming Ports From
443 (TCP) vRA
443 (TCP) vRA DEM-O
443 (TCP) vRA DEM-W
443 (TCP) vRA vCenter Agent
443 (TCP) vRO

vRA vCenter Agent – vRealize vCenter Agent

Outgoing Ports To
53 (TCP,UDP) DNS
123 (TCP,UDP) NTP
443,5480 (TCP) vRA
443 (TCP) vRA IaaS
80,443 (TCP) vCenter
Incoming Ports From
443 (TCP) vRA
443 (TCP) vRA IaaS

vRB – vRealize Business

Outgoing Ports To
22 (TCP) External Update Repo
22,443,5480 (TCP) vRA
53 (TCP,UDP) DNS
123 (TCP,UDP) NTP
443,10443 (TCP) vCenter
7444 (TCP) vRI
Incoming Ports From
22,443,5480 (TCP) vRA

vRI – vRealize Identity Appliance

Outgoing Ports To
53 (TCP,UDP) DNS
123 (TCP,UDP) NTP
389/636 (TCP) AD
Incoming Ports From
7444 (TCP) End Users
7444 (TCP) vRO
7444 (TCP) vRA
7444 (TCP) vRB

End Users

Outgoing Ports To
53 (TCP,UDP) DNS
443 (TCP) vRA
7444 (TCP) vRI
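
The lists above describe each flow twice, once as outgoing on the source and once as incoming on the destination, so they can be cross-checked before being turned into firewall requests. The following is an added example, not part of the original post: it parses a few lines copied from the lists (traffic between vRA, vRO and vRA IaaS only; the [name] headers and out:/in: tags are this example's own notation) and returns the merged rule set plus any flow that appears on one side only.

```python
import re

# Lines copied from this page's lists, limited to traffic between three components.
# The "[name]" headers and "out:"/"in:" tags are this example's own notation.
PAGE_EXCERPT = """
[vRA]
out: 443 (TCP) vRA IaaS
out: 8281 (TCP) vRO
in: 443 (TCP) vRO
in: 443,5480 (TCP) vRA IaaS
[vRO]
out: 443 (TCP) vRA
out: 443 (TCP) vRA IaaS
in: 443 (TCP) vRA IaaS
in: 8281 (TCP) vRA
[vRA IaaS]
out: 443,5480 (TCP) vRA
in: 443 (TCP) vRA
in: 443 (TCP) vRO
"""
LINE = re.compile(r"(out|in):\s*([\d,]+)\s*\(([A-Z,]+)\)\s*(.+)")

def parse_flows(text):
    """Return (flows declared by their source, flows declared by their destination)."""
    by_src, by_dst, component = set(), set(), None
    for raw in text.strip().splitlines():
        line = raw.strip()
        if line.startswith("["):
            component = line.strip("[]")
            continue
        m = LINE.fullmatch(line)
        if not m:  # port ranges such as 1024-65535 are not handled in this example
            raise ValueError(f"unparsed line: {line!r}")
        direction, ports, protos, peer = m.groups()
        for port in map(int, ports.split(",")):
            for proto in protos.split(","):
                if direction == "out":   # this component is the source
                    by_src.add((component, peer, port, proto))
                else:                    # this component is the destination
                    by_dst.add((peer, component, port, proto))
    return by_src, by_dst

def audit(text):
    """Return (all flows to request as rules, flows listed on one side only)."""
    by_src, by_dst = parse_flows(text)
    return sorted(by_src | by_dst), sorted(by_src ^ by_dst)

if __name__ == "__main__":
    rules, one_sided = audit(PAGE_EXCERPT)
    for rule in rules:
        print(rule, "<- listed on one side only" if rule in one_sided else "")
```

On this excerpt the only one-sided entry is vRA IaaS to vRO on TCP 443, which appears under vRO's incoming ports but not under vRA IaaS's outgoing ports.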

It could be that I missed a port somewhere. If you find one, please leave a comment and I will add the missing port ASAP. Or, if you would like to receive the Visio drawing so you can use it yourself, send me a message or tweet.

Marco van Baggum


Works as an SDDC Architect for ITQ. More details can be found on the About page.

13 thoughts on “Required Firewall Ports for vRealize”

      1. Much appreciated!!! If you have any other in-depth marketing or customer facing diagrams, powerpoints, or information I can’t find on [*].vmware.com regarding vRealize Operations — I’m accepting emails 🙂

  1. Thanks for that list – saved me a lot of work already. One thing that’s missing: vRI is also accessed from vR IAAS on port 7444. If that’s not possible you’ll see it in the IAAS repo logs, e.g. “A connection attempt failed because the connected party did not properly respond after a period of time, or established connection failed because connected host has failed to respond vRI-address:7444”. The official documentation says that vRA-IaaS needs to accept “incomming” traffic for 7444. I guess that’s an error in the documentation and it should say vRA-IaaS needs to talk with the vRI on 7444.

      1. Hi,

        just found two more missing, required for VMRC:
        TCP 902 from vRA to ESXi
        TCP 8444 from client browser to vRA

        Both have been added to the official documentation but I missed them the first time.

        1. Hi Robert,

          True but be aware that those ports are only for vRA 6.2.1 and newer. I have an updated document for a really segregated distributed installation that I did. So I really want to update the article, but I need to find some spare time :).

          Marco

  2. Just curious if you have an updated diagram for version 7.2? I’d love a copy if you do! I am getting ready to do just this and I’d rather not reinvent the wheel 🙂

    1. I agree with Paul, do you have an updated 7.2 version of this diagram? If not, could you please send me the 6.2 version of the Visio diagram so that I could start updating it from there?

  3. Hi Marco,

    This is fantastic. Did you manage to update your Visio drawing to include all the ports for 6.2.x and newer? Can you please send me your drawing? Thanks so much 🙂
