Introduction:
This is a comprehensive list of the TCP and UDP network ports required for a VAST cluster deployment. The port requirements are the same for CNode/DNode and Ebox deployments, and they apply equally to on-premises data centers and cloud deployments.
Important: When setting up firewall rules, creating an explicit "allow" rule implies a "deny" for all other traffic. Therefore, every required port must be explicitly allowed, or wide port ranges must be used. This applies to ingress rules governing host access as well.
Note: We also include optional ports for common applications and services routinely used as part of larger solutions built with VAST.
Setting up Firewall Rules:
Network port requirements for a VAST cluster can be grouped into three distinct use cases:
Protocol & Access Ports (Ingress): These well-known TCP/UDP ports are used for standard storage protocols, REST API access, and SSH management. They must be open for inbound traffic (ingress) from end users, administrators, and any client applications (such as Spark, Kafka, or Trino) that need to consume cluster resources.
Internal Cluster Ports (Local to private cluster subnet only): These ports are only required for internal communication and orchestration between the cluster nodes. They only require local routing within the subnet and should not be exposed outside the cluster itself.
Replication Ports (Ingress & Egress): These ports handle data replication and must be open for both inbound and outbound traffic at the cluster level. Crucially, if you are replicating data globally, you must ensure these ports are also explicitly allowed through all intermediate border routers and firewalls bridging your on-premises data center and your cloud network.
External Data and Management Access Ports
The Data Network is the network that the customer’s clients use to access storage and other services on a VAST cluster. These ports need to be open to allow traffic in and out of the private subnet/VPC where the cluster runs.
Data Network – Protocols (Access to the Cluster)

| Service | TCP | UDP | Identifier | Description |
|---|---|---|---|---|
| SSH | 22 | - | sshd | SSH access to nodes and VMS |
| VMS Monitor | 5551 | - | https | Monitor VMS deployment progress |
| NFSv3 | 111 | 632 | rpcbind | Used by NFSv3 to coordinate the other required sub-protocol ports (mount, status, nlockmgr, rquotad). |
| | 20048 | 20048 | mount | Used by NFSv3 for filesystem mount coordination and actions. |
| | 20106 | 20106 | status | NSM, the NFS Status Monitor; handles client/server connectivity status communications. |
| | 20107 | 20107 | nlockmgr | NLM, the NFSv3 Lock Manager; coordinates advisory file locking for the protocol. |
| | 20108 | 20108 | rquotad | The remote quota server; advertises allocation/quota metrics to user-space clients. |
| NFS v3 / v4 | 2049 | 2049 | nfs | Primary data transport path for standard NFSv3 and modern NFSv4.1+ protocols. |
| | 20049 | - | nfs/RDMA | NFS over RDMA |
| SMB | 445 | - | smb | SMB protocol file shares |
| S3 | 80 | - | http | S3 Object Storage API and cluster VMS communication channel endpoints. |
| | 443 | - | https | |
| Replication | 49001 | - | Replication VIPs | VAST native cross-cluster replication. Uses varying ports dynamically based on TLS policy flags. (Optional) |
| | 49002 | - | | |
| DNS | 53 | 53 | DNS | Integrated VAST delegation DNS server routing endpoints. (Optional) |
| NVMe over TCP | 4420 | - | NVMe-oF | Required infrastructure connectivity for block storage targets. (Optional) |
| Kafka | 9092 | - | kafka | Event streaming Kafka broker integrations (v5.3 platform layers). (Optional) |
VAST Internal/Cluster Services
This is the official required set of internal ports for running a VAST cluster. They do not need to be open for ingress into the private subnet, but every VM running in the subnet needs these ports open to the other cluster nodes to enable intra-cluster communication.
Some options to reduce management overhead:
Use wide ranges: This "future-proofs" the install in case VAST adds additional ports. In addition to the standard service ports and the high-numbered NFS ports, use a range such as [2000-20000]; it covers most of the internal ports, except the lower standard protocol ports.
Use layered Security Groups/firewall rules with an "internal" SG/rule that is self-referential (AWS), or that uses network/VM tags (GCP/Azure), or that uses host groups with firewalld, etc. (See the guidelines for using targeted firewall rules.)
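As an added example (not VAST's own tooling), the following Python audits a proposed rule set against the port lists on this page, reporting the required ports a rule set misses and how many unneeded ports a wide range such as [2000-20000] opens, and renders explicit firewalld allows for the gaps. Port values are copied from the tables on this page; the rule tuples and the zone names in the demo are assumptions.

```python
"""Added example, not VAST's own tooling: check a proposed firewall rule set
against the port lists on this page, report required ports it misses and the
unneeded ports it opens, and render firewalld --add-port lines for the gaps.
A rule is a (proto, lo, hi) tuple; zone names below are assumptions."""

DATA_TCP = {22, 53, 80, 111, 443, 445, 2049, 4420, 5551, 9092,
            20048, 20049, 20106, 20107, 20108, 49001, 49002}
DATA_UDP = {53, 632, 2049, 20048, 20106, 20107, 20108}
INTERNAL_TCP = {3128, 4000, 4001, 4100, 4101, 4200, 4201, 5200, 5201, 5551,
                6000, 6001, 7000, 7100, 7101, 8000, 22, 80, 111, 389, 443, 445,
                636, 2049, 3268, 3269, 4420, 4520, 5000, 6126, 9090, 9092,
                20048, 20106, 20107, 20108}
INTERNAL_UDP = {4001, 4005, 4101, 4105, 4205, 6005, 7005, 7105,
                *range(5205, 5240)}  # 5205-5239 CNode silos CAS

def missing(required, rules, proto):
    """Required ports that no rule of this protocol covers."""
    return sorted(p for p in required
                  if not any(pr == proto and lo <= p <= hi for pr, lo, hi in rules))

def opened_but_unneeded(required, rules, proto):
    """How many extra ports the rule set opens: the price of a wide range."""
    opened = set()
    for pr, lo, hi in rules:
        if pr == proto:
            opened.update(range(lo, hi + 1))
    return len(opened - set(required))

def to_ranges(ports):
    """Collapse a port set into sorted (lo, hi) runs, e.g. 5205-5239."""
    runs = []
    for p in sorted(ports):
        if runs and p == runs[-1][1] + 1:
            runs[-1] = (runs[-1][0], p)
        else:
            runs.append((p, p))
    return runs

def firewalld_cmds(zone, proto, ports):
    """One explicit allow per run, in firewall-cmd --add-port syntax."""
    return ["firewall-cmd --permanent --zone=%s --add-port=%s/%s"
            % (zone, str(lo) if lo == hi else "%d-%d" % (lo, hi), proto)
            for lo, hi in to_ranges(ports)]

if __name__ == "__main__":
    wide = [("tcp", 2000, 20000)]          # the "future-proof" range above
    gaps = missing(INTERNAL_TCP, wide, "tcp")
    print("wide range misses:", gaps)      # low standard ports + NFS 2004x/2010x
    print("extra ports opened:", opened_but_unneeded(INTERNAL_TCP, wide, "tcp"))
    for line in firewalld_cmds("cluster-internal", "tcp", gaps):
        print(line)
```

Running it shows that the wide range alone leaves the standard ports below 2000 and the NFS ports above 20000 uncovered while opening roughly eighteen thousand ports the cluster never uses, which is the trade-off behind pairing the range with targeted, self-referential internal rules.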
VAST Cluster Required Ports

| VAST Processes (TCP) Port | Description | Network Services (TCP) Port | Description | Internal Ports (UDP) Port | Description |
|---|---|---|---|---|---|
| 3128 | Call Home Proxy | 22 | SSH | 4001 | DNode Internal |
| 4000 | DNode Internal | 80 | HTTP | 4005 | DNode1 platform CAS |
| 4001 | DNode Internal | 111 | rpcbind for NFS | 4101 | DNode Internal |
| 4100 | DNode Internal | 389 | LDAP | 4105 | DNode1 data CAS |
| 4101 | DNode Internal | 443 | HTTPS | 4205 | CAS Operations |
| 4200 | CNode Internal | 445 | SMB | 5205-5239 | CNode silos CAS |
| 4201 | CNode Internal | 636 | Secure LDAP | 6005 | Leader CAS |
| 5200 | CNode Internal data-env | 2049 | NFS | 7005 | DNode2 Platform CAS |
| 5201 | CNode Internal data-env | 3268 | LDAP catalogue | 7105 | DNode2 data CAS |
| 5551 | vms_monitor | 3269 | LDAP catalog SSL | | |
| 6000 | leader | 4420 | spdk target | | |
| 6001 | leader | 4520 | spdk target | | |
| 7000 | DNode Internal | 5000 | Docker registry | | |
| 7100 | DNode Internal | 6126 | mlx sharpd | | |
| 7101 | DNode Internal | 9090 | Tabular | | |
| 8000 | mcvms | 9092 | Kafka | | |
| | | 20048 | mount | | |
| | | 20106 | NSM | | |
| | | 20107 | NLM | | |
| | | 20108 | NFS_RQUOTA | | |
Optional Services and Applications
| SyncEngine Port | Description | Optional Services (Testing) Port | Description | Additional Applications TBA Port | Description |
|---|---|---|---|---|---|
| 5009 | Control Plane API | 1611 | vperfsanity/elbencho | — | [Pending App] |
| 8888 | Mscli webUI | 1612 | vperfsanity/elbencho | — | |
| 8080 | Prometheus Exporter | 2611 | netbench | — | |
| 8000-8001 | Prometheus scraping | | | — | |
| 3009 | Grafana | | | — | |
| 5050 | pgAdmin | | | — | |
| 5540 | RedisInsight | | | — | |
| 5432 | PostgreSQL | | | — | |
| 6379 | Redis | | | — | |
| 9991 | Prometheus | | | — | |
Port Lists in Text Block for Copy/Paste
All of the ports in a convenient plain-text format for copying into SG/NSG/firewall rules.
========================================================================
DATA NETWORK PROTOCOLS - TCP PORTS
========================================================================
22 - SSH (sshd)
53 - DNS Server
80 - S3 API HTTP
111 - NFSv3 rpcbind
443 - S3 API HTTPS
445 - SMB Protocol Target
2049 - NFS Data Path Transport
4420 - NVMe over TCP Target (NVMe-oF)
5551 - VMS Monitor Progress Engine
9092 - Kafka Messaging Broker
20048 - NFSv3 Mount Daemon
20049 - NFS over RDMA Framework
20106 - NFSv3 Status Monitor (NSM)
20107 - NFSv3 Lock Manager (NLM)
20108 - NFSv3 Remote Quota Manager (rquotad)
49001 - VAST Cluster Replication Path A
49002 - VAST Cluster Replication Path B
[Raw Bulk Paste String]:
22,53,80,111,443,445,2049,4420,5551,9092,20048,20049,20106,20107,20108,49001,49002
========================================================================
DATA NETWORK PROTOCOLS - UDP PORTS
========================================================================
53 - DNS Server
632 - NFSv3 rpcbind Allocation
2049 - NFS Data Path Transport
20048 - NFSv3 Mount Daemon
20106 - NFSv3 Status Monitor (NSM)
20107 - NFSv3 Lock Manager (NLM)
20108 - NFSv3 Remote Quota Manager (rquotad)
[Raw Bulk Paste String]:
53,632,2049,20048,20106,20107,20108
========================================================================
### Internal Ports ###
========================================================================
========================================================================
1. VAST PROCESSES (TCP)
========================================================================
3128 - Call Home Proxy
4000 - DNode Internal
4001 - DNode Internal
4100 - DNode Internal
4101 - DNode Internal
4200 - CNode Internal
4201 - CNode Internal
5200 - CNode Internal data-env
5201 - CNode Internal data-env
5551 - vms_monitor
6000 - leader
6001 - leader
7000 - DNode Internal
7100 - DNode Internal
7101 - DNode Internal
8000 - mcvms
[Raw Bulk Paste String]:
3128,4000,4001,4100,4101,4200,4201,5200,5201,5551,6000,6001,7000,7100,7101,8000
========================================================================
2. NETWORK SERVICES (TCP)
========================================================================
22 - SSH
80 - HTTP
111 - rpcbind for NFS
389 - LDAP
443 - HTTPS
445 - SMB
636 - Secure LDAP
2049 - NFS
3268 - LDAP catalogue
3269 - LDAP catalog SSL
4420 - spdk target
4520 - spdk target
5000 - Docker registry
6126 - mlx sharpd
9090 - Tabular
9092 - Kafka
20048 - mount
20106 - NSM
20107 - NLM
20108 - NFS_RQUOTA
[Raw Bulk Paste String]:
22,80,111,389,443,445,636,2049,3268,3269,4420,4520,5000,6126,9090,9092,20048,20106,20107,20108
========================================================================
3. INTERNAL PORTS (UDP)
========================================================================
4001 - DNode Internal
4005 - DNode1 platform CAS
4101 - DNode Internal
4105 - DNode1 data CAS
4205 - CAS Operations
5205-5239 - CNode silos CAS
6005 - Leader CAS
7005 - DNode2 Platform CAS
7105 - DNode2 data CAS
[Raw Bulk Paste String]:
4001,4005,4101,4105,4205,5205-5239,6005,7005,7105