External communications

Contributors netapp-madkat

Clients need to communicate with grid nodes to ingest and retrieve content. The ports used depends on the object storage protocols chosen. These ports need to be accessible to the client.

Restricted access to ports

If enterprise networking policies restrict access to any of the ports, you can use load balancer endpoints to allow access on user-defined ports. You can then use untrusted Client Networks to allow access only on load balancer endpoint ports.

Port remapping

To use systems and protocols such as SMTP, DNS, SSH, or DHCP, you must remap ports when deploying nodes. However, you should not remap load balancer endpoints. For information about port remapping, see the installation instructions for your platform:

Ports used for external communications

The following table shows the ports used for traffic into the nodes.

Note This list does not include ports that might be configured as load balancer endpoints.
Port TCP or UDP Protocol From To Details

22

TCP

SSH

Service laptop

All nodes

SSH or console access is required for procedures with console steps. Optionally, you can use port 2022 instead of 22.

25

TCP

SMTP

Admin Nodes

Email server

Used for alerts and email-based AutoSupport. You can override the default port setting of 25 using the Email Servers page.

53

TCP/ UDP

DNS

All nodes

DNS servers

Used for domain name system.

67

UDP

DHCP

All nodes

DHCP service

Optionally used to support DHCP-based network configuration. The dhclient service does not run for statically-configured grids.

68

UDP

DHCP

DHCP service

All nodes

Optionally used to support DHCP-based network configuration. The dhclient service does not run for grids that use static IP addresses.

80

TCP

HTTP

Browser

Admin Nodes

Port 80 redirects to port 443 for the Admin Node user interface.

80

TCP

HTTP

Browser

Appliances

Port 80 redirects to port 8443 for the StorageGRID Appliance Installer.

80

TCP

HTTP

Storage Nodes with ADC

AWS

Used for platform services messages sent to AWS or other external services that use HTTP. Tenants can override the default HTTP port setting of 80 when creating an endpoint.

80

TCP

HTTP

Storage Nodes

AWS

Cloud Storage Pools requests sent to AWS targets that use HTTP. Grid administrators can override the default HTTP port setting of 80 when configuring a Cloud Storage Pool.

111

TCP/ UDP

RPCBind

NFS client

Admin Nodes

Used by NFS-based audit export (portmap).

Note: This port is required only if NFS-based audit export is enabled.

123

UDP

NTP

Primary NTP nodes

External NTP

Network time protocol service. Nodes selected as primary NTP sources also synchronize clock times with the external NTP time sources.

137

UDP

NetBIOS

SMB client

Admin Nodes

Used by SMB-based audit export for clients that require NetBIOS support.

Note: This port is required only if SMB-based audit export is enabled.

138

UDP

NetBIOS

SMB client

Admin Nodes

Used by SMB-based audit export for clients that require NetBIOS support.

Note: This port is required only if SMB-based audit export is enabled.

139

TCP

SMB

SMB client

Admin Nodes

Used by SMB-based audit export for clients that require NetBIOS support.

Note: This port is required only if SMB-based audit export is enabled.

161

TCP/ UDP

SNMP

SNMP client

All nodes

Used for SNMP polling. All nodes provide basic information; Admin Nodes also provide alert and alarm data. Defaults to UDP port 161 when configured.

Note: This port is only required, and is only opened on the node firewall if SNMP is configured. If you plan to use SNMP, you can configure alternate ports.

Note: For information about using SNMP with StorageGRID, contact your NetApp account representative.

162

TCP/ UDP

SNMP Notifications

All nodes

Notification destinations

Outbound SNMP notifications and traps default to UDP port 162.

Note: This port is only required if SNMP is enabled and notification destinations are configured. If you plan to use SNMP, you can configure alternate ports.

Note: For information about using SNMP with StorageGRID, contact your NetApp account representative.

389

TCP/ UDP

LDAP

Storage Nodes with ADC

Active Directory/LDAP

Used for connecting to an Active Directory or LDAP server for Identity Federation.

443

TCP

HTTPS

Browser

Admin Nodes

Used by web browsers and management API clients for accessing the Grid Manager and Tenant Manager.

443

TCP

HTTPS

Admin Nodes

Active Directory

Used by Admin Nodes connecting to Active Directory if single sign-on (SSO) is enabled.

443

TCP

HTTPS

Archive Nodes

Amazon S3

Used for accessing Amazon S3 from Archive Nodes.

443

TCP

HTTPS

Storage Nodes with ADC

AWS

Used for platform services messages sent to AWS or other external services that use HTTPS. Tenants can override the default HTTP port setting of 443 when creating an endpoint.

443

TCP

HTTPS

Storage Nodes

AWS

Cloud Storage Pools requests sent to AWS targets that use HTTPS. Grid administrators can override the default HTTPS port setting of 443 when configuring a Cloud Storage Pool.

445

TCP

SMB

SMB client

Admin Nodes

Used by SMB-based audit export.

Note: This port is required only if SMB-based audit export is enabled.

903

TCP

NFS

NFS client

Admin Nodes

Used by NFS-based audit export (rpc.mountd).

Note: This port is required only if NFS-based audit export is enabled.

2022

TCP

SSH

Service laptop

All nodes

SSH or console access is required for procedures with console steps. Optionally, you can use port 22 instead of 2022.

2049

TCP

NFS

NFS client

Admin Nodes

Used by NFS-based audit export (nfs).

Note: This port is required only if NFS-based audit export is enabled.

5696

TCP

KMIP

Appliance

KMS

Key Management Interoperability Protocol (KMIP) external traffic from appliances configured for node encryption to the Key Management Server (KMS), unless a different port is specified on the KMS configuration page of the StorageGRID Appliance Installer.

8022

TCP

SSH

Service laptop

All nodes

SSH on port 8022 grants access to the base operating system on appliance and virtual node platforms for support and troubleshooting. This port is not used for Linux-based (bare metal) nodes and is not required to be accessible between grid nodes or during normal operations.

8082

TCP

HTTPS

S3 clients

Gateway Nodes

S3 client traffic to the deprecated CLB service on Gateway Nodes (HTTPS).

8083

TCP

HTTPS

Swift clients

Gateway Nodes

Swift client traffic to the deprecated CLB service on Gateway Nodes (HTTPS).

8084

TCP

HTTP

S3 clients

Gateway Nodes

S3 client traffic to the deprecated CLB service on Gateway Nodes (HTTP).

8085

TCP

HTTP

Swift clients

Gateway Nodes

Swift client traffic to the deprecated CLB service on Gateway Nodes (HTTP).

8443

TCP

HTTPS

Browser

Admin Nodes

Optional. Used by web browsers and management API clients for accessing the Grid Manager. Can be used to separate Grid Manager and Tenant Manager communications.

9022

TCP

SSH

Service laptop

Appliances

Grants access to StorageGRID appliances in pre-configuration mode for support and troubleshooting. This port is not required to be accessible between grid nodes or during normal operations.

9091

TCP

HTTPS

External Grafana service

Admin Nodes

Used by external Grafana services for secure access to the StorageGRID Prometheus service.

Note: This port is required only if certificate-based Prometheus access is enabled.

9443

TCP

HTTPS

Browser

Admin Nodes

Optional. Used by web browsers and management API clients for accessing the Tenant Manager. Can be used to separate Grid Manager and Tenant Manager communications.

18082

TCP

HTTPS

S3 clients

Storage Nodes

S3 client traffic directly to Storage Nodes (HTTPS).

18083

TCP

HTTPS

Swift clients

Storage Nodes

Swift client traffic directly to Storage Nodes (HTTPS).

18084

TCP

HTTP

S3 clients

Storage Nodes

S3 client traffic directly to Storage Nodes (HTTP).

18085

TCP

HTTP

Swift clients

Storage Nodes

Swift client traffic directly to Storage Nodes (HTTP).