External communications
Clients need to communicate with grid nodes to ingest and retrieve content. The ports used depends on the object storage protocols chosen. These ports need to be accessible to the client.
Restricted access to ports
If enterprise networking policies restrict access to any of the ports, you can do one of the following:
-
Use load balancer endpoints to allow access on user-defined ports.
-
Remap ports when deploying nodes. However, you should not remap load balancer endpoints. See the information about port remapping for your StorageGRID node:
Ports used for external communications
The following table shows the ports used for traffic into the nodes.
This list does not include ports that might be configured as load balancer endpoints. |
Port | TCP or UDP | Protocol | From | To | Details |
---|---|---|---|---|---|
22 |
TCP |
SSH |
Service laptop |
All nodes |
SSH or console access is required for procedures with console steps. Optionally, you can use port 2022 instead of 22. |
25 |
TCP |
SMTP |
Admin Nodes |
Email server |
Used for alerts and email-based AutoSupport. You can override the default port setting of 25 using the Email Servers page. |
53 |
TCP/ UDP |
DNS |
All nodes |
DNS servers |
Used for DNS. |
67 |
UDP |
DHCP |
All nodes |
DHCP service |
Optionally used to support DHCP-based network configuration. The dhclient service does not run for statically-configured grids. |
68 |
UDP |
DHCP |
DHCP service |
All nodes |
Optionally used to support DHCP-based network configuration. The dhclient service does not run for grids that use static IP addresses. |
80 |
TCP |
HTTP |
Browser |
Admin Nodes |
Port 80 redirects to port 443 for the Admin Node user interface. |
80 |
TCP |
HTTP |
Browser |
Appliances |
Port 80 redirects to port 8443 for the StorageGRID Appliance Installer. |
80 |
TCP |
HTTP |
Storage Nodes with ADC |
AWS |
Used for platform services messages sent to AWS or other external services that use HTTP. Tenants can override the default HTTP port setting of 80 when creating an endpoint. |
80 |
TCP |
HTTP |
Storage Nodes |
AWS |
Cloud Storage Pools requests sent to AWS targets that use HTTP. Grid administrators can override the default HTTP port setting of 80 when configuring a Cloud Storage Pool. |
111 |
TCP/ UDP |
RPCBind |
NFS client |
Admin Nodes |
Used by NFS-based audit export (portmap). Note: This port is required only if NFS-based audit export is enabled. Note: Support for NFS has been deprecated and will be removed in a future release. |
123 |
UDP |
NTP |
Primary NTP nodes |
External NTP |
Network time protocol service. Nodes selected as primary NTP sources also synchronize clock times with the external NTP time sources. |
161 |
TCP/ UDP |
SNMP |
SNMP client |
All nodes |
Used for SNMP polling. All nodes provide basic information; Admin Nodes also provide alert data. Defaults to UDP port 161 when configured. Note: This port is only required, and is only opened on the node firewall if SNMP is configured. If you plan to use SNMP, you can configure alternate ports. Note: For information about using SNMP with StorageGRID, contact your NetApp account representative. |
162 |
TCP/ UDP |
SNMP Notifications |
All nodes |
Notification destinations |
Outbound SNMP notifications and traps default to UDP port 162. Note: This port is only required if SNMP is enabled and notification destinations are configured. If you plan to use SNMP, you can configure alternate ports. Note: For information about using SNMP with StorageGRID, contact your NetApp account representative. |
389 |
TCP/ UDP |
LDAP |
Storage Nodes with ADC |
Active Directory/LDAP |
Used for connecting to an Active Directory or LDAP server for Identity Federation. |
443 |
TCP |
HTTPS |
Browser |
Admin Nodes |
Used by web browsers and management API clients for accessing the Grid Manager and Tenant Manager. Note: If you close Grid Manager ports 443 or 8443, any users currently connected on a blocked port, including you, will lose access to Grid Manager unless their IP address has been added to the Privileged address list. See Configure firewall controls to configure privileged IP addresses. |
443 |
TCP |
HTTPS |
Admin Nodes |
Active Directory |
Used by Admin Nodes connecting to Active Directory if single sign-on (SSO) is enabled. |
443 |
TCP |
HTTPS |
Storage Nodes with ADC |
AWS |
Used for platform services messages sent to AWS or other external services that use HTTPS. Tenants can override the default HTTP port setting of 443 when creating an endpoint. |
443 |
TCP |
HTTPS |
Storage Nodes |
AWS |
Cloud Storage Pools requests sent to AWS targets that use HTTPS. Grid administrators can override the default HTTPS port setting of 443 when configuring a Cloud Storage Pool. |
903 |
TCP |
NFS |
NFS client |
Admin Nodes |
Used by NFS-based audit export ( Note: This port is required only if NFS-based audit export is enabled. Note: Support for NFS has been deprecated and will be removed in a future release. |
2022 |
TCP |
SSH |
Service laptop |
All nodes |
SSH or console access is required for procedures with console steps. Optionally, you can use port 22 instead of 2022. |
2049 |
TCP |
NFS |
NFS client |
Admin Nodes |
Used by NFS-based audit export (nfs). Note: This port is required only if NFS-based audit export is enabled. Note: Support for NFS has been deprecated and will be removed in a future release. |
5353 |
UDP |
mDNS |
All nodes |
All nodes |
Provides the multicast DNS (mDNS) service that is used for full-grid IP changes and for primary Admin Node discovery during installation, expansion, and recovery. |
5696 |
TCP |
KMIP |
Appliance |
KMS |
Key Management Interoperability Protocol (KMIP) external traffic from appliances configured for node encryption to the Key Management Server (KMS), unless a different port is specified on the KMS configuration page of the StorageGRID Appliance Installer. |
8022 |
TCP |
SSH |
Service laptop |
All nodes |
SSH on port 8022 grants access to the base operating system on appliance and virtual node platforms for support and troubleshooting. This port is not used for Linux-based (bare metal) nodes and is not required to be accessible between grid nodes or during normal operations. |
8443 |
TCP |
HTTPS |
Browser |
Admin Nodes |
Optional. Used by web browsers and management API clients for accessing the Grid Manager. Can be used to separate Grid Manager and Tenant Manager communications. Note: If you close Grid Manager ports 443 or 8443, any users currently connected on a blocked port, including you, will lose access to Grid Manager unless their IP address has been added to the Privileged address list. See Configure firewall controls to configure privileged IP addresses. |
9022 |
TCP |
SSH |
Service laptop |
Appliances |
Grants access to StorageGRID appliances in pre-configuration mode for support and troubleshooting. This port is not required to be accessible between grid nodes or during normal operations. |
9091 |
TCP |
HTTPS |
External Grafana service |
Admin Nodes |
Used by external Grafana services for secure access to the StorageGRID Prometheus service. Note: This port is required only if certificate-based Prometheus access is enabled. |
9092 |
TCP |
Kafka |
Storage Nodes with ADC |
Kafka cluster |
Used for platform services messages sent to a Kafka cluster. Tenants can override the default Kafka port setting of 9092 when creating an endpoint. |
9443 |
TCP |
HTTPS |
Browser |
Admin Nodes |
Optional. Used by web browsers and management API clients for accessing the Tenant Manager. Can be used to separate Grid Manager and Tenant Manager communications. |
18082 |
TCP |
HTTPS |
S3 clients |
Storage Nodes |
S3 client traffic directly to Storage Nodes (HTTPS). |
18083 |
TCP |
HTTPS |
Swift clients |
Storage Nodes |
Swift client traffic directly to Storage Nodes (HTTPS). |
18084 |
TCP |
HTTP |
S3 clients |
Storage Nodes |
S3 client traffic directly to Storage Nodes (HTTP). |
18085 |
TCP |
HTTP |
Swift clients |
Storage Nodes |
Swift client traffic directly to Storage Nodes (HTTP). |
23000-23999 |
TCP |
HTTPS |
All nodes on the source grid for cross-grid replication |
Admin Nodes and Gateway Nodes on the destination grid for cross-grid replication |
This range of ports is reserved for grid federation connections. Both grids in a given connection use the same port. |