Security Rules for Oracle Cloud VMware Solution SDDCs

This topic details the security rules the Console's Create SDDC workflow configures for the new SDDC's subnet and VLANs. The rules are based on the requirements set by VMware.

Important

If you do not use the workflow to create an SDDC, ensure that you configure the SDDC's networking resources with these security rules. Otherwise, provisioning the SDDC will fail.

Provisioning Subnet

The security lists for the provisioning subnet have the following stateful ingress security rules:

| Direction | Source | Protocol | Source Port | Destination Port | Description |
|---|---|---|---|---|---|
| Ingress | VCN CIDR | TCP | All | 22 | Allow SSH traffic |
| Ingress | VCN CIDR | ICMP | | Type and Code: All | Allow ICMP traffic |
| Ingress | VCN CIDR | TCP | All | 80 | Allow HTTP traffic |
| Ingress | VCN CIDR | TCP | All | 443 | Allow HTTPS traffic |
| Ingress | VCN CIDR | TCP | All | 902 | Allow vCenter Server agent to manage ESXi host |
| Ingress | VCN CIDR | UDP | All | 902 | Allow vCenter Server agent to manage ESXi host |
| Ingress | VCN CIDR | TCP | All | 903 | Allow vCenter Server agent to manage ESXi host |
| Ingress | VCN CIDR | TCP | All | 53 | Allow DNS traffic |
| Ingress | VCN CIDR | UDP | All | 53 | Allow DNS traffic |
| Ingress | VCN CIDR | TCP | All | 27010 | Allow VMware license server traffic |
| Ingress | VCN CIDR | TCP | All | 27000 | Allow VMware license server traffic |
| Ingress | VCN CIDR | UDP | All | 123 | Allow NTP time server traffic |
| Ingress | VCN CIDR | TCP | All | 3260 | Allow iSCSI traffic |
| Ingress | SDDC CIDR | All | All | All | Allow ingress traffic for VMware inter-process communication |

The security lists for the provisioning subnet have the following stateful egress security rule:

| Direction | Source | Protocol | Source Port | Destination Port | Description |
|---|---|---|---|---|---|
| Egress | 0.0.0.0/0 | All | All | All | Allow all egress traffic |

NSX Edge VTEP VLAN

The NSG for this VLAN has the following stateful security rules:

| Direction | Source | Protocol | Source Port | Destination Port | Description |
|---|---|---|---|---|---|
| Egress | 0.0.0.0/0 | All | All | All | Allow all egress traffic |
| Ingress | SDDC CIDR | UDP | All | 6081 | Allow traffic for GENEVE Termination End Point (TEP) Transport N/W |
| Ingress | SDDC CIDR | UDP | All | 3784-3785 | Allow traffic for BFD Session between TEPs |
| Ingress | SDDC CIDR | All | All | All | Allow ingress traffic for VMware inter-process communication |

NSX VTEP VLAN

The NSG for this VLAN has the following stateful security rules:

| Direction | Source | Protocol | Source Port | Destination Port | Description |
|---|---|---|---|---|---|
| Egress | 0.0.0.0/0 | All | All | All | Allow all egress traffic |
| Ingress | SDDC CIDR | UDP | All | 6081 | Allow traffic for GENEVE Termination End Point (TEP) Transport N/W |
| Ingress | SDDC CIDR | UDP | All | 3784-3785 | Allow traffic for BFD Session between TEPs |
| Ingress | SDDC CIDR | All | All | All | Allow ingress traffic for VMware inter-process communication |

vMotion VLAN

The NSG for this VLAN has the following stateful security rules:

| Direction | Source | Protocol | Source Port | Destination Port | Description |
|---|---|---|---|---|---|
| Egress | 0.0.0.0/0 | All | All | All | Allow all egress traffic |
| Ingress | VCN CIDR | TCP | All | 443 | Allow HTTPS traffic |
| Ingress | SDDC CIDR | TCP | All | 8000 | Allow vMotion traffic |
| Ingress | 0.0.0.0/0 | TCP | All | 902 | Allow ESXi NFC traffic |
| Ingress | SDDC CIDR | All | All | All | Allow ingress traffic for VMware inter-process communication |

vSAN VLAN

The NSG for this VLAN has the following stateful security rules:

| Direction | Source | Protocol | Source Port | Destination Port | Description |
|---|---|---|---|---|---|
| Egress | 0.0.0.0/0 | All | All | All | Allow all egress traffic |
| Ingress | SDDC CIDR | TCP | All | 8006 | Allow traffic used for Virtual SAN health monitoring |
| Ingress | SDDC CIDR | UDP | All | 8006 | Allow traffic used for Virtual SAN health monitoring |
| Ingress | VCN CIDR | TCP | All | 80 | Allow vSAN HTTP traffic |
| Ingress | SDDC CIDR | TCP | All | 2233 | Allow vSAN Transport traffic |
| Ingress | SDDC CIDR | UDP | All | 12345 | Allow vSAN Clustering Service traffic |
| Ingress | SDDC CIDR | UDP | All | 12321 | Allow Unicast agent traffic |
| Ingress | SDDC CIDR | UDP | All | 23451 | Allow vSAN Clustering Service traffic |
| Ingress | SDDC CIDR | All | All | All | Allow ingress traffic for VMware inter-process communication |

vSphere VLAN

The NSG for this VLAN has the following stateful security rules:

| Direction | Source | Protocol | Source Port | Destination Port | Description |
|---|---|---|---|---|---|
| Egress | 0.0.0.0/0 | All | All | All | Allow all egress traffic |
| Ingress | SDDC CIDR | UDP | All | 123 | Allow NTP port traffic |
| Ingress | SDDC CIDR | TCP | All | 22 | Allow SSH traffic |
| Ingress | SDDC CIDR | TCP | All | 1234 | Allow traffic for NSX messaging channel to NSX Manager |
| Ingress | SDDC CIDR | UDP | All | 12345-23451 | Allow traffic for vSAN Cluster Monitoring, Membership, and Directory Service |
| Ingress | SDDC CIDR | UDP | All | 12321 | Allow Unicast agent traffic |
| Ingress | VCN CIDR | TCP | All | 2233 | Allow RDT traffic |
| Ingress | SDDC CIDR | TCP | All | 2480 | Allow NestDB traffic |
| Ingress | SDDC CIDR | TCP | All | 3260 | Allow iSCSI traffic |
| Ingress | SDDC CIDR | TCP | All | 3784-3785 | Allow BFD traffic between nodes |
| Ingress | VCN CIDR | TCP | All | 427 | Allow CIM client traffic |
| Ingress | VCN CIDR | UDP | All | 427 | Allow CIM client traffic |
| Ingress | VCN CIDR | TCP | All | 443 | Allow HTTPS traffic |
| Ingress | SDDC CIDR | UDP | All | 50263 | Allow Edge HA traffic |
| Ingress | VCN CIDR | TCP | All | 53 | Allow DNS traffic |
| Ingress | VCN CIDR | UDP | All | 53 | Allow DNS traffic |
| Ingress | VCN CIDR | UDP | All | 5355 | Allow systemd-resolve traffic |
| Ingress | VCN CIDR | TCP | All | 5480 | Allow appliance management traffic |
| Ingress | SDDC CIDR | TCP | All | 5555 | Allow NSX Agent traffic |
| Ingress | SDDC CIDR | TCP | All | 5671 | Allow AMQP traffic |
| Ingress | SDDC CIDR | TCP | All | 1234-1235 | Allow NSX messaging traffic |
| Ingress | SDDC CIDR | TCP | All | 8080 | Allow HTTP traffic |
| Ingress | SDDC CIDR | TCP | All | 5900-5964 | Allow RFB protocol traffic |
| Ingress | VCN CIDR | TCP | All | 5988-5989 | Allow CIM traffic |
| Ingress | SDDC CIDR | TCP | All | 6500 | Allow traffic for ESXi dump collector |
| Ingress | SDDC CIDR | UDP | All | 6500 | Allow traffic for ESXi dump collector |
| Ingress | SDDC CIDR | TCP | All | 6666 | Allow traffic for NSX Edge communication |
| Ingress | SDDC CIDR | TCP | All | 6999 | Allow NSX DLR traffic |
| Ingress | VCN CIDR | TCP | All | 80 | Allow HTTP traffic |
| Ingress | SDDC CIDR | TCP | All | 8100-8300 | Allow vSphere fault tolerance traffic |
| Ingress | SDDC CIDR | UDP | All | 8100-8300 | Allow vSphere fault tolerance traffic |
| Ingress | SDDC CIDR | TCP | All | 8000 | Allow vMotion traffic |
| Ingress | SDDC CIDR | UDP | All | 8000 | Allow vMotion traffic |
| Ingress | SDDC CIDR | TCP | All | 8010 | Allow vSAN health traffic |
| Ingress | SDDC CIDR | TCP | All | 8006 | Allow vSAN health traffic |
| Ingress | SDDC CIDR | UDP | All | 8006 | Allow vSAN health traffic |
| Ingress | SDDC CIDR | TCP | All | 8301-8302 | Allow traffic to DVSSync port to enable fault tolerance |
| Ingress | SDDC CIDR | TCP | All | 8889 | Allow Web Services Management traffic |
| Ingress | SDDC CIDR | TCP | All | 9000 | Allow Distributed Data Store traffic |
| Ingress | SDDC CIDR | UDP | All | 9000 | Allow Distributed Data Store traffic |
| Ingress | SDDC CIDR | TCP | All | 902 | Allow vCenter server to manage ESXi hosts |
| Ingress | SDDC CIDR | UDP | All | 902 | Allow Server Agent traffic |
| Ingress | SDDC CIDR | TCP | All | 9080 | Allow I/O Filter traffic |
| Ingress | VCN CIDR | TCP | All | 9090 | Allow vSphere Web Client traffic |
| Ingress | VCN CIDR | UDP | All | 9090 | Allow vSphere Web Client traffic |
| Ingress | VCN CIDR | TCP | All | 9443 | Allow vSphere Web Client traffic |
| Ingress | VCN CIDR | UDP | All | 9443 | Allow vSphere Web Client traffic |
| Ingress | VCN CIDR | TCP | All | All | Allow traffic to TCP ports for VMware cluster |
| Ingress | VCN CIDR | UDP | All | All | Allow traffic to UDP ports for VMware cluster |
| Ingress | SDDC CIDR | All | All | All | Allow ingress traffic for VMware inter-process communication |

Replication-Net VLAN

The NSG for this VLAN has the following stateful security rules:

| Direction | Source | Protocol | Source Port | Destination Port | Description |
|---|---|---|---|---|---|
| Egress | 0.0.0.0/0 | All | All | All | Allow all egress traffic |
| Ingress | SDDC CIDR | TCP | All | 9080 | Allow vSphere replication communication |
| Ingress | 0.0.0.0/0 | TCP | All | 22 | Allow SSH for VCHA replication and communication |
| Ingress | SDDC CIDR | TCP | All | 31031 | For Replication 5.8: Allow initial replication traffic. For Replication 6.x: Allow initial and ongoing replication traffic |
| Ingress | SDDC CIDR | TCP | All | 44046 | Allow ongoing replication traffic |
| Ingress | 0.0.0.0/0 | ICMP | | Type and Code: 0,0 | Allow monitoring and health precheck traffic |
| Ingress | 0.0.0.0/0 | ICMP | | Type and Code: 11,0 | Allow traceroute traffic |
| Ingress | 0.0.0.0/0 | ICMP | | Type and Code: 3,4 | Allow traffic for path MTU discovery |
| Ingress | 0.0.0.0/0 | ICMP | | Type and Code: 8,0 | Allow monitoring and health precheck traffic |
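Because provisioning fails when these rules are absent, it is worth checking an NSG that was built outside the Create SDDC workflow before launching. The script below is an added example, not Oracle's code or tooling: it transcribes the Replication-Net VLAN table above into data and compares it with an NSG rule dump in the JSON shape that `oci network nsg rules list` returns. The SDDC CIDR and the rule dump are constructed sample values, and the field names (`direction`, `protocol`, `source`, `destination`, `tcp-options`, `udp-options`, `icmp-options`, `is-stateless`) follow the OCI SecurityRule API as understood by the author of this example rather than anything stated on this page. The comparison is generic, so the same `audit` function serves any of the other tables here once they are transcribed the same way, including TCP/UDP port ranges and ICMP type/code pairs where a rule with no code means "any code".

```python
"""Audit an OCI NSG rule dump against the Replication-Net VLAN rules.

Added example, not Oracle's code. REQUIRED is transcribed from the table
above; SDDC_CIDR and SAMPLE_NSG_RULES are constructed sample data in the
JSON shape of `oci network nsg rules list` output.
"""
import ipaddress
import json

SDDC_CIDR = "10.0.32.0/19"  # constructed stand-in for the real SDDC CIDR

# OCI encodes protocols as IANA numbers in strings, or the literal "all".
TCP, UDP, ICMP, ALL = "6", "17", "1", "all"

# (direction, CIDR, protocol, detail): detail is a (min, max) destination port
# range for TCP/UDP, a (type, code) pair for ICMP, None when everything is allowed.
REQUIRED = [
    ("EGRESS", "0.0.0.0/0", ALL, None),
    ("INGRESS", SDDC_CIDR, TCP, (9080, 9080)),
    ("INGRESS", "0.0.0.0/0", TCP, (22, 22)),
    ("INGRESS", SDDC_CIDR, TCP, (31031, 31031)),
    ("INGRESS", SDDC_CIDR, TCP, (44046, 44046)),
    ("INGRESS", "0.0.0.0/0", ICMP, (0, 0)),
    ("INGRESS", "0.0.0.0/0", ICMP, (11, 0)),
    ("INGRESS", "0.0.0.0/0", ICMP, (3, 4)),
    ("INGRESS", "0.0.0.0/0", ICMP, (8, 0)),
]

# Constructed dump: TCP 44046 and ICMP 11,0 are missing, ICMP type 3 has no
# code (allows any code), and a TCP 8443 rule the table never asks for is present.
SAMPLE_NSG_RULES = json.loads("""[
 {"direction": "EGRESS", "protocol": "all", "destination": "0.0.0.0/0",
  "destination-type": "CIDR_BLOCK", "is-stateless": false},
 {"direction": "INGRESS", "protocol": "6", "source": "10.0.32.0/19", "source-type": "CIDR_BLOCK",
  "is-stateless": false, "tcp-options": {"destination-port-range": {"min": 9080, "max": 9080},
  "source-port-range": null}},
 {"direction": "INGRESS", "protocol": "6", "source": "0.0.0.0/0", "source-type": "CIDR_BLOCK",
  "is-stateless": false, "tcp-options": {"destination-port-range": {"min": 22, "max": 22}}},
 {"direction": "INGRESS", "protocol": "6", "source": "10.0.32.0/19", "source-type": "CIDR_BLOCK",
  "is-stateless": false, "tcp-options": {"destination-port-range": {"min": 31031, "max": 31031}}},
 {"direction": "INGRESS", "protocol": "1", "source": "0.0.0.0/0", "source-type": "CIDR_BLOCK",
  "is-stateless": false, "icmp-options": {"type": 3, "code": null}},
 {"direction": "INGRESS", "protocol": "1", "source": "0.0.0.0/0", "source-type": "CIDR_BLOCK",
  "is-stateless": false, "icmp-options": {"type": 8, "code": 0}},
 {"direction": "INGRESS", "protocol": "1", "source": "0.0.0.0/0", "source-type": "CIDR_BLOCK",
  "is-stateless": false, "icmp-options": {"type": 0, "code": 0}},
 {"direction": "INGRESS", "protocol": "6", "source": "10.0.32.0/19", "source-type": "CIDR_BLOCK",
  "is-stateless": false, "tcp-options": {"destination-port-range": {"min": 8443, "max": 8443}}}
]""")


def normalize(rule):
    """Reduce one CLI rule object to the (direction, CIDR, protocol, detail) shape.
    CIDR is None when the rule is keyed on an NSG or service rather than a CIDR block."""
    direction = rule["direction"]
    side = "source" if direction == "INGRESS" else "destination"
    cidr = rule.get(side) if rule.get(side + "-type") == "CIDR_BLOCK" else None
    proto = rule["protocol"]
    if proto in (TCP, UDP):
        opts = rule.get("tcp-options" if proto == TCP else "udp-options") or {}
        rng = opts.get("destination-port-range")
        detail = (rng["min"], rng["max"]) if rng else (1, 65535)  # no range = all ports
    elif proto == ICMP:
        opts = rule.get("icmp-options")
        detail = (opts["type"], opts.get("code")) if opts else (None, None)  # None = any
    else:
        detail = None
    return direction, cidr, proto, detail


def covers(existing, required):
    """True if one existing stateful rule allows everything the required rule allows."""
    e_dir, e_cidr, e_proto, e_detail = existing
    r_dir, r_cidr, r_proto, r_detail = required
    if e_dir != r_dir or e_cidr is None:
        return False
    if not ipaddress.ip_network(r_cidr).subnet_of(ipaddress.ip_network(e_cidr)):
        return False
    if e_proto == ALL:
        return True
    if e_proto != r_proto:
        return False
    if r_proto in (TCP, UDP):
        return e_detail[0] <= r_detail[0] and r_detail[1] <= e_detail[1]
    if r_proto == ICMP:
        (e_type, e_code), (r_type, r_code) = e_detail, r_detail
        return (e_type is None or e_type == r_type) and (e_code is None or e_code == r_code)
    return True  # same non-TCP/UDP/ICMP protocol number: no finer detail to compare


def audit(required, cli_rules):
    """Return (missing, extra): required rules no stateful rule covers, and
    stateful rules that serve no required rule and therefore deserve review."""
    existing = [normalize(r) for r in cli_rules if not r.get("is-stateless", False)]
    missing = [r for r in required if not any(covers(e, r) for e in existing)]
    extra = [e for e in existing if not any(covers(e, r) for r in required)]
    return missing, extra


if __name__ == "__main__":
    missing, extra = audit(REQUIRED, SAMPLE_NSG_RULES)
    for rule in missing:
        print("MISSING:", rule)
    for rule in extra:
        print("NOT REQUIRED BY TABLE:", rule)
```

Stateless rules are deliberately ignored, because the tables call for stateful rules and a stateless ingress rule would also need a matching egress rule to carry replies. Rules flagged as extra are not necessarily wrong; they are simply not accounted for by the table and should be traceable to another requirement.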

Provisioning-Net VLAN

The NSG for this VLAN has the following stateful security rules:

| Direction | Source | Protocol | Source Port | Destination Port | Description |
|---|---|---|---|---|---|
| Egress | 0.0.0.0/0 | All | All | All | Allow all egress traffic |
| Ingress | SDDC CIDR | UDP | All | 123 | Allow NTP port traffic |
| Ingress | SDDC CIDR | TCP | All | 22 | Allow SSH traffic |
| Ingress | SDDC CIDR | TCP | All | 1234 | Allow traffic for NSX messaging channel to NSX Manager |
| Ingress | SDDC CIDR | UDP | All | 12345-23451 | Allow traffic for vSAN Cluster Monitoring, Membership, and Directory Service |
| Ingress | SDDC CIDR | UDP | All | 12321 | Allow Unicast agent traffic |
| Ingress | VCN CIDR | TCP | All | 2233 | Allow RDT traffic |
| Ingress | SDDC CIDR | TCP | All | 2480 | Allow NestDB traffic |
| Ingress | SDDC CIDR | TCP | All | 3260 | Allow iSCSI traffic |
| Ingress | SDDC CIDR | TCP | All | 3784-3785 | Allow BFD traffic between nodes |
| Ingress | VCN CIDR | TCP | All | 427 | Allow CIM client traffic |
| Ingress | VCN CIDR | UDP | All | 427 | Allow CIM client traffic |
| Ingress | VCN CIDR | TCP | All | 443 | Allow HTTPS traffic |
| Ingress | SDDC CIDR | UDP | All | 50263 | Allow Edge HA traffic |
| Ingress | VCN CIDR | TCP | All | 53 | Allow DNS traffic |
| Ingress | VCN CIDR | UDP | All | 53 | Allow DNS traffic |
| Ingress | VCN CIDR | UDP | All | 5355 | Allow systemd-resolve traffic |
| Ingress | VCN CIDR | TCP | All | 5480 | Allow appliance management traffic |
| Ingress | SDDC CIDR | TCP | All | 5555 | Allow NSX Agent traffic |
| Ingress | SDDC CIDR | TCP | All | 5671 | Allow AMQP traffic |
| Ingress | SDDC CIDR | TCP | All | 1234-1235 | Allow NSX messaging traffic |
| Ingress | SDDC CIDR | TCP | All | 8080 | Allow HTTP traffic |
| Ingress | SDDC CIDR | TCP | All | 5900-5964 | Allow RFB protocol traffic |
| Ingress | VCN CIDR | TCP | All | 5988-5989 | Allow CIM traffic |
| Ingress | SDDC CIDR | TCP | All | 6500 | Allow traffic for ESXi dump collector |
| Ingress | SDDC CIDR | UDP | All | 6500 | Allow traffic for ESXi dump collector |
| Ingress | SDDC CIDR | TCP | All | 6666 | Allow traffic for NSX Edge communication |
| Ingress | SDDC CIDR | TCP | All | 6999 | Allow NSX DLR traffic |
| Ingress | VCN CIDR | TCP | All | 80 | Allow HTTP traffic |
| Ingress | SDDC CIDR | TCP | All | 8100-8300 | Allow vSphere fault tolerance traffic |
| Ingress | SDDC CIDR | UDP | All | 8100-8300 | Allow vSphere fault tolerance traffic |
| Ingress | SDDC CIDR | TCP | All | 8000 | Allow vMotion traffic |
| Ingress | SDDC CIDR | UDP | All | 8000 | Allow vMotion traffic |
| Ingress | SDDC CIDR | TCP | All | 8010 | Allow vSAN health traffic |
| Ingress | SDDC CIDR | TCP | All | 8006 | Allow vSAN health traffic |
| Ingress | SDDC CIDR | UDP | All | 8006 | Allow vSAN health traffic |
| Ingress | SDDC CIDR | TCP | All | 8301-8302 | Allow traffic to DVSSync port to enable fault tolerance |
| Ingress | SDDC CIDR | TCP | All | 8889 | Allow Web Services Management traffic |
| Ingress | SDDC CIDR | TCP | All | 9000 | Allow Distributed Data Store traffic |
| Ingress | SDDC CIDR | UDP | All | 9000 | Allow Distributed Data Store traffic |
| Ingress | SDDC CIDR | TCP | All | 902 | Allow vCenter server to manage ESXi hosts |
| Ingress | SDDC CIDR | UDP | All | 902 | Allow Server Agent traffic |
| Ingress | SDDC CIDR | TCP | All | 9080 | Allow I/O Filter traffic |
| Ingress | VCN CIDR | TCP | All | 9090 | Allow vSphere Web Client traffic |
| Ingress | VCN CIDR | UDP | All | 9090 | Allow vSphere Web Client traffic |
| Ingress | VCN CIDR | TCP | All | 9443 | Allow vSphere Web Client traffic |
| Ingress | VCN CIDR | UDP | All | 9443 | Allow vSphere Web Client traffic |
| Ingress | VCN CIDR | TCP | All | All | Allow traffic to TCP ports for VMware cluster |
| Ingress | VCN CIDR | UDP | All | All | Allow traffic to UDP ports for VMware cluster |
| Ingress | SDDC CIDR | All | All | All | Allow ingress traffic for VMware inter-process communication |

HCX VLAN

The NSG for this VLAN has the following stateful security rules:

| Direction | Source | Protocol | Source Port | Destination Port | Description |
|---|---|---|---|---|---|
| Egress | 0.0.0.0/0 | All | All | All | Allow all egress traffic |
| Ingress | SDDC CIDR | TCP | All | 31031 | Allow HCX bulk migration traffic |
| Ingress | SDDC CIDR | TCP | All | 8000 | Allow HCX X-cloud vMotion traffic |
| Ingress | SDDC CIDR | TCP | All | 443 | Allow HCX X-cloud control traffic |
| Ingress | SDDC CIDR | TCP | All | 9443 | Allow HCX REST API traffic |
| Ingress | SDDC CIDR | TCP | All | 902 | Allow HCX cold migration traffic |
| Ingress | SDDC CIDR | TCP | All | 80 | Allow OVF import traffic |
| Ingress | VCN CIDR | UDP | All | 4500 | Allow HCX WAN transport traffic |
| Ingress | SDDC CIDR | All | All | All | Allow ingress traffic for VMware inter-process communication |