1.3. Networking Requirements

1.3.1. Firewall Requirements for DNS, NTP, and IPMI Fencing

The firewall requirements for DNS, NTP, and IPMI Fencing are special cases that require individual consideration.

DNS and NTP

Red Hat Virtualization does not create a DNS or NTP server, so the firewall does not need to have open ports for incoming traffic.

By default, Red Hat Enterprise Linux allows outbound traffic to DNS and NTP on any destination address. If you disable outgoing traffic, make exceptions for requests being sent to DNS and NTP servers.

Important
  • The Red Hat Virtualization Manager and all hosts (Red Hat Virtualization Host and Red Hat Enterprise Linux host) must have a fully qualified domain name and full, perfectly-aligned forward and reverse name resolution.
  • Running a DNS service as a virtual machine in the Red Hat Virtualization environment is not supported. All DNS services the Red Hat Virtualization environment uses must be hosted outside of the environment.
  • Red Hat strongly recommends using DNS instead of the /etc/hosts file for name resolution. Using a hosts file typically requires more work and has a greater chance for errors.
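One way to check the aligned forward and reverse resolution required above is the sketch below. It is an added example, not Red Hat tooling; the host names, the 192.0.2.x addresses and the sample zone data are constructed, and the lookups are injectable so the check also runs offline.

```python
import socket

def forward_lookup(name):
    """Addresses the system resolver returns for name."""
    return {info[4][0] for info in socket.getaddrinfo(name, None)}

def reverse_lookup(addr):
    """Primary PTR name the system resolver returns for addr."""
    return socket.gethostbyaddr(addr)[0]

def check_alignment(fqdn, forward=forward_lookup, reverse=reverse_lookup):
    """Return a list of problems; an empty list means forward and reverse agree."""
    name = fqdn.rstrip(".").lower()
    if "." not in name:
        return [f"{fqdn}: not a fully qualified domain name"]
    try:
        addrs = forward(name)
    except OSError as exc:  # gaierror and herror are OSError subclasses
        return [f"{name}: forward lookup failed ({exc})"]
    if not addrs:
        return [f"{name}: forward lookup returned no addresses"]
    problems = []
    for addr in sorted(addrs):
        try:
            ptr = reverse(addr).rstrip(".").lower()
        except OSError as exc:
            problems.append(f"{addr}: no reverse record ({exc})")
            continue
        if ptr != name:
            problems.append(f"{addr}: reverse record is {ptr}, expected {name}")
    return problems

# Constructed sample zone data; host2 has a stale PTR record.
SAMPLE_A = {"manager.example.com": {"192.0.2.10"},
            "host1.example.com": {"192.0.2.21"},
            "host2.example.com": {"192.0.2.22"}}
SAMPLE_PTR = {"192.0.2.10": "manager.example.com",
              "192.0.2.21": "host1.example.com",
              "192.0.2.22": "node2.example.com"}

def sample_forward(name):
    if name not in SAMPLE_A:
        raise OSError("NXDOMAIN")
    return SAMPLE_A[name]

def sample_reverse(addr):
    if addr not in SAMPLE_PTR:
        raise OSError("no PTR")
    return SAMPLE_PTR[addr]

if __name__ == "__main__":
    for fqdn in ("manager.example.com", "host2.example.com", "host3"):
        print(fqdn, check_alignment(fqdn, sample_forward, sample_reverse) or "OK")
```

Call `check_alignment(fqdn)` without the sample functions to test against the live resolver on the Manager and on each host.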

IPMI and Other Fencing Mechanisms (optional)

For IPMI (Intelligent Platform Management Interface) and other fencing mechanisms, the firewall does not need to have open ports for incoming traffic.

By default, Red Hat Enterprise Linux allows outbound IPMI traffic to ports on any destination address. If you disable outgoing traffic, make exceptions for requests being sent to your IPMI or fencing servers.

Each Red Hat Virtualization Host and Red Hat Enterprise Linux host in the cluster must be able to connect to the fencing devices of all other hosts in the cluster. In case the cluster hosts are badly affected, they must be able to connect to other hosts in the data center.

The specific port number depends on the type of the fence agent you are using and how it is configured.

The firewall requirement tables in the following sections do not represent this option.

1.3.2. Red Hat Virtualization Manager Firewall Requirements

The Red Hat Virtualization Manager requires that a number of ports be opened to allow network traffic through the system’s firewall.

The engine-setup script can configure the firewall automatically, but this overwrites any pre-existing firewall configuration if you are using iptables. If you want to keep the existing firewall configuration, you must manually insert the firewall rules required by the Manager. The engine-setup command saves a list of the iptables rules required in the /etc/ovirt-engine/iptables.example file. If you are using firewalld, engine-setup does not overwrite the existing configuration.

The firewall configuration documented here assumes a default configuration.

Note

A diagram of these firewall requirements is available at https://access.redhat.com/articles/3932211. You can use the IDs in the table to look up connections in the diagram.

Table 1.4. Red Hat Virtualization Manager Firewall Requirements

| ID | Port(s) | Protocol | Source | Destination | Purpose |
|---|---|---|---|---|---|
| M1 | - | ICMP | Red Hat Virtualization Hosts; Red Hat Enterprise Linux hosts | Red Hat Virtualization Manager | Optional. May help in diagnosis. |
| M2 | 22 | TCP | System(s) used for maintenance of the Manager including backend configuration, and software upgrades. | Red Hat Virtualization Manager | Secure Shell (SSH) access. Optional. |
| M3 | 2222 | TCP | Clients accessing virtual machine serial consoles. | Red Hat Virtualization Manager | Secure Shell (SSH) access to enable connection to virtual machine serial consoles. |
| M4 | 80, 443 | TCP | Administration Portal clients; VM Portal clients; Red Hat Virtualization Hosts; Red Hat Enterprise Linux hosts; REST API clients | Red Hat Virtualization Manager | Provides HTTP and HTTPS access to the Manager. |
| M5 | 6100 | TCP | Administration Portal clients; VM Portal clients | Red Hat Virtualization Manager | Provides websocket proxy access for a web-based console client, noVNC, when the websocket proxy is running on the Manager. If the websocket proxy is running on a different host, however, this port is not used. |
| M6 | 7410 | UDP | Red Hat Virtualization Hosts; Red Hat Enterprise Linux hosts | Red Hat Virtualization Manager | If Kdump is enabled on the hosts, open this port for the fence_kdump listener on the Manager. See fence_kdump Advanced Configuration. |
| M7 | 54323 | TCP | Administration Portal clients | Red Hat Virtualization Manager (ImageIO Proxy server) | Required for communication with the ImageIO Proxy (ovirt-imageio-proxy). |
| M8 | 6442 | TCP | Red Hat Virtualization Hosts; Red Hat Enterprise Linux hosts | Open Virtual Network (OVN) southbound database | Connect to Open Virtual Network (OVN) database |
| M9 | 9696 | TCP | Clients of external network provider for OVN | External network provider for OVN | OpenStack Networking API |
| M10 | 35357 | TCP | Clients of external network provider for OVN | External network provider for OVN | OpenStack Identity API |
| M11 | 53 | TCP, UDP | Red Hat Virtualization Manager | DNS Server | DNS lookup requests from ports above 1023 to port 53, and responses. Open by default. |
| M12 | 123 | UDP | Red Hat Virtualization Manager | NTP Server | NTP requests from ports above 1023 to port 123, and responses. Open by default. |

Note
  • A port for the OVN northbound database (6641) is not listed because, in the default configuration, the only client for the OVN northbound database (6641) is ovirt-provider-ovn. Because they both run on the same host, their communication is not visible to the network.
  • By default, Red Hat Enterprise Linux allows outbound traffic to DNS and NTP on any destination address. If you disable outgoing traffic, make exceptions for the Manager to send requests to DNS and NTP servers. Other nodes may also require DNS and NTP. In that case, consult the requirements for those nodes and configure the firewall accordingly.
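When you keep an existing firewalld configuration and add the Manager rules by hand, a check like the following compares the open ports with Table 1.4. It is an added example, not part of engine-setup: the sample `firewall-cmd --list-ports` output is constructed, and treating rows M2, M5 and M6 as conditional is this example's reading of the table. Ports opened through firewalld services or rich rules do not appear in `--list-ports` and are not covered here.

```python
# Inbound rows of Table 1.4 (M2-M10), assuming the default layout in which
# these services run on the Manager machine.
# conditional=True marks rows the table calls optional or ties to a feature.
MANAGER_INBOUND = [
    ("M2", [22], "tcp", True),
    ("M3", [2222], "tcp", False),
    ("M4", [80, 443], "tcp", False),
    ("M5", [6100], "tcp", True),
    ("M6", [7410], "udp", True),
    ("M7", [54323], "tcp", False),
    ("M8", [6442], "tcp", False),
    ("M9", [9696], "tcp", False),
    ("M10", [35357], "tcp", False),
]

def parse_list_ports(text):
    """Parse 'PORT/PROTO' and 'START-END/PROTO' tokens into (start, end, proto)."""
    spans = []
    for token in text.split():
        ports, _, proto = token.partition("/")
        start, _, end = ports.partition("-")
        lo, hi = int(start), int(end or start)
        if not proto or not (0 < lo <= hi <= 65535):
            raise ValueError(f"bad port token: {token!r}")
        spans.append((lo, hi, proto.lower()))
    return spans

def covered(port, proto, spans):
    return any(lo <= port <= hi and p == proto for lo, hi, p in spans)

def audit(list_ports_output, table=MANAGER_INBOUND):
    """Return required rows that are not open and open spans the table lacks."""
    spans = parse_list_ports(list_ports_output)
    wanted = {(port, proto) for _, ports, proto, _ in table for port in ports}
    missing = [row for row, ports, proto, conditional in table
               if not conditional
               and not all(covered(p, proto, spans) for p in ports)]
    unlisted = []
    for lo, hi, proto in spans:
        inside = [p for p, pr in wanted if pr == proto and lo <= p <= hi]
        # A span is unlisted if it opens anything beyond the table's ports.
        if len(inside) != hi - lo + 1:
            unlisted.append(f"{lo}/{proto}" if lo == hi else f"{lo}-{hi}/{proto}")
    return {"missing": missing, "unlisted": unlisted}

# Constructed sample: 7410 opened as TCP instead of UDP, plus a stray range.
SAMPLE = "22/tcp 80/tcp 443/tcp 2222/tcp 54323/tcp 6442/tcp 8000-8010/tcp 7410/tcp"

if __name__ == "__main__":
    print(audit(SAMPLE))
```

The `unlisted` entries are ports to justify or close; the `missing` entries are required rows of the table that the firewall does not yet allow.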

1.3.3. Host Firewall Requirements

Red Hat Enterprise Linux hosts and Red Hat Virtualization Hosts (RHVH) require a number of ports to be opened to allow network traffic through the system’s firewall. The firewall rules are automatically configured by default when adding a new host to the Manager, overwriting any pre-existing firewall configuration.

To disable automatic firewall configuration when adding a new host, clear the Automatically configure host firewall check box under Advanced Parameters.

To customize the host firewall rules, see https://access.redhat.com/solutions/2772331.

Note

A diagram of these firewall requirements is available at https://access.redhat.com/articles/3932211. You can use the IDs in the table to look up connections in the diagram.

Table 1.5. Virtualization Host Firewall Requirements

| ID | Port(s) | Protocol | Source | Destination | Purpose |
|---|---|---|---|---|---|
| H1 | 22 | TCP | Red Hat Virtualization Manager | Red Hat Virtualization Hosts; Red Hat Enterprise Linux hosts | Secure Shell (SSH) access. Optional. |
| H2 | 2223 | TCP | Red Hat Virtualization Manager | Red Hat Virtualization Hosts; Red Hat Enterprise Linux hosts | Secure Shell (SSH) access to enable connection to virtual machine serial consoles. |
| H3 | 161 | UDP | Red Hat Virtualization Hosts; Red Hat Enterprise Linux hosts | Red Hat Virtualization Manager | Simple network management protocol (SNMP). Only required if you want Simple Network Management Protocol traps sent from the host to one or more external SNMP managers. Optional. |
| H4 | 111 | TCP | NFS storage server | Red Hat Virtualization Hosts; Red Hat Enterprise Linux hosts | NFS connections. Optional. |
| H5 | 5900 - 6923 | TCP | Administration Portal clients; VM Portal clients | Red Hat Virtualization Hosts; Red Hat Enterprise Linux hosts | Remote guest console access via VNC and SPICE. These ports must be open to facilitate client access to virtual machines. |
| H6 | 5989 | TCP, UDP | Common Information Model Object Manager (CIMOM) | Red Hat Virtualization Hosts; Red Hat Enterprise Linux hosts | Used by Common Information Model Object Managers (CIMOM) to monitor virtual machines running on the host. Only required if you want to use a CIMOM to monitor the virtual machines in your virtualization environment. Optional. |
| H7 | 9090 | TCP | Red Hat Virtualization Manager; Client machines | Red Hat Virtualization Hosts; Red Hat Enterprise Linux hosts | Required to access the Cockpit user interface, if installed. |
| H8 | 16514 | TCP | Red Hat Virtualization Hosts; Red Hat Enterprise Linux hosts | Red Hat Virtualization Hosts; Red Hat Enterprise Linux hosts | Virtual machine migration using libvirt. |
| H9 | 49152 - 49216 | TCP | Red Hat Virtualization Hosts; Red Hat Enterprise Linux hosts | Red Hat Virtualization Hosts; Red Hat Enterprise Linux hosts | Virtual machine migration and fencing using VDSM. These ports must be open to facilitate both automated and manual migration of virtual machines. |
| H10 | 54321 | TCP | Red Hat Virtualization Manager; Red Hat Virtualization Hosts; Red Hat Enterprise Linux hosts | Red Hat Virtualization Hosts; Red Hat Enterprise Linux hosts | VDSM communications with the Manager and other virtualization hosts. |
| H11 | 54322 | TCP | Red Hat Virtualization Manager (ImageIO Proxy server) | Red Hat Virtualization Hosts; Red Hat Enterprise Linux hosts | Required for communication with the ImageIO daemon (ovirt-imageio-daemon). |
| H12 | 6081 | UDP | Red Hat Virtualization Hosts; Red Hat Enterprise Linux hosts | Red Hat Virtualization Hosts; Red Hat Enterprise Linux hosts | Required, when Open Virtual Network (OVN) is used as a network provider, to allow OVN to create tunnels between hosts. |
| H13 | 53 | TCP, UDP | Red Hat Virtualization Hosts; Red Hat Enterprise Linux hosts | DNS Server | DNS lookup requests from ports above 1023 to port 53, and responses. This port is required and open by default. |
| H14 | 123 | UDP | Red Hat Virtualization Hosts; Red Hat Enterprise Linux hosts | NTP Server | NTP requests from ports above 1023 to port 123, and responses. This port is required and open by default. |

Note

By default, Red Hat Enterprise Linux allows outbound traffic to DNS and NTP on any destination address. If you disable outgoing traffic, make exceptions for the Red Hat Virtualization Hosts and Red Hat Enterprise Linux hosts to send requests to DNS and NTP servers. Other nodes may also require DNS and NTP. In that case, consult the requirements for those nodes and configure the firewall accordingly.

1.3.4. Database Server Firewall Requirements

Red Hat Virtualization supports the use of a remote database server for the Manager database (engine) and the Data Warehouse database (ovirt-engine-history). If you plan to use a remote database server, it must allow connections from the Manager and the Data Warehouse service (which can be separate from the Manager).

Similarly, if you plan to access a local or remote Data Warehouse database from an external system, such as Red Hat CloudForms, the database must allow connections from that system.

Important

Accessing the Manager database from external systems is not supported.

Note

A diagram of these firewall requirements is available at https://access.redhat.com/articles/3932211. You can use the IDs in the table to look up connections in the diagram.

Table 1.6. Database Server Firewall Requirements

| ID | Port(s) | Protocol | Source | Destination | Purpose |
|---|---|---|---|---|---|
| D1 | 5432 | TCP, UDP | Red Hat Virtualization Manager; Data Warehouse service | Manager (engine) database server; Data Warehouse (ovirt-engine-history) database server | Default port for PostgreSQL database connections. |
| D2 | 5432 | TCP, UDP | External systems | Data Warehouse (ovirt-engine-history) database server | Default port for PostgreSQL database connections. |