Service,Protocol,Dest. Port,Traffic description,Source Object,Dest. Object,Source/Dest Pairs,Dest. Network,ServiceNetMap Parent
ansible,TCP,22,Undercloud SSH connections for Ansible Playbooks.,Undercloud,All Roles,Undercloud->All Roles,Control Plane,N/A
aodh_api,TCP,8042,AODH Alarming Configuration Internal/Admin API.,"Controller, Administrator","VIP, Controller, Telemetry","Administrator->VIP, Controller->Controller, Controller->Telemetry",Internal API,AodhApiNetwork
aodh_api,TCP,13042,"AODH Alarming Configuration Public API. Allows the Admin to create metric thresholds and alarms.","Controller, Administrator","VIP, Controller, Telemetry","Administrator->VIP, Controller->Controller, Controller->Telemetry",External,PublicNetwork
barbican_api,TCP,9311,Barbican Internal/Admin API,Controller,"VIP, Controller","Controller->VIP, Controller->Controller",Internal API,BarbicanApiNetwork
barbican_api,TCP,13311,"Barbican Public API (TLS). Defaults to 9311 if not using TLS.","Controller, Users","VIP, Controller","Users->VIP, Controller->VIP, Controller->Controller",External,PublicNetwork
ceph_mon,TCP,6789 and 3300,Ceph MON,"Controller, Compute, Ceph","Ceph, Compute, Controller","Ceph->Ceph, Ceph->Controller, Controller->Controller, Controller->Ceph, Compute->Controller, Compute->Ceph",Storage,CephMonNetwork
"ceph_{rbdmirror,osd,mgr,mds}",TCP,6800-7300,"Ceph RBD-MIRROR, OSD, MGR, MDS","Controller, Compute, Ceph","Ceph, Compute, Controller","Ceph->Ceph, Ceph->Controller, Controller->Controller, Controller->Ceph, Compute->Controller, Compute->Ceph",Storage,CephMonNetwork
"ceph_{rbdmirror,osd}",TCP,6800-7300,"Ceph RBD-MIRROR, OSD",Ceph,Ceph,Ceph->Ceph,Storage Management,CephClusterNetwork
ceph_nfs,TCP/UDP,2049,Ceph NFS (Ganesha),Controller,"Controller, Ceph","Controller->Controller, Controller->Ceph",StorageNfs,GaneshaNetwork
ceph_nfs,TCP/UDP,2049,Ceph NFS (Ganesha) HA VIP,Compute,VIP (on Controller),Compute->VIP,StorageNfs,GaneshaNetwork
ceph_rgw,TCP,8080,Ceph RadosGW internal/admin S3/Swift,Controller,"Controller, Ceph","Controller->Controller, Controller->Ceph",Storage,CephRgwNetwork
ceph_rgw,TCP,13808,"Ceph RadosGW public API (TLS) S3/Swift. Port 13080 used by Nova VNC proxy. Will use 8080 if no TLS.","Users, Administrator, Compute",VIP (on Controller),"Users->VIP, Compute->VIP",External,PublicNetwork
ceph dashboard,TCP,8444 - 3100,"Ceph dashboard. Port 3100: grafana; Port 9092: prometheus; Port 9283: ceph_mgr for metrics; Port 9093: alertmanager; Port 9100: all node_exporter; Port 8444: CephDashboard.","Controller, Administrator","VIP, Controller","Administrator->VIP, Controller->Controller",Control Plane,CephDashboardNetwork
cinder,TCP,8776,Cinder internal/admin API,"Controller, Compute","VIP, Controller","Compute->VIP, Controller->VIP, Controller->Controller",Internal API,CinderApiNetwork
cinder,TCP,13776,"Cinder public API (TLS). Defaults to 8776 if not using TLS.","Controller, Users",Controller,"Users->VIP, Controller->Controller",External,PublicNetwork
collectd,TCP,25826,"Collectd server port. CollectdServerPort.",Compute,"VIP, Controller or Telemetry","Compute->VIP, Controller->Telemetry",Internal API,MetricsQdrNetwork
collectd AMQP,TCP,5666,Collectd AMQP,Compute,Controller or Telemetry,"Compute->Controller, Compute->Telemetry",Internal API,MetricsQdrNetwork
dns,TCP/UDP,53,"DNS requests. Traffic will use the default route on the node to access external DNS servers.",All Roles,External Servers,All roles->External DNS,"External (Controller), Control Plane (other roles)",N/A
docker registry,TCP,8787,"Docker registry for pulling containers. This entry assumes that the Undercloud is used as the Docker registry. If a Red Hat Satellite server is used, or if the containers are pulled straight from registry.redhat.io, then the traffic will flow there instead of the Undercloud.",All Roles,Undercloud,All roles->Undercloud,Control Plane,DockerRegistryNetwork
ec2_api,TCP,8788,EC2 Internal/Admin API,Controller,Controller,"Controller->Controller, Controller->VIP",Internal Api,Ec2ApiNetwork
ec2_api,TCP,13788,"EC2 Public API (TLS). Ec2ApiExternalNetwork may be set to influence external network. Port 8788 will be used if no TLS.","Controller, Users",Controller,"Controller->VIP, Users->VIP",External,PublicNetwork
etcd,TCP,2379,etcd Client Port,Controller,Controller,Services -> etcd api,Internal Api,EtcdNetwork
etcd,TCP,2380,etcd Peer Port,Controller,Controller,"etcd nodes <-> etcd nodes; only masters run this",Internal Api,EtcdNetwork
glance,TCP,9292,Glance Internal/Admin API,"Controller, Compute",Controller,"Controller->Controller, Controller->VIP, Compute->VIP",Internal API,GlanceApiNetwork
glance,TCP,13292,"Glance Public API (TLS). Port 9292 will be used if no TLS.","Controller, Admin",Controller,"Controller->Controller, Controller->VIP, Admin->Controller",External,PublicNetwork
gnocchi,TCP,8041,"Gnocchi Internal/Admin API. CollectdGnocchiPort.",Controller,Controller,"Controller->Controller, Controller->VIP",Internal API,GnocchiApiNetwork
gnocchi,TCP,13041,"Gnocchi Public API (TLS). Default port 8041 used with no TLS.",Controller,Controller,"Controller->Controller, Controller->VIP",External,PublicNetwork
gnocchi_statsd,UDP,8125,"Network daemon for statistics.","Controller, Telemetry","Controller, Telemetry","Controller->Controller, Controller->VIP",Internal API,GnocchiApiNetwork
haproxy_stats,TCP,1993,"HAProxy Statistics Port. Used for troubleshooting/reporting.",Admin,Controller,"User->Controller, User->VIP",Control Plane,N/A
Heat Cloudformation API,TCP,13005,Heat Cfn Endpoint (CloudForms compatible API service to heat),"Controller, Users",Controller,"Controller->Controller, Users->Controller",External,PublicNetwork
Heat Internal/Admin API,TCP,8004,Heat API Internal/Admin API Endpoint,Controller,Controller,Controller->Controller,Internal Api,HeatApiNetwork
Heat Public API,TCP,13004,"Heat Public API Endpoint (Public TLS). Default port 8004 used with no TLS.","Controller, Users",Controller,"Controller->Controller, Users->Controller",External,PublicNetwork
heatCloudFormation API,TCP,8000,Heat AWS CloudFormation Internal/Admin API,Controller,Controller,Controller->External Service,Internal Api,HeatApiCfnNetwork
horizon,TCP,443,"Dashboard (TLS). Will use port 80 by default if no TLS.","Controller, Users, Admin",Controller,"Users -> VIP, Controller -> Controller, Controller -> Services, Users -> Ceph",External,PublicNetwork
ironic,TCP,6385,"Ironic internal/admin API. In Director, the Undercloud will be the destination. If Ironic is used in the Overcloud, then destination will be the Controllers.","Controller, Admin, Bare Metal Hosts","Controller, Undercloud","Controller->Controller, Controller->VIP, Admin->VIP, Bare Metal->VIP, Admin->Undercloud, Bare Metal->VIP",Control Plane,IronicApiNetwork
ironic,TCP,13385,"Ironic public API (TLS). Will use port 6385 by default if no TLS. In Director, the Undercloud will be the destination. If Ironic is used in the Overcloud, then destination will be the Controllers.","Controller, Admin, Bare Metal Hosts","Controller, Undercloud","Controller->Controller, Controller->VIP, Admin->VIP, Bare Metal->VIP, Admin->Undercloud, Bare Metal->VIP",External,PublicNetwork
Ironic python agent,TCP,9999,"Ironic Python Agent. Used by Ironic for setting configuration on bare metal hosts during cleaning or deployment.","Undercloud, Controller",Bare Metal Hosts,"Undercloud->Bare Metal, Controller->Bare Metal","Control Plane, Ironic Bare Metal Network",
http_ironic_conductor,TCP,8088,"HTTP for Ironic PXE boot. Used for inspecting/deploying bare metal. There are potentially two instances: one for the Undercloud/Director, and another on the Controller when using Ironic in the overcloud.","Controller, Baremetal nodes","Undercloud, Controller","Bare Metal->Undercloud, Bare Metal->VIP, Controller->Controller",Control Plane,IronicNetwork
tftp_ironic_conductor,UDP,69,"TFTP for Ironic PXE boot. Used for inspecting/deploying bare metal. There are potentially two instances: one for the Undercloud/Director, and another on the Controller when using Ironic in the overcloud.",Baremetal nodes,"Undercloud, Controller","Bare Metal->Undercloud, Bare Metal->VIP, Controller->Controller",Control Plane,IronicNetwork
ironic_inspector,TCP,5050,"Ironic inspector internal/admin API. Used for inspecting bare metal.","Controller, Baremetal nodes","Undercloud, Controller","Bare Metal->Undercloud, Bare Metal->VIP, Controller->Controller",Control Plane,IronicInspectorNetwork
ironic_inspector,TCP,13050,"Ironic inspector public API (TLS). Used for launching introspection, etc. Port 5050 will be used if no TLS.","Controller, Users","Undercloud, Controller","Users->VIP, Controller->VIP, Controller->Controller",External,PublicNetwork
iSCSI (LVM),TCP,3260,"Cinder Volume iSCSI Initiator. Used for iSCSI when using LVM volumes.",Compute,Controller,Compute->Controller,Storage,CinderIscsiNetwork
keystone,TCP,35357,"Keystone admin API (for Undercloud). Undercloud contacts to set up admin. Keystone API used in both the overcloud and undercloud. Not necessarily specific to administrator traffic (the underlying application serving requests on 35357 is the same as the application serving traffic on 5000).","Undercloud, Controller, Admin",Controller,"Undercloud->VIP, Controller->Controller, Admin->VIP",Control Plane,KeystoneAdminApiNetwork
keystone,TCP,5000,"Keystone internal API. This is technically the public endpoint for end users. But it can serve administrators, too.",All Roles,Controller,"All Roles->VIP, Controller->VIP, Controller->Controller",Internal Api,KeystonePublicApiNetwork
keystone,TCP,13000,"Keystone public API (TLS). Will use port 5000 if no TLS.","Controller, Users",Controller,"Users->VIP, Controller->Controller",External,KeystonePublicApiNetwork
manila,TCP,8786,Manila internal/admin API,"Controller, Compute",Controller,"Compute->VIP, Controller->VIP, Controller->Controller",Internal API,ManilaApiNetwork
manila,TCP,13786,"Manila Public API (TLS). Will use port 8786 if no TLS.","Controller, Compute",Controller,"Compute->VIP, Controller->VIP, Controller->Controller",External,PublicNetwork
memcached,TCP,11211,Services will use memcached to cache Keystone identity tokens. All roles will communicate with the Controllers using memcached.,"Controller, Compute",Controller,"All Roles->Controller, Controller->Controller",Internal API,MemcachedNetwork
mistral_api,TCP,8989,"Mistral internal/admin API. Used in the undercloud, NOT USED in overcloud.",Undercloud,Controller,Undercloud only,Internal API,MistralApiNetwork
mistral_api,TCP,13989,"Mistral API Public API (TLS). Uses port 8989 if no TLS.","Controller, Users, Admin",Controller,Undercloud only,External,PublicNetwork
mysql_galera,TCP,4568,"Galera Cluster incremental state transfer. Used by a galera server to join a running galera cluster and catch up to cluster state. Depending on the deployment topology, traffic is either Controller -> Controller, or Database -> Database.","Controller, Database","Controller, Database","Controller->Controller, Database->Database",Internal API,MysqlNetwork
mysql_galera,TCP,4567,"Galera Cluster replication traffic. Galera replication traffic between the galera nodes. Depending on the deployment topology, traffic is either Controller -> Controller, or Database -> Database.","Controller, Database","Controller, Database","Controller->Controller, Database->Database",Internal API,MysqlNetwork
mysql_galera,TCP,9200,"Galera-monitor. Polled by HAProxy (e.g. in role Controller, or ControllerOpenStack) to check whether the galera server that is running locally is clustered and available for service.","Controller, Database","Controller, Database","Controller->Controller, Database->Database",Internal API,MysqlNetwork
mysql_galera,TCP,3306,"MySQL DB client access. Octavia running on Controller or Networker roles makes direct connections to Database running on Controller or Database. Other OpenStack services usually access database via HAProxy (e.g. in role Controller, or ControllerOpenStack).","Controller, Networker","Controller, Database","Controller->VIP, Networker->VIP",Internal API,MysqlNetwork
mysql_galera,TCP,4444,"MySQL State Snapshot Transfer. Used by a galera server to join a running galera and request a full DB synchronization over rsync. Depending on the deployment topology, traffic is either Controller -> Controller, or Database -> Database.","Controller, Database","Controller, Database","Controller->Controller, Database->Database",Internal API,MysqlNetwork
mysql_galera,TCP,3123,"Pacemaker MySQL Cluster Control Port. Special pacemaker_remote port dedicated to the containerized galera service. Connection between pacemaker on controller and the galera container. https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html/high_availability_add-on_reference/s1-firewalls-haar.","Controller, Database","Controller, Database","Controller->Controller, Database->Database",Internal API,MysqlNetwork
neutron,TCP,9696,Neutron internal/admin API,"Controller, Compute",Controller,"Controller->Controller, Compute -> Controller",Internal Api,NeutronApiNetwork
neutron,TCP,13696,"Neutron Public API (TLS). Will use port 9696 if no TLS.","Controller, Users, Admin",Controller,"Controller->Controller, Controller->VIP, Users->VIP, Admin->VIP",External,PublicNetwork
Neutron L3 VRRP,VRRP (mcast),N/A,"VRRP. VRRP is used by the Neutron L3 HA to provide failover between Controller/Networker nodes. Used only in ML2/OVN deployments.",Controller or Networker,Controller or Networker,"Controller->Controller, Networker->Networker",Provider/tenant Neutron networks (not Overcloud networks),N/A (present on Neutron provider/tenant networks)
Neutron Virtual Networks,UDP,4789,"VXLAN tunnels. Used by multiple Neutron plugins such as ML2/OVS, OpenDaylight, etc.","Controller, Compute, Networker","Controller, Compute, Networker","Controller->Controller, Controller->Compute, Compute->Controller, Compute->Compute, Networker->Networker, Compute->Networker, Networker->Compute",Tenant,NeutronTenantNetwork
DHCP,UDP,67,"Undercloud provisioning DHCP. DHCP requests for introspection/deployment.",All roles,Undercloud,All Roles->Undercloud,Control Plane,N/A
DHCP,UDP,68,"Undercloud provisioning DHCP. DHCP responses for introspection/deployment.",Undercloud,All roles,Undercloud->All Roles,Control Plane,N/A
neutron_gre,GRE,N/A,Neutron OVS Agent,"Controller, Compute, Networker","Controller, Compute, Networker","Controller->Controller, Controller->Compute, Compute->Controller, Compute->Compute, Networker->Networker, Compute->Networker, Networker->Compute",Tenant,NeutronTenantNetwork
nova,TCP,8774,Nova internal/admin API,"Controller, Compute",Controller,"Controller->Controller, Controller->VIP, Compute->VIP, Networker->VIP",Internal Api,NovaApiNetwork
nova,TCP,13774,"Nova public API (TLS). Will use port 8774 if no TLS.","Controller, User, Admin",Controller,"Controller->VIP, Users->VIP",External,PublicNetwork
nova_metadata,TCP,8775,"Nova Metadata. Instances make connections to Neutron Metadata Proxy, which forwards to Nova Metadata service on Controllers.","Controller, Networker",Controller,"Controller->Controller, Controller->VIP, Networker->VIP",Internal Api,NovaMetadataNetwork
nova_libvirt_api,TCP,16514,"Nova libvirt API (TLS). Compute roles listen for libvirt calls when TLS is enabled.",Compute,Compute,Compute -> Compute,Internal Api,NovaLibvirtNetwork
nova_libvirt_migration,TCP,61152-61215,"Nova live migration. Live migration port range for libvirtd.",Compute,Compute,Compute -> Compute,Internal Api,NovaLibvirtNetwork
nova_vnc_console,TCP,5900-6923,"Nova VNC console port range. VNC console from VNC proxy to Compute.",Controller,Compute,Controllers -> Compute,Internal Api,NovaLibvirtNetwork
nova_vnc_proxy,TCP,6080,"Nova VNC Proxy internal/admin API. nova api call that does an rpc to the compute node to get the console information.",Controller,Controller,"Controller -> Controller, Controller -> VIP",Internal Api,NovaVncProxyNetwork
nova_vnc_proxy,TCP,13080,"Nova VNC Proxy public API (TLS). Port 6080 will be used if no TLS. Users connect here for VNC proxy.","Controller, Users, Admin",Controller,"Users -> VIP, Admin -> VIP, Controller -> VIP",External,PublicNetwork
nova_live_migration_ssh,TCP,2022,"Nova live migration over SSH. Port may be set with MigrationSshPort.",Compute,Compute,Compute -> Compute,Internal Api,ComputeHostnameResolveNetwork
nova_cold_migration_ssh,TCP,2022,"Nova cold migration over SSH. Port may be set with MigrationSshPort.",Compute,Compute,Compute -> Compute,Internal Api,NovaApiNetwork
nova_placement,TCP,8778,"Nova placement internal/admin API.",Controller,Controller,"Controller -> Controller, Controller -> VIP, Admin -> VIP",Internal API,NovaPlacementNetwork
nova_placement,TCP,13778,"Nova placement public API (TLS). Will use port 8778 if no TLS.","Controller, Users, Admin",Controller,"Controller -> Controller, Controller -> VIP, Users -> VIP",External,PublicNetwork
ntp,UDP,123,"NTP. NTP is an external service that all roles must talk to for time sync via the default gateway.",All Roles,External servers,All Roles-> NTP,"External (Controller), Control Plane (other roles)",N/A
ntp,UDP,323,chrony implementation of NTP,All Roles,External servers,All Roles-> NTP,"External (Controller), Control Plane (other roles)",N/A
octavia_api,TCP,9876,"Octavia internal/admin API.",Controller,Controller,"Controller->Controller, Controller->VIP, Users->VIP, Admin->VIP",Internal API,OctaviaApiNetwork
octavia_api,TCP,13876,"Octavia public API (TLS). Will use port 9876 if no TLS.","Controller, Users, Admin","Controller, VIP","Controller->VIP, Users->VIP, Admin->VIP",External,PublicNetwork
octavia_health_manager,UDP,5555,Octavia load balancer management network (amphora heartbeats). These heartbeats happen on the same tenant network(s) where the load balancer is handling requests.,Compute,"Controller, Networker","Compute->Controller, Compute->Networker",Neutron Tenant network(s),N/A
ovn,TCP,3125,"Pacemaker OVN Cluster Control Port. Special pacemaker_remote port dedicated to the containerized OVN service. Connection between pacemaker on controller and the OVN container. https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html/high_availability_add-on_reference/s1-firewalls-haar",Controller,Controller,,Internal API,RedisNetwork
ovn_controller,UDP,6081,neutron geneve networks,"Controller, Compute, Networker","Controller, Compute, Networker","Controller -> Compute, Controller -> Networker, Compute -> Controller, Compute -> Networker, Networker -> Controller, Networker -> Compute",Tenant,NeutronTenantNetwork
ovn_dbs,TCP,6641,"OVN db server. Port may be set with OVNNorthboundServerPort. Managed by pacemaker (active/passive).",Controller,Controller VIP (pacemaker),Controller -> VIP,Internal API,OvnDbsNetwork
ovn_dbs,TCP,6642,"OVN db server. Port may be set with OVNSouthboundServerPort. Managed by pacemaker (active/passive).","Controller, Compute, Networker",Controller VIP (pacemaker),"Controller -> VIP, Compute -> VIP, Networker -> VIP",Internal API,OvnDbsNetwork
pacemaker,TCP,3121,"Pacemaker remote. https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html/high_availability_add-on_reference/s1-firewalls-haar.",Controller,"Controller, Compute, Networker, Database","Controller -> Compute, Controller -> Networker, Controller -> Controller, Controller -> Database",,
pacemaker,TCP,2224,"pcs - Required on all nodes for node-to-node communication. https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html/high_availability_add-on_reference/s1-firewalls-haar.","Controller, Compute, Networker","Controller, Compute, Networker, Database",All roles -> all roles,,
pacemaker,UDP,5405,"corosync - multicast UDP. https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html/high_availability_add-on_reference/s1-firewalls-haar",Controller,Controller,Controller->Controller,Internal API,
pacemaker,TCP,21064,"dlm - Required on all nodes if the cluster contains any resources requiring DLM. https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html/high_availability_add-on_reference/s1-firewalls-haar.",Controller,Controller,Controller->Controller,,
panko_api,TCP,8977,"Panko internal/admin API. Internal back-end network for Panko API.",Controller,Controller,"Controller->Controller, Controller->VIP",InternalApi,PankoApiNetwork
panko_api,TCP,13977,"Panko public API (TLS). External access for Panko API. Will use port 8987 if no TLS.","Controller, Admin",Controller,"Controller->Controller, Controller->VIP",External,PublicNetwork
rabbitmq,TCP,3122,"Pacemaker Rabbitmq Cluster Control. Special pacemaker_remote port dedicated to the containerized rabbitmq service. Connection between pacemaker on controller and the rabbitmq container. https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html/high_availability_add-on_reference/s1-firewalls-haar.",Controller,"Controller, Networker","Controller -> Controller, Controller -> Networker",Internal API,RabbitmqNetwork
rabbitmq,TCP,5672,"AMQP message traffic","Controller, Compute, Networker","Controller, Networker","Controller -> Controller, Controller -> Networker, Compute -> Controller, Compute -> Networker",Internal API,RabbitmqNetwork
rabbitmq,TCP,25672,"Erlang distribution protocol (node clustering).","Controller, Networker","Controller, Networker","Controller -> Controller, Networker -> Networker",Internal API,RabbitmqNetwork
rabbitmq,TCP,4369,"epmd (Erlang port mapper daemon).","Controller, Networker","Controller, Networker","Controller -> Controller, Networker -> Networker",Internal API,RabbitmqNetwork
rabbitmq,TCP,15672,beam_smp for rabbitmq,"Controller, Networker","Controller, Networker","Controller -> Controller, Networker -> Networker",Internal API,RabbitmqNetwork
redis,TCP,6379,"Redis service access and replication. Redis service. OpenStack services access it via HAProxy. Same port is used for Redis cluster replication (between redis servers).",Controller,Controller,Controller->Controller,Internal API,RedisNetwork
redis (TLS),TCP,6379,"Redis service access and replication. socat tunnel that exposes a TLS endpoint to HAProxy and a Redis server running/listening locally on localhost:6379 (because Redis doesn't support TLS natively). For replication, the Redis server targets the remote Redis host via another local socat tunnel listening on localhost:[Redis_base_port+offset_for_redis_server_replica].",Controller,Controller,Controller->Controller,Internal API,RedisNetwork
redis,TCP,3124,"Pacemaker Redis Cluster Control Port. Special pacemaker_remote port dedicated to the containerized redis service. Connection between pacemaker on controller and the redis container. https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html/high_availability_add-on_reference/s1-firewalls-haar",Controller,Controller,Controller->Controller,Internal API,RedisNetwork
red hat satellite,TCP,80,"Server enrollment/certificate download. Nodes will use IP default route to access.",All Roles,Satellite server,see notes,Control Plane or External,N/A
red hat satellite,TCP,443,"RPM downloads. Nodes will use IP default route to access.",All Roles,Satellite server,see notes,Control Plane or External,N/A
rsync,TCP,873,Required by swift and mysql,Storage,Storage,Swift->Swift,Swift,
sahara,TCP,8386,"Sahara internal/admin API.",Controller,Controller,"Controller -> Controller, Controller -> Compute, Controller -> Swift",Internal API,SaharaApiNetwork
sahara,TCP,13386,"Sahara public API (TLS).","Controller, Users, Admin",Controller,"Controller -> Controller, Controller -> Compute, Controller -> Swift",External,PublicNetwork
SNMP,UDP,161,"Ceilometer SNMP. SNMP monitoring.",Controller,All Roles,"Controller -> Controller, Controller -> Compute",Control Plane,SnmpdNetwork
SNMP,TCP,199,SMUX protocol,Controller,All Roles,"Controller -> Controller, Controller -> Compute",Control Plane,SnmpdNetwork
swift,TCP,8080,"Swift internal endpoint, plaintext HTTP. Keep this firewalled from Internet, only visible to the LB (HAProxy).",Controller HAProxy,Controller,"Controller->Controller, Controller->Swift",Internal API,SwiftApiNetwork
swift,TCP,6200,"Swift internal, object server. Absolutely keep this firewalled from anything but Swift proxy and peer Swift nodes; this whole block used to be at 600x, may still be around in OSP10 and older or legacy, upgraded clouds.","Controller, Storage",Storage,"Controller->Swift, Swift->Swift",Swift,SwiftApiNetwork
swift,TCP,6201,"Swift internal, container server. Absolutely keep this firewalled from anything but Swift proxy and peer Swift nodes.","Controller, Storage",Storage,"Controller->Swift, Swift->Swift",Swift,SwiftApiNetwork
swift,TCP,6202,"Swift internal, account server. Absolutely keep this firewalled from anything but Swift proxy and peer Swift nodes.","Controller, Storage",Storage,"Controller->Swift, Swift->Swift",Swift,SwiftApiNetwork
zaqar,TCP,8888,"Zaqar internal/admin API. Used in undercloud, not in overcloud.",Controller,Controller,Undercloud only,Internal API,ZaqarApiNetwork
zaqar,TCP,13888,"Zaqar public API (TLS).",Controller,Controller,Undercloud only,External,PublicNetwork
zaqar websockets,TCP,9000,"Zaqar websockets public API (TLS). Will use port 8888 if no TLS.","Controller, Users, Admin",Controller,,External,PublicNetwork