  • 1.  Firewall rules vSAN 2-node cluster

    Posted Jun 30, 2022 06:37 AM


    I have a question regarding Firewall in a vSAN 2-node cluster architecture.

    My planned setup: I want to add a firewall between the vSAN hosts and the witness host.
    So my question is: which ports must be open in the firewall so that the communication between the vSAN hosts and the witness host works? And from where to where does the communication go?

    In the 2-node cluster guide the needed ports are documented. See the attached picture.
    If I understand it correctly, just UDP 12321 is needed. Is this right? But it is not clear in which direction the communication works.

    Thank you for your help.


  • 2.  RE: Firewall rules vSAN 2-node cluster
    Best Answer

    Posted Jun 30, 2022 07:40 PM

    No, it requires more than just UDP 12321 to and from the Witness. Here is the full list of ports, detailing what they are used for, to/from what, and in which versions:

    TCP and UDP ports required to access VMware vSAN (52959) 


    There is also this very handy page that shows required ports for different services of not just vSAN but all active VMware products:

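    The reply above says the witness traffic is bidirectional and needs more than UDP 12321. The following is an added example (not from this thread or from VMware) that turns that into something checkable: it derives a host-to-witness rule matrix from a constructed node list and probes the TCP ports from the local host. The port set is taken from the thread (UDP 12321 for the clustering service, TCP 12443 once Data-in-Transit encryption is enabled) plus TCP 2233 for vSAN transport (RDT) as listed in KB 52959; the `Node` type and the node addresses are assumptions for illustration.

```python
"""Derive a data-node <-> witness firewall rule matrix for a vSAN 2-node cluster and
check the TCP ports from the local host.  Added example; node list is constructed."""
import socket
from dataclasses import dataclass

# Ports named in the thread and in KB 52959 for node-to-node vSAN traffic:
#   12321/udp  vSAN clustering service (unicast agent / CMMDS)
#    2233/tcp  vSAN transport (RDT)
#   12443/tcp  vSAN Data-in-Transit encryption (only needed once DIT is enabled)
REQUIRED_PORTS = (("udp", 12321), ("tcp", 2233), ("tcp", 12443))


@dataclass(frozen=True)
class Node:
    ip: str
    is_witness: bool


# Constructed sample: two data nodes and one witness, addresses are made up.
SAMPLE_NODES = (
    Node("192.0.2.11", is_witness=False),
    Node("192.0.2.12", is_witness=False),
    Node("198.51.100.5", is_witness=True),
)


def build_rules(nodes):
    """Return (src_ip, dst_ip, proto, port) tuples.  vSAN connections are initiated
    from both sides, so every data-node/witness pair gets a rule in each direction.
    Data-node to data-node traffic is not included because the firewall in the
    question sits only between the data nodes and the witness."""
    data = [n for n in nodes if not n.is_witness]
    witnesses = [n for n in nodes if n.is_witness]
    rules = []
    for d in data:
        for w in witnesses:
            for proto, port in REQUIRED_PORTS:
                rules.append((d.ip, w.ip, proto, port))
                rules.append((w.ip, d.ip, proto, port))
    return rules


def tcp_reachable(host, port, timeout=2.0):
    """True if a TCP connect to host:port completes within timeout."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def check_tcp_ports(host, ports=REQUIRED_PORTS, timeout=2.0):
    """Probe the TCP ports of one peer.  UDP 12321 cannot be verified with a
    connect, so it is reported as None and must be confirmed on the firewall
    itself or with vSAN's own health checks."""
    return {
        (proto, port): (tcp_reachable(host, port, timeout) if proto == "tcp" else None)
        for proto, port in ports
    }


if __name__ == "__main__":
    for rule in build_rules(SAMPLE_NODES):
        print("allow %s -> %s %s/%d" % rule)
    witness = next(n for n in SAMPLE_NODES if n.is_witness)
    print(check_tcp_ports(witness.ip, timeout=1.0))
```

Run it on a data node (or any host on the data-node side of the firewall) with the witness address substituted; a `False` for TCP 2233 or 12443 points at the firewall, while UDP 12321 has to be checked from the firewall's own logs or hit counters.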

  • 3.  RE: Firewall rules vSAN 2-node cluster

    Posted Jun 30, 2022 07:44 PM

    For anyone referencing that KB in its current state: I think it should be TCP 12443, not UDP. This is used for DIT enablement; I will get it fixed.

  • 4.  RE: Firewall rules vSAN 2-node cluster

    Broadcom Employee
    Posted Apr 04, 2023 06:37 PM
    Greetings!

    Can you point me in a direction regarding the earlier post please. I'm looking for what port 12443 does (specific to vSAN); KB 52959 simply states "vSAN Clustering service", but your post implies DIT (assuming Data-In-Transit?) enablement? Or point me to any docs describing the detailed purpose. It was in a customer's PPSM but not very well defined. I'm trying to help them with clearer references.

  • 5.  RE: Firewall rules vSAN 2-node cluster

    Posted Apr 05, 2023 12:46 PM

    Hi,

    Correct, it is used for establishing secure connection between the nodes when enabling and using vSAN Data in Transit encryption.


    A basic summary of what this does: it fetches cert info from the other nodes via this port and then compares it to the node info stored in the unicastagent list.


    This doesn't appear to be well documented publicly so I can perhaps author a KB with such details and how to test the connection and configuration.
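    The reply above describes TCP 12443 as the port on which a node fetches the peer's certificate and compares it with the entry held in the unicast agent list. The following is an added example (not from this thread or from VMware) of what that comparison looks like from the outside: it performs a TLS handshake to a peer's 12443, hashes the leaf certificate, and compares the result with the thumbprint recorded for that peer. It assumes that 12443 presents a TLS certificate and that the `Cert Thumbprint` column of `esxcli vsan cluster unicastagent list` is the colon-separated SHA-1 of that certificate; both are assumptions for illustration, and the `UnicastAgent` entries below are constructed.

```python
"""Check a vSAN peer's Data-in-Transit port (TCP 12443) against the certificate
thumbprint recorded in the local unicast agent list.  Added example; the agent
entries are constructed and the 12443 TLS/SHA-1 behaviour is an assumption."""
import hashlib
import ssl
from dataclasses import dataclass

DIT_PORT = 12443  # TCP, per the thread; only in use once DIT encryption is enabled


@dataclass(frozen=True)
class UnicastAgent:
    node_uuid: str
    ip: str
    is_witness: bool
    cert_thumbprint: str  # assumed: SHA-1, colon-separated hex, as esxcli prints it


# Constructed sample mirroring two rows of `esxcli vsan cluster unicastagent list`;
# UUIDs, addresses and thumbprints are made up.
SAMPLE_AGENTS = (
    UnicastAgent("00000000-0000-0000-0000-000000000012", "192.0.2.12", False,
                 "A9:99:3E:36:47:06:81:6A:BA:3E:25:71:78:50:C2:6C:9C:D0:D8:9D"),
    UnicastAgent("00000000-0000-0000-0000-0000000000aa", "198.51.100.5", True,
                 "DA:39:A3:EE:5E:6B:4B:0D:32:55:BF:EF:95:60:18:90:AF:D8:07:09"),
)


def thumbprint(der_cert: bytes) -> str:
    """SHA-1 of a DER certificate in the AA:BB:... form used by ESXi tooling."""
    digest = hashlib.sha1(der_cert).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def fetch_peer_thumbprint(host, port=DIT_PORT):
    """TLS handshake to the peer's DIT port and hash the certificate it presents.
    No validation is done here; we only want the thumbprint to compare."""
    pem = ssl.get_server_certificate((host, port))
    return thumbprint(ssl.PEM_cert_to_DER_cert(pem))


def thumbprints_match(expected, observed):
    norm = lambda t: t.replace(":", "").strip().upper()
    return norm(expected) == norm(observed)


def verify_agent(agent, fetch=fetch_peer_thumbprint):
    """Return (status, detail) for one peer: 'ok', 'mismatch' or 'unreachable'.
    An 'unreachable' witness usually means the firewall drops TCP 12443; a
    'mismatch' means the peer's certificate changed after the list was built."""
    try:
        observed = fetch(agent.ip, DIT_PORT)
    except OSError as exc:
        return ("unreachable", str(exc))
    if thumbprints_match(agent.cert_thumbprint, observed):
        return ("ok", observed)
    return ("mismatch", observed)


def verify_all(agents, fetch=fetch_peer_thumbprint):
    return {a.ip: verify_agent(a, fetch) for a in agents}


if __name__ == "__main__":
    for ip, (status, detail) in verify_all(SAMPLE_AGENTS).items():
        print(f"{ip}: {status} ({detail})")
```

Run it from a data node with the real unicast agent entries filled in; the witness row is the one the firewall question cares about, and the three statuses separate a blocked port from a stale certificate.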

  • 6.  RE: Firewall rules vSAN 2-node cluster
    Best Answer

    Posted Apr 05, 2023 05:37 PM

    and anyone else interested in such things: I created a KB article providing more information on this topic and also some troubleshooting tips: