Inbound & Outbound Ports & Protocols for VMware SD-WAN
search cancel

Inbound & Outbound Ports & Protocols for VMware SD-WAN

book

Article ID: 312353

calendar_today

Updated On:

Products

VMware SD-WAN by VeloCloud

Issue/Introduction

This KB article covers all of the ports and protocols that a VMware Edge sends both inbound and outbound. This information is important for customers using port vulnerability scanners (for example, Nessus) so that VMware SD-WAN traffic is properly identified.

The article is also a reference for network administrators who need to consider upstream firewalls between the Edge and the Internet or private WAN when installing a VMware SD-WAN Edge in their network.

With regards to the Edge, VMware SD-WAN has certain ports that need to be opened for our service to work properly.  With one notable exception (UDP 2426) these ports only need to be opened on a firewall upstream from the Edge for traffic that is outbound from the Edge.


Environment

VMware SD-WAN by VeloCloud

Resolution

Mandatory Ports

ProtocolPort NumberPurposeInbound / Outbound
VeloCloud Management Protocol (VCMP)UDP 2426
 
Required for VCMP tunnels.Inbound* / Outbound
HTTPSTCP 443Required for Orchestrator communication.Outbound only
NTPUDP 123Required for time synchronization (security).Outbound only
DNSUDP 53Required for translation of Orchestrator URLs, among other use cases.Outbound only


Note: With regards to the Inbound / Outbound column: this refers to traffic relative to the Edge itself.  In other words, where traffic matching a particular port needs to be opened outbound, this means outbound from the Edge and then passing through the firewall to the respective destination of the traffic.

* UDP 2426 needs to be opened for Inbound traffic in the following two scenarios:

  • The Edge operates as a Hub.
  • Where Dynamic Branch-to-Branch is activated.

* UDP 2426 and UDP Hole Punching
A third scenario involves an Edge connected behind a NAT, and here the recommendation is to open UDP 2426 for inbound traffic. If a customer elects to not open UDP 2426, UDP Hole Punching can be used to open ports for inbound VCMP traffic (but only if the site supports UDP hole punching). UDP hole punching is activated by going to Configure > Edge > Device > WAN Settings and then Editing that Overlay.

Opening UDP 2426 remains the safer option over UDP hole punching, as UDP hole punching may not work correctly in some scenarios. Quoting from VMware SD-WAN documentation, a customer should "Use UDP hole punching only as a last resort as it will not work with firewalls, symmetric NAT devices, 4G/LTE networks due to CGNAT, and most modern NAT devices."

Conditional Ports

The following is a table of ports that, depending on your Edge's configuration and the Cloud Security Service (CSS) you are using, may also need to be opened.

ProtocolPort NumberPurposeInbound / Outbound
IKEUDP 500
 
Used by Edges to form IPSec tunnels with certain CSS solutions.Outbound only
ESPIP 50Used by Edges to form IPSec tunnels with certain CSS solutions.Outbound only
NAT traversal UDP 4500Required to pass IKE and ESP over NAT.Outbound only
 

Other Ports Used by the VMware SD-WAN Edge

In addition to the ports listed above, the VMware SD-WAN Edge also sends and receives local traffic on the following ports. These ports do not need to be opened in your upstream firewall but should be accounted for when using a port vulnerability scanner.

ProtocolPort NumberPurposeInbound / Outbound
SSHTCP 22Diagnostic secure shell login to the Edge.Inbound only
HTTPTCP 80, 443Local Administrative UI for the Edge.Inbound only
DHCPUDP 67, 68DHCP services to clients; DHCP configuration of Interfaces.Inbound and Outbound
SNMPUDP 161SNMP Management of the Edge.Inbound only
DHCPv6UDP 547DHCPv6 services to clients.Inbound only
VRRPIP 112Heartbeat between High Availability Edges.Inbound and Outbound