Inbound & Outbound Ports & Protocols for VMware SD-WAN
Article ID: 312353
Updated On:
Products
Issue/Introduction
This KB article covers all of the ports and protocols that a VMware Edge sends both inbound and outbound. This information is important for customers using port vulnerability scanners (for example, Nessus) so that VMware SD-WAN traffic is properly identified.
The article is also a reference for network administrators who need to consider upstream firewalls between the Edge and the Internet or private WAN when installing a VMware SD-WAN Edge in their network.
With regards to the Edge, VMware SD-WAN has certain ports that need to be opened for our service to work properly. With one notable exception (UDP 2426) these ports only need to be opened on a firewall upstream from the Edge for traffic that is outbound from the Edge.
Environment
Resolution
Mandatory Ports
| Protocol | Port Number | Purpose | Inbound / Outbound |
| VeloCloud Management Protocol (VCMP) | UDP 2426 |
Required for VCMP tunnels. | Inbound* / Outbound |
| HTTPS | TCP 443 | Required for Orchestrator communication. | Outbound only |
| NTP | UDP 123 | Required for time synchronization (security). | Outbound only |
| DNS | UDP 53 | Required for translation of Orchestrator URLs, among other use cases. | Outbound only |
Note: With regards to the Inbound / Outbound column: this refers to traffic relative to the Edge itself. In other words, where traffic matching a particular port needs to be opened outbound, this means outbound from the Edge and then passing through the firewall to the respective destination of the traffic.
* UDP 2426 needs to be opened for Inbound traffic in the following two scenarios:
- The Edge operates as a Hub.
- Where Dynamic Branch-to-Branch is activated.
* UDP 2426 and UDP Hole Punching
A third scenario involves an Edge connected behind a NAT, and here the recommendation is to open UDP 2426 for inbound traffic. If a customer elects to not open UDP 2426, UDP Hole Punching can be used to open ports for inbound VCMP traffic (but only if the site supports UDP hole punching). UDP hole punching is activated by going to Configure > Edge > Device > WAN Settings and then Editing that Overlay.
Opening UDP 2426 remains the safer option over UDP hole punching, as UDP hole punching may not work correctly in some scenarios. Quoting from VMware SD-WAN documentation, a customer should "Use UDP hole punching only as a last resort as it will not work with firewalls, symmetric NAT devices, 4G/LTE networks due to CGNAT, and most modern NAT devices."
Conditional Ports
The following is a table of ports that, depending on your Edge's configuration and the Cloud Security Service (CSS) you are using, may also need to be opened.
| Protocol | Port Number | Purpose | Inbound / Outbound |
| IKE | UDP 500 |
Used by Edges to form IPSec tunnels with certain CSS solutions. | Outbound only |
| ESP | IP 50 | Used by Edges to form IPSec tunnels with certain CSS solutions. | Outbound only |
| NAT traversal | UDP 4500 | Required to pass IKE and ESP over NAT. | Outbound only |
Other Ports Used by the VMware SD-WAN Edge
In addition to the ports listed above, the VMware SD-WAN Edge also sends and receives local traffic on the following ports. These ports do not need to be opened in your upstream firewall but should be accounted for when using a port vulnerability scanner.
| Protocol | Port Number | Purpose | Inbound / Outbound |
| SSH | TCP 22 | Diagnostic secure shell login to the Edge. | Inbound only |
| HTTP | TCP 80, 443 | Local Administrative UI for the Edge. | Inbound and Outbound |
| DHCP | UDP 67, 68 | DHCP services to clients; DHCP configuration of Interfaces. | Inbound and Outbound |
| SNMP | UDP 161 | SNMP Management of the Edge. | Inbound only |
| DHCPv6 | UDP 547 | DHCPv6 services to clients. | Inbound only |
| VRRP | IP 112 | Heartbeat between High Availability Edges. | Inbound and Outbound |
Feedback
