Understanding Port 9080 Usage in vSphere Environments
Article ID: 382896
Products
VMware vSphere ESXi
Issue/Introduction
Security scans may identify port 9080 as an open port on ESXi hosts, potentially flagging it as an "Excessive/Unidentified Service." This article explains the legitimate use of this port in vSphere environments and addresses security concerns.
Environment
VMware vSphere versions 6.5, 6.7, 7.0, and 8.0
vCenter Server
ESXi hosts
Cause
Port 9080 (TCP) is a required system port used for vSphere I/O filtering communication between vCenter Server and ESXi hosts. This port operates specifically on the management network interfaces and is essential for proper system functionality.
Resolution
1. Verify port 9080 configuration:
   - Confirm the port is only open between vCenter Server's management interface (typically eth0) and ESXi hosts' management interfaces (typically vmk0)
   - Verify no direct user access is possible to this port
2. Document security exceptions:
   - Add port 9080 to your security scanning allowlist for vSphere environments
   - Note this as an approved system-to-system communication port
   - Document that this port is required for vSphere I/O filtering functionality
3. Implement network segmentation:
   - Ensure management network interfaces are properly isolated
   - Restrict access to management networks as per VMware best practices
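One way to apply the checks above when triaging scanner output, added here as an example and not part of the original article: a port 9080 finding is allowlisted only when the target is a known ESXi management interface and the port was seen from inside the management network. The subnet, addresses and findings are constructed sample data, and treating a scanner placed inside the management network as an expected vantage point is an assumption.

```python
import ipaddress

# Constructed sample data (assumptions, not values from the article).
MGMT_NET = ipaddress.ip_network("10.10.0.0/24")   # isolated management network
ESXI_MGMT_IPS = {"10.10.0.11", "10.10.0.12"}      # vmk0 addresses of ESXi hosts
FINDINGS = [  # (scanner source IP, target IP, open TCP port)
    ("10.10.0.5", "10.10.0.11", 9080),     # seen from inside the management network
    ("192.168.50.9", "10.10.0.12", 9080),  # seen from a user segment
    ("10.10.0.5", "10.10.0.40", 9080),     # target is not a known ESXi host
    ("10.10.0.5", "10.10.0.11", 22),       # different port, not covered by this exception
]

ALLOW = "allowlist: expected vSphere I/O filtering port"
NOT_ESXI = "investigate: 9080 open on a host that is not an ESXi management interface"
EXPOSED = "investigate: 9080 reachable from outside the management network"
OUT_OF_SCOPE = "out-of-scope: exception covers TCP 9080 only"


def triage(source, target, port):
    """Classify one open-port finding against the port 9080 exception."""
    if port != 9080:
        return OUT_OF_SCOPE
    # The exception is documented for ESXi hosts only; anything else
    # listening on 9080 is a separate, unexplained service.
    if target not in ESXI_MGMT_IPS:
        return NOT_ESXI
    # Visibility from a non-management segment points to a segmentation gap,
    # so the finding is not suppressed even though the service is legitimate.
    if ipaddress.ip_address(source) not in MGMT_NET:
        return EXPOSED
    return ALLOW


def triage_all(findings):
    """Return one verdict per finding, in input order."""
    return [triage(*finding) for finding in findings]


if __name__ == "__main__":
    for finding, verdict in zip(FINDINGS, triage_all(FINDINGS)):
        print(finding, "->", verdict)
```

Scoping the allowlist entry this way keeps the documented exception from hiding a port 9080 listener on an unrelated host or an ESXi management interface that is reachable from a user network.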
Additional Information
Port 9080 is classified as an incoming port for vSphere base functionality
This port is specifically for system-to-system communication
Unlike SSH (port 22), port 9080 does not accept direct user connections
For a complete list of required vSphere ports, visit https://ports.broadcom.com