Firewall Ports - Hyper-V 2016

    Question

  • So in my setup I have a VLAN for the physical hypervisors and all the live migration/cluster functions and a separate VLAN where my application VMs will reside. The two VLANs are completely isolated from one another. Which ports do I need to open between the two VLANs so everything works (cluster, live migration, Hyper-V) smoothly? 

    I reviewed this and see Cluster Service listed at #5, but it doesn't say how to implement them. Example: source would be the hypervisors and destination would be the application VM VLAN. I also see Hyper-V live migration, but again not much detail.

    https://support.microsoft.com/en-us/help/832017/service-overview-and-network-port-requirements-for-windows



    Thursday, October 18, 2018 2:35 PM

Answers

  • "VLAN A = Hypervisors / cluster service

    VLAN B = Application VM"

    Yes, that is basically the way I did it, only I would often have 4-6 VLANs defined.  Multiple for host communications and multiple for VM communications, depending upon the needs.  I never touched the Windows firewall.  Never had an issue.  One VLAN talking to another VLAN was generally not desired or needed, but if it were, routing was implemented to allow it.

    So if you are saying that you have all ports blocked between the VMs and hosts, then you will need to open whichever protocols you want to use.  I don't think it is a VLAN issue.  It sounds like you need to make a list of the protocols you want to use and then open those particular ports.


    tim

    • Marked as answer by Heybuzzz76 Tuesday, October 30, 2018 3:06 PM
    Friday, October 19, 2018 2:08 PM
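To build the list of protocols the answer refers to, the rules the cluster and Hyper-V features register on a host can be dumped straight from the Windows Firewall. The script below is an added example, not from the thread; the DisplayGroup names are assumed to match the Windows Server 2016 defaults, and the output is meant to be handed to whoever manages the inter-VLAN ACL.

```powershell
# Added example: enumerate the enabled inbound Windows Firewall rules that the
# Failover Clustering and Hyper-V roles create on a host and flatten them into
# a protocol/port list for the inter-VLAN ACL request. Run on one cluster node.
# DisplayGroup names below are assumed defaults; if a group returns nothing,
# run Get-NetFirewallRule | Group-Object DisplayGroup to see what is present.
$groups = @(
    'Failover Clusters',
    'Failover Cluster Manager',
    'Hyper-V',
    'Hyper-V Replica HTTP',
    'Hyper-V Replica HTTPS'
)

$rules = Get-NetFirewallRule -Enabled True -Direction Inbound |
    Where-Object { $groups -contains $_.DisplayGroup }

$ports = foreach ($rule in $rules) {
    # Port and address filters are separate objects hanging off each rule.
    $pf = $rule | Get-NetFirewallPortFilter
    $af = $rule | Get-NetFirewallAddressFilter
    [pscustomobject]@{
        Group      = $rule.DisplayGroup
        Rule       = $rule.DisplayName
        Profile    = $rule.Profile
        Protocol   = $pf.Protocol
        LocalPort  = ($pf.LocalPort -join ',')
        RemoteAddr = ($af.RemoteAddress -join ',')
    }
}

# Rules whose RemoteAddress is restricted to LocalSubnet only matter between
# hosts on VLAN A and never need to be opened towards the VM VLAN.
$ports | Sort-Object Protocol, LocalPort | Format-Table -AutoSize
$ports | Export-Csv -Path .\cluster-hyperv-inbound-ports.csv -NoTypeInformation
```

Anything in the CSV whose RemoteAddr is LocalSubnet stays host-to-host on VLAN A; only what the workloads on VLAN B genuinely consume (normally nothing from this list) should be requested on the ACL.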

All replies

  • The installation of the cluster should automatically open the necessary ports.  I set up many multi-VLAN clusters and never did anything special to open any ports on the hosts or VMs.

    tim

    Thursday, October 18, 2018 2:38 PM
  • Thanks Tim...

    Were your VLANs isolated from one another? I have to request any/all ports to be open inbound/outbound.

    Thursday, October 18, 2018 2:51 PM
  • Not sure what you mean by 'isolated from one another'.  I always used VLANs for the specific purpose of isolating the traffic of one VLAN from another VLAN.

    tim

    Thursday, October 18, 2018 3:19 PM
  • Sorry. Maybe locked down is a better word. 

    VLAN A = Hypervisors / cluster service

    VLAN B = Application VM

    There are no FW ports open between A and B. All the traffic goes over two 10 GigE NICs, teamed. The A and B VLANs are trunked over the same ports.

    Basically, if the VMs on B need to talk to A for any Hyper-V / clustering, I will need to open ports. I already have ports open for normal AD functions.

    Thanks

    Thursday, October 18, 2018 3:43 PM
  • Hi,

    I've got your description, and two questions to confirm.

    1. Are A & B deployed on a physical switch or on a virtual switch within Hyper-V?

    2. Is this VM a clustered VM deployed on the Hyper-V host residing in VLAN A?

    Here are the articles listing the network ports which need to be open across Hyper-V and clustering.

    Windows Server Failover Clustering/SQL Server Firewall Access Rules

    Network Ports Related to Hyper-V

    Please Note: Since the web site is not hosted by Microsoft, the link may change without notice. Microsoft does not guarantee the accuracy of this information.

    If you have any questions or concern, please feel free to let me know.

    Best regards,

    Michael



    Friday, October 19, 2018 7:19 AM
    Moderator
  • Hi,

    1 - A and B are deployed on a physical switch.

    2 - I have failover clustering enabled. The hypervisors and cluster have IPs in VLAN A. The VMs have IPs from VLAN B.

    So basically if my "source" is A I need to know which ports I need open to "destination" B....

    Usually my VLANs are not as restrictive so I do not need to worry about ACL's between the two.

    Thanks

    Friday, October 19, 2018 11:14 AM
  • You may be able to get what you need from this one.

    https://support.microsoft.com/en-us/help/832017/service-overview-and-network-port-requirements-for-windows


    Regards, Dave Patrick ....
    Microsoft Certified Professional
    Microsoft MVP [Windows Server] Datacenter Management


    Friday, October 19, 2018 1:14 PM
  • https://support.microsoft.com/en-us/help/832017/service-overview-and-network-port-requirements-for-windows

    I think I will have sections 5 and 20 open from the hypervisor VLAN "source" to the VM VLAN "destination". I'm not sure if it would need to be bi-directional though. I wish MS would create clear documentation for Hyper-V like VMware does for vSphere. 

    Thanks

    Friday, October 19, 2018 4:52 PM
  • Dave provided a link earlier that points to network port requirements for Windows.  There are no specific network ports required for Hyper-V.  Port requirements are defined by the OSes and applications running in the VMs.

    tim

    Monday, October 22, 2018 2:15 PM