FlashArray Port Assignments
This article serves as a reference for the ports Pure Storage uses, listed by service. Keep in mind that firewall
rules apply to the management IPs of BOTH controllers as well as the Virtual IP, and should be configured as such for
Pure1 connectivity. This is because we phone home logs from both controllers individually. The virtual IP alone is not
enough because it only redirects to the primary controller. Moreover, the virtual IP changes through failovers, etc.
Outgoing Ports to a Public Network - External Connectivity
After Purity 4.9, when FlashArray connects to Pure1 Cloud, it will first try connecting via the new methods of HTTPS and
SSH over HTTPS. The FlashArray must be able to connect to these ports to do the following:
• Send Logs: Send array diagnostic, log, and performance data to Pure1 Cloud (via HTTPS).
• RemoteAssist: Enable Pure Storage Support, when given permission from the customer, to view and administer
the FlashArray via RemoteAssist sessions (via SSH over HTTPS).
• ActiveCluster Cloud Mediator: Allow use of the ActiveCluster Pure1 Cloud Mediator.
If the FlashArray fails to connect to Pure1 Cloud via the new methods, by default it will fall back to the connection
methods of SSH and SSH over HTTPS used before Purity 4.9. These ports are summarized in the table below. To
connect to Pure1 Cloud even when the new connection methods fail, these ports should be enabled for the FlashArray.
However, the fallback ports listed below should be disabled if only HTTPS outgoing connections are wanted from the FlashArray.
| Component | Purity Version | Port | Transport Protocol | Application Protocol | Direction |
| --- | --- | --- | --- | --- | --- |
| Pure1 Cloud | 4.9.0+ | 443 | TCP | HTTPS | Outbound |
| Pure1 Cloud | 4.9.0+ | 443 | TCP | SSH over HTTPS | Outbound |
| Pure1 Cloud | 4.8.x- | 22 | TCP | SSH | Outbound |
| Pure1 Cloud | 4.8.x- | 443 | TCP | SSH over HTTPS | Outbound |

Additional Information, Purity 4.9.0+:
For IPv4, use both the following IP block and hostnames:
• IP block 52.40.255.224/27 [1]
• Hostnames:
◦ *.cloud-support.purestorage.com
For IPv6, we currently do not support static IPs. Use the following hostnames:
• *.cloud-support.purestorage.com
Please add all of the above to your whitelist.

Additional Information, Purity 4.8.x-:
Use with the following hostnames / IP addresses:
• phlb1.purestorage.com (50.112.109.24)
• phlb2.purestorage.com (50.112.109.205)
• *.cloud-support.purestorage.com (52.40.255.224/27) [1]
• Additional IP's used (Prior to 4.9.x only)
◦ 50.112.109.24
◦ 50.112.109.205
◦ 52.64.175.227
◦ 52.64.233.172
◦ 52.11.11.2
◦ 52.11.27.144
◦ 52.76.11.29
◦ 52.74.190.195
◦ 52.17.31.75
◦ 52.30.94.237
◦ 54.232.253.142
◦ 54.94.198.85
Please add all of the above to your whitelist.

[1] This is an IP CIDR block. This refers to 32 IPs (52.40.255.224 - 52.40.255.255). Most firewalls will accept the whole block, so it can be entered as one-line in most cases.
Internal Information: Do not share externally.
For customers that cannot whitelist wildcards, you may try the following FQDNs:
rest.cloud-support.purestorage.com
restricted-rest.cloud-support.purestorage.com
ra.cloud-support.purestorage.com
restricted-ra.cloud-support.purestorage.com
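The requirement stated above, that both controllers' management IPs and the virtual IP each need an outbound path to 52.40.255.224/27 on TCP 443, can be checked against an exported rule set. This is an added example, not Pure Storage code: the rule tuple format, the 192.0.2.x source addresses and the function names are assumptions constructed for illustration, and hostname-based rules are not evaluated.

```python
import ipaddress

# Destination block and port from the Purity 4.9.0+ rows of the table above.
PURE1_BLOCK = ipaddress.ip_network("52.40.255.224/27")
PURE1_PORT = 443

# Constructed sample: management addresses of one array (documentation range).
ARRAY_SOURCES = {"ct0": "192.0.2.10", "ct1": "192.0.2.11", "vip": "192.0.2.12"}

# Constructed sample of outbound allow rules: (source, destination, proto, port).
SAMPLE_RULES = [
    ("192.0.2.12/32", "52.40.255.224/27", "tcp", 443),  # virtual IP only
    ("192.0.2.10/32", "52.40.255.224/28", "tcp", 443),  # ct0, half the block
    ("192.0.2.11/32", "52.40.255.224/27", "tcp", 22),   # ct1, wrong port
]

def uncovered(source_ip, rules, dest=PURE1_BLOCK, port=PURE1_PORT):
    """Return the parts of dest that source_ip may not reach on tcp/port."""
    src = ipaddress.ip_address(source_ip)
    remaining = [dest]
    for rule_src, rule_dst, proto, rule_port in rules:
        if proto != "tcp" or rule_port != port:
            continue
        if src not in ipaddress.ip_network(rule_src):
            continue
        allowed = ipaddress.ip_network(rule_dst)
        still_open = []
        for net in remaining:
            if net.subnet_of(allowed):
                continue  # this piece is fully allowed
            if allowed.subnet_of(net):
                still_open.extend(net.address_exclude(allowed))
            else:
                still_open.append(net)  # rule does not touch this piece
        remaining = still_open
    return sorted(remaining)

def audit(sources, rules):
    """Map each interface name to the Pure1 ranges it still cannot reach."""
    gaps = {}
    for name, ip in sources.items():
        missing = uncovered(ip, rules)
        if missing:
            gaps[name] = [str(net) for net in missing]
    return gaps

if __name__ == "__main__":
    for name, missing in audit(ARRAY_SOURCES, SAMPLE_RULES).items():
        print(f"{name}: no tcp/{PURE1_PORT} path to {', '.join(missing)}")
```

With the sample rules only the virtual IP is fully covered; ct0 is missing the upper half of the block and ct1 has no TCP 443 rule at all.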
Ports Used by Purity for Services - Internal Connectivity Only
The following table lists the Purity Services and the associated ports that must be open on the FlashArray. Unless
otherwise noted, all service ports must be open on the specified interface. Note that some services use more than one
port.
Please note, if any of these services are being accessed over a WAN, you will need to open these ports to the Public
Network.
| Service | Port | Network Interface | Transport Protocol | Application Protocol | Direction | Additional Information |
| --- | --- | --- | --- | --- | --- | --- |
| CIFS | 137, 138 | | UDP | | Inbound | Required for Purity RUN |
| CIFS | 139, 445 | | TCP | | Inbound | Required for Purity RUN |
| DNS | 53 | | UDP, TCP | DNS | Outbound | Directory Name Services |
| Email | 25 | | TCP | SMTP | Outbound | Used to route alert and other email messages. The default port here is 25, but it can be user-defined. If your environment has a different port, please update your firewall settings accordingly. |
| iSCSI Service | 3260 | Host Port | TCP | iSCSI | Inbound | |
| LDAP (Directory Services) | 389 | | TCP | LDAP | Outbound | Used to manage array integration with a directory service using LDAP. Only required if integrating with a directory service. Can be user-defined. |
| LDAPS (Directory Services) | 636 | | TCP | LDAPS | Outbound | Used to manage array integration with a directory service using LDAPS (LDAP over TLS/SSL). Only required if integrating with a directory service. Can be user-defined. |
| Management Service | 22 | Management Port | TCP | SSH | Inbound | |
| Management Service | 80 | Management Port | TCP | HTTP | Inbound | Redirects to HTTPS port 443 |
| Management Service | 161 | Management Port | UDP | SNMP | - | Used by the SNMP MIB to collect array information. |
| Management Service | 443 | Management Port | TCP | HTTPS | Inbound | Used to access the Purity GUI & REST API |
| NFS | 2049, 4045 | | UDP, TCP | | | Required for Purity RUN |
| NTP | 123 | - | UDP | | Outbound | Used to synchronize the array time to the NTP server. |
| On-Prem Mediator | 80 | | TCP | | Outbound | If the ActiveCluster on-prem VM is outside of the local firewall |
| Proxy Server | 80, 443 | | TCP | HTTP | Outbound | Used for HTTP proxy. Can be user-defined. |
| Replication Service | 8117 | Replication Port | TCP | - | Inbound (Target) / Outbound (Source) | Used for async replication and ActiveCluster. Default bond, named "replbond", used to receive replication data. Open this port on the target array. NOTE: In order to replicate data between two arrays, open ports 443 and 8117 on the firewall so that they are reachable |
| Replication Service | 443 | Management Port | TCP | HTTPS | Inbound (Both) / Outbound (Both) | Used to establish initial source to target array connection. Note: Arrays must be able to reach each other's management IP or FQDN in order to establish a connection. |
| REST API | 443 | | TCP | HTTPS | Inbound + Outbound | Required by replication to communicate between two arrays. Open port 443 on the firewall. Pure Storage’s Plug-Ins and SDKs utilize the REST API service for communication to the array. So, if you are using any plug-ins / SDKs, please ensure this port is open. |
| SMI-S | 5989 | | TCP | | Inbound | |
| SMI-S | 427 | | TCP, UDP | | Inbound + Outbound | Use this port for SLP (Service Location Protocol). SMI-S will work with SLP disabled however need to enable this port if running a discovery job. |
| SNMP Trap | 162 | | TCP, UDP | | Outbound | Used to send SNMP trap messages |
| Syslog | 514 | | TCP | - | Outbound | Used for system logging. Can be user-defined |
| VASA | 8084 | | TCP | | Inbound | The VASA service provides APIs for control path operations between ESXi/vSphere (supporting VVol feature). |
| vSphere Web Plugin | 443, 9443 | | TCP | | Inbound + Outbound | |
Other Ports
Please note that destination ports 44444 through 44507 (UDP) may be used by Purity for diagnostic purposes.
Internal Information: Do not share externally.
So to summarize: By experimentation, UDP ports 44444-44507 are used by tracepath whenever
gather_diagnostics is run (e.g. during hourly phone home). Other UDP ports are randomly used for DNS
queries.
©2018 Copyright Pure Storage. All rights reserved.