Changing the default port for HTTP(s) access to the APIC GUI

 

Prerequisites

• Make sure and have the appropriate Contracts configured for OOB to permit the access to the desired port. If you do not have this in place, the traffic destined to the new port will be killed by the contracts.
• While not a prerequisite, Since HTTPs access via the GUI is generally the “front door” to your ACI fabric, it’s a good idea to make sure you have another avenue to get into the APIC should you run into access issues via HTTPs.
  • This could be enabling HTTP access (as a backdoor) and then disabling HTTP when your change is complete.
  • Access to the APIC CLI

Changing the default port for HTTPS

Configuring your OOB contract to permit access to the APIC

Note – It is possible you already have enabled the appropriate contracts and enabled OOB connectivity for your fabric in Tenant mgmt. If you have, you can skip this section. However, if you haven’t configured OOB for your APICs with Contracts,  this is something you should do ahead of changing the HTTPS port.

By default, APIC controllers will permit SSH (tcp-22) and HTTPS (443). When you modify the HTTPs port, you will need to permit that traffic to APIC, and you will permit that traffic to the APIC via configuring OOB contracts inside of Tenant mgmt.

Step 1 – Add the APIC(s) to the Static OOB Address List

Tenant > Tenant mgmt > Node Management Addresses > Static Node Management Addresses

• Configure a separate entry for each of your APICs
  • Node IDs for your APIC will range from 1-3 (assuming you have a 3-node APIC cluster).

Step 2 – Provide the Appropriate OOB Contract

Tenant > Tenant mgmt > Node Management EPGs > Out-of-Band EPG default

• Under the “Provided Out-of-Band Contracts” in the policy window, provide the appropriate contract (this could be a the default/common contract, or a specific contract you have created and modified).

Step 3 – Consume the Appropriate OOB Contract

Tenant > Tenant mgmt > External Management Network Instance Profiles > YourInstanceProfile

• Consume the same contract which you provided in the previous step
• Enter the subnets which are allowed to have access to the APIC (0.0.0.0/0 will permit all)

Changing the HTTPS port for the APIC

Fabric > Fabric Policies > Pod Policies > Management Access > default

1. (optional) Enable HTTP access to ensure you have a backdoor and click Submit
2. (optional) Verify connectivity to APIC GUI via HTTP
3. Change the port under HTTPS to desired Port and click Submit
4. Verify connectivity to APIC GUI via HTTP on new port
5. (optional) Once you have verified your connectivity to APIC via HTTPS (new port), disable HTTP.