Skip to main content
By default, all ports on your Nova Cloud instance are closed except for SSH (port 22). This guide shows you how to open ports for web services, Jupyter notebooks, APIs, and other applications.

Default Port Configuration

When you create an instance, the firewall (UFW — Uncomplicated Firewall) is pre-configured with:
PortStatusProtocolPurpose
22OpenTCPSSH access
All othersClosedBlocked by default for security
If you created your instance with a template that includes a WebUI (Stable Diffusion, ComfyUI, or Linux Desktop), the WebUI is accessible through the portal when you click Connect on your instance — you do not need to open ports for it. See the Connecting guide for details.

Opening Ports

Connect to your instance via SSH first, then use ufw commands to manage ports.

Open a Single Port

# Open a TCP port (most common)
sudo ufw allow 8888/tcp

# Open a UDP port
sudo ufw allow 9090/udp

# Open a port for both TCP and UDP
sudo ufw allow 3000

Open a Range of Ports

# Open ports 8000 through 8100
sudo ufw allow 8000:8100/tcp

Verify Your Rules

sudo ufw status
You’ll see output like: 
Status: active

To                         Action      From
--                         ------      ----
22/tcp                     ALLOW       Anywhere
8888/tcp                   ALLOW       Anywhere
8080/tcp                   ALLOW       Anywhere

Common Port Configurations

Here are the ports you’ll most commonly need to open, depending on your workload:

Machine Learning & Data Science

ServicePortCommand
Jupyter Notebook / Lab8888sudo ufw allow 8888/tcp
TensorBoard6006sudo ufw allow 6006/tcp
MLflow5000sudo ufw allow 5000/tcp
Weights & Biases (local)8080sudo ufw allow 8080/tcp
Ray Dashboard8265sudo ufw allow 8265/tcp

AI Image Generation

ServicePortCommand
Stable Diffusion (A1111)7860sudo ufw allow 7860/tcp
ComfyUI8188sudo ufw allow 8188/tcp
Fooocus7865sudo ufw allow 7865/tcp
InvokeAI9090sudo ufw allow 9090/tcp

Web & API Development

ServicePortCommand
HTTP80sudo ufw allow 80/tcp
HTTPS443sudo ufw allow 443/tcp
FastAPI / Uvicorn8000sudo ufw allow 8000/tcp
Flask5000sudo ufw allow 5000/tcp
Node.js / Express3000sudo ufw allow 3000/tcp
Gradio7860sudo ufw allow 7860/tcp

LLM Inference

ServicePortCommand
vLLM8000sudo ufw allow 8000/tcp
Text Generation Inference (TGI)8080sudo ufw allow 8080/tcp
Ollama11434sudo ufw allow 11434/tcp
LocalAI8080sudo ufw allow 8080/tcp
Open WebUI3000sudo ufw allow 3000/tcp

Restricting Access by IP

For production services, you may want to restrict port access to specific IP addresses rather than opening them to the entire internet.

Allow Only Your IP

# Only allow your IP to access port 8888
sudo ufw allow from 203.0.113.50 to any port 8888 proto tcp

Allow a Subnet

# Allow an entire subnet
sudo ufw allow from 10.0.0.0/24 to any port 8080 proto tcp
Find your public IP address by searching “what is my IP” in your browser, or run curl ifconfig.me from your local machine.

Closing Ports

Remove a Specific Rule

# Close a port
sudo ufw delete allow 8888/tcp

View and Delete by Rule Number

# List rules with numbers
sudo ufw status numbered

# Delete rule by number
sudo ufw delete 3

Example: Running Jupyter Notebook

Here’s a complete example of setting up Jupyter Notebook accessible from your browser:
1

Connect to your instance

ssh ubuntu@<your-vm-ip>
2

Open port 8888

sudo ufw allow 8888/tcp
3

Install and start Jupyter

pip install jupyterlab
jupyter lab --ip=0.0.0.0 --port=8888 --no-browser
Jupyter will print a URL with a token. Copy it.
4

Access from your browser

Open your browser and go to:
http://<your-vm-ip>:8888/lab?token=<your-token>
Replace <your-vm-ip> with your instance’s IP and <your-token> with the token from the terminal output.

Example: Serving a Model with vLLM

1

Connect to your instance

ssh ubuntu@<your-vm-ip>
2

Open port 8000

sudo ufw allow 8000/tcp
3

Start vLLM

pip install vllm
vllm serve meta-llama/Llama-3.1-8B-Instruct --host 0.0.0.0
4

Send a request from your local machine

curl http://<your-vm-ip>:8000/v1/chat/completions \
  -H "Content-Type: application/json" \
  -d '{
    "model": "meta-llama/Llama-3.1-8B-Instruct",
    "messages": [{"role": "user", "content": "Hello!"}]
  }'

Security Best Practices

Opening ports exposes your instance to the internet. Follow these practices to stay secure.
  • Only open ports you need. Every open port is a potential attack surface.
  • Use IP restrictions for sensitive services. Don’t expose database ports (3306, 5432, 6379) to the entire internet.
  • Use authentication. Always configure services with authentication tokens or passwords (e.g., Jupyter’s token, API keys).
  • Bind to 0.0.0.0 only when needed. Services bound to 127.0.0.1 are only accessible from the instance itself (via SSH tunneling), which is more secure.
  • Consider SSH tunneling as an alternative to opening ports. See below.

Alternative: SSH Tunneling

Instead of opening ports in the firewall, you can use SSH tunneling to securely access services through your SSH connection. This is more secure because the service never needs to be exposed to the internet. 
# Forward local port 8888 to the instance's port 8888
ssh -L 8888:localhost:8888 ubuntu@<your-vm-ip>
Then access the service at http://localhost:8888 in your browser. The traffic is encrypted through your SSH connection.

Tunnel Multiple Ports

ssh -L 8888:localhost:8888 -L 6006:localhost:6006 ubuntu@<your-vm-ip>
This forwards both Jupyter (8888) and TensorBoard (6006) at once.
SSH tunneling is ideal for development and testing. For production services that need to be accessible by others, open the port with ufw instead.

Troubleshooting

Check these in order:
  1. Is the service running? SSH into the instance and verify: ss -tlnp | grep <port>
  2. Is the service bound to the right address? It must be bound to 0.0.0.0, not 127.0.0.1. Start your service with --host 0.0.0.0 or --bind 0.0.0.0.
  3. Is the port open in UFW? Check with: sudo ufw status | grep <port>
  4. Is the instance running? Verify in the console dashboard.
UFW should be pre-installed on all Nova Cloud instances. If it’s missing:
sudo apt update && sudo apt install ufw -y
sudo ufw enable
sudo ufw allow 22/tcp  # Don't lock yourself out!
If you accidentally blocked port 22, you cannot SSH in. Use the console to Stop and then Destroy the instance, and create a new one. Always ensure port 22 is allowed before modifying UFW rules.
The service is probably bound to 127.0.0.1 (localhost only). Change the bind address to 0.0.0.0:
# Instead of:
jupyter lab --port=8888

# Use:
jupyter lab --ip=0.0.0.0 --port=8888
Most frameworks have a --host or --bind flag for this.

What’s Next?

Connecting to an Instance

Learn about SSH access and the WebUI portal.

Choosing a GPU

Pick the right GPU and configuration for your workload.