Used Ports

In this article

    The following table describes network ports that must be opened to ensure proper communication of the Veeam Cloud Connect infrastructure components.

    To learn what ports are required for other Veeam Backup & Replication components in the Veeam Cloud Connect infrastructure, see the Used Ports section in the Veeam Backup & Replication User Guide.

    From

    To

    Protocol

    Port

    Notes

    Cloud gateway

    SP backup server

    TCP

    6169

    Port on the SP backup server used to listen to cloud commands from the tenant side. Tenant cloud commands are passed to the Veeam Cloud Connect Service through the cloud gateway.

    TCP

    8190, 8191

    Port on the SP backup server used by SP-side network redirector(s) to connect to the Remote Access Console and establish a Remote Desktop Connection to tenant.

    TCP

    2500 to 5000

    Port range used during transfer of the Veeam Service Provider Console agent from the SP backup server to the tenant backup server.

    SP backup repository

    TCP

    2500 to 3300

    Default range of ports used as data transmission channels. For every TCP connection that a job uses, one port from this range is assigned.

    Note: This range of ports applies to newly installed Veeam Backup & Replication starting from version 10.0, without upgrade from previous versions. If you have upgraded from an earlier version of the product, the range of ports from 2500 to 5000 applies to the already added components.

    SP backup proxy

    TCP

    2500 to 3300

    Default range of ports used as data transmission channels. For every TCP connection that a job uses, one port from this range is assigned.

    For replication of Microsoft Hyper-V VMs, the SP backup proxy resides on the target Hyper-V host.

    For replication of VMware vSphere VMs, the role of the backup proxy can be assigned to the backup server or another machine in the Veeam backup infrastructure.

    Note: This range of ports applies to newly installed Veeam Backup & Replication starting from version 10.0, without upgrade from previous versions. If you have upgraded from an earlier version of the product, the range of ports from 2500 to 5000 applies to the already added components.

    Provider-side network extension appliance

    UDP

    1195

    Port used to establish secure VPN connection for network extension during partial site failover.

    If a tenant has several IP networks, additional odd ports should be opened starting from 1195 — one port per tenant's IP network.

    For example, a tenant Tenant1 replicates VMs that are connected to 3 IP networks. In the Veeam Cloud Connect infrastructure, the SP deployed a network extension appliance for Tenant1. In this case, the SP needs to open between the network extension appliance and the cloud gateway the following ports: 1195, 1197, 1199.

    WAN accelerator

    TCP

    6165

    Default port used for data transfer between WAN accelerators.

    Veeam Service Provider Console server

    TCP

    9999

    Port on the Veeam Service Provider Console server used to communicate with the tenant backup server.

    Communication between tenant backup servers and Veeam Service Provider Console server goes through cloud gateways.

     

    SP backup server

    Cloud gateway

    TCP

    6160

    Default port used by the Veeam Installer Service for deployment of the Veeam Cloud Gateway Service and during failover operations.

    TCP

    6168

    Port on the cloud gateway used to listen for cloud commands from the Veeam Cloud Connect Service. The service cloud commands from the Veeam Cloud Connect Service are sent to set up, delete and check the status of data transport channels between tenants and the cloud repository.

    Provider-side network extension appliance

    TCP

    22

    Port used for communication with the network extension appliance.

    ICMP

    SP backup server needs access to the SP network extension appliance over ICMP.

    Domain controller(s)

    TCP and UDP

    389

    Port used for LDAP connections to Active Directory domain controller(s) for Active Directory tenants authentication.

    TCP

    636

    Ports used for LDAPS connections to Active Directory domain controller(s) for Active Directory tenants authentication.

    WAN accelerator

    TCP

    6164

    Controlling port for RPC calls.

    SP backup repository
    (or gateway server)

    Cloud gateway

    TCP and UDP

     

    6180

     

    Port used for connections during the following operations:

    • Creating a replica from a cloud backup
    • Replica seeding from a cloud backup

    SP Veeam Backup & Replication console

    SP backup server

    TCP

    10003

    Port used by the Veeam Backup & Replication console to connect to the backup server when managing the Veeam Cloud Connect infrastructure.

    Tenant backup server

    Cloud gateway

    TCP and UDP

    6180

    Port on the cloud gateway used to transport VM data from the tenant side to the SP side (UDP is used only during partial failover of a cloud replica).

    Tenant-side network extension appliance

    TCP

    22

    Port used for communication with the network extension appliance.

    Certificate Revocation Lists

    TCP

    80 or 443 (most popular)

    Tenant backup server needs access to CRLs (Certificate Revocation Lists) of the CA (Certification Authority) who issued a certificate to the SP.

    Generally, information about CRL locations can be found on the CA website.

    Endpoint used by the Automatic Root Certificates Update component

    TCP

    443

    Port used by the Automatic Root Certificates Update component for communication with the Windows Update endpoint.

    Applicable to Microsoft Windows 10 and later, Microsoft Windows Server 2016 and later.

    To learn more, see Microsoft Docs.

     

    Backup server

     

    Veeam Update Notification Server (dev.veeam.com)

    TCP

    80

    Default port used to download information about available updates from the Veeam Update Notification Server over the internet.

    Veeam License Update Server (autolk.veeam.com)

    TCP

    443

    Default port used for license auto-update.

    Backup server

    TCP

    10003

    Port used for communication with the Veeam Backup Service (locally on the backup server).

    Provider-side network extension appliance

    Cloud gateway

    UDP

    1195

    Port used to establish secure VPN connection for network extension during partial site failover.

    If a tenant has several IP networks, additional odd ports should be opened starting from 1195 — one port per tenant's IP network.

    For example, a tenant Tenant1 replicates VMs that are connected to 3 IP networks. In the Veeam Cloud Connect infrastructure, the SP deployed a network extension appliance for Tenant1. In this case, the SP needs to open between the network extension appliance and the cloud gateway the following ports: 1195, 1197, 1199.

    Tenant-side network extension appliance

    Cloud gateway

    TCP and UDP

    6180

    Port used to carry tenant VM traffic from the tenant network extension appliance to the SP network extension appliance through the cloud gateway.

    Tenant backup proxy (VMware vSphere) or Hyper-V server / off-host backup proxy (Microsoft Hyper-V)

    Cloud gateway

    TCP and UDP

    6180

    Port used for VM data transport to the cloud repository by backup jobs.

    Tenant backup repository (Microsoft Windows server / Linux server / gateway server for CIFS share)

    Cloud gateway

    TCP and UDP

    6180

    Port used for VM data transport to the cloud repository by backup copy jobs.

    Remote Access Console
    (SP LAN)

    SP backup server

    TCP

    8191

    Port used for communication with the Veeam Cloud Connect Service and SP-side network redirector(s).

    TCP

    9392

    Port used for communication with the Veeam Backup Service.

    TCP

    10003

    Port used for communication with the Veeam Backup Service.

    Remote Access Console
    (Internet)

    Cloud gateway

    TCP

    6180

    Default port used for communication with the SP Veeam Cloud Connect Service and SP-side network redirector(s).

    Certificate Revocation Lists

    TCP

    80 or 443 (most popular)

    Remote Access Console needs access to CRLs (Certificate Revocation Lists) of the CA (Certification Authority) who issued a certificate to the SP.

    Generally, information about CRL locations can be found on the CA website.

    Tenant desktop computer or portable device

    Veeam Cloud Connect Portal

    TCP

    6443

    Port used for accessing Veeam Cloud Connect Portal by tenants.

    Veeam Cloud Connect Portal is installed on the SP Veeam Backup Enterprise Manager server as an optional component. It should be published on the internet by the SP administrator.

     

    I want to report a typo

    There is a misspelling right here:

     

    I want to let the Veeam Documentation Team know about that.