Help Center
Choose product document...
Veeam Backup & Replication 9.5
Veeam Cloud Connect Guide

Used Ports

The following table describes network ports that must be opened to ensure proper communication of components in the Veeam Cloud Connect infrastructure.

From

To

Protocol

Port

Notes

Cloud gateway

 

SP backup server

TCP

6169

Port on the SP Veeam backup server used to listen to cloud commands from the tenant side. Tenant cloud commands are passed to the Veeam Cloud Connect Service via the cloud gateway.

TCP

8190, 8191

Port on the SP Veeam backup server used by SP-side network redirector(s) to connect to the Remote Access Console and establish a Remote Desktop Connection to tenant.

TCP

2500 to 5000

Port range used during transfer of the Veeam Availability Console agent from the SP Veeam backup server to the tenant backup server.

TCP

9392

Port used by the Remote Access Console for communication with the Veeam Backup Service.

SP backup repository

TCP

2500 to 5000

Default range of ports used as transmission channels for replication jobs. For every TCP connection that a job uses, one port from this range is assigned.

SP backup proxy

TCP

2500 to 5000

Default range of ports used as transmission channels for replication jobs. For every TCP connection that a job uses, one port from this range is assigned.

Provider-side network extension appliance

UDP

1195

Port used to establish secure VPN connection for network extension during partial site failover.

If a tenant has several IP networks, additional odd ports should be opened starting from 1195 — one port per tenant's IP network.

For example, a tenant Tenant1 replicates VMs that are connected to 3 IP networks. In the Veeam Cloud Connect infrastructure, the SP deployed a network extension appliance for Tenant1. In this case, the SP needs to open between the network extension appliance and the cloud gateway the following ports: 1195, 1197, 1199.

WAN accelerator

TCP

6164

Controlling port for RPC calls.

TCP

6165

Default port used for data transfer between WAN accelerators.

Veeam Availability Console server

TCP

9999

Port on the Veeam Availability Console server used to communicate with the tenant backup server.

Communication between tenant backup servers and Veeam Availability Console server goes through cloud gateways.

SP backup server

Cloud gateway

TCP

6168

Port on the cloud gateway used to listen for cloud commands from the Veeam Cloud Connect Service. The service cloud commands from the Veeam Cloud Connect Service are sent to set up, delete and check the status of data transport channels between tenants and the cloud repository.

Provider-side network extension appliance

TCP

22

Port used for communication with the network extension appliance.

ICMP

SP backup server needs access to the SP network extension appliance via ICMP.

SP backup repository
(or gateway server)

Cloud gateway

TCP and UDP

 

6180

 

Port used for connections during the following operations:

  • Creating a replica from a cloud backup
  • Replica seeding from a cloud backup

Tenant backup server

Cloud gateway

TCP and UDP

6180

Port on the cloud gateway used to transport VM data from the tenant side to the SP side (UDP is used only during partial failover of a cloud replica).

Tenant-side network extension appliance

TCP

22

Port used for communication with the network extension appliance.

Certificate Revocation Lists

TCP

80 or 443 (most popular)

Tenant backup server needs access to CRLs (Certificate Revocation Lists) of the CA (Certification Authority) who issued a certificate to the SP.

Generally, information about CRL locations can be found on the CA website.

Endpoint used by the Automatic Root Certificates Update component

TCP

443

Port used by the Automatic Root Certificates Update component for communication with the Windows Update endpoint.

Applicable to Microsoft Windows 10 and later, Microsoft Windows Server 2016 and later.

To learn more, see https://docs.microsoft.com/en-us/windows/privacy/manage-windows-endpoints#certificates.

 

Backup server

 

Veeam Update Notification Server (dev.veeam.com)

TCP

80

Default port used to download information about available updates from the Veeam Update Notification Server over the Internet.

Veeam License Update Server (autolk.veeam.com)

TCP

443

Default port used for license auto-update.

Backup server

TCP

10003

Port used for communication with the Veeam Backup Service (locally on the backup server).

Provider-side network extension appliance

Cloud gateway

UDP

1195

Port used to establish secure VPN connection for network extension during partial site failover.

If a tenant has several IP networks, additional odd ports should be opened starting from 1195 — one port per tenant's IP network.

For example, a tenant Tenant1 replicates VMs that are connected to 3 IP networks. In the Veeam Cloud Connect infrastructure, the SP deployed a network extension appliance for Tenant1. In this case, the SP needs to open between the network extension appliance and the cloud gateway the following ports: 1195, 1197, 1199.

Tenant-side network extension appliance

Cloud gateway

TCP and UDP

6180

Port used to carry tenant VM traffic from the tenant network extension appliance to the SP network extension appliance through the cloud gateway.

Tenant backup proxy (VMware vSphere) or Hyper-V server/off-host backup proxy (Microsoft Hyper-V)

Cloud gateway

TCP and UDP

6180

Port used for VM data transport to the cloud repository by backup jobs.

Tenant backup repository (Microsoft Windows server/ Linux server/ gateway (for CIFS share)

Cloud gateway

TCP and UDP

6180

Port used for VM data transport to the cloud repository by backup copy jobs.

Remote Access Console
(SP LAN)

SP backup server

TCP

8191

Port used for communication with the Veeam Cloud Connect Service and SP-side network redirector(s).

TCP

9392

Port used for communication with the Veeam Backup Service.

TCP

10003

Port used for communication with the Veeam Backup Service.

Remote Access Console
(Internet)

Cloud gateway

TCP

6180

Default port used for communication with the SP Veeam Cloud Connect Service and SP-side network redirector(s).

Certificate Revocation Lists

TCP

80 or 443 (most popular)

Remote Access Console needs access to CRLs (Certificate Revocation Lists) of the CA (Certification Authority) who issued a certificate to the SP.

Generally, information about CRL locations can be found on the CA website.

Tenant desktop computer or portable device

Veeam Cloud Connect Portal

TCP

6443

Port used for accessing Veeam Cloud Connect Portal by tenants.

Veeam Cloud Connect Portal is installed on the SP Veeam Backup Enterprise Manager server as an optional component. It should be published on the internet by the SP administrator.

To learn what ports are required for other components in the Veeam Cloud Connect infrastructure, see the Ports section in Veeam Backup & Replication User Guide at: https://www.veeam.com/documentation-guides-datasheets.html.

Veeam Large Logo

User Guide for VMware vSphere

User Guide for Microsoft Hyper-V

Enterprise Manager User Guide

Veeam Cloud Connect Guide

Veeam Agent Management Guide

Veeam Backup Explorers User Guide

PowerShell Reference

RESTful API Reference

Veeam Backup FREE Edition User Guide

Veeam Backup for Microsoft Office 365

Veeam ONE Documentation

Veeam Agent for Windows Documentation

Veeam Agent for Linux Documentation

Veeam Management Pack Documentation