This is an archive version of the document. To get the most up-to-date information, see the current version.Used Ports
The following table describes network ports that must be opened to ensure proper communication of components in the Veeam Cloud Connect infrastructure.
From | To | Protocol | Port | Notes |
Cloud gateway
| SP backup server | TCP | 6169 | Port on the SP backup server used to listen to cloud commands from the tenant side. Tenant cloud commands are passed to the Veeam Cloud Connect Service via the cloud gateway. |
TCP | 8190, 8191 | Port on the SP backup server used by SP-side network redirector(s) to connect to the Remote Access Console and establish a Remote Desktop Connection to tenant. | ||
TCP | 2500 to 5000 | Port range used during transfer of the Veeam Availability Console agent from the SP backup server to the tenant backup server. | ||
SP backup repository | TCP | 2500 to 5000 | Default range of ports used as data transmission channels. For every TCP connection that a job uses, one port from this range is assigned. | |
SP backup proxy | TCP | 2500 to 5000 | Default range of ports used as data transmission channels. For every TCP connection that a job uses, one port from this range is assigned. | |
Provider-side network extension appliance | UDP | 1195 | Port used to establish secure VPN connection for network extension during partial site failover. If a tenant has several IP networks, additional odd ports should be opened starting from 1195 — one port per tenant's IP network. For example, a tenant Tenant1 replicates VMs that are connected to 3 IP networks. In the Veeam Cloud Connect infrastructure, the SP deployed a network extension appliance for Tenant1. In this case, the SP needs to open between the network extension appliance and the cloud gateway the following ports: 1195, 1197, 1199. | |
WAN accelerator | TCP | 6164 | Controlling port for RPC calls. | |
TCP | 6165 | Default port used for data transfer between WAN accelerators. | ||
Veeam Availability Console server | TCP | 9999 | Port on the Veeam Availability Console server used to communicate with the tenant backup server. Communication between tenant backup servers and Veeam Availability Console server goes through cloud gateways. | |
SP backup server | Cloud gateway | TCP | 6168 | Port on the cloud gateway used to listen for cloud commands from the Veeam Cloud Connect Service. The service cloud commands from the Veeam Cloud Connect Service are sent to set up, delete and check the status of data transport channels between tenants and the cloud repository. |
Provider-side network extension appliance | TCP | 22 | Port used for communication with the network extension appliance. | |
ICMP | — | SP backup server needs access to the SP network extension appliance via ICMP. | ||
SP backup repository | Cloud gateway | TCP and UDP
| 6180
| Port used for connections during the following operations:
|
SP Veeam Backup & Replication console | SP backup server | TCP | 10003 | Port used by the Veeam Backup & Replication console to connect to the backup server when managing the Veeam Cloud Connect infrastructure. |
Tenant backup server | Cloud gateway | TCP and UDP | 6180 | Port on the cloud gateway used to transport VM data from the tenant side to the SP side (UDP is used only during partial failover of a cloud replica). |
Tenant-side network extension appliance | TCP | 22 | Port used for communication with the network extension appliance. | |
Certificate Revocation Lists | TCP | 80 or 443 (most popular) | Tenant backup server needs access to CRLs (Certificate Revocation Lists) of the CA (Certification Authority) who issued a certificate to the SP. Generally, information about CRL locations can be found on the CA website. | |
Endpoint used by the Automatic Root Certificates Update component | TCP | 443 | Port used by the Automatic Root Certificates Update component for communication with the Windows Update endpoint. Applicable to Microsoft Windows 10 and later, Microsoft Windows Server 2016 and later. To learn more, see Microsoft Docs. | |
Backup server
| Veeam Update Notification Server (dev.veeam.com) | TCP | 80 | Default port used to download information about available updates from the Veeam Update Notification Server over the internet. |
Veeam License Update Server (autolk.veeam.com) | TCP | 443 | Default port used for license auto-update. | |
Backup server | TCP | 10003 | Port used for communication with the Veeam Backup Service (locally on the backup server). | |
Provider-side network extension appliance | Cloud gateway | UDP | 1195 | Port used to establish secure VPN connection for network extension during partial site failover. If a tenant has several IP networks, additional odd ports should be opened starting from 1195 — one port per tenant's IP network. For example, a tenant Tenant1 replicates VMs that are connected to 3 IP networks. In the Veeam Cloud Connect infrastructure, the SP deployed a network extension appliance for Tenant1. In this case, the SP needs to open between the network extension appliance and the cloud gateway the following ports: 1195, 1197, 1199. |
Tenant-side network extension appliance | Cloud gateway | TCP and UDP | 6180 | Port used to carry tenant VM traffic from the tenant network extension appliance to the SP network extension appliance through the cloud gateway. |
Tenant backup proxy (VMware vSphere) or Hyper-V server / off-host backup proxy (Microsoft Hyper-V) | Cloud gateway | TCP and UDP | 6180 | Port used for VM data transport to the cloud repository by backup jobs. |
Tenant backup repository (Microsoft Windows server / Linux server / gateway server for CIFS share) | Cloud gateway | TCP and UDP | 6180 | Port used for VM data transport to the cloud repository by backup copy jobs. |
Remote Access Console | SP backup server | TCP | 8191 | Port used for communication with the Veeam Cloud Connect Service and SP-side network redirector(s). |
TCP | 9392 | Port used for communication with the Veeam Backup Service. | ||
TCP | 10003 | Port used for communication with the Veeam Backup Service. | ||
Remote Access Console | Cloud gateway | TCP | 6180 | Default port used for communication with the SP Veeam Cloud Connect Service and SP-side network redirector(s). |
Certificate Revocation Lists | TCP | 80 or 443 (most popular) | Remote Access Console needs access to CRLs (Certificate Revocation Lists) of the CA (Certification Authority) who issued a certificate to the SP. Generally, information about CRL locations can be found on the CA website. | |
Tenant desktop computer or portable device | Veeam Cloud Connect Portal | TCP | 6443 | Port used for accessing Veeam Cloud Connect Portal by tenants. Veeam Cloud Connect Portal is installed on the SP Veeam Backup Enterprise Manager server as an optional component. It should be published on the internet by the SP administrator. |
To learn what ports are required for other components in the Veeam Cloud Connect infrastructure, see the Used Ports section in the Veeam Backup & Replication User Guide.