Ports
Veeam Backup for Nutanix AHV automatically creates firewall rules for the ports required to allow communication between the Nutanix AHV backup appliance, workers and the backup server.
Important |
Some Linux distributions require manual configuration of firewall rules. For more information, see this Veeam KB article. |
Backup Appliance
The following table describes network ports that must be opened to ensure proper communication of the Nutanix AHV backup appliance with other backup infrastructure components.
From | To | Protocol | Port | Notes |
|---|---|---|---|---|
Workstation web browser | Nutanix AHV backup appliance | TCP/HTTPS | 443 | Used to access the Nutanix AHV backup appliance web console. |
Nutanix AHV backup appliance | Nutanix REST API | TCP/HTTPS | 9440 | Used to communicate with Nutanix AHV REST API. |
Backup server | TCP | 10006 | Used to connect to Veeam Backup & Replication. | |
Backup server | TCP | 2500 to 3300 | Default range of ports used for malware detection metadata transfer. | |
Workers | TCP | 19000 | Used to communicate with workers. | |
Nutanix AHV server | TCP/iSCSI | 3205, 3260 | Used to access disks attached to Nutanix AHV VMs. | |
Veeam backup repository (or gateway server) | TCP | 2500-3300 | Default range of ports used as transmission channels for jobs and restore sessions. For every TCP connection that a job uses, one port from this range is assigned. | |
Mail server | SMTP | 25 | Used to send email notifications. The port number can be changed. | |
Rocky Linux repositories (mirrors.rockylinux.org, mirrors.fedoraproject.org, rockylinux.map.fastly.net) | TCP/HTTP(S) | 80 (443) | Used to get OS security updates, .NET Core updates and PostgreSQL update packages. The listed mirror URLs are used to get actual URLs that will be used to obtain updates. | |
Veeam Update Repository Amazon CloudFront | TCP/HTTPS | 443 | Used to download Nutanix AHV backup appliance update packages. Note: Veeam Update Repository uses the Amazon CloudFront service to distribute traffic when downloading product updates. | |
Nginx repository (nginx.org/packages/, nginx.org/packages/keys/) | TCP/HTTPS | 443 | Used to download Nginx packages required for Nutanix AHV backup appliance web console updates. |
Workers
The following table describes network ports that must be opened to ensure proper communication of workers with other backup infrastructure components.
From | To | Protocol | Port | Notes |
|---|---|---|---|---|
Worker | Nutanix REST API | TCP/HTTPS | 9440 | Used to communicate with Nutanix AHV REST API. |
Backup server | TCP | 10006 | Used to connect to Veeam Backup & Replication. | |
Backup server | TCP | 2500 to 3300 | Default range of ports used for malware detection metadata transfer. | |
Backup appliance | TCP | 19001 | Used to communicate with the backup appliance. | |
Nutanix AHV server | TCP/iSCSI | 3205, 3260 | Used to access disks attached to Nutanix AHV VMs. | |
Veeam backup repository (or gateway server) | TCP | 2500-3300 | Default range of ports used as transmission channels for jobs and restore sessions. For every TCP connection that a job uses, one port from this range is assigned. | |
Rocky Linux repositories (mirrors.rockylinux.org, mirrors.fedoraproject.org, rockylinux.map.fastly.net) | TCP/HTTP(S) | 80 (443) | Used to get OS security updates, .NET Core updates and PostgreSQL update packages. Note: The listed mirror URLs are used to get actual URLs that will be used to obtain updates. | |
Veeam Update Repository Amazon CloudFront | TCP/HTTPS | 443 | Used to download Nutanix AHV backup appliance update packages. Note: Veeam Update Repository uses the Amazon CloudFront service to distribute traffic when downloading product updates. | |
Nginx repository (nginx.org/packages/, nginx.org/packages/keys/) | TCP/HTTPS | 443 | Used to download Nginx update packages. |
The following table describes network ports that must be opened to ensure proper communication of the backup server with other backup infrastructure components.
From | To | Protocol | Port | Notes |
|---|---|---|---|---|
Veeam Backup & Replication console and Veeam ONE server | Backup server | TCP/HTTPS | 8543 | Used to communicate with the Platform Service REST API. |
FLR helper appliance | Backup server | TCP | 2500 | Used to connect to the backup server during file-level restore. |
Mount Service | Backup server | TCP | 9401 | Used to connect to the backup server during file-level restore. |
Backup server | FLR helper appliance | TCP | 22 2500 | Used to connect to the helper appliance during file-level restore. For the full list of ports used for connections to the FLR helper appliance, see the Veeam Backup & Replication User Guide, section Used Ports. |
Backup server | TCP/HTTPS | 6172 | Used by the AHV Platform Service to enable communication with the Veeam Backup & Replication database. | |
Nutanix AHV cluster | TCP/HTTPS | 9440 | Used by the AHV Platform Service to connect to an Nutanix AHV cluster. | |
Nutanix AHV backup appliance | TCP/HTTPS | 443 | Used by the AHV Platform Service to connect to Nutanix AHV backup appliance. |
Note |
For the list of ports used by the backup server to communicate with backup repositories, see the Veeam Backup & Replication User Guide, section Used Ports. |
The vPower NFS Service is a Microsoft Windows service that runs on a Microsoft Windows machine and enables this machine to act as an NFS server. The vPower NFS Service is required to perform such operations as file-level restore and Instant Recovery.
Note |
For the full list of ports required for Performing File-Level Restore, see the Veeam Backup & Replication User Guide, section Used Ports. |
From | To | Protocol | Port | Notes |
|---|---|---|---|---|
Nutanix AHV cluster | Microsoft Windows server with the mount server role running vPower NFS Service | TCP UDP | 111 | Used by the Port Mapper service. |
TCP UDP | 1058+ or 1063+ | Used as default mount port. The number of port depends on where the vPower NFS Service is located:
If port 1058/1063 is occupied, the succeeding port numbers will be used. | ||
TCP UDP | 2049+ | Used as NFS port. If port 2049 is occupied, the succeeding port numbers will be used. |
The following tables describe network ports that must be opened to ensure proper communication of the backup server and backup infrastructure components with the non-persistent runtime components deployed inside the VM guest OS for application-aware processing and indexing.
From | To | Protocol | Port | Notes |
|---|---|---|---|---|
Backup server | VM guest OS (Linux) | TCP | 22 | Default SSH port used as a control channel. |
TCP | 2500 to 3300 | Default range of ports used as transmission channels for log shipping. | ||
Guest interaction proxy | TCP | 6190 | Used for communication with the guest interaction proxy. | |
TCP | 6290 | Used as a control channel for communication with the guest interaction proxy. | ||
TCP | 445 | Port used as a transmission channel. | ||
Guest interaction proxy | VM guest OS (Microsoft Windows) | TCP | 445 | Required to deploy the runtime coordination process on the VM guest OS. |
TCP | 2500 to 3300 | Default range of ports used as transmission channels for log shipping. | ||
TCP | 49152 to 65535 | Dynamic RPC port range for Microsoft Windows 2008 and later. For more information, see this Microsoft KB article. Used by the runtime process deployed inside the VM for guest OS interaction. Note: If you use default Microsoft Windows firewall settings, you do not need to configure dynamic RPC ports. During setup, Veeam Backup & Replication automatically creates a firewall rule for the runtime process. If you use firewall settings other than default ones or application-aware processing fails with the "RPC function call failed" error, you need to configure dynamic RPC ports. For more information on how to configure RPC dynamic port allocation to work with firewalls, see this Microsoft KB article. | ||
VM guest OS | Guest interaction proxy | TCP | 2500 to 3300 | Default range of ports used as transmission channels for log shipping. |
The following tables describe network ports that must be opened to ensure proper communication between log shipping components.
- Log Shipping Server Connections
- MS SQL Guest OS Connections
- Oracle Guest OS Connections
- PostgreSQL Guest OS Connections
Log Shipping Server Connections
From | To | Protocol | Port | Notes |
|---|---|---|---|---|
Backup server | Log shipping server | TCP | 445 | Required for deploying Veeam Backup & Replication components. |
TCP | 6160 | Default port used by Veeam Installer Service. | ||
TCP | 6162 | Default port used by Veeam Data Mover Service. | ||
TCP | 49152 to 65535 | Dynamic RPC port range for Microsoft Windows 2008 and later. For more information, see this Microsoft KB article. Note: If you use default Microsoft Windows firewall settings, you do not need to configure dynamic RPC ports. During setup, Veeam Backup & Replication automatically creates a firewall rule for the runtime process. If you use firewall settings other than default ones or application-aware processing fails with the "RPC function call failed" error, you need to configure dynamic RPC ports. For more information on how to configure RPC dynamic port allocation to work with firewalls, see this Microsoft KB article. | ||
Log shipping server | Backup repository | TCP | 2500 to 3300 | Default range of ports used for communication with a backup repository and transfer log backups. |
From | To | Protocol | Port | Notes |
|---|---|---|---|---|
Guest interaction proxy | MS SQL VM guest OS | TCP | 445 | Required for deploying Veeam Backup & Replication components including Veeam Log Shipper runtime component. |
TCP | 2500 to 3300 | Default range of ports used for communication with a guest OS. | ||
TCP | 49152 to 65535 | Dynamic RPC port range for Microsoft Windows 2008 and later. For more information, see this Microsoft KB article. Note: If you use default Microsoft Windows firewall settings, you do not need to configure dynamic RPC ports. During setup, Veeam Backup & Replication automatically creates a firewall rule for the runtime process. If you use firewall settings other than default ones or application-aware processing fails with the "RPC function call failed" error, you need to configure dynamic RPC ports. For more information on how to configure RPC dynamic port allocation to work with firewalls, see this Microsoft KB article. | ||
TCP | 6167 | Used by the Veeam Log Shipping Service for preparing the database and taking logs. | ||
MS SQL VM guest OS | Guest interaction proxy | TCP | 2500 to 3300 | Default range of ports used for communication with a guest interaction proxy. |
MS SQL VM guest OS | Backup repository | TCP | 2500 to 3300 | Default range of ports used for communication with a backup repository and transfer log backups. Should be opened if log shipping servers are not used in the infrastructure and the MS SQL server has a direct connection to the backup repository. |
MS SQL VM guest OS | Log shipping server | TCP | 2500 to 3300 | Default range of ports used for communication with a log shipping server and transfer log backups. |
From | To | Protocol | Port | Notes |
|---|---|---|---|---|
Guest interaction proxy | Oracle VM guest OS (Microsoft Windows) | TCP | 445 | Required for deploying Veeam Backup & Replication components including Veeam Log Shipper runtime component. |
TCP | 2500 to 3300 | Default range of ports used for communication with a guest OS. | ||
TCP | 49152 to 65535 | Dynamic RPC port range for Microsoft Windows 2008 and later. For more information, see this Microsoft KB article. Note: If you use default Microsoft Windows firewall settings, you do not need to configure dynamic RPC ports. During setup, Veeam Backup & Replication automatically creates a firewall rule for the runtime process. If you use firewall settings other than default ones or application-aware processing fails with the "RPC function call failed" error, you need to configure dynamic RPC ports. For more information on how to configure RPC dynamic port allocation to work with firewalls, see this Microsoft KB article. | ||
TCP | 6167 | Used by the Veeam Log Shipping Service for preparing the database and taking logs. | ||
Backup server | Oracle VM guest OS (Linux) | TCP | 22 | Default SSH port used as a control channel. |
TCP | 2500 to 3300 | Default range of ports used for communication with a guest OS. | ||
Oracle VM guest OS | Guest interaction proxy or backup server | TCP | 2500 to 3300 | Default range of ports used for communication with a guest interaction proxy. |
Oracle VM guest OS | Backup repository | TCP | 2500 to 3300 | Default range of ports used for communication with a backup repository and transfer log backups. Should be opened if log shipping servers are not used in the infrastructure and the Oracle server has a direct connection to the backup repository. |
Oracle VM guest OS | Log shipping server | TCP | 2500 to 3300 | Default range of ports used for communication with a log shipping server and transfer log backups. |
PostgreSQL Guest OS Connections
From | To | Protocol | Port | Notes |
|---|---|---|---|---|
Backup server | PostgreSQL VM guest OS | TCP | 22 | Default SSH port used as a control channel. |
TCP | 2500 to 3300 | Default range of ports used for communication with a guest OS. | ||
PostgreSQL VM guest OS | Backup server | TCP | 2500 to 3300 | Default range of ports used for communication with a guest interaction proxy. |
PostgreSQL VM guest OS | Backup repository | TCP | 2500 to 3300 | Default range of ports used for communication with a backup repository and transfer log backups. Should be opened if log shipping servers are not used in the infrastructure and the PostgreSQL server has a direct connection to the backup repository. |
PostgreSQL VM guest OS | Log shipping server | TCP | 2500 to 3300 | Default range of ports used for communication with a log shipping server and transfer log backups. |