Ports

As Microsoft Azure Plug-in for Veeam Backup & Replication is installed on the same machine where Veeam Backup & Replication runs, it uses the same ports as those described in the Veeam Backup & Replication User Guide, section Ports. In addition, Microsoft Azure Plug-in for Veeam Backup & Replication also uses ports listed in the following table.

Tip

To allow inbound access to an Azure service, you can use the IP address, DNS name or virtual network service tag of the service. If you want to use an IP address, you can download a .JSON file with the full list of Azure IP ranges and service tags from the Microsoft Download Center.

 

From

To

Protocol

Port

Description

Web browser (local machine)

Backup appliance

TCP/HTTPS

443

Required to access the Web UI component from a user workstation.

[Optional] Default port required to communicate with the public REST API service running on the backup appliance. For more information on Veeam Backup for Microsoft Azure REST API, see the Veeam Backup for Microsoft Azure REST API Reference.

Worker instances

TCP/HTTPS

443

Required to access the file-level recovery browser running on a worker instance during the file-level restore process.

Backup appliance

Veeam Update Repository
(DNS name: repository.veeam.com), Amazon CloudFront
(DNS names: cloudfront.net, amazonaws.com)

TCP/HTTPS

443

Required to download available product updates, worker deployment packages and restore utilities.

Note: Veeam Update Repository uses the Amazon CloudFront service to distribute traffic when downloading product updates.

Ubuntu Security Repository
(DNS name: security.ubuntu.com) and OS Update Repository (DNS name: archive.ubuntu.com)

TCP/HTTP

80

Required to get OS security updates.

PostgreSQL Apt Repository
(DNS name: apt.postgresql.org)

TCP/HTTP, TCP/HTTPS

80, 443

Required to get PostgreSQL updates.

PostgreSQL Website
(DNS name: postgresql.org)

TCP/HTTPS

443

Required to download the PostgreSQL Apt Repository key https://www.postgresql.org/media/keys/ACCC4CF8.asc.

Microsoft Package Repository
(DNS name: packages.microsoft.com)

TCP/HTTPS

443

Required to get .NET updates.

SMTP server
(DNS name or IP address of the SMTP server)

TCP/SMTP

25

Required to send email notifications.

Note: The TCP 25 port is the port that is most commonly used by SMTP servers.

Microsoft Entra ID service
(service tag: AzureActiveDirectory)

TCP/HTTPS

443

Required to add service accounts.

 

Azure Resource Manager service
(service tag: AzureResourceManager)

TCP/HTTPS

443

Azure Storage service
(service tag: Storage)

TCP/HTTPS

443

Required to access Azure storage accounts, and to communicate with worker instances using the Azure Queue Storage messaging service.

If you are planning to protect Windows-based Azure VMs, this port is also required to use the Azure Queue Storage messaging service to communicate with Volume Shadow Copy Service (VSS) agents installed on source Azure VMs with enabled guest processing option. For more information, see Performing Backup.

Azure Key Vault service
(service tag: AzureKeyVault)

TCP/HTTPS

443

Required to encrypt backup repositories using cryptographic keys.

Azure Virtual Network service
(service tag: VirtualNetwork)

TCP/HTTPS

443

Required to communicate with storage accounts where Veeam applications and scripts are stored.

Note: This connection is required to back up Azure resources that operate in private environments only.

nginx web server
(DNS name: nginx.org)

TCP/HTTPS

443

Required to upgrade the backup appliance.

Azure VMs

Azure Storage service
(service tag: Storage)

TCP/HTTPS

443

[Applies to Windows-based Azure VMs only] Required to download VSS binary files.

Worker instances

Ubuntu Security Repository
(DNS name: security.ubuntu.com) and OS Update Repository (DNS name: archive.ubuntu.com)

TCP/HTTP

80

Required to get OS security updates.

PostgreSQL Apt Repository
(DNS name: apt.postgresql.org)

TCP/HTTP

80

Required to get PostgreSQL updates.

PostgreSQL Website
(DNS name: postgresql.org)

TCP/HTTPS

443

Required to download the PostgreSQL Apt Repository key https://www.postgresql.org/media/keys/ACCC4CF8.asc.

Azure SQL Database
(service tag: Sql.<region>, where <region> is the code name of the Azure region)

TCP

1433, 11000-11999

Required to connect to SQL Servers.

Note: The usage of the specified TCP ports depends on the networking settings of SQL Servers. If the Redirect option is selected, port 1433 is used to establish only the first connection. If the Proxy option is selected, port 1433 is used to establish all connections by default. For more information on networking settings of SQL Servers, see Microsoft Docs.

Azure SQL Managed Instances
(DNS name or IP address of the Managed Instance)

TCP

3342

Required to connect to Azure SQL Managed Instances using public endpoints.

TCP

1433, 11000-11999

Required to connect to Azure SQL Managed Instances using private endpoints.

Note: The usage of the specified TCP ports depends on the networking settings of SQL Servers. If the Redirect option is selected, port 1433 is used to establish only the first connection. If the Proxy option is selected, port 1433 is used to establish all connections by default. For more information on networking settings of SQL Servers, see Microsoft Docs.

Azure Cosmos DB for PostgreSQL (service tag: AzureCosmosDB)

TCP

5432

Required to connect to Cosmos DB for PostgreSQL accounts.

Azure Storage service
(service tag: Storage)

TCP

443

Required to download worker binary files from Veeam storage accounts.

[Deprecated in Veeam Backup for Microsoft Azure version 7.0] Service Bus service

Worker instances

TCP

443

Required to perform image-level backup and restore operations.

Backup appliance

TCP

443

Required to communicate with Windows-based Azure VMs with enabled guest processing option. For more information, see Performing Backup.

Microsoft Azure Plug-in for Veeam Backup & Replication

Backup server

TCP

6172

Port used by Microsoft Azure Plug-in for Veeam Backup & Replication to connect to a component that enables communication with the Veeam Backup & Replication database.

Backup appliance

TCP/HTTPS

443

Port used for communication with Veeam Backup for Microsoft Azure.

Azure Resource Manager service

(DNS name: management.azure.com)

TCP/HTTPS

443

Required to communicate with Microsoft Azure.

Microsoft Entra ID service

(DNS name: login.microsoftonline.com)

TCP/HTTPS

443

Microsoft Graph API

(DNS name: graph.microsoft.com)

TCP/HTTPS

443

Required to check permissions of Microsoft Entra applications during the upgrade of Microsoft Azure Plug-in for Veeam Backup & Replication.

AWS CheckIP service

(DNS name: checkip.amazonaws.com)

TCP/HTTPS

443

Required to get the public IP address of the Veeam Backup & Replication server during the deployment of Microsoft Azure Plug-in for Veeam Backup & Replication.

Azure Storage service

(DNS name: <blob_name>.blob.core.windows.net, where <blob_name> is the name of the Azure storage account)

TCP/HTTPS

443

Required to access Azure storage accounts when creating backup repositories using Microsoft Azure Plug-in for Veeam Backup & Replication.

Veeam Backup & Replication console and Veeam ONE server

Backup server

TCP

20443

Port used to connect to Microsoft Azure Plug-in for Veeam Backup & Replication.

 

Note

When you deploy a backup appliance from the Veeam Backup & Replication console, Veeam Backup & Replication automatically creates firewall rules for the required ports to allow communication between the backup server and the appliance components.

Page updated 12/6/2024

Page content applies to build 7.1.0.22