Veeam Backup for Microsoft Azure 5a
User Guide
Related documents
Search

Ports

The following network ports must be open to ensure proper communication of components in the Veeam Backup for Microsoft Azure architecture.

Tip

To allow inbound access to an Azure service, you can use the IP address, DNS name or virtual network service tag of the service. If you want to use an IP address, you can download a .JSON file with the full list of Azure IP ranges and service tags from the Microsoft Download Center.

From

To

Protocol

Port

Description

Workstation web browser

Backup appliance

TCP

443

Required to access the Web UI component from a user workstation.

Required to communicate with the REST API service running on the backup appliance.

Worker instance

TCP

443

Required to access the Veeam File Level Recovery browser running on a worker instance during the file-level recovery process.

Backup appliance

Veeam Update Notification Server
(DNS name: repository.veeam.com)

TCP

443

Required to download information on available product updates.

Ubuntu Security Update repository
(DNS name: security.ubuntu.com)

HTTP

80

Required to get OS security updates.

Ubuntu NTP Server
(DNS name: ntp.ubuntu.com)

UDP

123

Required to run a time sync service for Linux VMs.

Note: This connection is required only if you updated Veeam Backup for Microsoft Azure from the Web UI.

Ubuntu Archive repository
(DNS name: azure.archive.ubuntu.com)

HTTP

80

Required to get APT updates when updating the backup appliance manually using the terminal.

APT repository of PostgreSQL packages
(DNS name: apt.postgresql.org)

HTTP

80

DotNetCore Update Repository
(DNS name: packages.microsoft.com)

TCP

443

Required to get .NET updates.

SMTP server
(DNS name or IP address of the SMTP server)

TCP

25

Required to send email notifications.

Note: The TCP 25 port is the port that is most commonly used by SMTP servers.

Azure AD service
(service tag: AzureActiveDirectory)

TCP

443

Required to add service and repository accounts.

Note: If you use Azure Government, add a DNS name or an IP address of Microsoft Graph API (graph.microsoft.net) to the security rule. Otherwise, Veeam Backup for Microsoft Azure will not be able to add service and repository accounts.

Azure Resource Manager service
(service tag: AzureResourceManager)

TCP

443

Azure Storage service
(service tag: Storage)

TCP

443

Required to communicate with Azure storage accounts.

 

ServiceBus service
(DNS name: servicebus.windows.net)

TCP

443

Required to communicate with user workstations.

Azure Key Vault service
(service tag: AzureKeyVault)

TCP

443

Required to encrypt backup repositories using cryptographic keys.

Azure Virtual Network service
(service tag: VirtualNetwork)

HTTPS

443

Required to verify MD5 keys of Volume Shadow Copy Service binary files.

Note: This connection is required to back up Azure resources that operate in private environment only.

Other required Azure services

HTTPS

443

Required to perform data protection and disaster recovery operations.

Azure VMs

ServiceBus service
(DNS name: servicebus.windows.net)

TCP

443

Required to communicate with Windows-based Azure VMs with enabled guest processing option. For more information, see Performing Backup.

Azure Storage service
(service tag: Storage)

TCP

443

Required to download Volume Shadow Copy Service binary files.

Worker instances

Ubuntu Security Update repository
(DNS name: security.ubuntu.com)

HTTP

80

Required to get OS security updates.

Ubuntu Archive repository
(DNS name: azure.archive.ubuntu.com)

HTTP

80

Required to get APT updates.

ServiceBus service
(DNS name: servicebus.windows.net)

TCP

443

Required to communicate with Windows-based Azure VMs with enabled guest processing option. For more information, see Performing Backup.

SQL Servers
(service tag: Sql.<region>, where <region> is the code name of the Azure region)

TCP

1433, 11000-11999

Required to connect to SQL Servers.

Note: The usage of the specified TCP ports depends on the networking settings of SQL Servers. If the Redirect option is selected, port 1433 is used to establish only the first connection. If the Proxy option is selected, port 1433 is used to establish all connections by default. For more information on networking settings of SQL Servers, see Microsoft Docs.

Azure SQL Managed Instances
(DNS name or IP address of the Managed Instance)

TCP

3342

Required to connect to Azure SQL Managed Instances using public endpoints.

TCP

1433, 11000-11999

Required to connect to Azure SQL Managed Instances using private endpoints.

Note: The usage of the specified TCP ports depends on the networking settings of SQL Servers. If the Redirect option is selected, port 1433 is used to establish only the first connection. If the Proxy option is selected, port 1433 is used to establish all connections by default. For more information on networking settings of SQL Servers, see Microsoft Docs.

Azure Storage service
(service tag: Storage)

TCP

443

Required to download worker binary files from Veeam storage accounts.

Other required Azure services

HTTPS

443

Required to perform data protection and disaster recovery operations.

ServiceBus service

Worker instances

TCP

443

Required to perform image-level backup and restore operations.

Backup appliance

TCP

443

Required to communicate with Windows-based Azure VMs with enabled guest processing option. For more information, see Performing Backup.

View all results across Veeam
Back to document search