Network Connectivity

You must be able to connect to the proxies and domains that are associated with your Commvault Cloud environment. Outbound network connectivity is needed for data transfer, device registration, and portal access.

Note

  • Commvault Cloud does not support firewalls that use Server Name Indication (SNI).

  • If you have a Palo Alto Networks firewall and it is blocking Commvault Cloud network traffic, you must configure the firewall to allow web browsing traffic from Commvault Cloud. Configure security rules based on the Commvault Cloud network gateways/CommServe IP address or FQDN group, and add the Commvault Cloud application. We do not support URL-based security policy filtering, because our HTTPS headers don't have SNI information. For more information, see Palo Alto Firewalls.

  • For information on excluding Commvault Cloud service endpoints for your firewall, see the KB article "Commvault Cloud Service Endpoints IP Addresses for Hybrid Cloud (On-Prem) Workloads Using Backup Gateways".

  • Any type of SSL inspection will cause tunnel failures.

TCP 443

TCP 443 outbound must be open to access the following:

  • Commvault Cloud backup service (*.metallic.io)

  • Commvault Cloud storage (*.blob.core.windows.net)

  • Azure services (*.cloudapp.azure.com)

  • If applicable, your storage location in AWS (*.s3.amazonaws.com)

For FedRAMP only, TCP 443 outbound must be open to access the following:

  • Commvault Cloud backup service (*.gov.metallic.io)

  • Commvault Cloud storage (*.core.usgovcloudapi.net)

  • Azure services (*.cloudapp.usgovcloudapi.net)

  • If applicable, your storage location in AWS (*.s3.amazonaws.com)
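The TCP 443 lists above, together with the note that any SSL inspection causes tunnel failures, can be checked against an egress policy before deployment. The following is an added example, not Commvault code: the rule fields (`dest`, `port`, `action`, `decrypt`) are a hypothetical simplified model rather than any vendor's export format, and the sample rules are constructed.

```python
# Required outbound destinations (TCP 443), copied from the lists on this page.
# The AWS entry applies only if your storage location is in AWS.
REQUIRED = {
    "commercial": ["*.metallic.io", "*.blob.core.windows.net",
                   "*.cloudapp.azure.com", "*.s3.amazonaws.com"],
    "fedramp": ["*.gov.metallic.io", "*.core.usgovcloudapi.net",
                "*.cloudapp.usgovcloudapi.net", "*.s3.amazonaws.com"],
}

def covers(rule_dest, required):
    """True if an allow rule's destination pattern covers a required pattern."""
    rule_dest, required = rule_dest.lower(), required.lower()
    if rule_dest == required:
        return True
    if rule_dest.startswith("*."):
        # "*.windows.net" covers "*.blob.core.windows.net" (a broader wildcard).
        return required.endswith(rule_dest[1:])
    return False  # a single host never covers a wildcard requirement

def audit(rules, environment="commercial", port=443):
    """Map each required destination to 'ok', 'inspected' or 'missing'."""
    report = {}
    for req in REQUIRED[environment]:
        hits = [r for r in rules
                if r["action"] == "allow" and r["port"] == port
                and covers(r["dest"], req)]
        if not hits:
            report[req] = "missing"
        elif any(r["decrypt"] for r in hits):
            # Conservative: flag if any matching rule decrypts TLS, since the
            # page states that any SSL inspection causes tunnel failures.
            report[req] = "inspected"
        else:
            report[req] = "ok"
    return report

# Constructed sample rule set (hypothetical model, not a real firewall export).
SAMPLE_RULES = [
    {"dest": "*.metallic.io", "port": 443, "action": "allow", "decrypt": False},
    {"dest": "*.windows.net", "port": 443, "action": "allow", "decrypt": True},
    {"dest": "backup.cloudapp.azure.com", "port": 443, "action": "allow", "decrypt": False},
    {"dest": "*.s3.amazonaws.com", "port": 8443, "action": "allow", "decrypt": False},
]

if __name__ == "__main__":
    for dest, status in audit(SAMPLE_RULES).items():
        print(f"{dest:28} {status}")
```

In the sample, the single-host rule and the wrong-port rule both leave their requirement `missing`, and the broad `*.windows.net` rule is reported as `inspected` because it decrypts traffic.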

TCP 8400 and TCP 8403

TCP 8400 and TCP 8403 must be open between the backup gateway and any on-prem data sources that you want to protect. Depending on the operation, either the client or the backup gateway can open a connection.

On-Prem VMware Servers

To back up on-prem VMware servers, the backup gateway must be able to access the VMware environment and components:

  • vSphere vCenter server: Port for web service (default: 443) must be opened. If vCenter is configured to use non-default ports, the non-default ports must also be opened.

  • vSphere ESX server: Ports for web service (default: 443) and TCP/IP (default: 902) must be opened for the vStorage APIs for data protection.

    Note

    If you use VMware Cloud on AWS (VMC) or Azure VMware Solution (AVS), there are no port requirements for the ESXi hosts.

Hyper-V Virtual Machines

To back up Hyper-V virtual machines (VMs), the Commvault Cloud VM proxy must be able to access the backup gateway on the port for the web service (default: 443).

Tenant Computers

In Commvault Cloud MSP environments, tenant computers must be able to connect to the following URLs (all URLs support HTTPS and can be accessed on port 443):

  • cloud.commvault.com (download software to install, update, or upgrade client computers)

  • downloadcenter.commvault.com (download software to install, update, or upgrade client computers)

  • edc.commvault.com (collect and merge vital information such as hosts, clients, schedules, compression and encryption directives)

  • https://time.akamai.com (fetch Akamai server time to generate Akamai token)

  • *.mapbox.com (provide the location of the client or laptop, and fetch data such as city name)

  • *.skyhookwireless.com (provide the location of the client or laptop, and fetch data such as city name)

Backup Gateway in Azure

When deploying a backup gateway in Azure using the ARM template, the following URLs need to be whitelisted:

  • https://turindownloadcenter.blob.core.windows.net

  • https://7-zip.org

  • https://aka.ms/vs/17/release/vc_redist.x64.exe

  • https://aka.ms/ssmsfullsetup

  • https://time.akamai.com

  • *.mapbox.com

  • *.skyhookwireless.com

  • Commvault Cloud backup service (*.metallic.io)

  • Commvault Cloud storage (*.blob.core.windows.net)

  • Azure AD (login.microsoftonline.com)

  • Azure services (*.cloudapp.azure.com)

Whitelisting IP Addresses

Commvault Cloud Service Endpoints IP Addresses for Azure Workloads

As a best practice, whitelist access node and proxy IP ranges for Azure Workloads. This applies to backup of Azure VM, Azure Blob, Azure File, ADLS, Azure Kubernetes, Azure Databases, file system, or DB agents in Azure VM using Commvault Cloud SaaS.

For more information, see the KB article "Commvault Cloud Service Endpoints IP Addresses for Microsoft 365, SaaS Apps & Azure Workloads".

Commvault Cloud Service Endpoints IP Addresses for Hybrid Cloud (On-Prem) Workloads Using Backup Gateways

As a best practice, add the SaaS Network Proxy IP Ranges to your network "allowed list" or "whitelist". This applies to backup of on-prem workloads like VMware, Hyper-V, Nutanix, File System in on-prem VM/Server, Databases in on-prem VM/Server, and all other backups including direct to cloud where a backup gateway in Commvault Cloud SaaS is used.

For more information, see the KB article "Commvault Cloud Service Endpoints IP Addresses for Hybrid Cloud (On-Prem) workloads using Backup Gateways".

Commvault Cloud Service Endpoints IP Addresses for Microsoft 365 and SaaS Apps

As a best practice, whitelist access nodes and proxy IP ranges. This applies to backup of Office 365, Dynamics 365, and Salesforce using Commvault Cloud SaaS.

For more information, see the KB article "Commvault Cloud Service Endpoints IP Addresses for Microsoft 365 and SaaS Apps".

Commvault Cloud Service Endpoints IP Addresses for SIEM/Webhook and Azure Key Vault

In some scenarios, the Commvault Cloud As-A-Service software requires you to add the SaaS Infrastructure public firewall IP ranges to your network's "allowed list" or "whitelist" for inbound connectivity. This applies to configuration of SIEM and Webhook or enabling access to your Azure Key Vault in Commvault Cloud SaaS.

For more information, see the KB article "Commvault Cloud Service Endpoints IP Addresses for SIEM/Webhook and Azure Key Vault".
