Skip to main content
All CollectionsEnterprise WorkloadsProtect VMware Virtual MachinesVMware Reference Reads
Firewall rules for protecting Enterprise Workloads
Firewall rules for protecting Enterprise Workloads
Updated over 2 months ago

Firewall rules for data protection of Enterprise Workloads

If a firewall is configured in your environment, ensure that the following patterns are allowed for seamless backups and restores.

  • *.druva.com

  • *s3.amazonaws.com/*

  • s3-*.amazonaws.com

  • s3*.*.amazonaws.com

Click to determine your deployment region

To determine your deployment region, perform the following steps:

  1. Log in to the Druva Cloud Platform console.

  2. After logging in, check your URL:

    • If it starts with console.druva.com, your account is deployed in the US deployment region.


      ​

    • If it starts with ap1-console.druva.com, your account is deployed in the APAC deployment region.

URLs for the US deployment region

  • login.druva.com

  • globalapis.druva.com

  • phoenix.druva.com

  • downloads.druva.com

  • deviceapigw-phoenix.druva.com

  • backup-phoenix.druva.com

  • pub-devicemgmt-devicenotifier-dcp.druva.com

  • devicemgmt-reverseproxy-dcp.druva.com

πŸ“ Note

You must configure the firewall rules to allow both the FQDN and Alias URLs.

Purpose

FQDN

Alias

Log download

https://dprod-devicestore-file.s3.us-east-1.amazonaws.com

https://druva-us0-devicefile-zqztwnudbwnx5u8j1bx4x6qbq8dmhuse1a-s3alias.s3.us-east-1.amazonaws.com

Proxy upgrade

https://dprod-devicestore-package.s3.us-east-1.amazonaws.com

https://druva-us0-devicepack-mkpuot7uiirhb5wrphs1a9h946aeeuse1b-s3alias.s3.us-east-1.amazonaws.com

URLs for the APAC deployment region

  • login.druva.com

  • globalapis.druva.com

  • phoenix.druva.com

  • downloads.druva.com

  • deviceapigw-ap1-phoenix.druva.com

  • backup-ap1-phoenix.druva.com

  • pub-devicemgmt-devicenotifier-ap1-dcp.druva.com

  • devicemgmt-reverseproxy-ap1-dcp.druva.com

πŸ“ Note

You must configure the firewall rules to allow both the FQDN and Alias URLs.

Purpose

FQDN

Alias

Log download

https://ap1-dprod-devicestore-file.s3.ap-southeast-1.amazonaws.com

https://druva-ap1-devicefile-gkztbhmogjger59x4d8qps3gomasnaps1a-s3alias.s3.ap-southeast-1.amazonaws.com

Proxy upgrade

https://ap1-dprod-devicestore-package.s3.ap-southeast-1.amazonaws.com

https://druva-ap1-devicepack-4bkkqwrp4harurgb7hrocaya9cme4aps1b-s3alias.s3.ap-southeast-1.amazonaws.com

Common storage URLs for backup proxy 7.0.0 and later

For backup proxy with version 7.0.0 or later, if you have configured firewall rules in your environment, allow the following S3 URLs to access storage during backup and restore:

πŸ“ Note

You must configure the firewall rules to allow both the FQDN and Alias URLs.

Storage Region

S3 FQDN

S3 Alias

Hong Kong (ap-east-1)

https://s3.ap-east-1.amazonaws.com/

https://druvaphn-ape1-3qpd1n8aqdth45hba5ghxpceb9thkape1a-s3alias.s3.ap-east-1.amazonaws.com/

Mumbai (ap-south-1)

https://s3.ap-south-1.amazonaws.com/

https://druvaphn-aps1-kuia8bkbftwcbn4y8ihzdhck3y4zgaps3a-s3alias.s3.ap-south-1.amazonaws.com/

Singapore (ap-southeast-1)

https://s3.ap-southeast-1.amazonaws.com/

https://druvaphn-apse1-9k6pu5kyjr3813xemeo14r9dioukwaps1a-s3alias.s3.ap-southeast-1.amazonaws.com/

Sydney (ap-southeast-2)

https://s3.ap-southeast-2.amazonaws.com/

https://druvaphn-apse2-xifjr44ehwn4skab8xgg4kwzgg1qcaps2a-s3alias.s3.ap-southeast-2.amazonaws.com/

Tokyo (ap-northeast-1)

https://s3.ap-northeast-1.amazonaws.com/

https://druvaphn-apne1-3tzzk6pokwpj7o3c8r3cquw8ithxoapn1a-s3alias.s3.ap-northeast-1.amazonaws.com/

Northern Virginia (us-east-1)

https://s3.amazonaws.com/

https://s3.us-east-1.amazonaws.com/

https://druvaphn-use1-3eshkjg74za3gfuc3rqj51ab5m8c1use1a-s3alias.s3.amazonaws.com/

https://druvaphn-use1-3eshkjg74za3gfuc3rqj51ab5m8c1use1a-s3alias.s3.us-east-1.amazonaws.com/

Northern California (us-west-1)

https://s3.us-west-1.amazonaws.com/

https://druvaphn-usw1-ak8kj98wzehr3qfiyepxt9ypq4yfrusw1a-s3alias.s3.us-west-1.amazonaws.com/

Oregon (us-west-2)

https://s3.us-west-2.amazonaws.com/

https://druvaphn-usw2-oxfxnrq6z6cjd5p7kbmefgzk6d73ausw2a-s3alias.s3.us-west-2.amazonaws.com/

Montreal (ca-central-1)

https://s3.ca-central-1.amazonaws.com/

https://druvaphn-cac1-acawpxxtj4ichfwxtxberrmj7w3jkcan1a-s3alias.s3.ca-central-1.amazonaws.com/

Frankfurt (eu-central-1)

https://s3.eu-central-1.amazonaws.com/

https://druvaphn-euc1-eiytn963i4jtmpue5xt1i9fdb9kjweuc1a-s3alias.s3.eu-central-1.amazonaws.com/

Ireland (eu-west-1)

https://s3.eu-west-1.amazonaws.com/

https://druvaphn-euw1-u39y9y4kon6oan1omsg9f9wjtmp4oeuw1a-s3alias.s3.eu-west-1.amazonaws.com/

London (eu-west-2)

https://s3.eu-west-2.amazonaws.com/

https://druvaphn-euw2-u8om1ejedb58a7oh4ad85p4qc7q3aeuw2a-s3alias.s3.eu-west-2.amazonaws.com/

Paris (eu-west-3)

https://s3.eu-west-3.amazonaws.com/

https://druvaphn-euw3-pswryckcmqamxuiicf7gjets9hafoeuw3a-s3alias.s3.eu-west-3.amazonaws.com/

Stockholm (eu-north-1)

https://s3.eu-north-1.amazonaws.com/

https://druvaphn-eun1-do7rfzp8s3xuz8nm7cwfjzcqbf3pgeun1a-s3alias.s3.eu-north-1.amazonaws.com/

SΓ£o Paulo (sa-east-1)

https://s3.sa-east-1.amazonaws.com/

https://druvaphn-sa1-poghxe43kh71og6pghcfrzfuxziphsae1a-s3alias.s3.sa-east-1.amazonaws.com/

UAE (me-central-1)

https://s3.me-central-1.amazonaws.com/

https://druvaphn-mec1-hupms3wzwebgdbjgiyikzebx7mi84mec1a-s3alias.s3.me-central-1.amazonaws.com/

Ports and communication protocols

The following table describes the port and communication protocols used for communication between Druva and various VMware components. For more information, see Ports and communication protocols for VMware virtual machines.

πŸ“ Note
​Communication happens from a backup proxy to other parties on various ports. Here, the backup proxy is the communication initiator, which is unidirectional. These ports are used for outgoing (unidirectional) communication, not incoming communication. However, data in the form of a response can flow in the opposite direction. Standard system ports such as 22 (SSH) and 2049 (NFS-SERVER) are used for incoming requests.

Port

Communication Protocol

Description

443

HTTPS+SSL

Druva uses Port 443 to establish a secure connection and communication between the following:

  • Backup Proxy to Druva Cloud

  • Backup Proxy to CloudCache

  • Backup Proxy to vCenter Server

πŸ“ Note
​Port 443 is required if the ESXi host is directly registered with Druva for backup. Backup proxy establishes connection with ESXi host over Port 443 only if it registered with Druva as Standalone ESXi. If the ESXi host is registered with Druva through vCenter Server, backup proxy communicates with the ESXi host over Port 902.

902

TCP/UDP

Druva uses port 902 to establish a connection between the backup proxy and ESXi host registered with Druva through vCenter Server.

By default, VMware uses the port 902 for the vixDiskLib connection (All Transport Modes). You must use the VixDiskLib to access a virtual disk. All operations require a VixDiskLib connection to access virtual disk data.

3542

HTTPS+SSL

For application-aware backups, the backup proxy uses VMware Tools to inject two executables and a few supporting files such as certificates into the guest OS of the virtual machine. When the executables run, they start guest OS processes called guestossvc and PhoenixSQLGuestPlugin . The backup proxy uses the opened port 3542 on the guest OS so that it can communicate with guestossvc to run SQL Server backups. Ensure that this port is open on the guest OS. In addition, the backup proxy should reach the virtual machine directly over IPv4.
​
The backup proxy also uses this port to restore databases to the virtual machine.

3545

HTTPS+SSL

For application-aware backups, the SQL executable service PhoenixSQLGuestPlugin queries the Microsoft VSS APIs to back up and restore SQL Server databases. The guestossvc service interacts with the PhoenixSQLGuestPlugin service using this port. The PhoenixSQLGuestPlugin service cannot directly communicate with the backup proxy.

3389/22

TCP/UDP

During the backup cycle, the backup proxy sends network packets to Windows virtual machines (where VMware tools are installed) on port 3389 to identify if the RDP port is open or not. For Linux virtual machines, the port is 22, which is used for SSH.

This is used for Disaster Recovery or DR restores.

123

UDP

Backup proxy accesses NTP server on Port 123 (UDP) for time synchronization.

443

HTTPS+TLS

Druva uses TLS 1.2 or a secure connection that happens between the following:

  • Backup proxy and Druva Cloud

  • Backup proxy and CloudCache

  • CloudCache and Druva Cloud

Related Articles
Firewall, Antivirus and Network Configuration for Druva Enterprise Workloads
How to deploy CloudFormation stack template for migrating VPC Private Link infrastructure
Ports and communication protocols for Nutanix AHV
Deploying CloudFormation stack template for migrating VPC Private Link infrastructure
Prerequisite check for AWS proxy VPC and subnet
Did this answer your question?