veeam 10 - ports

[frankive]

We have a site-2-site from an Azure VM to on-premise datacentre.
For now the tunnel has been open for all ports both the ways.

We want to narrow the traffic from on-premise to the azure network with just the ports Veeam 10 needs.
The server in Azure is only running Apis to the on-premise infrastructure (local repositories NAS where one of the hyper-v server in the S2D works like gateway server).

Which port would we need to allow INBOUND from the on-premise infrastrcture to our Azure Network to keep everything working as expected?

[oleg.feoktistov]

Hi Frank,

Given that you have Hyper-V environment, please, check this up-to-date article on used ports.

Thanks,
Oleg

[frankive]

Correect me if I am wrong, but it seems like we dont have to allow any traffic from on-premise to the Azure Virtual Network (where the manage server is) since all traffic always will initiate from the manage server in azure?

[frankive]

Actually the only port I need to allow from the on-premise environment to the veeam server in Azure is port tcp 9401.
Is this correct? All other traffic seems to always be initiated from the Veeamserver itself

[oleg.feoktistov]

Hi Frank,

Yes, the majority of requests are initiated by Backup server itself. However, backup components need to respond to VBR on query status etc., right?
So, dynamic ports range is used for that (49152 to 65535 on Windows).
For example, to communicate with Veeam Installer Service, which sits on Managed Hyper-V server and listens on port 6160:
- Backup server - enable outbound traffic on port 6160 and inbound on dynamic ports.
- Hyper-V - enable outbound traffic on dynamic ports and inbound on 6160.

Thanks,
Oleg

[frankive]

Hmm.. so basically if we allow dynamics port-range INBOUND to the veeamserver, the Veeam server network should be good, correct?
We allow all traffic OUTBOUND from the Veeamserver as default.

[oleg.feoktistov]

Correct. Don't forget port 9401