Enterprise Workloads Editions: ✔ Business | ✔ Enterprise (Purchase Separately) | ✔ Elite
Druva communicates with your virtual infrastructure over ports and protocols that secure both control traffic and data transfer. This topic lists the ports that Druva uses for these connections, grouped by component, so that you can open exactly what each job needs and nothing more.
AWS Proxy
AWS Proxy communicates with Druva Cloud and with AWS services such as EC2, S3, SQS, IAM, EBS, Lambda, and CloudWatch Logs. AWS Proxy does not communicate with the Failover EC2 Instance directly over the network. When it deploys AWS Proxy, Druva does not add an inbound rule for TCP port 22 (SSH login) to the security group; you add that rule yourself only if you need it.
AWS Proxy (Inbound rules)
| Source | Type | Protocol | Port range | Target | Description |
|---|---|---|---|---|---|
| My IP | SSH | TCP | 22 | AWS Proxy | This is an optional inbound rule. |
AWS Proxy (Outbound rules)
| Source | Type | Protocol | Port range | Target | Description |
|---|---|---|---|---|---|
| AWS Proxy | HTTPS | TCP | 443 | 0.0.0.0/0 | Used to communicate with Druva Cloud and AWS services. |
Failover EC2 Instance
The Failover EC2 Instance communicates with AWS services such as S3 and SQS; it does not communicate with AWS Proxy directly over the network.
During a DR Failover job, Druva attaches a temporary security group with the necessary inbound and outbound rules to the Failover EC2 Instance. When the DR Failover job completes, Druva replaces it with the security group you selected in Failover Settings. You can therefore select any security group, with whatever inbound and outbound rules you need, in Failover Settings.
To verify the Failover EC2 Instance after failover, open the ports appropriate to its operating system (SSH for Linux, RDP for Windows) in that security group and log in to the instance.
If you want to trigger a DR Failback job for the Failover EC2 Instance, then configure the following ports inside the security group:
Linux Failover EC2 Instance (Inbound rules)
| Source | Type | Protocol | Port range | Target | Description |
|---|---|---|---|---|---|
| My IP (Post DR Failover Job) | SSH | TCP | 22 | Failover EC2 Instance | This is an optional inbound rule. You can use this rule to log into the Failover EC2 Instance with an SSH client such as PuTTY. |
| Destination VMware Network (Post DR Failback Job) | SSH | TCP | 22 | Destination VMware Failback VM | You need this inbound rule for DR Failback. Use this rule to transfer data during DR Failback from the Failover EC2 Instance to the VMware Failback VM. |
Linux Failover EC2 Instance (Outbound rules)
Because the Failover EC2 Instance itself originates the outbound traffic, we recommend allowing all outbound traffic on the Failover EC2 Instance.
| Source | Type | Protocol | Port range | Target | Description |
|---|---|---|---|---|---|
| Failover EC2 Instance | All Traffic | ALL | ALL | Anywhere-IPv4 (0.0.0.0/0) | Use this outbound rule for DR Failback. |
If you do not want to allow all outbound traffic, then you can configure the following rules instead. They allow the DR Failback data transfer and let you log in with your domain credentials after the DR Failover job completes or during the DR Failback job.
| Source | Type | Protocol | Port range | Target | Description |
|---|---|---|---|---|---|
| Failover EC2 Instance | SSH | TCP | 22 | Destination VMware Failback VM | You need this outbound rule for DR Failback. Use this rule to transfer data during DR Failback from the Failover EC2 Instance to the VMware Failback VM. |
| Failover EC2 Instance | DNS | TCP | 53 | Domain Controller Network | Use this outbound rule to log into the Failover EC2 Instance using your domain credentials after the DR Failover job completes or during the DR Failback job. |
| Failover EC2 Instance | DNS | UDP | 53 | Domain Controller Network | Use this outbound rule to log into the Failover EC2 Instance using your domain credentials after the DR Failover job completes or during the DR Failback job. |
| Failover EC2 Instance | LDAP | TCP | 389 | Domain Controller Network | Use this outbound rule to log into the Failover EC2 Instance using your domain credentials after the DR Failover job completes or during the DR Failback job. |
| Failover EC2 Instance | LDAPS | TCP | 636 | Domain Controller Network | Use this outbound rule to log into the Failover EC2 Instance using your domain credentials after the DR Failover job completes or during the DR Failback job. |
| Failover EC2 Instance | LDAP | UDP | 389 | Domain Controller Network | Use this outbound rule to log into the Failover EC2 Instance using your domain credentials after the DR Failover job completes or during the DR Failback job. |
| Failover EC2 Instance | Custom TCP | TCP | 88 | Domain Controller Network | Use this outbound rule (Kerberos) to log into the Failover EC2 Instance using your domain credentials after the DR Failover job completes or during the DR Failback job. |
| Failover EC2 Instance | Custom UDP | UDP | 88 | Domain Controller Network | Use this outbound rule (Kerberos) to log into the Failover EC2 Instance using your domain credentials after the DR Failover job completes or during the DR Failback job. |
Windows Failover EC2 Instance (Inbound rules)
| Source | Type | Protocol | Port range | Target | Description |
|---|---|---|---|---|---|
| Destination VMware Network | SMB | TCP | 445 | Failover EC2 Instance | Use this inbound rule for DR Failback. This connection is used to communicate with the Failover EC2 Instance admin share. |
| Destination VMware Network | Custom TCP | TCP | 50000 | Failover EC2 Instance | Use this inbound rule for DR Failback. |
| My IP (Post DR Failover Job) | RDP | TCP | 3389 | Failover EC2 Instance | This is an optional inbound rule for DR Failover. This rule is not required for DR Failback. |
Windows Failover EC2 Instance (Outbound rules)
Because the Failover EC2 Instance itself originates the outbound traffic, we recommend allowing all outbound traffic on the Failover EC2 Instance.
| Source | Type | Protocol | Port range | Target | Description |
|---|---|---|---|---|---|
| Failover EC2 Instance | All Traffic | ALL | ALL | Anywhere-IPv4 (0.0.0.0/0) | Use this outbound rule for DR Failback. |
If you do not want to allow all outbound traffic, then you can configure the following rules instead. They let you log in with your domain credentials after the DR Failover job completes or during the DR Failback job.
| Source | Type | Protocol | Port range | Target | Description |
|---|---|---|---|---|---|
| Failover EC2 Instance | DNS | TCP | 53 | Domain Controller Network | Use this outbound rule to log into the Failover EC2 Instance using your domain credentials after the DR Failover job completes or during the DR Failback job. |
| Failover EC2 Instance | DNS | UDP | 53 | Domain Controller Network | Use this outbound rule to log into the Failover EC2 Instance using your domain credentials after the DR Failover job completes or during the DR Failback job. |
| Failover EC2 Instance | LDAP | TCP | 389 | Domain Controller Network | Use this outbound rule to log into the Failover EC2 Instance using your domain credentials after the DR Failover job completes or during the DR Failback job. |
| Failover EC2 Instance | LDAP | UDP | 389 | Domain Controller Network | Use this outbound rule to log into the Failover EC2 Instance using your domain credentials after the DR Failover job completes or during the DR Failback job. |
| Failover EC2 Instance | Kerberos | TCP | 88 | Domain Controller Network | Use this outbound rule to log into the Failover EC2 Instance using your domain credentials after the DR Failover job completes or during the DR Failback job. |
| Failover EC2 Instance | Kerberos | UDP | 88 | Domain Controller Network | Use this outbound rule to log into the Failover EC2 Instance using your domain credentials after the DR Failover job completes or during the DR Failback job. |
| Failover EC2 Instance | SMB | TCP | 445 | Domain Controller Network | Use this outbound rule to log into the Failover EC2 Instance using your domain credentials after the DR Failover job completes or during the DR Failback job. |
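The Linux and Windows Failover EC2 Instance tables above can be checked mechanically before you run a DR Failback. The following Python audit is an added example, not Druva code: it takes a security group in the JSON shape that `aws ec2 describe-security-groups` returns, reports required DR Failback rules that are absent, and flags inbound rules open to the whole Internet (the "My IP" rows above should never be that broad). The group id and CIDRs in the sample are constructed.

```python
# Required (protocol, port) pairs per OS, taken from the tables on this page.
REQUIRED = {
    "linux": {"ingress": {("tcp", 22)},
              "egress": {("tcp", 22), ("tcp", 53), ("udp", 53), ("tcp", 389),
                         ("udp", 389), ("tcp", 636), ("tcp", 88), ("udp", 88)}},
    "windows": {"ingress": {("tcp", 445), ("tcp", 50000)},
                "egress": {("tcp", 53), ("udp", 53), ("tcp", 389), ("udp", 389),
                           ("tcp", 88), ("udp", 88), ("tcp", 445)}},
}
ANYWHERE = {"0.0.0.0/0", "::/0"}

def covers(perm, proto, port):
    """True if one IpPermission entry allows proto/port ('-1' means all traffic)."""
    if perm["IpProtocol"] == "-1":
        return True
    return perm["IpProtocol"] == proto and perm["FromPort"] <= port <= perm["ToPort"]

def cidrs(perm):
    """All IPv4/IPv6 CIDRs (sources for ingress, targets for egress) on one entry."""
    return ({r["CidrIp"] for r in perm.get("IpRanges", [])}
            | {r["CidrIpv6"] for r in perm.get("Ipv6Ranges", [])})

def audit_failover_sg(sg, os_name):
    """Return required rules that are absent and inbound rules open to the world.
    Egress to 0.0.0.0/0 is what this page recommends, so only ingress is flagged."""
    missing, wide_open = [], []
    for direction, key in (("ingress", "IpPermissions"), ("egress", "IpPermissionsEgress")):
        perms = sg.get(key, [])
        for proto, port in sorted(REQUIRED[os_name][direction]):
            if not any(covers(p, proto, port) for p in perms):
                missing.append((direction, proto, port))
    for p in sg.get("IpPermissions", []):
        for cidr in sorted(cidrs(p) & ANYWHERE):
            wide_open.append((p["IpProtocol"], p.get("FromPort"), p.get("ToPort"), cidr))
    return {"missing": missing, "wide_open": wide_open}

# Constructed sample (hypothetical id/CIDRs): a Windows Failover EC2 Instance group.
WINDOWS_SG = {
    "GroupId": "sg-0123example",
    "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 445, "ToPort": 445,
         "IpRanges": [{"CidrIp": "10.20.0.0/16"}]},   # destination VMware network
        {"IpProtocol": "tcp", "FromPort": 50000, "ToPort": 50000,
         "IpRanges": [{"CidrIp": "10.20.0.0/16"}]},
        {"IpProtocol": "tcp", "FromPort": 3389, "ToPort": 3389,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},      # RDP should be "My IP" only
    ],
    "IpPermissionsEgress": [{"IpProtocol": "-1", "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}],
}
```

Feed the `SecurityGroups[0]` element of `aws ec2 describe-security-groups --group-ids <id> --output json` to `audit_failover_sg` with `"linux"` or `"windows"`; an empty `missing` list and an empty `wide_open` list mean the group matches the tables above.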
AWS SQS Endpoint
Because the AWS SQS endpoint is a VPC interface endpoint, its security group must allow inbound connections on port 443 from the private subnet. For more information, see Amazon ECS interface VPC endpoints (AWS PrivateLink).
| Source | Type | Protocol | Port range | Target | Description |
|---|---|---|---|---|---|
| Private Subnet of the VPC | HTTPS | TCP | 443 | SQS Interface Endpoint | Make sure the interface endpoint's security group allows inbound 443. For more information, see Amazon ECS interface VPC endpoints (AWS PrivateLink). |
VMware ESX
During a VMware backup job and a DR Failback job, the Druva VMware Proxy communicates with VMware ESX on port 902.
| Source | Type | Protocol | Port range | Target | Description |
|---|---|---|---|---|---|
| VMware Proxy | Custom TCP | TCP | 902 | VMware ESX | Use port 902 to establish a connection between the backup proxy and each ESXi host registered with Druva through vCenter Server. |
VMware Proxy
During a DR Failback job, the Failback VM reports progress to the VMware Proxy over HTTPS.
| Source | Type | Protocol | Port range | Target | Description |
|---|---|---|---|---|---|
| Failback VM | HTTPS | TCP | 443 | VMware Proxy | The Failback VM connects to the VMware Proxy on HTTPS port 443 to send Failback progress updates. |