Prerequisites for Air Gap Protect

The following prerequisites are needed to setup Air Gap Protect as a storage target on Commvault software:

CommServe Server Version

The following minimum version is required for the CommServe server:

Air Gap Protect Type

Minimum MediaAgent Version

Microsoft Azure Storage

Commvault Platform Release 2022E (11.28) or later

Amazon S3

Commvault Platform Release 2024E (11.36) or later

Oracle Cloud Infrastructure Object Storage

Commvault Platform Release 2024E (11.36) or later

Google Cloud Storage

Commvault Platform Release 2025 (11.38) or later

MediaAgent Version

The following minimum version is required for the MediaAgent:

Air Gap Protect Type

Minimum MediaAgent Version

Microsoft Azure Storage

Commvault Platform Release 2022E (11.28) or later

Amazon S3

Commvault Platform Release 2024E (11.36) or later

Oracle Cloud Infrastructure Object Storage

Commvault Platform Release 2024E (11.36) or later

Google Cloud Storage

Commvault Platform Release 2025 (11.38) or later

License Requirements

The Air Gap Protect license is required to configure Air Gap Protect.

In addition, you must accept the Commvault Terms and Conditions when you add the license. For more information about adding licenses and accepting the user agreement, see Adding a License in the Command Center.

See Also: License Administration for Air Gap Protect.

Network Requirements

Outbound Connections

For outbound connectivity, the following endpoints must be whitelisted on the CommServe server before configuring Air Gap Protect.

  • https://login.microsoftonline.com should be whitelisted on both the CommServe server and the MediaAgent.

  • https://www.office.com should be whitelisted on both the CommServe server and the MediaAgent.

  • api.mcss.metallic.io should be whitelisted only on the CommServe server. (IP address : 23.97.4.188).

  • https://metallic.io should be whitelisted on the CommServe server.

  • https://www.commvault.com should be whitelisted on both the CommServe server and the MediaAgent.

In addition, whitelist the endpoints required for specific storage type.

Outbound Connections for Microsoft Azure Storage

For outbound connectivity, the following endpoints must be whitelisted on the MediaAgent before configuring Air Gap Protect on Azure.

Air Gap Protect - Azure (Global Cloud)

Air Gap Protect - Azure (Government Cloud)

  • *.blob.core.windows.net. (All endpoints that contain.blob.core.windows.net must be whitelisted.)

  • https://login.microsoftonline.com

  • *.blob.core.usgovcloudapi.net. (All endpoints that contain .blob.core.usgovcloudapi.net must be whitelisted.)

  • https://login.microsoftonline.us

See https://www.microsoft.com/en-us/download/details.aspx?id=56519 for a list of IP addresses required by:

blob.core.windows.net

login.microsoftonline.com

blob.core.usgovcloudapi.net

login.microsoftonline.us

Note

  • The * in *.blob.core.windows.net can be replaced with specific storage account names, once the library is configured. For more information, see Obtaining the Storage Account Name.

  • In the list of IP addresses, the "name": "Storage.region" object denotes the region of the Air Gap Protect. For example, "Storage.CanadaEast".

Azure ExpressRoute circuit and Azure Private Link (Private Endpoint) is supported. For more information, see Configuring Azure ExpressRoute and Private Link.

Outbound Connections for Amazon S3 Storage

For outbound connectivity, the following endpoints must be whitelisted on the MediaAgent before configuring Air Gap Protect on Amazon S3.

  • s3.[region].amazonaws.com

Outbound Connections for Oracle Cloud Infrastructure Object Storage

For outbound connectivity, the following endpoints must be whitelisted on the MediaAgent before configuring Air Gap Protect on OCI.

  • objectstorage.[region].oraclecloud.com
  • identity.[region].oraclecloud.com

Replace [region] with region identifier. See https://docs.oracle.com/en-us/iaas/Content/General/Concepts/regions.htm for list of regions and region identifiers. See https://docs.oracle.com/en/-us/iaas/api/#/en/objectstorage/20160918 for a list of OCI endpoints.

Note

  • Port 443 is required for all the listed endpoints.

  • For applying the license, Metrics Reporting server should have the same endpoints as the CommServe server (listed above under Outbound Connections) whitelisted.

HTTP Proxy for CommServe Server and MediaAgent

If the CommServe server and/or the MediaAgent do not have direct access to the internet and have the http proxy configured, make sure to configure the http proxy on the CommServe server and MediaAgent Client or Client Group. For more information, see Configuring an HTTP Proxy for a Server Group.

Loading...