The following prerequisites are needed to setup Air Gap Protect as a storage target on Commvault software:
CommServe Server Version
The following minimum version is required for the CommServe server:
Air Gap Protect Type |
Minimum MediaAgent Version |
---|---|
Microsoft Azure Storage |
Commvault Platform Release 2022E (11.28) or later |
Amazon S3 |
Commvault Platform Release 2024E (11.36) or later |
Oracle Cloud Infrastructure Object Storage |
Commvault Platform Release 2024E (11.36) or later |
Google Cloud Storage |
Commvault Platform Release 2025 (11.38) or later |
MediaAgent Version
The following minimum version is required for the MediaAgent:
Air Gap Protect Type |
Minimum MediaAgent Version |
---|---|
Microsoft Azure Storage |
Commvault Platform Release 2022E (11.28) or later |
Amazon S3 |
Commvault Platform Release 2024E (11.36) or later |
Oracle Cloud Infrastructure Object Storage |
Commvault Platform Release 2024E (11.36) or later |
Google Cloud Storage |
Commvault Platform Release 2025 (11.38) or later |
License Requirements
The Air Gap Protect license is required to configure Air Gap Protect.
In addition, you must accept the Commvault Terms and Conditions when you add the license. For more information about adding licenses and accepting the user agreement, see Adding a License in the Command Center.
See Also: License Administration for Air Gap Protect.
Network Requirements
Outbound Connections
For outbound connectivity, the following endpoints must be whitelisted on the CommServe server before configuring Air Gap Protect.
-
https://login.microsoftonline.com
should be whitelisted on both the CommServe server and the MediaAgent. -
https://www.office.com
should be whitelisted on both the CommServe server and the MediaAgent. -
api.mcss.metallic.io
should be whitelisted only on the CommServe server. (IP address : 23.97.4.188). -
https://metallic.io
should be whitelisted on the CommServe server. -
https://www.commvault.com
should be whitelisted on both the CommServe server and the MediaAgent.
In addition, whitelist the endpoints required for specific storage type.
Outbound Connections for Microsoft Azure Storage
For outbound connectivity, the following endpoints must be whitelisted on the MediaAgent before configuring Air Gap Protect on Azure.
Air Gap Protect - Azure (Global Cloud) |
Air Gap Protect - Azure (Government Cloud) |
---|---|
|
|
See https://www.microsoft.com/en-us/download/details.aspx?id=56519 for a list of IP addresses required by:
blob.core.windows.net
login.microsoftonline.com
blob.core.usgovcloudapi.net
login.microsoftonline.us
Note
-
The * in
*.blob.core.windows.net
can be replaced with specific storage account names, once the library is configured. For more information, see Obtaining the Storage Account Name. -
In the list of IP addresses, the "name": "Storage.region" object denotes the region of the Air Gap Protect. For example, "Storage.CanadaEast".
Azure ExpressRoute and Azure Private Link
Azure ExpressRoute circuit and Azure Private Link (Private Endpoint) is supported. For more information, see Configuring Azure ExpressRoute and Private Link.
Outbound Connections for Amazon S3 Storage
For outbound connectivity, the following endpoints must be whitelisted on the MediaAgent before configuring Air Gap Protect on Amazon S3.
s3.[region].amazonaws.com
Outbound Connections for Oracle Cloud Infrastructure Object Storage
For outbound connectivity, the following endpoints must be whitelisted on the MediaAgent before configuring Air Gap Protect on OCI.
objectstorage.[region].oraclecloud.com
identity.[region].oraclecloud.com
Replace [region] with region identifier. See https://docs.oracle.com/en-us/iaas/Content/General/Concepts/regions.htm for list of regions and region identifiers. See https://docs.oracle.com/en/-us/iaas/api/#/en/objectstorage/20160918 for a list of OCI endpoints.
Note
-
Port 443 is required for all the listed endpoints.
-
For applying the license, Metrics Reporting server should have the same endpoints as the CommServe server (listed above under Outbound Connections) whitelisted.
HTTP Proxy for CommServe Server and MediaAgent
If the CommServe server and/or the MediaAgent do not have direct access to the internet and have the http proxy configured, make sure to configure the http proxy on the CommServe server and MediaAgent Client or Client Group. For more information, see Configuring an HTTP Proxy for a Server Group.