> Software > Get started

Configure network connectivity for Commvault

Commvault uses a service-based architecture where components communicate over secure, outbound-first connections to perform backup, restore, and management operations.

How communication works

Understanding how components communicate helps you configure firewall rules correctly and avoid over-permissive or incomplete configurations.

Commvault communication follows these principles:

  • Most connections are outbound from your environment

  • Components communicate over secure HTTPS (TCP 443) whenever possible

  • Some workflows require direct communication between components for data transfer

Control plane and data plane

Commvault separates communication into these types:

  • Control plane traffic: Used for authentication, job orchestration, and configuration. This traffic typically uses HTTPS (TCP 443)

  • Data plane traffic: Used for transferring backup and restore data. This traffic might use additional ports depending on your deployment

  • Your resources and access nodes initiate outbound connections to Commvault services.

  • Backup data is sent directly to cloud storage

  • In most cases, no inbound firewall rules are required

  • Components such as clients, MediaAgents, and the control plane communicate with each other

  • Some connections are initiated by clients, while others are initiated by infrastructure components

  • You must allow communication between components based on your architecture

Key concepts

  • Directionality:

    • Outbound: Initiated from your environment to another system

    • Inbound: Initiated from another system into your environment. Most Commvault deployments minimize inbound connections

  • Initiation: For each connection, one component always initiates communication. Firewall rules must allow traffic in the correct direction for that initiating component

  • Conditional connectivity: Some connections are required in these cases:

    • During backup operations

    • During restore operations

    • When specific features are enabled

Connectivity flow for backups

During backups, data typically flows outward from your workloads.

Flow:

  1. The access node initiates a connection to the workload.

  2. The access node sends control traffic to Commvault services over HTTPS (TCP 443).

  3. Backup data is transferred to cloud storage.

Key characteristics:

  • Connections are primarily outbound

  • Backup data flows from workloads to storage

  • No inbound connections are required in most cases

Flow:

  1. The client communicates with the MediaAgent over TCP 8400

  2. The MediaAgent coordinates backup operations

  3. Backup data is written to storage using configured data ports

Key characteristics:

  • Clients typically initiate communication

  • Data flows from client → MediaAgent → storage

  • Additional ports might be used for data transfer

Connectivity flow for restores

Restore operations often require different connectivity than backups.

Flow:

  1. The access node retrieves backup data from storage

  2. The access node initiates a connection to the target workload

  3. Data is transferred back to the workload

Key characteristics:

  • Restore traffic might require connectivity to the target environment

  • Network paths used during restore might differ from backup paths

Flow:

  1. The MediaAgent reads backup data from storage

  2. The MediaAgent sends data to the client

  3. The client receives and restores the data

Key characteristics:

  • The MediaAgent might initiate data transfer to the client

  • Misconfigured inbound rules can cause restore failures even if backups succeed

Common connectivity problems

  • Backups succeed but restores fail due to missing inbound rules

  • Firewall rules allow control traffic but block data transfer ports

  • SSL inspection interferes with secure communication

  • Dynamic port ranges are too small for concurrent jobs

Network and port requirements

Use the following requirements to configure firewall rules in your environment.

In most cases, only outbound HTTPS (TCP 443) is required. No inbound firewall rules are needed unless you configure an access node.

Core connectivity

  • Open TCP 443 (HTTPS) outbound to:

    • *.metallic.io: Commvault services

    • *.blob.core.windows.net: Azure storage

    • *.cloudapp.azure.com: Azure infrastructure

    • *.s3.amazonaws.com: AWS storage (if used)

Access node connectivity

  • If you configure an access node, open these ports:

    • TCP 8400: Control communication between the access node and workloads

    • TCP 8403: Data transfer between the access node and workloads

Firewall requirements

  • Do not use:

    • SSL inspection

    • SNI-based filtering

    • URL-based filtering

  • Allow traffic using FQDNs (recommended) or IP ranges

IP allowlisting

Allow Commvault service IP ranges for:

  • Access node communication

  • Cloud and SaaS workloads

Core communication ports

  • Open:

    • TCP 8400 (default CVD port)

    • TCP 8403 (data/control traffic)

  • Allow communication between:

    • Control plane

    • MediaAgents

    • Clients

Additional ports (if applicable)

  • Web / Command Center: TCP 80, 443

  • Control plane ↔ SQL Server: TCP 1433

  • Index server: TCP 81

  • Search / Web services: TCP 27000

  • MediaAgent data transfer: Dynamic port range (configurable)

Data transfer ports

  • Backup and restore operations use a dynamic port range by default.

  • If firewalls are restrictive:

    • Configure a fixed port range

    • Make sure the range supports concurrent jobs

Firewall requirements

  • Allow required communication between components based on your architecture

  • Avoid deep packet inspection or SSL inspection on internal traffic

  • Use consistent port configurations across all nodes

IP allowlisting

If integrating with cloud or external services:

  • Allow outbound access to required service endpoints

  • Maintain updated allowlists based on your environment

×

Loading...