Loading...

Include child pages

Required outbound connections for Air Gap Protect storage

To communicate with your storage, Air Gap Protect requires that certain endpoints (URLs) be opened.

Summary of endpoints to allowlist

Category	Endpoint	Purpose	Required	Protocol / Port
Authentication	`login.microsoftonline.com`	Azure Active Directory (AAD) authentication to obtain OAuth tokens for AGP service access and Azure Blob Storage (when configured)	Yes	HTTPS / 443
Control plane	`api.mcss.metallic.[region]`	AGP service endpoint for configuration, storage provisioning, credential rotation, job orchestration, and monitoring	Yes	HTTPS / 443
Data plane (Amazon S3)	`*.s3.[region].amazonaws.com`	Amazon S3 endpoint for backup writes, restore reads, and pruning operations (includes bucket-specific endpoints)	Yes (if you use Amazon S3)	HTTPS / 443
Data plane (Azure Blob Storage)	`*.blob.core.windows.net`	Azure Blob Storage endpoint for backup, restore, and pruning operations	Yes (if you use Azure Blob Storage)	HTTPS / 443
Optional	`www.commvault.com`	Access to Commvault-hosted EULA and documentation (non-data path)	No	HTTPS / 443
Optional	`metallic.io`	Access to Commvault SaaS portal and administrative UI (non-data path)	No	HTTPS / 443

Note

Replace [region] with the region the MediaAgent is in.
If your environment requires an HTTP proxy for outbound internet access, configure the proxy.

Amazon S3

Source	Destination	TCP/UDP	Port	Commvault SaaS	Commvault software
Control plane	https://login.microsoftonline.com	TCP	443	--	Yes
Control plane	https://api.mcss.metallic.io (40.75.17.108)	TCP	443	--	Yes
Control plane	https://metallic.io	TCP	443	--	Yes
Control plane	https://www.commvault.com	TCP	443	--	Yes
MediaAgent	s3.[region].amazonaws.com	TCP	443	Yes	Yes
MediaAgent	s3.us-gov-east-1.amazonaws.com	TCP	443	Yes	Yes
MediaAgent	s3.us-gov-west-1.amazonaws.com	TCP	443	Yes	Yes

Azure Blob Storage

Azure global regions

Source	Destination	TCP/UDP	Port	Commvault SaaS	Commvault software
Control plane	https://login.microsoftonline.com	TCP	443	--	Yes
Control plane	https://api.mcss.metallic.io (40.75.17.108)	TCP	443	--	Yes
Control plane	https://metallic.io	TCP	443	--	Yes
Control plane	https://www.commvault.com	TCP	443	--	Yes
MediaAgent	*.blob.core.windows.net	TCP	443	Yes	Yes
MediaAgent	https://login.microsoftonline.com	TCP	443	Yes	Yes

Azure Government regions

Source	Destination	TCP/UDP	Port	Commvault SaaS	Commvault software
Control plane	https://login.microsoftonline.com	TCP	443	--	Yes
Control plane	https://api.mcss.metallic.io (40.75.17.108)	TCP	443	--	Yes
Control plane	https://metallic.io	TCP	443	--	Yes
Control plane	https://www.commvault.com	TCP	443	--	Yes
MediaAgent	*.blob.core.usgovcloudapi.net	TCP	443	Yes	Yes
MediaAgent	https://login.microsoftonline.us	TCP	443	Yes	Yes

Google Cloud Storage

Source	Destination	TCP/UDP	Port	Commvault SaaS	Commvault software
Control plane	https://login.microsoftonline.com	TCP	443	--	Yes
Control plane	https://api.mcss.metallic.io (40.75.17.108)	TCP	443	--	Yes
Control plane	https://metallic.io	TCP	443	--	Yes
Control plane	https://www.commvault.com	TCP	443	--	Yes
MediaAgent	storage.googleapis.com	TCP	443	Yes	Yes

OCI Object Storage

Source	Destination	TCP/UDP	Port	Commvault SaaS	Commvault software
Control plane	https://login.microsoftonline.com	TCP	443	--	Yes
Control plane	https://api.mcss.metallic.io (40.75.17.108)	TCP	443	--	Yes
Control plane	https://metallic.io	TCP	443	--	Yes
Control plane	https://www.commvault.com	TCP	443	--	Yes
MediaAgent	objectstorage.[region].oraclecloud.com	TCP	443	Yes	Yes
MediaAgent	identity.[region].oraclecloud.com	TCP	443	Yes	Yes

Page contents

Summary of endpoints to allowlist
- Azure global regions
- Azure Government regions

Loading...