The following are the minimum network configurations for the installation, registration, and ongoing communication between the CommServe server, MediaAgents, and access nodes in an AWS environment.
Use the following information to configure network ACLs (NACLs) and Security Groups within and across your Amazon VPCs.
The Commvault cvd daemon runs on TCP (8403) and uses mutually authenticated SSL or mutual TLS (mTLS) to authenticate and register clients and then send/receive control and data plane traffic. You can use a different port, such as TCP (443).
Incoming TCP (8403) is required on all MediaAgents and access nodes from the CommServe server. Incoming TCP (8403) is required on all access nodes from the MediaAgents. MediaAgents and access nodes can be hosted on the compute instance.
In the security group sg-1a2b3c4d, the label "All traffic sg-1a2b3c4d" appears for inbound and outbound traffic. This security group configuration allows instances that are part of this security group to communicate with each other.
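As an added example that is not part of the Commvault documentation, the Python below expresses the minimum inbound rules above (CommServe to MediaAgents and access nodes, MediaAgents to access nodes, TCP 8403 or an alternative port) as boto3-style IpPermissions and checks a candidate rule set for missing rules and for rules open to 0.0.0.0/0. The three security-group IDs are constructed placeholders.

```python
# Added example, not Commvault code. Models the minimum cvd ingress rules as
# boto3 IpPermissions dicts and validates a candidate security-group rule set.
CVD_PORT = 8403  # cvd daemon port from the page; TCP 443 is a documented alternative

SG_COMMSERVE = "sg-0commserve0"      # constructed placeholder IDs
SG_MEDIAAGENT = "sg-0mediaagent0"
SG_ACCESSNODE = "sg-0accessnode0"


def cvd_rule(source_sg: str, port: int = CVD_PORT) -> dict:
    """One inbound rule in the shape authorize_security_group_ingress expects."""
    return {"IpProtocol": "tcp", "FromPort": port, "ToPort": port,
            "UserIdGroupPairs": [{"GroupId": source_sg}]}


def required_ingress(port: int = CVD_PORT) -> dict:
    """Minimum inbound rules keyed by target SG, as described on the page."""
    return {
        SG_MEDIAAGENT: [cvd_rule(SG_COMMSERVE, port)],
        SG_ACCESSNODE: [cvd_rule(SG_COMMSERVE, port), cvd_rule(SG_MEDIAAGENT, port)],
    }


def allows(rule: dict, port: int, source_sg: str) -> bool:
    """True if a rule (port range or all-traffic '-1') admits TCP port from source_sg."""
    proto = rule.get("IpProtocol")
    if proto not in ("tcp", "-1"):
        return False
    if proto == "tcp" and not (rule.get("FromPort", 0) <= port <= rule.get("ToPort", 65535)):
        return False
    return any(p.get("GroupId") == source_sg for p in rule.get("UserIdGroupPairs", []))


def check_ingress(candidate: dict, port: int = CVD_PORT) -> dict:
    """Report required rules absent from candidate and rules open to the world."""
    missing, open_to_world = [], []
    for target, rules in required_ingress(port).items():
        for need in rules:
            src = need["UserIdGroupPairs"][0]["GroupId"]
            if not any(allows(r, port, src) for r in candidate.get(target, [])):
                missing.append((target, src, port))
    for target, rules in candidate.items():
        for r in rules:
            if any(ip.get("CidrIp") == "0.0.0.0/0" for ip in r.get("IpRanges", [])):
                open_to_world.append((target, r.get("FromPort"), r.get("ToPort")))
    return {"missing": missing, "open_to_world": open_to_world}
```

The self-referencing "All traffic" rule from the page is accepted by `allows()` via the `-1` protocol, so a single shared group passes the check without per-port entries.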
Encryption of Network Traffic
The AWS Well-Architected Framework recommends encrypting everything in the cloud. The following details describe the use of encryption for data in flight, or "on the wire":
By default, all communication from Commvault MediaAgents or clients to Amazon S3 cloud libraries uses HTTPS, which ensures that all in-flight traffic is encrypted.
Control-plane traffic between the CommServe server, MediaAgents, and access nodes is encrypted by default.
Data plane traffic between the CommServe server, MediaAgents, and access nodes is encrypted by default.
Recommendation: Enable data-plane encryption on all communication (via public internet, via private communication links). To enable data plane encryption, configure a Commvault network route to force all communication into a Commvault-encrypted tunnel that is FIPS-140-2 compliant.
Commvault supports the use of HTTP proxies (authenticated, transparent) between Commvault components (CommServe server, MediaAgents, access nodes) and AWS service endpoints.
Note: When performing Amazon EC2 backup and recovery using Amazon EBS direct APIs, Commvault does not honor configured HTTP proxies. A direct network path between the access node and the Amazon EBS direct API endpoint is required.
The following pages provide information about Commvault networking requirements and features: