Veeam and Network Segmentation: Firewall Rules for Every Component
1. Why This Article Exists
Veeam's official port documentation is spread across a dozen pages in the help center, organized by product guide rather than by network flow. If you are a network engineer building firewall rules for a segmented Veeam deployment, you have to cross-reference the vSphere user guide, the Hyper-V user guide, the Cloud Connect guide, the Agent Management guide, and the Enterprise Manager guide to build a complete rule set. Most people get this wrong the first time because they miss one flow and backups fail silently until someone notices.
This article consolidates every component-to-component port requirement into a single reference. All port numbers are confirmed against the Veeam v13 help center documentation. VBR automatically creates Windows Firewall rules on Windows machines. On Linux machines and third-party firewalls, you must create these rules manually.
v13 Change: Port 443
In v13, the VBR management port changed from 9392 to 443 for the web UI. The REST API remains on port 9419. Both must be accessible from the management network.
2. Backup Server (Core Ports)
The backup server is the hub. Every other component communicates with it. These ports must be open from/to the VBR server for core operations.
| From | To | Port | Protocol | Purpose |
|---|---|---|---|---|
| VBR Server | Windows Managed Servers | 135, 137-139, 445 | TCP/UDP | RPC, NetBIOS, SMB (ADMIN$ share for component deployment) |
| VBR Server | Windows Managed Servers | 6160 | TCP | Veeam Installer Service |
| VBR Server | All Managed Servers | 6162 | TCP | Veeam Data Mover (Transport Service) |
| VBR Server | All Managed Servers | 2500-3300 | TCP | Data transmission channels (one port per task) |
| VBR Server | Linux Managed Servers | 22 | TCP | SSH (initial deployment and configuration changes) |
| Console/Browser | VBR Server | 443 | TCP | Web UI (v13) |
| Console/Browser | VBR Server | 9419 | TCP | REST API and Swagger UI |
| VBR Server | PostgreSQL | 5432 | TCP | Configuration database (if external PostgreSQL) |
ADMIN$ Share Requirement
VBR needs access to the ADMIN$ share (TCP 445) on Windows managed servers to deploy runtime components. Windows Firewall blocks this by default. If you manage firewall rules via Group Policy, explicitly allow TCP 445 inbound from the VBR server IP on all Windows proxies, repositories, and mount servers. As of v13.0.1, Linux proxies cannot perform application-aware processing on Windows VMs, so a Windows proxy with ADMIN$ access is still required for that function.
3. Backup Proxy (VMware, Hyper-V, General Purpose)
| From | To | Port | Protocol | Purpose |
|---|---|---|---|---|
| VBR Server | Proxy | 6160 | TCP | Veeam Installer Service |
| VBR Server | Proxy | 6162 | TCP | Veeam Data Mover |
| VBR Server | Proxy | 2500-3300 | TCP | Data transmission channels |
| Proxy | Repository | 2500-3300 | TCP | Data transfer from proxy to repository |
| Proxy (VMware) | ESXi Hosts | 443 | TCP | NBD/NBDSSL transport mode |
| Proxy (VMware) | ESXi Hosts | 902 | TCP | NFC (VMware Network File Copy) for data transfer |
| Proxy (Hyper-V) | Hyper-V Host | 445 | TCP | SMB for data access |
For VMware hot-add transport mode, the proxy must be a VM on the same ESXi host or cluster as the VMs being backed up. No additional network ports are required for hot-add because data flows through the virtual disk attach mechanism, not the network. For SAN transport mode (direct storage access), the proxy needs FC or iSCSI connectivity to the storage array, which is a storage network requirement, not a firewall rule.
4. Backup Repository (Windows, Linux, Hardened)
| From | To | Port | Protocol | Purpose |
|---|---|---|---|---|
| VBR Server | Repository | 6162 | TCP | Veeam Data Mover (management) |
| Proxy | Repository | 2500-3300 | TCP | Data transmission |
| VBR Server | Windows Repository | 6160 | TCP | Veeam Installer Service |
| VBR Server | Linux Repository | 22 | TCP | SSH (initial deployment only; disable afterwards on hardened repositories) |
| Repository | Object Storage | 443 | TCP | HTTPS for S3/Azure Blob/GCS capacity tier offload |
For hardened repositories, SSH (port 22) is only required during initial managed server setup and component upgrades. After setup, disable SSH. All ongoing communication uses the Veeam Transport Service on port 6162 and data channels on 2500-3300 using certificate-based authentication.
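A hardened Linux repository is the one place in this design where you write the rules by hand, because VBR only auto-creates Windows Firewall rules. The following is an added example, not code from the article or from Veeam: a POSIX shell function that emits an nftables input ruleset implementing the repository table above, with SSH from the backup server allowed only while a setup or upgrade window is open. The addresses 10.0.1.10 (backup server) and 10.0.3.0/24 (proxy network) are placeholders for your own management and backup data zones.

```shell
#!/bin/sh
# Added example: nftables inbound policy for a hardened Linux repository.
# Placeholder addresses, replace with your own zones.
VBR_IP="${VBR_IP:-10.0.1.10}"          # placeholder: backup server (management zone)
PROXY_NET="${PROXY_NET:-10.0.3.0/24}"  # placeholder: backup proxies (backup data zone)

# gen_repo_rules <allow_ssh: 0|1>
# Emits an nftables ruleset: TCP 6162 (Data Mover) from the backup server,
# TCP 2500-3300 (data channels) from the backup server and the proxies,
# TCP 22 from the backup server only while allow_ssh=1, everything else dropped.
gen_repo_rules() {
    allow_ssh="$1"
    cat <<EOF
table inet veeam_repo {
    chain input {
        type filter hook input priority 0; policy drop;
        ct state established,related accept
        iif lo accept
        # Veeam Data Mover (management channel) from the backup server only
        ip saddr $VBR_IP tcp dport 6162 accept
        # Data transmission channels from the backup server and the proxies
        ip saddr { $VBR_IP, $PROXY_NET } tcp dport 2500-3300 accept
EOF
    if [ "$allow_ssh" = "1" ]; then
        cat <<EOF
        # SSH from the backup server, only during setup and upgrade windows
        ip saddr $VBR_IP tcp dport 22 accept
EOF
    fi
    cat <<EOF
    }
}
EOF
}

# count_accepts <allow_ssh> -> number of accept rules in the generated ruleset
# (a quick self-check that the SSH toggle adds exactly one rule)
count_accepts() {
    gen_repo_rules "$1" | grep -c 'accept$'
}

# Usage: gen_repo_rules 1 | nft -f -   (setup/upgrade window)
#        gen_repo_rules 0 | nft -f -   (steady state, SSH closed)
```

The ruleset only constrains the input hook; the repository's outbound HTTPS (443) to object storage for capacity tier offload is unaffected and, if you also filter egress, needs its own output rule. Regenerating with `0` after the setup window is the "disable SSH" step from the paragraph above, applied as a rule change rather than by stopping sshd, so the service can stay installed for the next upgrade.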
5. Mount Server
| From | To | Port | Protocol | Purpose |
|---|---|---|---|---|
| VBR Server | Mount Server | 6170 | TCP | Mount Service communication |
| VBR Server | Mount Server | 6162 | TCP | Veeam Data Mover |
| Mount Server | Target VM (FLR) | 2500-3300 | TCP | File Level Recovery data transfer |
| Mount Server (vPower NFS) | ESXi Hosts | 6161 | TCP | vPower NFS Service |
| Mount Server (vPower NFS) | ESXi Hosts | 111, 1058+, 2049+ | TCP/UDP | NFS portmapper, mount, NFS protocol |
The vPower NFS ports (6161, 111, 1058+, 2049+) are only needed if you use Instant VM Recovery, SureBackup, or On-Demand Sandbox. These features mount backup data as an NFS datastore on the ESXi host. If you do not use these features, the vPower NFS ports can remain closed.
6. VMware vSphere Infrastructure
| From | To | Port | Protocol | Purpose |
|---|---|---|---|---|
| VBR Server | vCenter Server | 443 | TCP | vSphere Web Services SDK (HTTPS) |
| VBR Server | ESXi Hosts | 443 | TCP | ESXi management (for direct host operations) |
| Proxy | ESXi Hosts | 443 | TCP | NBD/NBDSSL data transport |
| Proxy | ESXi Hosts | 902 | TCP | NFC data transport |
7. Guest Interaction (Application-Aware Processing, FLR)
| From | To | Port | Protocol | Purpose |
|---|---|---|---|---|
| VBR Server / Proxy | Windows VM Guest | 445, 135 | TCP | Runtime process deployment for AAP |
| VBR Server / Proxy | Windows VM Guest | 6160, 11731 | TCP | Veeam Installer Service (default and failover) |
| VBR Server / Proxy | Windows VM Guest | 6173 | TCP | Veeam Guest Helper (persistent agent for guest processing) |
| VBR Server | Linux VM Guest | 22 | TCP | SSH control channel for guest processing |
| VBR Server / Mount Server | VM Guest | 2500-3300 | TCP | Data transfer for FLR and guest processing |
| VBR Server | Windows VM Guest | 49152-65535 | TCP | Dynamic RPC (if default firewall rules do not cover VBR runtime) |
Application-aware processing is what makes Veeam's SQL, Oracle, AD, and Exchange backups transactionally consistent. If these ports are blocked, AAP will fail and you get crash-consistent backups only. The "RPC function call failed" error during guest processing is almost always a firewall issue on the guest or between the proxy and the guest network.
8. Veeam ONE
| From | To | Port | Protocol | Purpose |
|---|---|---|---|---|
| Veeam ONE Server | VBR Server | 9419 | TCP | REST API data collection |
| Veeam ONE Server | vCenter Server | 443 | TCP | vSphere infrastructure monitoring |
| Veeam ONE Agent | Veeam ONE Server | 2805 | TCP | Agent communication |
| Browser | Veeam ONE Web UI | 1239 | TCP | Veeam ONE Reporter web interface |
9. Cloud Connect Gateway
| From | To | Port | Protocol | Purpose |
|---|---|---|---|---|
| Tenant VBR / Agent | Cloud Connect Gateway | 6180 | TCP | Cloud Connect management and data (default) |
| Cloud Connect Gateway | SP VBR Server | 6162 | TCP | Data Mover to internal infrastructure |
| Cloud Connect Gateway | SP Repository | 2500-3300 | TCP | Data transfer to cloud repository |
Port 6180 is the only port that needs to be exposed to the public internet for Cloud Connect. All tenant traffic flows through this single port. It carries both control plane and data plane traffic, encrypted with TLS. Do not expose any other VBR port to the internet.
10. Enterprise Manager
| From | To | Port | Protocol | Purpose |
|---|---|---|---|---|
| Browser | Enterprise Manager | 9443 | TCP | EM Web UI |
| Enterprise Manager | VBR Server | 9392 | TCP | VBR server communication |
| Enterprise Manager | PostgreSQL / SQL Server | 5432 / 1433 | TCP | EM configuration database |
| REST API Client | Enterprise Manager | 9398 | TCP | EM REST API (separate from VBR REST API on 9419) |
11. Agent Management
| From | To | Port | Protocol | Purpose |
|---|---|---|---|---|
| VBR Server | Windows Agent | 6160 | TCP | Veeam Installer Service (push deployment) |
| VBR Server | Linux Agent | 22 | TCP | SSH (push deployment) |
| Agent (Win/Lin) | VBR Server | 6162 | TCP | Management communication |
| Agent (Win/Lin) | Repository | 2500-3300 | TCP | Backup data transfer |
12. Plug-in Workloads (AHV, Proxmox)
| From | To | Port | Protocol | Purpose |
|---|---|---|---|---|
| VBR Server | Nutanix Prism Central | 9440 | TCP | Prism Central REST API |
| AHV Worker | Repository | 2500-3300 | TCP | Backup data transfer |
| AHV Worker | VBR Server | 6162 | TCP | Management |
| VBR Server | Proxmox Host | 8006 | TCP | Proxmox API |
| Proxmox Worker | Repository | 2500-3300 | TCP | Backup data transfer |
| Proxmox Worker | VBR Server | 6162 | TCP | Management |
13. Putting It Together: A Segmented Network Design
Here is a reference design for a segmented Veeam deployment with four network zones.
Zone 1: Management Network
Contains the VBR server, Veeam ONE server, Enterprise Manager, and admin workstations. Firewall allows outbound to all other zones on the specific ports listed above. No inbound from the backup data network except for REST API polling (if Veeam ONE is on the management network and VBR is elsewhere).
Zone 2: Production / Hypervisor Network
Contains vCenter, ESXi hosts, Hyper-V hosts, and VM guest networks. Firewall allows inbound from management network (VBR to vCenter on 443, VBR to ESXi on 443/902) and inbound from the proxy network (proxy to ESXi on 443/902). Guest processing requires inbound from proxy/VBR to guest VMs on the guest interaction ports.
Zone 3: Backup Data Network
Contains backup proxies and backup repositories. This is the high-bandwidth zone where actual backup data flows. Firewall allows inbound from production network (proxy reads from hypervisor) and outbound to repository on 2500-3300. The management network reaches this zone on 6160, 6162, and 2500-3300. Object storage offload goes from repository to the internet on 443.
Zone 4: Isolated Recovery / Cloud Connect
Contains the Cloud Connect gateway, SureBackup lab, and instant recovery staging. The gateway exposes port 6180 to the internet (or to tenant networks). Internally, it communicates with the SP VBR server and repository on the standard ports. SureBackup labs should be completely isolated from production with no routing to prevent accidental production impact during recovery testing.
The Most Common Mistake
Opening "all traffic" between VBR and everything else because the port list is long. That defeats the purpose of segmentation. Build your rules per component, per direction. The tables in this article give you exactly what you need and nothing more.
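Because a missed flow shows up as a silent backup failure rather than a firewall alert, it is worth probing every per-component, per-direction flow before the first job runs. The script below is an added example, not part of the article or of Veeam's tooling. It runs from a Linux host in the management zone and needs bash (for `/dev/tcp`) and coreutils `timeout`; the hostnames are placeholders and the purpose labels are tags for the verdict logic only. It distinguishes a refused connection (path clear, nothing listening) from a silent timeout (almost always a missing rule), which matters for the 2500-3300 range because those channels are opened per task and are normally closed between jobs.

```shell
#!/bin/bash
# Added example: reachability pre-check for the Veeam flows in this article,
# run from the management zone. Hostnames below are placeholders.

# probe_tcp <host> <port> [timeout] -> prints open | refused | filtered
# "refused" = RST received, so the network path is clear but nothing listens;
# "filtered" = no answer at all, which on a segmented network almost always
# means a missing firewall rule (or a host that is down).
probe_tcp() {
    host="$1"; port="$2"; tmo="${3:-3}"
    err=$(timeout "$tmo" bash -c "exec 3<>/dev/tcp/$host/$port" 2>&1)
    rc=$?
    if [ "$rc" -eq 0 ]; then
        echo open
    elif [ "$rc" -ne 124 ] && printf '%s' "$err" | grep -qi 'refused'; then
        echo refused
    else
        echo filtered    # timeout (rc 124), unresolvable host, or any other error
    fi
}

# verdict_for <state> <purpose> -> OK | OK-idle | FAIL-no-listener | FAIL-filtered
# Data channels (2500-3300) are opened per task, so "refused" there is fine;
# an always-on service (Installer, Data Mover, vCenter, NFC) that refuses is not.
verdict_for() {
    case "$1" in
        open) echo OK ;;
        refused)
            if [ "$2" = "DataChannel" ]; then echo OK-idle; else echo FAIL-no-listener; fi ;;
        *) echo FAIL-filtered ;;
    esac
}

# Constructed flow list (host port purpose): what the backup server must reach.
# One representative port is probed for the 2500-3300 range.
FLOWS='proxy01.example.internal 6160 Installer
proxy01.example.internal 6162 DataMover
proxy01.example.internal 2500 DataChannel
repo01.example.internal 6162 DataMover
repo01.example.internal 2500 DataChannel
vcenter.example.internal 443 vSphereSDK
esxi01.example.internal 902 NFC'

# check_flows [probe_fn] -> prints one line per flow; return value = number of FAIL verdicts
# The probe function is a parameter so the verdict logic can be exercised offline.
check_flows() {
    probe="${1:-probe_tcp}"
    fails=0
    while read -r host port purpose; do
        [ -z "$host" ] && continue
        state=$("$probe" "$host" "$port")
        verdict=$(verdict_for "$state" "$purpose")
        printf '%-28s %-5s %-12s %s\n' "$host" "$port" "$purpose" "$verdict"
        case "$verdict" in FAIL*) fails=$((fails + 1)) ;; esac
    done <<EOF
$FLOWS
EOF
    return "$fails"
}

# Usage: RUN_CHECKS=1 ./veeam-flow-check.sh ; exit code = number of broken flows
if [ "${RUN_CHECKS:-0}" = "1" ]; then
    check_flows
fi
```

Extend `FLOWS` with the rows from the tables that apply to your deployment (one line per source host you can run the script from), and run it again from a proxy and from the mount server, since several flows originate there rather than at the backup server. A non-zero exit code tells you which rule is missing before a job reports "RPC function call failed" or quietly falls back to crash-consistent backups.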
Key Takeaways
- Port 6162 (Veeam Data Mover) and 2500-3300 (data channels) are the two ranges that appear in almost every component flow. These are your baseline.
- Port 6160 (Installer Service) is needed for Windows component deployment and upgrades.
- Port 443 serves triple duty: vSphere management, VBR Web UI (v13), and object storage offload. Segment these by source/destination, not just port number.
- Port 9419 (REST API) and 9398 (EM REST API) are separate endpoints on separate services. Do not confuse them.
- Cloud Connect uses a single external port (6180). This is the only port that should face the internet.
- Application-aware processing (SQL, Oracle, AD) requires guest network access on ports 445, 135, 6160, 6173, and the dynamic RPC range. Blocked guest ports are the number one cause of crash-consistent-only backups.
- For hardened repositories, SSH (22) is only needed during initial setup and upgrades. Close it permanently between those events.
- VBR auto-creates Windows Firewall rules. On Linux and third-party firewalls, you create them manually.