Firewall Ports for Cohesity-Deployed SaaS Connectors
A typical SaaS Connector connects with the Cohesity DataProtect as a Service and the Data Sources. The following diagrams show the source, destination, ports, and protocols for traffic flow between the Cohesity-deployed SaaS Connector and the Data Sources, and the Cohesity-deployed SaaS Connector and Cohesity DataProtect as a Service.
More information is provided in the sections that follow the diagrams.
Firewall Port Requirements for AWS SaaS Connector
Firewall Port Requirements for Azure SaaS Connector
Legend
SaaS Connector Management
Ensure that the following ports are open to allow communication between the Cohesity-deployed SaaS Connector(s) and Cohesity DataProtect as a Service:
| Source | Destination | Port | Protocol | Purpose |
|---|---|---|---|---|
| SaaS Connector |
|
443 | TCP | Connection used for control path. |
| SaaS Connector | *.awsglobalaccelerator.com | 443 | TCP | Connection used for control path. |
| SaaS Connector |
|
443 | TCP | Used to send telemetry data. |
| SaaS Connector | *.cloudfront.net | 443 | TCP | To download upgrade packages. |
| SaaS Connector | 8.8.8.8 or internal DNS | 53 | TCP, UDP | Host resolution. |
| SaaS Connector | time.google.com or internal NTP | 123, 323 | UDP |
Incoming NTP requests are detected by port 123. Chrony is the default implementation of NTP used by recent versions of CentOS and RHEL. Open port 323 if you want to use the Chronyc tool to monitor the synchronization status of Chrony and make changes if necessary. |
| SaaS Connector | rt.cohesity.com | 22 or 443 | TCP | The Cohesity Support Channel uses Secure Shell (SSH) and listens through port 22 or 443. Port 22 is used by default and can be updated to 443 using the Cohesity CLI. For more information, see Manage the Support Channel. |
| AWS SaaS Connector Specific | ||||
| SaaS Connector |
production-rielcheck-us.dmaas.helios.cohesity.com helios-production-rigelcheck-1.s3.us-east-2.amazonaws.com |
443 | TCP | Required to perform connectivity checks with the Cohesity Cloud Services. |
| SaaS Connector |
*.s3.<region>.amazonaws.com
|
443 | TCP | Connection used for data path. |
| SaaS Connector |
|
11117 | TCP | Connection used for data path. |
| Azure SaaS Connector Specific | ||||
| SaaS Connector |
prodsarigelcheck.blob.core.windows.net rigelcheck-azure.cohesity.com |
443 | TCP | Precheck endpoints for connectivity. |
| SaaS Connector |
*.blob.core.windows.net *.dmaas.helios.cohesity.com |
443 | TCP | Connection used for data path. |
| SaaS Connector | management.azure.com Login.windows.net | 443 | TCP | |
AWS
Ensure that the following ports are open to allow communication between the Cohesity SaaS Connector(s) and AWS account:
| Source | Destination | Port | Protocol | Purpose |
|---|---|---|---|---|
| SaaS Connector | AWS EC2 and RDS Ingest | 443 | TCP |
Required for Backup and Recovery operations. |
| SaaS Connector | AWS RDS instance |
5432 or User-configured-Postgres port |
TCP | Required for communication with Postgres server. |
| SaaS Connector | AWS RDS instance | 11117 | TCP | Required for Postgres backup and recovery. |
| SaaS Connector | AWS EC2 | 50051 | TCP | Required for EC2 file-level recovery. |
| AWS EC2 and RDS Ingest | SaaS Connector | 443 | TCP | Required for Backup and Recovery operations. |
Azure
Ensure that the following ports are open to allow communication between the Cohesity SaaS Connector(s) and Azure Source:
| Source | Destination | Port | Protocol | Purpose |
|---|---|---|---|---|
| SaaS Connector | Azure VM and SQL | 443 | TCP |
Required for Backup and Recovery operations. |
| Azure VM and SQL | SaaS Connector | 443 | TCP | |
| Azure VM and SQL | SaaS Connector | 1443 | TCP | |
| SaaS Connector | Azure VM | 50051 | TCP | Required for Azure VM file-level recovery. |
