Firewall Ports for Cohesity-Deployed SaaS Connectors

A typical SaaS Connector connects with Cohesity DataProtect as a Service and with the Data Sources. The following diagrams show the source, destination, ports, and protocols for traffic between the Cohesity-deployed SaaS Connector and the Data Sources, and between the Cohesity-deployed SaaS Connector and Cohesity DataProtect as a Service.

More information is provided in the sections that follow the diagrams.

[Diagram: Firewall Port Requirements for AWS SaaS Connector]

[Diagram: Firewall Port Requirements for Azure SaaS Connector]

[Diagram: Legend]

SaaS Connector Management

Ensure that the following ports are open to allow communication between the Cohesity-deployed SaaS Connector(s) and Cohesity DataProtect as a Service:

| Source | Destination | Port | Protocol | Purpose |
|---|---|---|---|---|
| SaaS Connector | helios.cohesity.com | 443 | TCP | Connection used for control path. |
| SaaS Connector | *.awsglobalaccelerator.com | 443 | TCP | Connection used for control path. |
| SaaS Connector | helios-data.cohesity.com | 443 | TCP | Used to send telemetry data. |
| SaaS Connector | *.cloudfront.net | 443 | TCP | To download upgrade packages. |
| SaaS Connector | 8.8.8.8 or internal DNS | 53 | TCP, UDP | Host resolution. |
| SaaS Connector | time.google.com or internal NTP | 123, 323 | UDP | Incoming NTP requests are detected by port 123. Chrony is the default implementation of NTP used by recent versions of CentOS and RHEL. Open port 323 if you want to use the Chronyc tool to monitor the synchronization status of Chrony and make changes if necessary. |
| SaaS Connector | rt.cohesity.com | 22 or 443 | TCP | The Cohesity Support Channel uses Secure Shell (SSH) and listens through port 22 or 443. Port 22 is used by default and can be updated to 443 using the Cohesity CLI. For more information, see Manage the Support Channel. |

AWS SaaS Connector Specific

| Source | Destination | Port | Protocol | Purpose |
|---|---|---|---|---|
| SaaS Connector | production-rielcheck-us.dmaas.helios.cohesity.com, helios-production-rigelcheck-1.s3.us-east-2.amazonaws.com | 443 | TCP | Required to perform connectivity checks with the Cohesity Cloud Services. |
| SaaS Connector | *.s3.<region>.amazonaws.com, *.dmaas.helios.cohesity.com | 443 | TCP | Connection used for data path. |
| SaaS Connector | *.dmaas.helios.cohesity.com | 11117 | TCP | Connection used for data path. |

Azure SaaS Connector Specific

| Source | Destination | Port | Protocol | Purpose |
|---|---|---|---|---|
| SaaS Connector | prodsarigelcheck.blob.core.windows.net, rigelcheck-azure.cohesity.com | 443 | TCP | Precheck endpoints for connectivity. |
| SaaS Connector | *.blob.core.windows.net, *.dmaas.helios.cohesity.com | 443 | TCP | Connection used for data path. |
| SaaS Connector | management.azure.com, Login.windows.net | 443 | TCP | |
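
An added example, not part of the Cohesity documentation: a Python check that compares an egress allow-list against the hostname rows of the SaaS Connector Management table above (common rows plus the AWS data path) and reports the rows that no rule satisfies. The rule format (destination, port, protocol), the suffix-match wildcard semantics, and the names REQUIRED, covers, missing and SAMPLE_RULES are assumptions; the DNS, NTP, precheck and Azure rows are left out.

```python
from fnmatch import fnmatchcase

# Hostname rows from the SaaS Connector Management table (common rows plus the
# AWS data path). A tuple of ports means any one of them satisfies the row.
REQUIRED = [
    ("helios.cohesity.com", (443,), "tcp"),
    ("*.awsglobalaccelerator.com", (443,), "tcp"),
    ("helios-data.cohesity.com", (443,), "tcp"),
    ("*.cloudfront.net", (443,), "tcp"),
    ("rt.cohesity.com", (22, 443), "tcp"),  # support channel: 22 by default, or 443
    ("*.dmaas.helios.cohesity.com", (443,), "tcp"),
    ("*.dmaas.helios.cohesity.com", (11117,), "tcp"),
]


def covers(rule_dest, required_dest):
    """True if the allow-rule destination admits every host the requirement names."""
    rule_dest, required_dest = rule_dest.lower(), required_dest.lower()
    if rule_dest == required_dest:
        return True
    if required_dest.startswith("*."):
        # A wildcard requirement needs a wildcard rule on the same or a parent domain;
        # a rule for one concrete host under it is not enough.
        return rule_dest.startswith("*.") and required_dest.endswith(rule_dest[1:])
    return fnmatchcase(required_dest, rule_dest)


def missing(allow_rules, required=REQUIRED):
    """Return the required (destination, ports, protocol) rows no allow rule satisfies."""
    gaps = []
    for dest, ports, proto in required:
        satisfied = any(
            r_proto.lower() == proto and r_port in ports and covers(r_dest, dest)
            for r_dest, r_port, r_proto in allow_rules
        )
        if not satisfied:
            gaps.append((dest, ports, proto))
    return gaps


# Constructed sample allow-list in an assumed (destination, port, protocol) format.
SAMPLE_RULES = [
    ("*.cohesity.com", 443, "TCP"),
    ("*.awsglobalaccelerator.com", 443, "TCP"),
    ("example-host.cloudfront.net", 443, "TCP"),  # one host, not the wildcard
]

if __name__ == "__main__":
    for dest, ports, proto in missing(SAMPLE_RULES):
        print(f"MISSING {proto} {dest} port {' or '.join(map(str, ports))}")
```

With the constructed sample rules, the check reports the *.cloudfront.net row and the port 11117 data-path row as not covered.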

AWS

Ensure that the following ports are open to allow communication between the Cohesity SaaS Connector(s) and the AWS account:

| Source | Destination | Port | Protocol | Purpose |
|---|---|---|---|---|
| SaaS Connector | AWS EC2 and RDS Ingest | 443 | TCP | Required for Backup and Recovery operations. |
| SaaS Connector | AWS RDS instance | 5432 or User-configured-Postgres port | TCP | Required for communication with Postgres server. |
| SaaS Connector | AWS RDS instance | 11117 | TCP | Required for Postgres backup and recovery. |
| SaaS Connector | AWS EC2 | 50051 | TCP | Required for EC2 file-level recovery. |
| AWS EC2 and RDS Ingest | SaaS Connector | 443 | TCP | Required for Backup and Recovery operations. |

Azure

Ensure that the following ports are open to allow communication between the Cohesity SaaS Connector(s) and the Azure Source:

| Source | Destination | Port | Protocol | Purpose |
|---|---|---|---|---|
| SaaS Connector | Azure VM and SQL | 443 | TCP | Required for Backup and Recovery operations. |
| Azure VM and SQL | SaaS Connector | 443 | TCP | |
| Azure VM and SQL | SaaS Connector | 1443 | TCP | |
| SaaS Connector | Azure VM | 50051 | TCP | Required for Azure VM file-level recovery. |