- Notes, cautions, and warnings
- Preface
- PowerProtect Data Manager for Kubernetes Overview
- About asset sources, assets, and storage
- Prerequisites
- Supported Internet Protocol versions
- Port usage
- Role-based security
- Data-in-flight encryption
- Roadmap for Kubernetes cluster protection
- Roadmap for Tanzu Kubernetes guest cluster protection
- Updating PowerProtect Data Manager from version 19.9 or earlier to the latest version in a Kubernetes environment
- Enabling the Kubernetes Cluster
- Adding a Kubernetes cluster asset source
- Prerequisites to Tanzu Kubernetes guest cluster protection
- Prerequisites to Kubernetes cluster discovery
- Enable an asset source
- Delete an asset source
- Add a VMware vCenter Server
- Add a Kubernetes cluster
- Controller Configurations
- Add a VM Direct Engine
- Protection engine limitations
- Managing Storage, Assets, and Protection for Kubernetes Clusters
- Add protection storage
- Replication triggers
- Add a protection policy for Kubernetes namespace protection
- Add a Cloud Tier objective to a protection policy
- Add a service-level agreement
- Extended retention
- Edit the retention period for backup copies
- Delete backup copies
- Using the PowerFlex volumegroup snapshot extension
- Protecting PVCs in PowerScale access zones
- Restoring Kubernetes Namespaces and PVCs
- Kubernetes Cluster Best Practices and Troubleshooting
- Configuration changes required for use of optimized data path and first class disks
- Recommendations and considerations when using a Kubernetes cluster
- Support Network File System (NFS) root squashing
- Update the Velero or OADP version used by PowerProtect Data Manager
- VM Direct protection engine overview
- Troubleshooting network setup issues
- Troubleshooting Kubernetes cluster issues
- Specify volumesnapshotclass for v1 CSI snapshots
- Enabling protection when the vSphere CSI driver is installed as a process
- Customizing PowerProtect Data Manager pod configuration
- Backups fail or hang on OpenShift after a new PowerProtect Data Manager installation or update from a 19.9 or earlier release
- Data protection operations for high availability Kubernetes cluster might fail when API server not configured to send ROOT certificate
- Kubernetes cluster on Amazon Elastic Kubernetes Service certificate considerations
- Removing PowerProtect Data Manager components from a Kubernetes cluster
- Increase the number of worker threads in Supervisor cluster backup-driver if Velero timeout occurs
- Velero pod backup and restore might fail if namespace being protected contains a large number of resources
- Pull images from Docker Hub as authenticated user if Docker pull limits reached
- Application-Consistent Database Backups in Kubernetes
- About application-consistent database backups in Kubernetes
- Obtain and deploy the CLI package
- About application templates
- Deploy application templates
- Perform application-consistent backups
- Verify application-consistent backups
- Disaster recovery considerations
- Granular-level restore considerations
- Log truncation considerations
PowerProtect Data Manager 19.11 Kubernetes User Guide
Port usage
This table summarizes the port requirements for PowerProtect Data Manager and its associated internal and external components or systems. PowerProtect Data Manager audits and blocks all ports that are not listed below.
The PowerProtect DD Security Configuration Guide provides more information about ports for DD systems and protocols.
| Source system | Destination system | Port | Protocol | TLS supported | Notes |
|---|---|---|---|---|---|
| Backup clients | DD system | 111 | TCP | No | Dynamic port detection and mapping. Used only for port verification, not for data. |
| Backup clients1 | DD system | 2049 | Proprietary | TLS 1.2 | Optional DD Boost client TLS encryption. |
| Backup clients1 | DD system | 2052 | TCP | No | NFS mountd, not for data. |
| Backup clients | DD Global Scale | 2053 | TCP | TLS 1.2 | DD Boost connection. |
| Backup clients1 | PowerProtect Data Manager | 8443 | HTTPS | TLS 1.2 | REST API service. |
| Backup clients | VMAX SE server | 2707 | Proprietary | TLS 1.2 | Backup clients require access to the default port 2707 on the VMAX SE server. Applies to Storage Direct. |
| Callhome (SupportAssist) | PowerProtect Data Manager | 22 | SSH | TLS 1.2 | SSH for support and administration. Encrypted by private key or optional certificates. |
| Callhome (SupportAssist) | PowerProtect Data Manager | 443 | HTTPS | TLS 1.2 | SSH for remote support. |
| ESXi | DD system | 111 | TCP | No | Dynamic port detection and mapping. Used only for port verification, not for data. |
| ESXi | DD system2 | 2049 | Proprietary | TLS 1.2 | NFS datastore and DD Boost. NFS is unencrypted. DD Boost is encrypted. |
| ESXi | DD system2 | 2052 | TCP | No | NFS mountd, not for data. |
| Kubernetes cluster | DD system | 111 | TCP | No | Dynamic port detection and mapping. Used only for port verification, not for data. |
| Kubernetes cluster | DD system | 2049 | Proprietary | TLS 1.2 | Optional DD Boost client TLS encryption. |
| Kubernetes cluster | DD system | 2052 | TCP | TLS 1.2 | NFS mountd, not for data. |
| Kubernetes cluster | ESXi | 902 | TCP | TLS 1.2 | vSphere client access for PVCs using VMware CSI. Not required for Tanzu Kubernetes Guest clusters. |
| Kubernetes cluster | Protection engine | 9090 | HTTPS | TLS 1.2/1.3 | Required for Tanzu Kubernetes Guest clusters. |
| Kubernetes cluster | vCenter | 443 | HTTPS | TLS 1.2 | Primary management interface for vSphere using the vCenter Server, including the vSphere client for PVCs using VMware CSI. Not required for Tanzu Kubernetes Guest clusters. |
| NAS protection engine | NAS appliance | 443 | HTTPS | TLS 1.2 | Management access for Unity and PowerStore appliances. |
| NAS protection engine | NAS appliance | 8080 | HTTPS | TLS 1.2 | Management access for PowerScale/Isilon appliances. |
| PowerProtect Data Manager | Backup clients | 7000 | HTTPS | TLS 1.2 | Microsoft SQL Server, Oracle, Microsoft Exchange Server, SAP HANA, and file system. Requirement applies to Application Direct and VM Direct. |
| PowerProtect Data Manager | Callhome (SupportAssist) | 25 | SMTP | TLS 1.2 | TLS version in use depends on the mail server. TLS used where possible. |
| PowerProtect Data Manager | Callhome (SupportAssist) | 465 | TCP | TLS 1.2 | |
| PowerProtect Data Manager | Callhome (SupportAssist) | 587 | TCP | TLS 1.2 | |
| PowerProtect Data Manager | Callhome (SupportAssist) | 9443 | HTTPS | TLS 1.2 | REST API for service notification. |
| PowerProtect Data Manager | DD system | 111 | TCP | No | Dynamic port detection and mapping. Used only for port verification, not for data. |
| PowerProtect Data Manager | DD system | 2049 | Proprietary | No | Server DR NFS connections. Used only for metadata, client name, and indexing, not for backup data. |
| PowerProtect Data Manager | DD system | 2052 | TCP/UDP | No | NFS mountd, not for data. |
| PowerProtect Data Manager | DD system | 3009 | HTTPS | TLS 1.2 | Communication with DDMC for configuration and discovery. |
| PowerProtect Data Manager | ESXi | 443 | HTTPS | TLS 1.2 | Depends on ESXi configuration and version. |
| PowerProtect Data Manager | Kubernetes cluster | 6443 | Proprietary | TLS 1.2 | Connects to the Kubernetes API server. Encryption depends on the Kubernetes cluster configuration. PowerProtect Data Manager supports TLS 1.2. |
| PowerProtect Data Manager | LDAP server | 389 | TCP/UDP | No | Insecure LDAP port, outbound only. Use port 636 for encryption. |
| PowerProtect Data Manager | LDAP server | 636 | TCP | TLS 1.2 | LDAPS, depending on LDAP configuration in use. Outbound only. |
| PowerProtect Data Manager | NAS appliance | 443 | HTTPS | TLS 1.2 | Management access for Unity and PowerStore appliances. |
| PowerProtect Data Manager | NAS appliance | 8080 | HTTPS | TLS 1.2 | Management access for PowerScale/Isilon appliances. |
| PowerProtect Data Manager | NAS share | 139 | TCP | TLS 1.2 | Windows file server shares (CIFS). |
| PowerProtect Data Manager | NAS share | 443 | HTTPS | TLS 1.2 | NetApp shares (NFS and CIFS). Also used for NAS share verification check. |
| PowerProtect Data Manager | NAS share | 445 | TCP | TLS 1.2 | Windows file server shares (CIFS). |
| PowerProtect Data Manager | NAS share | 2049 | TCP | TLS 1.2 | Linux file server shares (NFS). |
| PowerProtect Data Manager | NTP server | 123 | NTP | No | Time synchronization. |
| PowerProtect Data Manager | PowerProtect Data Manager - Catalog | 9760 | TCP | Internal only. Blocked by firewall. | |
| PowerProtect Data Manager | PowerProtect Data Manager - Configuration Manager | 55555 | TCP | Internal only. Blocked by firewall. | |
| PowerProtect Data Manager | PowerProtect Data Manager - Elastic Search | 9200 | TCP | Internal only. | |
| PowerProtect Data Manager | PowerProtect Data Manager - Elastic Search | 9300 | TCP | Internal only. | |
| PowerProtect Data Manager | PowerProtect Data Manager - Embedded VM proxy | 9095 | TCP | Internal only. Blocked by firewall. | |
| PowerProtect Data Manager | PowerProtect Data Manager - Quorum peer | 2181 | TCP | Internal only. Blocked by firewall. | |
| PowerProtect Data Manager | PowerProtect Data Manager - RabbitMQ | 5672 | TCP | Internal only. Blocked by firewall. | |
| PowerProtect Data Manager | PowerProtect Data Manager - Secrets manager | 9092 | TCP | Internal only. | |
| PowerProtect Data Manager | PowerProtect Data Manager - VM Direct infrastructure manager | 9097 | TCP | Internal only. Blocked by firewall. | |
| PowerProtect Data Manager | PowerProtect Data Manager - VM Direct orchestration | 9096 | TCP | Internal only. Blocked by firewall. | |
| PowerProtect Data Manager | Protection engine | 22 | SSH | TLS 1.2 | SSH for support and administration. Encrypted by private key or optional certificates. |
| PowerProtect Data Manager | Protection engine | 9090 | HTTPS | TLS 1.2 | REST API service. |
| PowerProtect Data Manager | Protection engine | 96133 | Proprietary | TLS 1.2 | |
| PowerProtect Data Manager | Reporting engine | 9002 | TCP | TLS 1.2 | REST API service. |
| PowerProtect Data Manager | Search Engine | 9613 | Proprietary | TLS 1.2 | Infrastructure node agent management of Search Engine nodes. |
| PowerProtect Data Manager | Search Engine | 14251 | Proprietary | TLS 1.2 | Search query REST API endpoint. |
| PowerProtect Data Manager | SMI-S | 5989 | HTTPS | TLS 1.2 | Communication with SMI-S provider. Discovery. |
| PowerProtect Data Manager | Storage Direct system | 3009 | HTTPS | TLS 1.2 | Discovery. |
| PowerProtect Data Manager | Syslog server | 514 | TCP/UDP | TLS 1.2 | Log forwarding to Syslog server. |
| PowerProtect Data Manager | Syslog server | 6514 | TCP | TLS 1.2 | Log forwarding to Syslog server. |
| PowerProtect Data Manager | Syslog server | 10514 | TCP | TLS 1.2 | Log forwarding to Syslog server. |
| PowerProtect Data Manager | UI | 443 | HTTPS | TLS 1.2 | Between the browser host and the PowerProtect Data Manager system. |
| PowerProtect Data Manager | Update Manager UI | 14443 | HTTPS | TLS 1.2 | Connects the host that contains the update package to the PowerProtect Data Manager system. |
| PowerProtect Data Manager | vCenter | 443 | HTTPS | TLS 1.2 | vSphere API for direct restore, discovery, initiating Hot Add transport mode, and restores including Instant Access restore. Depends on vCenter configuration. |
| PowerProtect Data Manager | vCenter | 7444 | Proprietary | TLS 1.2 | vCenter single sign-on. |
| PowerProtect Data Manager | VMAX Solutions Enabler server | 2707 | Proprietary | TLS 1.2 | Storage Direct functionality. PowerProtect Data Manager uses the Solutions Enabler default server port for configuration steps and to control active snapshot management for SnapVX, including for PP-VMAX. |
| Protection engine | DD system | 111 | TCP | No | Dynamic port detection and mapping. Used only for port verification, not for data. |
| Protection engine | DD system | 2049 | Proprietary | TLS 1.2 | Optional DD Boost client TLS encryption. |
| Protection engine | DD system | 2052 | TCP | No | NFS mountd, not for data. |
| Protection engine | DD system | 3009 | HTTPS | TLS 1.2 | DD REST API service. |
| Protection engine | ESXi | 443 | HTTPS | TLS 1.2 | Client connections. |
| Protection engine | ESXi | 902 | TCP | TLS 1.2 | vSphere client access. |
| Protection engine | Guest VM | 96133 | Proprietary | TLS 1.2 | VM Direct Agent provides capabilities for file-level restore and application-aware protection. |
| Protection engine | NAS agent Docker container | 443 | HTTPS | TLS 1.2 | Applies for NAS only. Internal only. Blocked by firewall. |
| Protection engine | Search Engine | 14251 | TCP | TLS 1.2 | Search query REST API endpoint. |
| Protection engine | vCenter | 443 | HTTPS | TLS 1.2 | Primary management interface for vSphere using the vCenter server, including the vSphere client. |
| Protection engine | vCenter | 7444 | TCP | TLS 1.2 | Secure token service. |
| Protection engine | Protection engine - RabbitMQ | 4369 | TCP | Internal only. Blocked by firewall. | |
| Protection engine | Protection engine - RabbitMQ | 5672 | TCP | Internal only. Blocked by firewall. | |
| Reporting engine | PowerProtect Data Manager | 8443 | TCP | TLS 1.2 | REST API service for collecting reporting data. |
| Search Engine | DD system | 111 | TCP | No | Server DR. Dynamic port detection and mapping. Used only for port verification, not for data. |
| Search Engine | DD system | 2049 | Proprietary | No | Server DR NFS connections. Used only for metadata, client name, and indexing, not for backup data. |
| Search Engine | DD system | 2052 | TCP/UDP | No | Server DR. NFS mountd, not for data. |
| Source DD system | Target DD system | 111 | TCP | No | Dynamic port detection and mapping. Used only for port verification, not for data. |
| Source DD system | Target DD system | 2049 | Proprietary | TLS 1.2 | |
| Source DD system | Target DD system | 2051 | Proprietary | TLS 1.2 | |
| Source DD system | Target DD system | 2052 | TCP | No | NFS mountd, not for data. |
| Target DD system | Source DD system | 111 | TCP | No | Dynamic port detection and mapping. Used only for port verification, not for data. |
| Target DD system | Source DD system | 2049 | Proprietary | TLS 1.2 | |
| Target DD system | Source DD system | 2051 | Proprietary | TLS 1.2 | |
| Target DD system | Source DD system | 2052 | TCP | No | NFS mountd, not for data. |
| Update Manager UI | PowerProtect Data Manager | 14443 | HTTPS | TLS 1.2 | Connects the host that contains the update package to the PowerProtect Data Manager system. |
| User | PowerProtect Data Manager | 22 | SSH | TLS 1.2 | SSH for support and administration. Encrypted by private key or optional certificates. |
| User | PowerProtect Data Manager | 80 | HTTP | No | Redirect to HTTPS. |
| User | PowerProtect Data Manager | 443 | HTTPS | TLS 1.2 | Connects the browser host to the PowerProtect Data Manager system. |
| User | PowerProtect Data Manager | 8443 | HTTPS | TLS 1.2 | REST API service. |
| User | Search Engine | 22 | SSH | TLS 1.2 | SSH for support and administration. Encrypted by private key or optional certificates. |
| User | Protection engine | 22 | SSH | TLS 1.2 | SSH for support and administration. Encrypted by private key or optional certificates. |
| vCenter | ESXi | 443 | HTTPS | TLS 1.2 | vSphere client to ESXi/ESX host management connection. |
| vCenter | PowerProtect Data Manager | 443 | HTTPS | TLS 1.2 | vCenter plug-in UI. |
| vCenter | PowerProtect Data Manager | 8443 | HTTPS | TLS 1.2 | REST API service. |
| vCenter | PowerProtect Data Manager | 9009 | HTTPS | TLS 1.2/1.3 | vSphere APIs for Storage Awareness (VASA) provider, storage policy based management (SPBM) service within PowerProtect Data Manager. |
The term "protection engine" in this table refers to all types of protection engine: VM Direct, NAS, and Kubernetes, unless otherwise specified.
For VM application-aware backups, open the ports for the protection engine and for the backup clients on the guest VM.
For NAS assets, open any custom ports between PowerProtect Data Manager, the NAS protection engine, and the NAS that may be required for access to specific shares. You can supply custom port information for connections to NAS appliances and shares as part of the process for adding NAS asset sources.
1 Applies to Application Direct, Storage Direct, and VM Direct (VM application-aware only).
2 Instant access restore. NFS connection established under
PowerProtect Data Manager control of vSphere from the ESXi node to the DD system. Can be directed to any ESXi node, so allowed ports would be between any ESXi node to any DD system used by
PowerProtect Data Manager.
3 Port number is a default which you can change on a per-agent basis, and which can change dynamically in case of listening conflicts.
Please provide ratings (1-5 stars).
Please provide ratings (1-5 stars).
Please provide ratings (1-5 stars).
Please select whether the article was helpful or not.
Comments cannot contain these special characters: <>()\