The operation of VMware Site Recovery requires certain ports to be open.
The components that make up the VMware Site Recovery service, namely vCenter Server, vSphere Web Client, Site Recovery Manager Server, the vSphere Replication appliance, and vSphere Replication servers, require different ports to be open. You must ensure that all the required network ports are open for VMware Site Recovery to function correctly. Site Recovery Manager and vSphere Replication do not have public IP addresses. You must use a VPN or Direct Connect to access the HTML 5 user interface. It is recommended to use the private IP address as a Resolution Address for vCenter Server FQDN when using a VPN.
When creating Management Gateway Firewall rules for Inbound access to vCenter Server in a VMware Cloud on AWS SDDC, do not use Any as source for the traffic. VMware Cloud might automatically deactivate access to such SDDC for security reasons. Create a User Defined Group with members of some subset of IP addresses used in your on-premises SDDC instead.
vCenter Server and ESXi Server network port requirements for Site Recovery Manager
Site Recovery Manager requires certain ports to be open onvCenter Server, Platform Services Controller, and on ESXi Server.
| Default Port | Protocol or Description | Source | Target | Description |
|---|---|---|---|---|
| 443 | HTTPS | Site Recovery Manager | vCenter Server | Default SSL Web port. |
| 443 | HTTPS | Site Recovery Manager | vCenter Server | Traffic from Site Recovery Manager Server to local and remote vCenter Server. |
| 443 | HTTPS | Site Recovery Manager on the recovery site | Recovery site ESXi host. | Traffic from the Site Recovery Manager Server on the recovery site to ESXi hosts when recovering or testing virtual machines with configured IP customization, or callout commands on recovered virtual machines. |
| 902 | TCP and UDP | Site Recovery Manager Server on the recovery site. | Recovery site ESXi host. | Traffic from the Site Recovery Manager Server on the recovery site to ESXi hosts when recovering or testing virtual machines with IP customization, with configured callout commands on recovered virtual machines, or that use raw disk mapping (RDM). All NFC traffic for updating or patching the VMX files of virtual machines that are replicated using vSphere Replication use this port. |
Site Recovery Manager Server network ports
The Site Recovery Manager Server instances on the protected and recovery sites require certain ports to be open.
| Default Port | Protocol or Description | Source | Target | Endpoints or Consumers |
|---|---|---|---|---|
| 443 | HTTPS | Site Recovery Manager | vCenter Server | Default SSL Web Port for incoming TCP traffic. |
| 443 | HTTPS | Site Recovery Manager HTML 5 user interface | Site Recovery Manager | Default port for the Site Recovery Manager HTML 5 user interface. |
| 443 | HTTPS | Site Recovery Manager | vCenter Server | Traffic from Site Recovery Manager Server to local and remote vCenter Server. |
| 443 | HTTPS | Site Recovery Manager on the recovery site | Recovery site ESXi host. | Traffic from the Site Recovery Manager Server on the recovery site to ESXi hosts when recovering or testing virtual machines with configured IP customization, or callout commands on recovered virtual machines. |
| 443 | HTTPS | vSphere Client | Site Recovery Manager Appliance | All management traffic to Site Recovery Manager Server goes to this port. This includes traffic by external API clients for task automation and HTTPS interface for downloading the UI plug-in and icons. This port must be accessible from the vCenter Server proxy system. Used by vSphere Client to download the Site Recovery Manager client plug-in. |
| 443 | TCP | Site Recovery Manager Appliance | https://vcsa.vmware.com | Customer Experience Improvement Program (CEIP) for Site Recovery Manager |
| 902 | TCP and UDP | Site Recovery Manager Server on the recovery site. | Recovery site ESXi host. | Traffic from the Site Recovery Manager Server on the recovery site to ESXi hosts when recovering or testing virtual machines with IP customization, with configured callout commands on recovered virtual machines, or that use raw disk mapping (RDM). All NFC traffic for updating or patching the VMX files of virtual machines that are replicated using vSphere Replication use this port. |
| 5480 | HTTPS | Web Browser | Site Recovery Manager Appliance | Site Recovery Manager Appliance Management Interface |
| 9086 | HTTPS | vSphere Web Client | Site Recovery Manager for Windows | All management traffic to Site Recovery Manager Server for Windows goes to this port. This includes traffic by external API clients for task automation and HTTPS interface for downloading the UI plug-in and icons. This port must be accessible from the vCenter Server proxy system. Used by vSphere Web Client to download the Site Recovery Manager client plug-in. |
Site Pairing Port Requirements
| Port | Protocol | Source | Target | Description |
|---|---|---|---|---|
| 9086 | HTTPS | vCenter Server | Site Recovery Manager Server for Windows | vCenter Server and target Site Recovery Manager for Windows communication. |
| 9086 | HTTPS | Site Recovery Manager Server for Windows | Site Recovery Manager Server for Windows on target site | Bi-directional communication between Site Recovery Manager for Windows servers. |
| 443 | HTTPS | vCenter Server | Site Recovery Manager Server Appliance | vCenter Server and target Site Recovery Manager Appliance communication. |
| 443 | HTTPS | Site Recovery Manager Server Appliance | Site Recovery Manager Server Appliance on target site | Bi-directional communication between Site Recovery Manager Appliance servers. |
| 443 | HTTPS | Site Recovery Manager | Platform Services Controller and vCenter Server | Site Recovery Manager to vCenter Server communication - local and remote. |
Network ports that must be open on Site Recovery Manager and vSphere Replication Protected and Recovery sites
Site Recovery Manager and vSphere Replication require that the protected and recovery sites can communicate.
| Port | Protocol or Description | Source | Target | Endpoints or Consumers |
|---|---|---|---|---|
| 31031 | Initial replication traffic | ESXi host | vSphere Replication appliance on the recovery site | From the ESXi host at the protected site to the vSphere Replication appliance at the recovery site |
| 32032 | TCP | ESXi host on the source site | vSphere Replication server at the target site | Initial and outgoing replication traffic from the ESXi host at the source site to the vSphere Replication appliance or vSphere Replication server at the target site for replication traffic with network encryption. |
| 8043 | HTTPS | vSphere Replication appliance on either site | vSphere Replication appliance on either site | Management traffic between vSphere Replication appliances. |
| 8043 | HTTPS | Site Recovery Manager | vSphere Replication appliance on the recovery and protected sites | Management traffic between Site Recovery Manager instances and vSphere Replication appliances. |
vSphere Replication appliance network ports
| Port | Protocol or Description | Source | Target | Endpoints or Consumers |
|---|---|---|---|---|
| 80 | TCP | vSphere Replication appliance | All local and remote PSCs in same vCenter Single Sign-On domain (only if external Platform Services Controller is used) | All management traffic to the vSphere Replication appliance goes to port 80 on the vCenter Server proxy system. |
| 80 | TCP | vSphere Replication appliance | Local vCenter Server | All management traffic to the vSphere Replication appliance goes to port 80 on the vCenter Server proxy system. |
| 80 | HTTP | vSphere Replication server in the vSphere Replication appliance | ESXi host (intra-site) | Used to establish the connection before initial replication starts. |
| 443 | TCP | vSphere Replication appliance | All local and remote Platform Services Controllers in same SSO domain (only if external Platform Services Controller is used) | All management traffic to the vSphere Replication appliance. |
| 443 | TCP | vSphere Replication appliance | Local and remote vCenter Server | All management traffic to the vSphere Replication appliance. |
| 443 | HTTPS | Site Recovery HTML 5 user interface | vSphere Replication appliance | Default port for the Site Recovery HTML 5 user interface when you open it from the vSphere Replication appliance. |
| 443 | TCP | vSphere Replication appliance | https://vcsa.vmware.com | Customer Experience Improvement Program (CEIP) for vSphere Replication. |
| 902 | TCP and UDP | vSphere Replication server in the vSphere Replication appliance on secondary site | ESXi host (intra-site) on secondary site | Used by vSphere Replication servers to send replication traffic to the destination ESXi hosts. |
| 5480 | HTTPS | Browser | vSphere Replication appliance | vSphere Replication virtual appliance management interface (VAMI) Web UI. Required only for on-premises site, not required for VMware Cloud on AWS site. |
| 7444 | TCP | vSphere Replication appliance | vCenter Server (intra-site) | |
| 7444 | TCP | vCenter Server | All local and remote PSCs | |
| 8123 | SOAP | vSphere Replication appliance | vSphere Replication server | Intra-site management traffic from the vSphere Replication Management server to additional vSphere Replication servers in the environment. |
| 10443 | HTTPS | vSphere Web Client on the primary site | vCenter Server Inventory Service on the target site | ThevSphere Replication UI uses the Inventory Service of the remote vCenter Server to list target datastores. |
| 31031 | Initial and ongoing replication traffic | ESXi host on source site | vSphere Replication server in the vSphere Replication appliance on the secondary site or an external vSphere Replication server on the secondary site | Initial and outgoing replication traffic from the ESXi host at the source site to the vSphere Replication appliance or vSphere Replication server at the target site. |
| 32032 | TCP | ESXi host on the source site | vSphere Replication server at the target site | Initial and outgoing replication traffic from the ESXi host at the source site to the vSphere Replication appliance or vSphere Replication server at the target site for replication traffic with network encryption. |
vSphere Replication server network ports
If you deploy additional vSphere Replication servers, ensure that the subset of the ports that vSphere Replication servers require are open on those servers.
| Port | Protocol or Description | Source | Target | Endpoints or Consumers |
|---|---|---|---|---|
| 902 | TCP and UDP | vSphere Replication server in the vSphere Replication appliance on secondary site | ESXi host (intra-site) on secondary site | Traffic (specifically the NFC service to the destination ESXi servers) between the vSphere Replication server and the ESXihosts on the same site. |
| 5480 | VAMI Web UI for additional vSphere Replication servers | Browser | vSphere Replication server | Administrator's web browser. Required only for on-premises site, not required for VMware Cloud on AWS site. |
| 8123 | SOAP | vSphere Replication Management server | vSphere Replication server | Intra-site management traffic from the vSphere Replication appliance or vSphere Replication Management server to the vSphere Replication servers. |
| 31031 | Initial and ongoing replication traffic | ESXi host on source site | vSphere Replication server | From the ESXi host at the protected site to the vSphere Replication appliance or vSphere Replication server at the recovery site. |
| 32032 | TCP | ESXi host on the source site | vSphere Replication server at the target site | Initial and outgoing replication traffic from the ESXi host at the source site to the vSphere Replication appliance or vSphere Replication server at the target site for replication traffic with network encryption. |
