The operation of VMware Site Recovery requires certain ports to be open.

The components that make up the VMware Site Recovery service, namely vCenter Server, vSphere Web Client, Site Recovery Manager Server, the vSphere Replication appliance, and vSphere Replication servers, require different ports to be open. You must ensure that all the required network ports are open for VMware Site Recovery to function correctly. Site Recovery Manager and vSphere Replication do not have public IP addresses. You must use a VPN or Direct Connect to access the HTML 5 user interface. It is recommended to use the private IP address as a Resolution Address for vCenter Server FQDN when using a VPN.

When creating Management Gateway Firewall rules for Inbound access to vCenter Server in a VMware Cloud on AWS SDDC, do not use Any as the source for the traffic. VMware Cloud might automatically deactivate access to such an SDDC for security reasons. Instead, create a User Defined Group whose members are a subset of the IP addresses used in your on-premises SDDC.

Figure 1. Network ports of Site Recovery Manager for Windows at the on-premises SDDC.

Figure 2. Network ports of Site Recovery Manager Virtual Appliance at the on-premises SDDC.

vCenter Server and ESXi Server network port requirements for Site Recovery Manager

Site Recovery Manager requires certain ports to be open on vCenter Server, Platform Services Controller, and on ESXi Server.

| Default Port | Protocol or Description | Source | Target | Description |
|---|---|---|---|---|
| 443 | HTTPS | Site Recovery Manager | vCenter Server | Default SSL Web port. |
| 443 | HTTPS | Site Recovery Manager | vCenter Server | Traffic from Site Recovery Manager Server to local and remote vCenter Server. |
| 443 | HTTPS | Site Recovery Manager on the recovery site | Recovery site ESXi host | Traffic from the Site Recovery Manager Server on the recovery site to ESXi hosts when recovering or testing virtual machines with configured IP customization, or callout commands on recovered virtual machines. |
| 902 | TCP and UDP | Site Recovery Manager Server on the recovery site | Recovery site ESXi host | Traffic from the Site Recovery Manager Server on the recovery site to ESXi hosts when recovering or testing virtual machines with IP customization, with configured callout commands on recovered virtual machines, or that use raw disk mapping (RDM). All NFC traffic for updating or patching the VMX files of virtual machines that are replicated using vSphere Replication uses this port. |

Site Recovery Manager Server network ports

The Site Recovery Manager Server instances on the protected and recovery sites require certain ports to be open.

| Default Port | Protocol or Description | Source | Target | Endpoints or Consumers |
|---|---|---|---|---|
| 443 | HTTPS | Site Recovery Manager | vCenter Server | Default SSL Web Port for incoming TCP traffic. |
| 443 | HTTPS | Site Recovery Manager HTML 5 user interface | Site Recovery Manager | Default port for the Site Recovery Manager HTML 5 user interface. |
| 443 | HTTPS | Site Recovery Manager | vCenter Server | Traffic from Site Recovery Manager Server to local and remote vCenter Server. |
| 443 | HTTPS | Site Recovery Manager on the recovery site | Recovery site ESXi host | Traffic from the Site Recovery Manager Server on the recovery site to ESXi hosts when recovering or testing virtual machines with configured IP customization, or callout commands on recovered virtual machines. |
| 443 | HTTPS | vSphere Client | Site Recovery Manager Appliance | All management traffic to Site Recovery Manager Server goes to this port. This includes traffic by external API clients for task automation and HTTPS interface for downloading the UI plug-in and icons. This port must be accessible from the vCenter Server proxy system. Used by vSphere Client to download the Site Recovery Manager client plug-in. |
| 443 | TCP | Site Recovery Manager Appliance | https://vcsa.vmware.com | Customer Experience Improvement Program (CEIP) for Site Recovery Manager. |
| 902 | TCP and UDP | Site Recovery Manager Server on the recovery site | Recovery site ESXi host | Traffic from the Site Recovery Manager Server on the recovery site to ESXi hosts when recovering or testing virtual machines with IP customization, with configured callout commands on recovered virtual machines, or that use raw disk mapping (RDM). All NFC traffic for updating or patching the VMX files of virtual machines that are replicated using vSphere Replication uses this port. |
| 5480 | HTTPS | Web Browser | Site Recovery Manager Appliance | Site Recovery Manager Appliance Management Interface. |
| 9086 | HTTPS | vSphere Web Client | Site Recovery Manager for Windows | All management traffic to Site Recovery Manager Server for Windows goes to this port. This includes traffic by external API clients for task automation and HTTPS interface for downloading the UI plug-in and icons. This port must be accessible from the vCenter Server proxy system. Used by vSphere Web Client to download the Site Recovery Manager client plug-in. |

Site Pairing Port Requirements

| Port | Protocol | Source | Target | Description |
|---|---|---|---|---|
| 9086 | HTTPS | vCenter Server | Site Recovery Manager Server for Windows | vCenter Server and target Site Recovery Manager for Windows communication. |
| 9086 | HTTPS | Site Recovery Manager Server for Windows | Site Recovery Manager Server for Windows on target site | Bi-directional communication between Site Recovery Manager for Windows servers. |
| 443 | HTTPS | vCenter Server | Site Recovery Manager Server Appliance | vCenter Server and target Site Recovery Manager Appliance communication. |
| 443 | HTTPS | Site Recovery Manager Server Appliance | Site Recovery Manager Server Appliance on target site | Bi-directional communication between Site Recovery Manager Appliance servers. |
| 443 | HTTPS | Site Recovery Manager | Platform Services Controller and vCenter Server | Site Recovery Manager to vCenter Server communication - local and remote. |

Network ports that must be open on Site Recovery Manager and vSphere Replication Protected and Recovery sites

Site Recovery Manager and vSphere Replication require that the protected and recovery sites can communicate.

| Port | Protocol or Description | Source | Target | Endpoints or Consumers |
|---|---|---|---|---|
| 31031 | Initial replication traffic | The ESXi host of the replicated VM on the source site | vSphere Replication appliance on the recovery site | From the ESXi host at the protected site to the vSphere Replication appliance at the recovery site. |
| 32032 | TCP | The ESXi host of the replicated VM on the source site | vSphere Replication server at the target site | Initial and outgoing replication traffic from the ESXi host at the source site to the vSphere Replication appliance or vSphere Replication server at the target site for replication traffic with network encryption. |
| 31031 | Unencrypted replication traffic | The ESXi host of the replicated VM on the source site | All ESXi hosts in the cluster of the target datastore | Required for replications in Scale-out mode. |
| 32032 | TCP | The ESXi host of the replicated VM on the source site | All ESXi hosts in the cluster of the target datastore | Required for replications in Scale-out mode. |
| 8043 | HTTPS | vSphere Replication appliance on either site | vSphere Replication appliance on either site | Management traffic between vSphere Replication appliances. |
| 8043 | HTTPS | Site Recovery Manager | vSphere Replication appliance on the recovery and protected sites | Management traffic between Site Recovery Manager instances and vSphere Replication appliances. |

vSphere Replication appliance network ports

| Port | Protocol or Description | Source | Target | Endpoints or Consumers |
|---|---|---|---|---|
| 443 | TCP | vSphere Replication appliance | Remote Lookup Service | All calls to the remote Lookup Service. |
| 443 | HTTPS | Site Recovery HTML 5 user interface | vSphere Replication appliance | Default port for the Site Recovery HTML 5 user interface when you open it from the vSphere Replication appliance. |
| 443 | HTTPS | Site Recovery HTML 5 user interface | Local and remote vCenter Server or all vCenter Server instances in Enhanced Linked Mode with a registered vSphere Replication | Default port for the Site Recovery HTML 5 user interface when you open it from the vSphere Replication appliance. |
| 443 | HTTPS | Site Recovery HTML 5 user interface | Local and remote Platform Services Controller instances or all Platform Services Controller instances in Enhanced Linked Mode with a registered vSphere Replication | Default port for the Site Recovery HTML 5 user interface when you open it from the vSphere Replication appliance. |
| 443 | TCP | Site Recovery HTML 5 user interface | Remote Site Recovery Manager appliance | TCP port 443 must be open when you access the Site Recovery HTML 5 user interface from the vSphere Replication appliance. |
| 443 | HTTP | vSphere Replication server in the vSphere Replication appliance | ESXi host (intra-site) | Traffic between the vSphere Replication server and the ESXi hosts on the same site. |
| 443 | HTTP | ESXi host (intra-site) | vSphere Replication server in the vSphere Replication appliance | Traffic between the ESXi host and the vSphere Replication server on the same site. |
| 443 | TCP | vSphere Replication appliance | Local and remote vCenter Server | All management traffic to the vCenter Server. |
| 443 | TCP | vSphere Replication appliance | https://vcsa.vmware.com | Customer Experience Improvement Program (CEIP) for vSphere Replication. |
| 9084 | HTTP | vSphere Replication appliance | Local vCenter Server | Used for uploading the hbr agent VIB to vCenter Server during the installation of the VIB file to the source ESXi hosts. |
| 902 | TCP and UDP | vSphere Replication server in the vSphere Replication appliance on secondary site | ESXi host (intra-site) on secondary site | Used by vSphere Replication servers to send replication traffic to the destination ESXi hosts. |
| 5480 | HTTPS | Browser | vSphere Replication appliance | vSphere Replication virtual appliance management interface (VAMI) Web UI. Required only for on-premises site, not required for VMware Cloud on AWS site. |
| 8043 | SOAP | vSphere Replication appliance | vSphere Replication appliance | Inter-site communication from the vSphere Replication Management servers of the primary and the secondary site. |
| 8043 | SOAP | vCenter Server | vSphere Replication appliance | Intra-site communication used for SDRS. |
| 8123 | SOAP | vSphere Replication appliance | vSphere Replication server | Intra-site management traffic from the vSphere Replication Management server to additional vSphere Replication servers in the environment. |
| 31031 | Initial and ongoing replication traffic | ESXi host on source site | vSphere Replication server in the vSphere Replication appliance on the secondary site or an external vSphere Replication server on the secondary site | Initial and outgoing replication traffic from the ESXi host at the source site to the vSphere Replication appliance or vSphere Replication server at the target site. |
| 32032 | TCP | ESXi host on the source site | vSphere Replication server at the target site | Initial and outgoing replication traffic from the ESXi host at the source site to the vSphere Replication appliance or vSphere Replication server at the target site for replication traffic with network encryption. |

vSphere Replication server network ports

If you deploy additional vSphere Replication servers, ensure that the subset of the ports that vSphere Replication servers require are open on those servers.

| Port | Protocol or Description | Source | Target | Endpoints or Consumers |
|---|---|---|---|---|
| 902 | TCP and UDP | vSphere Replication server in the vSphere Replication appliance on secondary site | ESXi host (intra-site) on secondary site | Traffic (specifically the NFC service to the destination ESXi servers) between the vSphere Replication server and the ESXi hosts on the same site. |
| 5480 | VAMI Web UI for additional vSphere Replication servers | Browser | vSphere Replication server | Administrator's web browser. Required only for on-premises site, not required for VMware Cloud on AWS site. |
| 8123 | SOAP | vSphere Replication Management server | vSphere Replication server | Intra-site management traffic from the vSphere Replication appliance or vSphere Replication Management server to the vSphere Replication servers. |
| 31031 | Initial and ongoing replication traffic | ESXi host on source site | vSphere Replication server | From the ESXi host at the protected site to the vSphere Replication appliance or vSphere Replication server at the recovery site. |
| 32032 | TCP | ESXi host on the source site | vSphere Replication server at the target site | Initial and outgoing replication traffic from the ESXi host at the source site to the vSphere Replication appliance or vSphere Replication server at the target site for replication traffic with network encryption. |
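
The following added example (not VMware code and not part of the original page) audits a firewall rule set against the inter-site flows listed in the tables above, and applies the Management Gateway guidance on Any sources to every rule, which is stricter than the page's vCenter Server wording. The rule format, role labels, group name and addresses are constructed for illustration.

```python
import ipaddress

# (port, source role, target role) for inter-site flows from the tables on this
# page (appliance deployment). Role labels are this example's own, not VMware's.
REQUIRED_FLOWS = {
    (443, "srm", "vcenter"),   # Site Recovery Manager -> local and remote vCenter Server
    (443, "srm", "srm"),       # SRM appliance <-> SRM appliance on target site
    (443, "vcenter", "srm"),   # vCenter Server -> target SRM appliance
    (8043, "vr", "vr"),        # management between vSphere Replication appliances
    (8043, "srm", "vr"),       # SRM -> vSphere Replication appliances
    (31031, "esxi", "vr"),     # replication traffic
    (32032, "esxi", "vr"),     # replication traffic with network encryption
}

def is_any(source):
    """True for the literal 'Any' or a zero-length prefix such as 0.0.0.0/0."""
    if source.strip().lower() == "any":
        return True
    try:
        return ipaddress.ip_network(source, strict=False).prefixlen == 0
    except ValueError:         # a group name rather than a CIDR
        return False

def audit(rules):
    """Return sorted (finding, detail) tuples for a list of rule dicts."""
    findings, allowed = [], set()
    for rule in rules:
        if any(is_any(s) for s in rule["sources"]):
            findings.append(("ANY_SOURCE", rule["name"]))
        for port in rule["ports"]:
            flow = (port, rule["src_role"], rule["dst_role"])
            allowed.add(flow)
            if flow not in REQUIRED_FLOWS:
                findings.append(("NOT_IN_PORT_TABLE", f"{rule['name']}:{port}"))
    for flow in REQUIRED_FLOWS - allowed:
        findings.append(("MISSING_FLOW", "%d %s->%s" % flow))
    return sorted(findings)

# Constructed sample rule set (not exported from a real SDDC).
SAMPLE_RULES = [
    {"name": "onprem-to-vc", "sources": ["Any"], "src_role": "srm",
     "dst_role": "vcenter", "ports": [443]},
    {"name": "vr-mgmt", "sources": ["OnPrem-VR-Group"], "src_role": "vr",
     "dst_role": "vr", "ports": [8043, 22]},
    {"name": "replication", "sources": ["10.10.30.0/24"], "src_role": "esxi",
     "dst_role": "vr", "ports": [31031, 32032]},
]

if __name__ == "__main__":
    print(*audit(SAMPLE_RULES), sep="\n")
```

On the sample rules, the audit reports the Any-sourced vCenter Server rule, the port outside the tables on `vr-mgmt`, and the three required flows that no rule covers.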