This article describes the local and off-site networking requirements and best-practices for Datto Business Continuity & Disaster Recovery (BCDR) appliances and solutions.
- Datto SIRIS
- Datto ALTO
- Datto NAS
- Datto Direct to Cloud (DTC)
- Network link speed requirements
- Network architecture considerations
- WAN uplink considerations
- Network MTU considerations
- Port access and IP whitelist requirements
- Internet access requirements for protected machines
- Virtual SIRIS considerations
- Additional Resources
Network link speed requirements
Since a 100 Mbps network cannot efficiently transfer large datasets between the protected machines and a Datto appliance, gigabit network connections are required between all protected machines and the Datto appliance over a LAN.
Datto strongly recommends placing the Datto appliance and all protected machines on the same LAN. If you must set up backups over a WAN, you will need a 50 Mbps dedicated uplink for every terabyte of protected data. Otherwise, backups will not be reliable. Even if this requirement is met, the latency between endpoints will significantly decrease backup throughput. The higher the latency, the lower the throughput.
Any device function performed through a site to site VPN/MPLS will be subject to degraded performance.
Network architecture considerations
Datto expects that BDR appliances will be deployed in a secure LAN environment. Inbound access from untrusted WAN hosts should be blocked at the edge of the network (via the router/firewall) to limit the accessibility of appliance network daemons and services. For more information, see Secure Deployment Best Practices For Datto Appliances.
WAN uplink considerations
To reliably synchronize with the Datto Cloud, ensure that your connection is at least 1 Mbps (125 KBps) uplink per terabyte of protected data stored locally on the Datto device. To check how much data your Datto appliance is currently protecting, see this article.
For every 1 Mbps of upload capacity that you dedicate to off-site traffic, you will be able to upload approximately 10 GB of change per day.
- 2 Mbps of upload capacity would net approximately 20 GB of change uploaded per day.
- 10 Mbps of upload capacity would net approximately 100 GB of change uploaded per day.
- 100 Mbps of upload capacity would net approximately 1 TB of change uploaded per day.
Offsiting 1 TB of change over a 1 Mbps uplink will take approximately 100 days. For images of this size, Datto recommends that any new SIRIS, ALTO or DNAS deployment use the complimentary RoundTrip service to send the initial full base image off-site.
Network MTU considerations
The Datto appliance will most reliably communicate with our monitoring servers when the router's MTU size is set to 1500 bytes. Since the Datto appliance is also using a 1500 byte MTU size, this will prevent packet fragmentation, which can cause issues with communication to our monitoring servers.
Port access and IP whitelist requirements
Port access requirements will vary, depending on the type of agent deployed.
Ports 25566 and 25568 (listed as 6001-47000 when WinNAT is enabled) must be open
- Allow ports 3262 and port 3260 (TCP) inbound to the Datto appliance from the Windows Agent.
- Allow port 25568 (TCP) inbound to the Windows agent from the Datto appliance.
- For unencrypted backups, allow port 139 (TCP/UDP) inbound to the Datto appliance from the ShadowSnap agent.
- For encrypted backups, allow port 3260 (TCP) inbound to the Datto appliance from the ShadowSnap agent.
- For ShadowSnap agent licensing and activation, allow port 80 TCP outbound from the protected machine to activate.storagecraft.com (188.8.131.52).
- Allow port 25566 (TCP) inbound to the ShadowSnap agent from the Datto appliance.
- Allow port 3260 (TCP) inbound to the Datto appliance from the Datto Linux Agent.
- Allow port 25567 (TCP) inbound to the Datto Linux Agent from the Datto appliance.
- Allow port 3260 (TCP) inbound to the Datto appliance from the Datto Mac Agent.
- Allow port 25569 (TCP) inbound to the Datto Mac Agent from the Datto appliance.
Internet access requirements for protected machines
- The Datto appliance must have access to the Datto Cloud for backup replication and remote device management. Also, all ICMP packets must be allowed through the firewall.
- Datto recommends disabling any application-layer filtering of traffic destined for or originating from your Datto appliance.
For device management, to synchronize time, and to download operating system updates, all backup appliances must be able to resolve the following Datto sites in the local DNS:
For operating system maintenance, the Datto appliance must also be able to resolve the following community sites in the local DNS:
- ntp.ubuntu.com - Ubuntu managed Network Time Portal server, used to synchronize time
- us.archive.ubuntu.com - Ubuntu managed application repository
- security.ubuntu.com - Ubuntu managed application repository
- ppa.launchpad.net - Ubuntu managed application repository
All Datto appliances must be able to access the following IP ranges for Cloud infrastructure, DNS failback, and device management:
- 184.108.40.206/32 port 5044
- 220.127.116.11/32 port 5044
- 18.104.22.168/24, port 443 and port 80
- 22.214.171.124/24, port 80 and 2200
Depending on your country, the Datto appliance must have outbound access to port 22 (TCP) for data synchronization and 1194 (TCP) for hybrid virtualization VPN tunnel from the following IP ranges for the off-site storage nodes:
- 126.96.36.199/28 (Ontario)
- 188.8.131.52/25 (Ontario)
- 184.108.40.206/24 (Alberta)
- 220.127.116.11/26 (UK)
- 18.104.22.168/24 (UK)
- 22.214.171.124/24 (UK)
- 126.96.36.199/24 (Iceland)
- 188.8.131.52/24 (Germany)
- 184.108.40.206/24 (Germany)
- 220.127.116.11/24 (Germany)
ANZ (Australia and New Zealand)
- 18.104.22.168/25 (255.255.255.128)
- 22.214.171.124/24 (Australia)
To find out which Cloud storage node your Datto appliance is connecting to, open the appliance's web UI. The information is displayed on the Overview screen.
Virtual SIRIS considerations
On virtual devices, if you perform an off-site hybrid virtualization that is bridged to your local network, ensure you've enabled promiscuous mode and forged transmits on the port group or virtual switch to which the vSIRIS is connected.