SIRIS, ALTO, and DNAS Networking & Bandwidth Requirements

Topic

This article describes the local and offsite networking requirements and best-practices for Datto business continuity appliances.

As of January 3, 2017, SNMP is no longer supported on Datto appliances.

Environment

  • Datto SIRIS
  • Datto ALTO
  • Datto NAS

Description

Network link speed requirements

Since a 100 Mbps network cannot efficiently transfer large datasets between the protected machines and a Datto appliance, gigabit network connections are required between all protected machines and the Datto appliance over a LAN.

All SIRIS 3 and Datto NAS 3 devices (except for the DN-3A) must be connected using a gigabit connection. They will not function on a slower connection.

Datto strongly recommends placing the Datto appliance and all protected machines on the same LAN. If you must set up backups over a WAN, you will need a 50 Mbps dedicated uplink for every terabyte of protected data. Otherwise, backups will not be reliable. Even if this requirement is met, the latency between endpoints will significantly decrease backup throughput. The higher the latency, the lower the throughput.

Any device function performed through a site-to-site VPN/MPLS will be subject to degraded performance.

Network architecture considerations

Datto expects that BDR appliances will be deployed in a secure LAN environment. Inbound access from untrusted WAN hosts should be blocked at the edge of the network (via the router/firewall) to limit the accessibility of appliance network daemons and services. For more information, see Secure Deployment Best Practices For Datto Appliances.

WAN uplink considerations

To reliably synchronize with the Datto Cloud, ensure that your connection is at least 1 Mbps (125 KBps) uplink per terabyte of protected data stored locally on the Datto device. To check how much data your Datto appliance is currently protecting, see this article.

For every 1 Mbps of upload capacity that you dedicate to offsite traffic, you will be able to upload approximately 10 GB of change per day.

Examples

  • 2 Mbps of upload capacity would net approximately 20 GB of change uploaded per day.
  • 10 Mbps of upload capacity would net approximately 100 GB of change uploaded per day.
  • 100 Mbps of upload capacity would net approximately 1 TB of change uploaded per day.

Offsiting 1 TB of change over a 1 Mbps uplink will take approximately 100 days. For images of this size, Datto recommends that any new SIRIS, ALTO or DNAS deployment use the complimentary RoundTrip service to send the initial full base image offsite.

Network MTU considerations

The Datto appliance will most reliably communicate with our monitoring servers when the router's MTU size is set to 1500 bytes. Since the Datto appliance is also using a 1500 byte MTU size, this will prevent packet fragmentation, which can cause issues with communication to our monitoring servers.

Port access and IP whitelist requirements

Port access requirements will vary, depending on the type of agent deployed.

Datto Windows Agent:

  • Allow ports 3262 and 3260 (TCP) inbound to the Datto appliance from the Windows Agent.
  • Allow port 25568 (TCP) inbound to the Windows Agent from the Datto appliance.

ShadowSnap Agent:

  • For unencrypted backups, allow port 139 (TCP/UDP) inbound to the Datto appliance from the ShadowSnap agent.
  • For encrypted backups, allow port 3260 (TCP) inbound to the Datto appliance from the ShadowSnap agent.
  • Allow port 25566 (TCP) inbound to the ShadowSnap agent from the Datto appliance.

Depending on your network setup, you may also need to open port 25566 (UDP) inbound to the agent and/or port 445 (TCP) inbound to the Datto appliance (for Samba communication to devices that don't use NetBIOS).

Datto Linux Agent

  • Allow port 3260 (TCP) inbound to the Datto appliance from the Datto Linux Agent.
  • Allow port 25567 (TCP) inbound to the Datto appliance from the Datto Linux Agent.

Datto Mac Agent

  • Allow port 3260 (TCP) inbound to the Datto appliance from the Datto Mac Agent.
  • Allow port 25569 (TCP) inbound to the Datto appliance from the Datto Mac Agent.

Depending on your network security configuration, you may need to whitelist inbound.dattoremote.com for correct Remote Web functionality, and python.map.fastly.net for optimal device communication.

Internet access requirements for protected machines

Datto strongly recommends enabling IPMI on Datto appliances which include this feature, and configuring the IPMI port with a static IPv4 address. This will allow you to remotely access the device for troubleshooting if necessary.

  • The Datto appliance must have access to the Datto Cloud for backup replication and remote device management. In addition, all ICMP packets must be allowed through the firewall.
  • Datto recommends disabling any application-layer filtering of traffic destined for, or originating from, your Datto appliance.

For device management, to synchronize time, and to download operating system updates, all backup appliances must be able to resolve the following Datto sites in the local DNS:

  • dattobackup.com
  • datto.com
  • device-packages.dattobackup.com
  • device-images.datto.com
  • ntp.dattobackup.com

For operating system maintenance, the Datto appliance must also be able to resolve the following community sites in the local DNS:

  • ntp.ubuntu.com - Ubuntu managed Network Time Protocol server, used to synchronize time
  • us.archive.ubuntu.com - Ubuntu managed application repository
  • security.ubuntu.com - Ubuntu managed application repository
  • ppa.launchpad.net - Ubuntu managed application repository

All Datto appliances must be able to access the following IP ranges for Cloud infrastructure, DNS failback, and device management:

  • 8.8.8.8
  • 8.34.181.199/32
  • 8.34.176.0/24
  • 47.19.105.0/24
  • 162.244.87.51
  • 162.244.85.60
  • 162.244.87.37/32 port 5044
  • 162.244.87.38/32 port 5044
  • 162.244.87.0/24, port 443 and port 80
  • 198.49.95.0/24
  • 198.137.225.0/24, port 80 and the range 2200-2250
  • 206.201.136.0/24
  • 206.201.137.0/24
  • 27.111.249.1/24

Depending on your country, the Datto appliance must have outbound access on port 22 (TCP), for data synchronization, and on port 1194 (TCP), for the hybrid virtualization VPN tunnel, to the following IP ranges for the offsite storage nodes:

United States

  • 8.34.176.0/23
  • 8.34.165.0/24
  • 8.34.181.0/24
  • 192.30.37.0/24
  • 198.49.95.0/24
  • 162.244.84.0/24
  • 162.244.85.0/24
  • 206.201.139.0/24
  • 206.201.136.0/23
  • 206.201.137.0/24

Canada

  • 70.33.207.240/28 (Ontario)
  • 70.33.207.241/28
  • 70.33.242.128/25 (Ontario)
  • 198.137.227.0/24 (Alberta)
  • 206.201.134.0/24

EMEA

  • 176.74.168.192/26 (UK)
  • 66.155.20.0/24 (UK)
  • 185.217.56.0/24 (UK)
  • 185.217.58.0/24 (Iceland)
  • 198.137.225.0/24 (Germany)
  • 185.217.57.0/24 (Germany)

ANZ (Australia and New Zealand)

  • 27.111.249.128/25 (255.255.255.128)
  • 103.109.129.0/24 (Australia)

Singapore

  • 198.137.226.0/24
  • 103.109.128.0/24

It is normal to see the Datto appliance repeatedly connecting to one or more of the IP addresses listed above as it checks in with our monitoring servers.
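
The following Python example is added here and is not Datto's code. It classifies outbound flows from the appliance against the cloud infrastructure and device management list above, so that connections to undocumented destinations or ports stand out when reviewing firewall logs. Treating entries with no stated port as "any port", the function names, and the sample flows are assumptions; the regional offsite ranges can be added as further rows in the same format (for example with ports `22,1194`).

```python
import ipaddress

# Destinations and ports copied from the "Cloud infrastructure, DNS failback, and
# device management" list above. "*" is an assumption: the page names no port.
RULES_TEXT = """
8.8.8.8 *
8.34.181.199/32 *
8.34.176.0/24 *
47.19.105.0/24 *
162.244.87.51 *
162.244.85.60 *
162.244.87.37/32 5044
162.244.87.38/32 5044
162.244.87.0/24 80,443
198.49.95.0/24 *
198.137.225.0/24 80,2200-2250
206.201.136.0/24 *
206.201.137.0/24 *
27.111.249.1/24 *
"""

def parse_ports(spec):
    """'80,2200-2250' -> [(80, 80), (2200, 2250)]; '*' means any port."""
    if spec == "*":
        return [(0, 65535)]
    pairs = (part.partition("-") for part in spec.split(","))
    return [(int(lo), int(hi or lo)) for lo, _, hi in pairs]

def load_rules(text=RULES_TEXT):
    # strict=False accepts 27.111.249.1/24 (host bits set) as 27.111.249.0/24
    rows = (line.split() for line in text.strip().splitlines())
    return [(ipaddress.ip_network(c, strict=False), parse_ports(p)) for c, p in rows]

def classify(dst, dport, rules):
    """Return 'expected', 'unexpected-port' or 'unknown-destination' for one flow."""
    addr = ipaddress.ip_address(dst)
    matches = [spans for net, spans in rules if addr in net]
    if not matches:
        return "unknown-destination"
    ok = any(lo <= dport <= hi for spans in matches for lo, hi in spans)
    return "expected" if ok else "unexpected-port"

# Constructed sample flows (destination IP, destination port), not real log data.
SAMPLE_FLOWS = [("162.244.87.37", 5044), ("198.137.225.10", 2222),
                ("162.244.87.200", 22), ("203.0.113.7", 443)]

def audit(flows=SAMPLE_FLOWS):
    rules = load_rules()
    return [(dst, port, classify(dst, port, rules)) for dst, port in flows]
```

An address covered by several rows (such as 162.244.87.37, which is in both its /32 row and the /24 row) is accepted if any matching row allows the port.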

To find out which Cloud storage node your Datto appliance is connecting to, open the appliance's web UI. The information is displayed on the Overview screen. 

Figure 1: Offsite server IP address

Virtual SIRIS considerations

On virtual devices, if you perform an offsite hybrid virtualization that is bridged to your local network, ensure you've enabled promiscuous mode and forged transmits on the port group or virtual switch to which the vSIRIS is connected.
