Unified Backup Networking and Bandwidth Requirements


This article describes local and off-site networking requirements and best practices for Unified Backup appliances and the Datto Endpoint Backup solution.

NOTE  As of January 3, 2017, Datto appliances no longer support SNMP.


  • Datto SIRIS
  • Datto ALTO
  • Datto NAS
  • Datto Endpoint Backup


By default, Datto disables local network access to the Datto device UI. You can enable local access under Configuration > Global Device Settings > Local Access Control in the Datto Device Web UI.

Network link speed requirements

A 100 Mbps network cannot efficiently transfer large datasets between the protected machines and a Datto appliance. You must have a gigabit network connection between all protected machines and the Datto appliance over your LAN.

All SIRIS 3 and 4 devices, as well as Datto NAS 3 and 4 series (except for the DN-3A), must use a gigabit connection. They will not function on a slower connection.

Datto strongly recommends placing the Datto appliance and all protected machines on the same LAN. If you must set up backups over a WAN, you will need a 50 Mbps dedicated uplink for every terabyte of protected data. Otherwise, backups will not be reliable. Even if you meet this requirement, the latency between endpoints will significantly decrease backup throughput. The higher the latency, the lower the performance.

Any device function performed through a site to site VPN/MPLS will be subject to degraded performance.

Network architecture considerations

Datto expects that you will deploy BDR appliances in a secure LAN environment. Inbound access from untrusted WAN hosts should be blocked at the edge of the network (via the router/firewall) to limit the accessibility of appliance network daemons and services. For more information, see Secure Deployment Best Practices For Datto Appliances.

WAN uplink considerations

To reliably synchronize with the Datto Cloud, ensure that your connection is at least 1 Mbps (125 KBps) uplink per terabyte of protected data stored locally on the Datto device. To check how much data your Datto appliance is currently protecting, see this article.

For every 1 Mbps of upload capacity that you dedicate to off-site traffic, you will be able to upload approximately 10 GB of change per day.


  • 2 Mbps of upload capacity would net approximately 20 GB of change uploaded per day.
  • 10 Mbps of upload capacity would net approximately 100 GB of change uploaded per day.
  • 100 Mbps of upload capacity would net approximately 1 TB of change uploaded per day.

Offsiting 1 TB of change over a 1 Mbps uplink will take approximately 100 days. For images this large, Datto recommends using the RoundTrip service to send the original base image offsite.

Network MTU considerations

The Datto appliance will most reliably communicate with our monitoring servers when you set the router's MTU size to 1500 bytes. Since the Datto appliance is also using a 1500 byte MTU size, this will prevent packet fragmentation, which can cause issues with communication to our monitoring servers.

Port access and IP allowlist requirements

Ports 25566 and 25568 (listed as 6001-47000 when WinNAT is enabled) must be open.

Depending on your network security configuration, you may need to allow-list python.map.fastly.net for optimal device communication. Additionally, all protected machines must be able to resolve mothership.dtc.datto.com, agent-update.datto.com, and dattolocal.net in the local DNS.

Additional port access requirements will vary, depending on the type of agent deployed. See the specific agent documentation linked below for more information.

You may need to contact your ISP if they throttle port 22 or SSH traffic, as this may cause performance issues with synchronization.

Firewall considerations

Many next-generation firewalls and unified threat management (UTM) platforms include threat detection technology which can interrupt or interfere with cloud synchronization. These vary by vendor, and may require additional adjustments. See SIRIS, ALTO and NAS: Datto Appliances and firewalls for more information.

Agent-based and agentless solution requirements

For networking requirements specific to Datto's various agent and agentless backup solutions, see the following articles:

Internet access requirements

  • The Datto appliance must have access to the Datto Cloud for backup replication and remote device management. Also, all ICMP packets must be allowed through the firewall.
  • Datto recommends disabling any application-layer filtering of traffic destined for or originating from your Datto appliance.

For device management, to synchronize time, and to download operating system updates, all backup appliances must be able to resolve the following Datto sites in the local DNS:

  • dattobackup.com
  • datto.com
  • device-packages.dattobackup.com
  • device-images.datto.com
  • ntp.dattobackup.com
  • dlt-rly-*.datto.com
  • fra-rly-*.datto.com
  • syd-rly-*.datto.com

NOTE  (* is a wild card; these domains will continue to expand)

For operating system maintenance, the Datto appliance must also be able to resolve the following community sites in the local DNS:

  • ntp.ubuntu.com - Ubuntu managed Network Time Portal server, used to synchronize time
  • us.archive.ubuntu.com - Ubuntu managed application repository
  • security.ubuntu.com - Ubuntu managed application repository
  • ppa.launchpad.net - Ubuntu managed application repository

Access to an NTP server is required for virtualizations to synchronize to the correct time zone. When a Windows VM lacks access to an NTP server, the Windows Time Service will synchronize to the hardware clock. For cloud VMs, this will mean that they set their time zone to UTC.

In addition to the partner portal (dattobackup.com) users must be able to reach the following in order to configure 2fa and display the QR code image.

  • api.qrserver.com

Cloud infrastructure, DNS failback, and device management

All Datto appliances must have outbound access to the following IP ranges for Cloud infrastructure, DNS failback, and device management:

IP Range Ports UDP/TCP Purpose


Both DNS

80, 443


SupportTools 443 TCP Datto Portal 443 TCP Cloud restores 443 TCP Image / package server

443, 80 TCP Device Web 21 TCP Bandwidth testing

North America
Asia Pacific

80, 443, and 2200-2250 TCP Device Web and cloud storage

Hybrid virtualizations, VPN tunneling, and off-site storage

The Datto appliance must have outbound access to port 22 (TCP) for data synchronization and ports 1194-65535 (TCP/UDP ) for hybrid virtualizations, VPN tunneling, and off-site storage.

United States

  • (Pennsylvania)
  • (Pennsylvania)
  • (Pennsylvania)
  • (Pennsylvania)
  • (Pennsylvania)
  • (Pennsylvania)
  • (Pennsylvania)
  • (Pennsylvania)
  • (Pennsylvania)
  • (Pennsylvania)
  • (Pennsylvania)
  • (Pennsylvania)
  • (Pennsylvania)
  • (Pennsylvania)
  • (Pennsylvania)
  • (Pennsylvania)
  • (Utah)
  • (Utah)
  • (Utah)
  • (Utah)
  • (Utah)


  • (Toronto)
  • (Calgary)
  • (Montreal)
  • (Toronto)
  • (Toronto)


  • (UK)
  • (UK)
  • (UK)
  • (Iceland)
  • (Iceland)
  • (Iceland)
  • (Germany)
  • (Germany)
  • (Germany)
  • (Germany)

ANZ (Australia and New Zealand)

  • (Sydney, Australia)
  • (Melbourne, Australia)
  • (Sydney, Australia)



NOTE  It is normal to see the Datto appliance repeatedly connecting to one or more of the IP addresses listed above as it checks in with our monitoring servers.

To learn which Cloud storage node your Datto device uses, open the backup appliance's GUI. On the Overview screen, you will see replication information similar to the example below:


IPMI considerations

NOTE  Datto strongly recommends enabling IPMI on Datto appliances that include this feature and configuring the IPMI port with a static IPv4 address. Enabling IPMI will allow you to access the device for remote troubleshooting if you cannot access the GUI.

IPMI access requires the local network to be within a private IP range (,, per IANA standards (external link).

Virtual SIRIS considerations

When performing an off-site hybrid virtualization on a virtual device bridged to your local network, ensure you have enabled promiscuous mode and forged transmits on the port group or virtual switch to which the vSIRIS is connected.

Port 8805 must remain open for Datto to communicate with the Hypervisor.

Additional Resources