Private cloud vaults for D2C - x360Recover

Written By Tami Sutcliffe (Super Administrator)

Updated at September 29th, 2023


x360Recover release 10.6.1 now supports Direct-to-Cloud backups on your self-hosted private cloud vaults. 

Enable this feature to provide all the functionality of Axcient-hosted D2C (Direct-to-Cloud)  backups.


Hosting Direct-to-Cloud backups on your self-hosted private vaults has some requirements above and beyond those of normal vault operation. 

Firewall ports

Additional services will be running to receive backup data, so additional firewall ports will need to be opened.

The following firewall ports must be opened from the internet to your vault:

  • TCP 80 (Http)
  • TCP 443 (Https/TLS)
  • TCP 9079 (Thrift/TLS - Endpoint Manager)
  • TCP 9082 (Thrift/TLS – Cloudserver)
  • TCP 9090 (Thrift/TLS – Backup Manager)

Static, public IP address and public DNS ‘A’ record 

Your vault will require a static, public IP address and a public DNS ‘A’ record to provide the Fully Qualified Domain Name (FQDN) address of the vault.

Note: Ensure that your vault is assigned a public Static IP address and has a DNS ‘A’ record created.  Direct-to-Cloud mode requires that the vault be assigned a valid publicly trusted certificate, and certificates cannot be assigned to a simple IP address.  (Certificate management is handled automatically by the system.)

Special Note: For backups of Direct-to-Cloud protected systems to continue while virtualized on the vault, the virtual machine running on the vault must resolve and access the vault by it's FQDN.  

This can be achieved using one of two methods

1. Configure NAT loopback rules on your firewall. This is also known as hairpinning - and will enable the outbound agent network traffic to reach the vault at its local private IP address


2. Configure local DNS zones such that the FQDN of the vault (from the perspective of the virtual machine running on the vault) resolves to the local private IP address of the vault


How to enable Direct-to-Cloud on private vaults

Once you have satisfied the prerequisites for firewall ports, IP address and DNS records, you may enable Direct-to-Cloud functionality.  

1. Login to the vault and navigate to System Settings -> Direct to Cloud

2. Click the check box for Enable Direct to Cloud.


3. Enter a valid FQDN address for the vault and click Get Certificate.

Note: You CANNOT use a simple IP address. You must enter a valid domain URL that is publicly accessible from the internet in order for certificate generation to be completed.  Direct-to-Cloud cannot operate without a valid, publicly trusted certificate.

4. If the certificate registration is completed successfully, click Save to commit the settings.


Certificate registration is provided by Let’s Encrypt, a free public certificate signing service that is widely accepted and is supported by the x360Recover agent. 

Successful signing requires that both HTTP and HTTPS (ports 80 and 443) be opened on the firewall, and that both are accessible to the Let’s Encrypt servers using the FQDN name specified. 

Once the certificate is obtained and settings are saved, Direct-to-Cloud services are now available for this vault. 

Locate the Direct-to-Cloud agent installer DOWNLOAD links on the User page to begin deploying agents.


For more details on configuring and deploying Axcient, refer to this knowledgebase article:

How to launch a virtual machine for instant recovery from a private (self-hosted) cloud vault

For fast, local recovery of a server or workstation, you can launch a virtual machine from a private (self-hosted) cloud vault. 

For complete details, please review. How to launch a virtual machine for instant recovery from a private (self-hosted) vault



 SUPPORT | 720-204-4500 | 800-352-0248

610  |  1502