Ransomware attackers specifically target and attempt to destroy backup systems to increase the probability of payment. Hardening your system is critical. Please ensure you have reviewed your platform security using the Security Hardening Checklist
Cohesity

COHESITY Documentation

Explore our documentation to get started, discover products & new features, access troubleshooting guides, register sources, platforms support.

Products
Data Security Alliance
Visit Cohesity.com
Demos
Support
Blogs
Developers
Partner Portals
Cohesity Community
© 2026 Cohesity, Inc. All Rights Reserved.
Terms of Use|
Privacy Policy|
Legal|
  1. Home
  2. Cohesity Cloud Scale Technology Manual Deployment Guide for Kubernetes Clusters
  3. Section III. Monitoring and Management
  4. Managing the Load Balancer service
  5. About the Load Balancer service
Cohesity Cloud Scale Technology Manual Deployment Guide for Kubernetes Clusters

About the Load Balancer service

Key features of the Load Balancer service:

Note:

Load Balancer services are not created for media servers from NetBackup 10.5 release. If the setup is upgraded from a pre 10.4 release, the load balancer services are available post upgrade. It is recommended to clear the Load Balancer services. Refer to the following section:

See Steps for upgrading Cloud Scale from multiple media load balancer to none.

  • Load balancer services are created in primary server deployment that allows you to access the NetBackup application from public domains.

  • In the primary server CR spec, networkLoadBalancer section is used for handling the IP address and DNS name allocation for load balancer services. If ipList is provided in CR spec, IP address count must not be less than the count specified in replica for media server and for primary server, only one IP address must be mentioned.

  • The networkLoadBalancer section can be used to provide static IP address and DNS name allocation to the Load Balancer services.

  • (AKS-specific)

    • The networkLoadBalancer section can be used to provide static IP address and DNS name allocation to the loadbalancer services. For more information to create and use static loadbalancer, see Microsoft documentation.

      Static IP addresses and FQDN if used must be created before being used. Refer the below section:

      • Pre-allocation of static IP address and FQDN from resource group

        In this case, it is required to provide the network resource group in annotations. This resource group is the resource group of load balancer public IPs that are in the same resource group as the cluster infrastructure (node resource group). This static FQDN and IP address must be valid in case of pod failure or upgrades scenarios as well.

        In case user wants to use public load balancer, add type: Public in networkLoadBalancer section in primary and media server section in environment CR.

        • Example: In primary CR,

          networkLoadBalancer:
            type: Public
            annotations:
            - service.beta.kubernetes.io/azure-load-balancer-
          resource-group:<name of network resource-group>
            ipList:
            - fqdn: primary.eastus.cloudapp.azure.com
              ipAddr: 40.123.45.123

  • (EKS-specific)

    • NetBackup supports the network load balancer with AWS Load Balancer scheme as internet-facing.

    • FQDN must be created before being used. Refer below sections for different allowed annotations to be used in CR spec.

    • User must add the following annotations:

      service.beta.kubernetes.io/aws-load-balancer-subnets: <subnet1 name>

      In addition to the above annotations, if required user can add more annotations supported by AWS. For more information, see AWS Load Balancer Controller Annotations.

      For example:

      CR spec in primary server,

      networkLoadBalancer: 
      type: Private
      annotations:
        service.beta.kubernetes.io/aws-load-balancer-subnets: <subnet1 name> 
        ipList: 
        "10.244.33.27: abc.vxindia.cohesity.com"

      The IP address, the subnet provided in ipList and annotations in networkLoadBalancer section in CR spec must belong to same availability zone that of the node group.

      Note:

      The subnet provided here should be same as the one given in node pool used for primary server and media server.

If NetBackup client is outside VPC or to access Web UI from outside VPC, then client CIDR must be added with all NetBackup ports in security group rule of cluster. Run the following command, to obtain the cluster security group:

aws eks describe-cluster --name <my-cluster> --query cluster.resourcesVpcConfig.clusterSecurityGroupId

For more information on cluster security group, see Amazon EKS security group requirements and considerations.

Add inbound rule to security group. For more information, see Add rules to a security group.

(AKS-specific) Preferred annotations

Table: Preferred annotations

Annotations

Value

Description

service.beta.kubernetes.io/ azure-load-balancer- internal

true or false

Specify whether the load balancer should be internal.

Added by default when type is selected as Private in load balancer service annotations.

service.beta.kubernetes.io/ azure-load-balancer- internal-subnet

Name of the subnet

Specify which subnet the internal load balancer should be bound to.

service.beta.kubernetes.io/ azure-load-balancer -resource-group

Name of the resource group

Specify the resource group of load balancer public IPs that are not in the same resource group as the cluster infrastructure (node resource group).

Default ports used in the Load Balancer service
  • Primary server:

    • 8443

      Used to access NetBackup Web UI from a machine which is not deployed in the same VPC as your EKS cluster.

      In this case, open the Primary Load Balancer's Inbound security group to the machine's IP/CIDR with TCP port 443 and 8443.

      For more information, refer to the "Update the security groups for your Network Load Balancer" section in the AWS documentation.

    • 1556

      Used as bidirectional port. Primary server to/from media servers and primary server to/from client require this TCP port for communication.

    • 443

      Used to inbound to vnet proxy tunnel on the primary server. Also, this is used Nutanix workload, communication from primary server to the deduplication media server.

    • 13781

      The MQBroker is listening on TCP port 13781. NetBackup client hosts - typically located behind a NAT gateway - be able to connect to the message queue broker (MQBroker) on the primary server.

    • 13724

      This port is required as a fall-back option when a legacy service cannot be reached through PBX and is required when using the Resilient Network feature.

  • Snapshot Manager server:

    • 443

      The Snapshot Manager user interface uses this port as the default HTTPS port.

    • 5671

      The Snapshot Manager RabbitMQ server uses this port for internal service communications. This port must be open to support multiple agents, extensions, backup from snapshot, and restore from backup jobs.

    • (EKS-specific) 2049

      It is used for Amazon EFS access.

      For more information, see Source ports for working with EFS.

      Note:

      Add the NFS rule that allows traffic on port 2049 directly to the cluster security group. The security group attached to EFS must also allow traffic from port 2049.

Feedback

Was this page helpful?
Previous

Managing the Load Balancer service

Next

Notes for Load Balancer service

Feedback

Was this page helpful?