How do I make my Vault accessible over the internet?

You may have a requirement to make your on-premise Vault accessible to your users who are not in the office. This article will explain the requirements and the steps to take to ensure your users can backup from outside the organization.

Requirements for single Vault tenant


Each end-user device must be able to resolve the registered hostname/IP of the Vault.  If you have registered your Vault with a public FQDN, please ensure that your external DNS records are updated to reflect this.  It may be administered by your IT department or external DNS service provider.


For each Backup and Restore session, a websocket connection is made from the user device to the Vault on the default port 9000.  The required inbound port access must be allowed on your perimeter firewall.  The source will be the user device (public) IP and the target must be the private IP of the Vault server.  This is typically referred to as a Port forward rule.

Requirements for a multi Vault tenant

Elaborating on the requirements above, additional considerations need be made as follows:

Are all the Vaults behind a single public firewall breakout/single public IP address?

In this scenario, a unique public FQDN needs to be registered for each Vault; and a unique port needs to be configured for each Vault.

Are the Vaults behind separate public firewall breakouts/multiple public IP addresses?

In this scenario, a unique public FQDN needs to be registered for each Vault; and the same port can be used (or left on default) for each Vault.


If you need to change the name of the registered Vault then please contact Cibecs Support.  Do not DETACH an existing vault if it has backup data stored.