When you create a connection to the cloud, the vCloud Tunneling Agent in the vSphere Replication appliance creates a tunnel to secure the transfer of replication data to your cloud Organization.

When a tunnel is created, the vCloud Tunneling Agent opens a port on the vSphere Replication appliance. ESXi hosts connect to that port to send replication data to a cloud organization. The port is picked randomly from a configurable range. The default port range is 10000-10010 TCP.

By default, ports 10000-10010 are not open on ESXi hosts. When you power on the vSphere Replication appliance, a vSphere Installation Bundle (VIB) is installed on all supported ESXi hosts in the vCenter Server inventory where the appliance is deployed. The VIB creates a firewall rule, Replication-to-Cloud Traffic, that opens TCP ports 10000 to 10010 for outgoing traffic. The rule is enabled automatically and takes effect immediately when you power on the vSphere Replication appliance, or when a host is registered or connected in the vCenter Server. If an administrator removes the VIB from a host, for example by using the esxcli utility, the vSphere Replication appliance reinstalls the VIB the next time you restart the appliance or when a host is restarted or reconnected to the inventory. If you do not want ports 10000 to 10010 to be open on an ESXi host, and if you do not plan to use this host as a replication source, you can disable the Replication-to-Cloud Traffic rule. See Allow or Deny Access to an ESXi Service or Management Agent with the vSphere Web Client.

To reduce the number of open ports or to change the ports that are used for communication between ESXi hosts and the vCloud Tunneling Agent, you can create a custom firewall rule and reconfigure the agent.