How does Cyral work when the database user is connected over a VPN?

Cloud data repositories typically run in your organization's VPC within your cloud provider's service. When database users rely on a VPN to reach the VPC where the sidecar runs, their VPN is configured to allow traffic on the database ports they use.

When you deploy a Cyral sidecar, Cyral recommends that you deploy it in the same VPC as the repositories that Cyral will protect. When you associate the Cyral sidecar with the repository, you can specify the connection port where users will connect to the repository. This means database users connect using the sidecar's address and the port you specify. Make sure your VPN configuration allows access to this address and port combination.
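One way to verify that address and port combination from a VPN-connected client, as an added example that is not part of Cyral's documentation or tooling. The host name and port are placeholders, and the result labels and hints are this example's own.

```python
import socket

# Placeholders (assumptions): use your sidecar's address and the port you
# specified when associating the sidecar with the repository.
SIDECAR_HOST = "sidecar.example.internal"
SIDECAR_PORT = 5432

# What each result usually points to when testing over a VPN.
HINTS = {
    "open": "VPN allows this address and port; point database clients here.",
    "filtered": "No reply before the timeout; VPN routes or firewall rules "
                "probably do not allow this address and port.",
    "refused": "A host answered but nothing accepts connections on this "
               "port; compare it with the port set for the repository.",
    "dns_failure": "Name did not resolve; check the DNS servers the VPN "
                   "pushes, or test with the IP address.",
    "unreachable": "No route to the address; check the VPN's routed ranges.",
}

def check_endpoint(host, port, timeout=5.0):
    """Classify TCP reachability of host:port as seen from this client."""
    try:
        infos = socket.getaddrinfo(host, port, type=socket.SOCK_STREAM)
    except socket.gaierror:
        return "dns_failure"
    result = "unreachable"
    for family, socktype, proto, _, addr in infos:
        with socket.socket(family, socktype, proto) as s:
            s.settimeout(timeout)
            try:
                s.connect(addr)
                return "open"          # TCP handshake completed
            except socket.timeout:
                result = "filtered"    # packets silently dropped
            except ConnectionRefusedError:
                result = "refused"     # reset received from the far end
            except OSError:
                continue               # e.g. no route for this address family
    return result

if __name__ == "__main__":
    state = check_endpoint(SIDECAR_HOST, SIDECAR_PORT)
    print(f"{SIDECAR_HOST}:{SIDECAR_PORT} -> {state}: {HINTS[state]}")
```

Run it once with the VPN connected and once without; a result that changes from "open" to "filtered" or "unreachable" confirms the path depends on the VPN configuration.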

