Zerto Cloud Manager Installation Guide

Firewall Considerations in Zerto Cloud Manager

When Zerto is installed on multiple sites, a Zerto Cloud Manager can be used to manage all the sites from one pane of glass for management, orchestration, reporting, and monitoring of recovery operations.

To ensure that all components communicate with each other successfully, both within a site and across sites, certain ports must be open. The required ports differ depending on which of the two types of architecture is used.

DRaaS Architecture

The following architecture diagram shows the basic Data Recovery as a Service (DRaaS) architecture for a VMware environment, with the required ports. DRaaS organizations can manage their disaster recovery via the Zerto User Interface.

ICDR Architecture

The following diagram shows the basic Intra Cloud Disaster Recovery (ICDR) architecture for a VMware environment, with the required ports. ICDR organizations can manage their disaster recovery via the Zerto Self-service Portal.

Required Open Firewall Ports

The following table lists the ports that must be opened in the firewalls in both the organization and Managed Service Provider (MSP) sites.

  • The Port column is the port number.

  • The Diagram Reference # column is the number that appears in the architecture diagrams to indicate which components use the port.

  • The Description explains what the port is used for.

| Port | Diagram Reference # | Description |
|---|---|---|
| 22 | 9, 24 | During Virtual Replication Appliance (VRA) installation on ESXi 5.1 and higher for communication between the Zerto Virtual Manager (ZVM) and the ESXi hosts IPs and for ongoing communication between the ZVM in the cloud site – but not the customer site – and a Zerto Cloud Connector. |
| 443 | 2, 6, 8, 18, 19, 20 | During VRA installation on ESX/ESXi hosts for communication between the Zerto Virtual Manager and the ESX/ESXi hosts IPs and for ongoing communication between the Zerto Virtual Manager and vCenter Server and vCloud Director. MQTT communication between the Zerto Virtual Manager and vCloud Director. Zerto Cloud Manager and Zerto Virtual Manager: the communication from the ZCM to the ZVM is via this port. |
| 4005 | 10 | Log collection between the Zerto Virtual Manager and Virtual Replication Appliances on the same site, using TLS over TCP communication. |
| 4006 | 11 | TLS over TCP communication between the Zerto Virtual Manager and Virtual Replication Appliances on the same site. |
| 4007 | 16, 21 | Unencrypted TCP communication between protecting and recovering VRAs and between a Zerto Cloud Connector and VRAs. |
| 4008 | 17, 25 | Unencrypted TCP communication between VRAs to pass data of protected virtual machines to a VRA on a recovery site and between a Zerto Cloud Connector and VRAs. |
| 4009 | 12 | TLS over TCP communication between the Zerto Virtual Manager and site Virtual Replication Appliances to handle checkpoints. |
| 7073 | | Internal port, used only on the Zerto Virtual Manager VM. Used for communication with the service in charge of collecting data for the Zerto Resource Planner. Note: Unless you select the checkbox ‘Enable Support notification and product improvement feedback’, data is not transmitted to Zerto Analytics. |
| 8100 | - | Communication between the Zerto Virtual Manager and the System Center Virtual Machine Manager in a customer site running Zerto Virtual Replication with Hyper-V. |
| 9007 | 16, 21 | Encrypted TCP communication between protecting and recovering VRAs and between a Zerto Cloud Connector and VRAs. |
| 9008 | 17, 25 | Unencrypted TCP communication between VRAs to pass data of protected virtual machines to a VRA on a recovery site and between a Zerto Cloud Connector and VRAs. |
| 9071* | | HTTPS communication between paired ZVMs. |
| 9080 | 1, 13, 15 | HTTP communication between the Zerto Virtual Manager and Zerto internal APIs which should only be available to a customer using DRaaS and not ICDR. |
| 9081 | 7, 23, 27 | TCP communication between Zerto Virtual Managers, and between a customer Zerto Virtual Manager and a Zerto Cloud Connector, maintained for backward compatibility purposes. This port must not be changed when providing DRaaS. |
| 9072 to 9079, 9082 and up | 22, 26, 28, 29 | Four ports for each VRA (one each for ports 4007, 4008, 9007 and 9008) accessed via the Zerto Cloud Connector installed by the Managed Service Provider. There is directionality to these ports. From client site to Zerto Cloud Connector, the ports are 9082 and up. From cloud site to Zerto Cloud Connector, the ports are 9072 and up. For example: If Customer A network has 3 VRAs and customer B network has 2 VRAs and the Managed Service Provider management network has 4 VRAs, then the following ports must be open in the firewall for each cloud: The Managed Service Provider's VRAs need to use 12 ports to reach customer A's VRAs, while customer A's VRAs need 16 ports to reach the cloud's VRAs. The Managed Service Provider's VRAs need to use 8 ports to reach customer B's VRAs, while customer B's VRAs need 16 ports to reach the cloud's VRAs. |
| 9180 | 32 | Communication between the VBA and VRA. |
| 9669 | 3, 4, 5, 1 | HTTPS communication between: machines running Zerto User Interface and Zerto Virtual Manager; Zerto Virtual Manager and Zerto REST APIs, cmdlets. |
| 9989 | 31 | HTTPS communication between the browser and the Zerto Cloud Manager. |
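
The transport and scope notes in the table can be turned into a review of a firewall's allow rules. The following is an added example, not Zerto code: the `(source_cidr, dest_port)` rule format, the `audit` function and the sample rules are assumptions constructed for illustration, and treating "plaintext port open to any source" as a finding is a hardening choice rather than a statement from the guide.

```python
import ipaddress

# Port properties transcribed from the table above.
PLAINTEXT = {4007: "unencrypted TCP", 4008: "unencrypted TCP",
             9008: "unencrypted TCP", 9080: "HTTP"}
ZVM_INTERNAL = {7073}   # "used only on the Zerto Virtual Manager VM"
DRAAS_ONLY = {9080}     # "only be available to a customer using DRaaS and not ICDR"
DRAAS_FIXED = {9081}    # "must not be changed when providing DRaaS"


def audit(rules, architecture):
    """Return sorted (port, finding) pairs for (source_cidr, dest_port) allow rules."""
    if architecture not in ("DRaaS", "ICDR"):
        raise ValueError("architecture must be 'DRaaS' or 'ICDR'")
    findings, seen = set(), set()
    for cidr, port in rules:
        # A /0 prefix (0.0.0.0/0 or ::/0) means the rule matches every source.
        any_source = ipaddress.ip_network(cidr).prefixlen == 0
        seen.add(port)
        if port in ZVM_INTERNAL:
            findings.add((port, "internal to the ZVM VM, no firewall rule needed"))
        if port in DRAAS_ONLY and architecture == "ICDR":
            findings.add((port, "DRaaS-only port allowed in an ICDR deployment"))
        if port in PLAINTEXT and any_source:
            findings.add((port, f"{PLAINTEXT[port]} allowed from any source"))
    if architecture == "DRaaS":
        for port in DRAAS_FIXED - seen:
            findings.add((port, "no allow rule, but DRaaS needs this port unchanged"))
    return sorted(findings)


# Constructed sample rule set for an MSP edge firewall (not from a real site).
SAMPLE_RULES = [
    ("203.0.113.0/24", 9081),    # customer ZVM range
    ("203.0.113.0/24", 9007),    # encrypted VRA traffic
    ("0.0.0.0/0", 4007),         # plaintext replication open to every source
    ("198.51.100.10/32", 9080),  # internal API from one host
    ("10.0.0.0/8", 7073),        # Resource Planner collector port
]

if __name__ == "__main__":
    for arch in ("DRaaS", "ICDR"):
        print(arch)
        for port, finding in audit(SAMPLE_RULES, arch):
            print(f"  {port}: {finding}")
```

The same rule set yields an extra finding for port 9080 when audited as ICDR, because the table scopes that port to DRaaS customers only.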