Firewall Considerations in Zerto Cloud Manager
Last Updated: Dec 16, 2024
When Zerto is installed on multiple sites, a Zerto Cloud Manager can be used to manage all the sites from one pane of glass for management, orchestration, reporting, and monitoring of recovery operations.
To ensure that all components communicate successfully, both within a site and across sites, certain ports must be open. The required ports differ depending on which of the two architecture types is used.
DRaaS Architecture
The following architecture diagram shows the basic Data Recovery as a Service (DRaaS) architecture for a VMware environment, with the required ports. DRaaS organizations can manage their disaster recovery via the Zerto User Interface.
ICDR Architecture
The following diagram shows the basic Intra Cloud Disaster Recovery (ICDR) architecture for a VMware environment, with the required ports. ICDR organizations can manage their disaster recovery via the Zerto Self-service Portal.
Required Open Firewall Ports
The following table lists the ports that must be opened in the firewalls in both the organization and Managed Service Provider (MSP) sites.
- The Port column is the port number.
- The Diagram Reference # column is the number that appears in the architecture diagrams to indicate which components use the port.
- The Description column explains what the port is used for.
| Port | Diagram Reference # | Description |
| --- | --- | --- |
| 22 | 9, 24 | During Virtual Replication Appliance (VRA) installation on ESXi 5.1 and higher, for communication between the Zerto Virtual Manager (ZVM) and the ESXi host IPs, and for ongoing communication between the ZVM in the cloud site (but not the customer site) and a Zerto Cloud Connector. |
| 443 | 2, 6, 8, 18, 19, 20 | |
| 4005 | 10 | Log collection between the Zerto Virtual Manager and Virtual Replication Appliances on the same site, using TLS over TCP communication. |
| 4006 | 11 | TLS over TCP communication between the Zerto Virtual Manager and Virtual Replication Appliances on the same site. |
| 4007 | 16, 21 | Unencrypted TCP communication between protecting and recovering VRAs, and between a Zerto Cloud Connector and VRAs. |
| 4008 | 17, 25 | Unencrypted TCP communication between VRAs to pass data of protected virtual machines to a VRA on a recovery site, and between a Zerto Cloud Connector and VRAs. |
| 4009 | 12 | TLS over TCP communication between the Zerto Virtual Manager and site Virtual Replication Appliances to handle checkpoints. |
| 7073 | | Internal port, used only on the Zerto Virtual Manager VM. Used for communication with the service in charge of collecting data for the Zerto Resource Planner. Note: Unless you select the checkbox 'Enable Support notification and product improvement feedback', data is not transmitted to Zerto Analytics. |
| 8100 | - | Communication between the Zerto Virtual Manager and the System Center Virtual Machine Manager in a customer site running Zerto Virtual Replication with Hyper-V. |
| 9007 | 16, 21 | Encrypted TCP communication between protecting and recovering VRAs, and between a Zerto Cloud Connector and VRAs. |
| 9008 | 17, 25 | Unencrypted TCP communication between VRAs to pass data of protected virtual machines to a VRA on a recovery site, and between a Zerto Cloud Connector and VRAs. |
| 9071* | | HTTPS communication between paired ZVMs. |
| 9080 | 1, 13, 15 | HTTP communication between the Zerto Virtual Manager and Zerto internal APIs. Should only be available to a customer using DRaaS, not ICDR. |
| 9081 | 7, 23, 27 | TCP communication between Zerto Virtual Managers, and between a customer Zerto Virtual Manager and a Zerto Cloud Connector, maintained for backward compatibility purposes. This port must not be changed when providing DRaaS. |
| 9072 to 9079, 9082 and up | 22, 26, 28, 29 | Four ports for each VRA (one each for ports 4007, 4008, 9007 and 9008), accessed via the Zerto Cloud Connector installed by the Managed Service Provider. For example: if customer A's network has 3 VRAs, customer B's network has 2 VRAs, and the Managed Service Provider management network has 4 VRAs, then the following ports must be open in the firewall for each cloud: the Managed Service Provider's VRAs need 12 ports to reach customer A's VRAs, while customer A's VRAs need 16 ports to reach the cloud's VRAs; the Managed Service Provider's VRAs need 8 ports to reach customer B's VRAs, while customer B's VRAs need 16 ports to reach the cloud's VRAs. |
| 9180 | 32 | Communication between the VBA and VRA. |
| 9669 | 3, 4, 5, 1 | HTTPS communication between: |
| 9989 | 31 | HTTPS communication between the browser and the Zerto Cloud Manager. |
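The following is an added example, not Zerto's own code or tooling. It encodes the table above as data and shows two things a firewall reviewer would want to check: how the "four ports per VRA" rule for the 9072-9079 / 9082-and-up range sizes out for the table's own example (4 MSP VRAs, 3 for customer A, 2 for customer B), and how a set of observed open ports compares against what the table expects for a DRaaS or ICDR site, including whether the DRaaS-only port 9080 is open on an ICDR site and which open ports the table labels as unencrypted. Sequential allocation from 9072 upward and treating any observed port at or above 9072 that is not a fixed table port as a connector port are assumptions; the table only gives the range and the per-VRA rule.

```python
# Added example (not Zerto's code): the port table encoded as data, plus helpers
# to size/allocate Zerto Cloud Connector ports and audit observed open ports.

PORTS_PER_VRA = 4                  # one each for 4007, 4008, 9007 and 9008
CONNECTOR_RANGE_START = 9072       # "9072 to 9079, 9082 and up"
CONNECTOR_RESERVED = {9080, 9081}  # fixed ZVM ports inside the range, never reused

# Fixed ports listed in the table.
FIXED_PORTS = {22, 443, 4005, 4006, 4007, 4008, 4009, 7073, 8100,
               9007, 9008, 9071, 9080, 9081, 9180, 9669, 9989}
# Ports the table describes as "Unencrypted TCP communication".
PLAINTEXT_PORTS = {4007, 4008, 9008}
# 9080 (HTTP to Zerto internal APIs) should be open only for DRaaS, not ICDR.
DRAAS_ONLY_PORTS = {9080}


def connector_ports_needed(remote_vra_count: int) -> int:
    """Number of connector ports one side needs to reach remote_vra_count VRAs."""
    if remote_vra_count < 0:
        raise ValueError("VRA count cannot be negative")
    return PORTS_PER_VRA * remote_vra_count


def allocate_connector_ports(count: int) -> list[int]:
    """Take `count` ports from 9072 upward, skipping 9080 and 9081.

    Sequential allocation is an assumption; the table only gives the range.
    """
    ports, candidate = [], CONNECTOR_RANGE_START
    while len(ports) < count:
        if candidate not in CONNECTOR_RESERVED:
            ports.append(candidate)
        candidate += 1
    return ports


def expected_ports(architecture: str, hyperv: bool = False) -> set[int]:
    """Fixed ports the firewall should allow for a DRaaS or ICDR site."""
    if architecture not in ("DRaaS", "ICDR"):
        raise ValueError("architecture must be 'DRaaS' or 'ICDR'")
    ports = set(FIXED_PORTS)
    if architecture == "ICDR":
        ports -= DRAAS_ONLY_PORTS
    if not hyperv:
        ports.discard(8100)  # 8100 applies only to Hyper-V / SCVMM sites
    return ports


def audit_open_ports(observed: set[int], architecture: str,
                     hyperv: bool = False) -> dict:
    """Compare observed open ports with the table.

    Returns ports open but not expected, expected but closed, ports taken to be
    per-VRA connector ports (assumption: >= 9072 and not a fixed table port),
    and open ports the table labels unencrypted, so a reviewer can confirm the
    latter stay confined to the replication path.
    """
    expected = expected_ports(architecture, hyperv)
    connector = {p for p in observed
                 if p >= CONNECTOR_RANGE_START and p not in FIXED_PORTS}
    return {
        "unexpected": sorted(observed - expected - connector),
        "missing": sorted(expected - observed),
        "connector": sorted(connector),
        "plaintext": sorted(observed & PLAINTEXT_PORTS),
    }


def worked_example() -> dict:
    """The table's own example: MSP has 4 VRAs, customer A 3, customer B 2."""
    msp, customer_a, customer_b = 4, 3, 2
    return {
        "msp_to_a": connector_ports_needed(customer_a),   # 12
        "a_to_msp": connector_ports_needed(msp),          # 16
        "msp_to_b": connector_ports_needed(customer_b),   # 8
        "b_to_msp": connector_ports_needed(msp),          # 16
    }


if __name__ == "__main__":
    print(worked_example())
    print(allocate_connector_ports(16))
    # Constructed sample of open ports on an ICDR site: 9080 and 3389 should
    # be flagged as unexpected; the three unencrypted VRA ports are reported.
    sample = {22, 443, 4005, 4006, 4007, 4008, 4009, 7073, 9007, 9008,
              9071, 9080, 9081, 9180, 9669, 9989, 3389}
    print(audit_open_ports(sample, "ICDR"))
```

Running the audit on the constructed ICDR sample reports 3389 and 9080 as unexpected, nothing missing (8100 is excluded because the site is not Hyper-V), and 4007, 4008 and 9008 as plaintext, which is the list a reviewer would cross-check against network segmentation between VRAs and the Cloud Connector.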