Port Usage

The architecture diagrams in the following sections show the port usage within an enterprise, with port number references in the relevant tables.

Firewall Considerations in VMware vSphere Environments

Firewall Considerations in Microsoft Hyper-V Environments

Firewall Considerations in Microsoft Azure Environments

Firewall Considerations in AWS Environments

CSP Environments

Firewall Considerations in VMware vSphere Environments

The following architecture diagram shows the ports that must be opened in the firewalls on all sites.

Zerto can be installed at multiple sites and each of these sites can be paired to any of the other sites.

Zerto supports both the protected and recovery sites being managed by a single vCenter Server or System Center Virtual Machine Manager. For example, in the following scenarios:

From a branch office, to the main office, both managed by the same System Center Virtual Machine Manager.
From one host to a second host, both managed by the same System Center Virtual Machine Manager.
To the same host but using different storage for recovery.

It is recommended to install Zerto in the main office site where protected machines will be recovered.

The following table provides basic information about the Zerto ports shown in the above diagram.

Consider firewall rules if the services are not installed on the same network.

Note: UDP ports in the 444xx range for DHCP are not required and can therefore be blocked.
Port Purpose
22 Required between an ESXi host and the ZVM during installation of a VRA.
443 Required between the ZVM and the vCenter Server.
443 Required between an ESXi host and the ZVM during installation of a VRA.
445 Required between LTR service and a network shared repository on top of SMB protocol.
2049 Required between LTR service and a network shared repository on top of NFS protocol.
4005 Log collection between the ZVM and site VRAs.
4006 Communication between the ZVM and local site VRAs and the site VBA.
4007 Control communication between protecting and peer VRAs.
4008 Communication between VRAs to pass data from protected virtual machines to a VRA on a recovery site.
4009 Communication between the ZVM and local site VRAs to handle checkpoints.
5672 TCP communication between the ZVM and vCloud Director for access to AMQP messaging.
7073 Internal port, used only on the ZVM VM. Used for communication with the service in charge of collecting data for the Zerto Resource Planner. Note: Unless you select the checkbox ‘Enable Support notification and product improvement feedback’, data is not transmitted to Zerto Analytics.
9080* Communication between the ZVM, Zerto PowerShell Cmdlets, and Zerto Diagnostic tool.
9081* Communication between paired ZVMs**
9180* Communication between the ZVM and the VBA.
9669* Communication between ZVM and ZVM GUI and ZVM REST APIs, and the ZCM.
9989 Communication between ZCM, and ZCM GUI and ZCM REST APIs.

Firewall Considerations in Microsoft Hyper-V Environments

The following architecture diagram shows the ports that must be opened in the firewalls on all sites.

Zerto can be installed at multiple sites and each of these sites can be paired to any of the other sites.

Zerto supports both the protected and recovery sites being managed by a single vCenter Server or System Center Virtual Machine Manager. For example, in the following scenarios:

From a branch office, to the main office, both managed by the same System Center Virtual Machine Manager.
From one host to a second host, both managed by the same System Center Virtual Machine Manager.
To the same host but using different storage for recovery.

It is recommended to install Zerto in the main office site where protected machines will be recovered.

The following table provides basic information about the Zerto ports shown in the above diagram.

Consider firewall rules if the services are not installed on the same network.

Note: UDP ports in the 444xx range for DHCP are not required, and can therefore be blocked.
Port Purpose
445 Required between LTR service and a network shared repository on top of SMB protocol.
2049 Required between LTR service and a network shared repository on top of NFS protocol.
4005 Log collection between the ZVM and site VRAs.
4006 Communication between the ZVM and local site VRAs and the site VBA.
4007 Control communication between protecting and peer VRAs.
4008 Communication between VRAs to pass data from protected virtual machines to a VRA on a recovery site.
4009 Communication between the ZVM and local site VRAs to handle checkpoints.
7073 Internal port, used only on the ZVM VM. Used for communication with the service in charge of collecting data for the Zerto Resource Planner. Note: Unless you select the checkbox ‘Enable Support notification and product improvement feedback’, data is not transmitted to Zerto Analytics.
8100 Communication between the ZVM and the SCVMM (System Center Virtual Machine Manager).
9080* Communication between the ZVM, Zerto PowerShell Cmdlets, and Zerto Diagnostic tool.
9081* Communication between paired ZVMs** Note: When a single SCVMM is used for both protection and recovery, only one ZVM is installed and port 9081 is not used. Recovery to a different SCVMM uses port 9081 between the ZVMs in each site.
9180* Communication between the ZVM and the VBA.
9669* Communication between ZVM and ZVM GUI and ZVM REST APIs, and the ZCM. Communication between every Hyper-V host and the Zerto Virtual Manager.

9779 Communication between ZVM and ZSSP (Zerto Self Service Portal).
9989 Communication between ZCM, and ZCM GUI and ZCM REST APIs.

Firewall Considerations in Microsoft Azure Environments

The following architecture diagram shows the ports that must be opened in the firewalls on all sites.

The following table provides basic information about the Zerto ports shown in the above diagram.

Zerto Cloud Appliance (ZCA) requires the following ports to be open in the Azure site firewall, set in the Azure network security group:

Port Description
443 Required between the ZVM and the Azure Cloud environment. Required between the Azure REST Service and the ZVM during installation of a VRA. Required for communication between the ZVM and Azure Scale Set and Queues services.
4005 Log collection between the ZVM and site VRAs.
4006 Communication between the ZVM and local site VRAs and the site VBA.
4007 Control communication between protecting and peer VRAs.
4008 Communication between VRAs to pass data from protected virtual machines to a VRA on a recovery site.
4009 Communication between the ZVM and local site VRAs to handle checkpoints.
7072 Communication between the VRA and ZVM. Required for metadata promotion.
7073 Internal port, used only on the ZVM VM. Used for communication with the service in charge of collecting data for the Zerto Resource Planner. Note: Unless you select the checkbox ‘Enable Support notification and product improvement feedback’, data is not transmitted to Zerto Analytics.
9080* Communication between the ZVM, Zerto PowerShell Cmdlets, and Zerto Diagnostic tool.
9081* Communication between paired ZVMs**
9180* Communication between the ZVM and the VBA.
9669* Communication between ZVM and ZVM GUI and ZVM REST APIs, and the ZCM.
9779 Communication between ZVM and ZSSP (Zerto Self Service Portal).
9989 Communication between ZCM, and ZCM GUI and ZCM REST APIs.

Firewall Considerations in AWS Environments

The following diagram shows Zerto components deployed on one site and the ports and communication protocols used between the components.

Zerto Cloud Appliance requires the following ports to be open in the AWS site firewall, set in the Amazon security group:

Port Description
443 Required between the ZVM and the AWS Cloud environment.
443 Required between ZVM Service and ZASA.
4005 Log collection between the ZVM and site VRAs.
4006 Communication between the ZVM and local site VRAs and the site VBA.
4007 Control communication between protecting and peer VRAs.
4008 Communication between VRAs to pass data from protected virtual machines to a VRA on a recovery site.
4009 Communication between the ZVM and local site VRAs to handle checkpoints.
7073 Internal port, used only on the ZVM VM. Used for communication with the service in charge of collecting data for the Zerto Resource Planner. Note: Unless you select the checkbox ‘Enable Support notification and product improvement feedback’, data is not transmitted to Zerto Analytics.
9080* Communication between the ZVM, Zerto PowerShell Cmdlets, and Zerto Diagnostic tool.
9081* Communication between paired ZVMs**
9180* Communication between the ZVM and the VBA.
9669* Communication between ZVM and ZVM GUI and ZVM REST APIs, and the ZCM.
9779 Communication between ZVM and ZSSP (Zerto Self Service Portal).
9989 Communication between ZCM, and ZCM GUI and ZCM REST APIs.

Environments with Zerto Cloud Manager

When Zerto is installed on multiple sites, a Zerto Cloud Manager can be used to manage all the sites from one pane of glass for management, orchestration, reporting, and monitoring of recovery operations.

CSP Environments

The following architecture diagram shows the port usage when a cloud service provider is involved, providing DRaaS to a customer using vSphere, with port number references to the following table.

Port Description
22 During Virtual Replication Appliance installation on ESXi hosts 5.1 and higher, for communication between the Zerto Virtual Manager and the ESXi host IPs, and for ongoing communication between the Zerto Virtual Manager and a Zerto Cloud Connector.
443 During Virtual Replication Appliance installation on ESX/ESXi hosts 5.1 and higher, for communication between the Zerto Virtual Manager and the ESX/ESXi host IPs, and for ongoing communication between the Zerto Virtual Manager and vCenter Server and vCloud Director.
8100 TCP communication between the Zerto Virtual Manager and Microsoft SCVMM.
4005 Log collection between the Zerto Virtual Manager and Virtual Replication Appliances on the same site.
4006 TCP communication between the Zerto Virtual Manager and Virtual Replication Appliances on the same site.
4007 TCP control communication between protecting and recovering Virtual Replication Appliances and between a Zerto Cloud Connector and Virtual Replication Appliances.
4008 TCP communication between Virtual Replication Appliances to pass data from protected virtual machines to a Virtual Replication Appliance on a recovery site and between a Zerto Cloud Connector and Virtual Replication Appliances.
4009 TCP communication between the Zerto Virtual Manager and site Virtual Replication Appliances to handle checkpoints.
5672 TCP communication between the Zerto Virtual Manager and vCloud Director for access to AMQP messaging.
7073 Internal port, used only on the ZVM VM. Used for communication with the service in charge of collecting data for the Zerto Resource Planner. Note: Unless you select the checkbox ‘Enable Support notification and product improvement feedback’, data is not transmitted to Zerto Analytics.
9080 HTTP communication between the Zerto Virtual Manager and Zerto internal APIs, a Zerto Cloud Manager (ZCM), and cmdlets, which should only be available to a customer using DRaaS and not ICDR.
9081 TCP communication between Zerto Virtual Managers and between a customer Zerto Virtual Manager and a Zerto Cloud Connector. This port must not be changed when providing DRaaS.
9082 and up Two ports for each Virtual Replication Appliance (one for port 4007 and one for port 4008) accessed via the Zerto Cloud Connector installed by the cloud service provider. There is directionality to these ports. It is recommended to use a port range starting with port 9082. For example, if customer A's network has 3 VRAs, customer B's network has 2 VRAs, and the cloud service provider management network has 4 VRAs, then the following ports must be open in the firewall for each cloud: The cloud service provider's VRAs need to use 6 ports to reach customer A's VRAs, while customer A's VRAs need 8 ports to reach the cloud's VRAs. The cloud service provider's VRAs need to use 4 ports to reach customer B's VRAs, while customer B's VRAs need 8 ports to reach the cloud's VRAs.
9180 Communication between the VBA and Virtual Replication Appliance.
9669 HTTPS communication between: machines running Zerto User Interface and Zerto Virtual Manager; Zerto Virtual Manager and Zerto REST APIs; Hyper-V hosts and the Zerto Virtual Manager.
9779 HTTPS communication between the Zerto Self-Service Portal for in-cloud (ICDR) customers and a Zerto Virtual Manager.
9989 HTTPS communication between the browser and the Zerto Cloud Manager.
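
The port count in the "9082 and up" row, worked through as an added Python example (not Zerto code, and not part of the original page). It assumes ports are assigned contiguously from 9082 in each direction, with the 4007 mapping before the 4008 mapping for each VRA; the VRA names are constructed.

```python
from dataclasses import dataclass

FIRST_ZCC_PORT = 9082      # start of the range the page recommends
VRA_PORTS = (4007, 4008)   # VRA control and data ports from the table


@dataclass(frozen=True)
class Mapping:
    listen_port: int   # port opened in the firewall (9082 and up)
    vra: str           # VRA reached through that port
    vra_port: int      # 4007 or 4008 on that VRA


def zcc_mappings(target_vras, first_port=FIRST_ZCC_PORT):
    """Two ports per target VRA, assigned contiguously (an assumption)."""
    ports = iter(range(first_port, first_port + 2 * len(target_vras)))
    return [Mapping(next(ports), vra, vra_port)
            for vra in target_vras for vra_port in VRA_PORTS]


def firewall_plan(cloud_vras, customers):
    """Openings needed per customer, one list per direction."""
    return {
        name: {
            "cloud_to_customer": zcc_mappings(vras),
            "customer_to_cloud": zcc_mappings(cloud_vras),
        }
        for name, vras in customers.items()
    }


def port_span(mappings):
    """(lowest, highest) listen port, or None when nothing is mapped."""
    ports = [m.listen_port for m in mappings]
    return (min(ports), max(ports)) if ports else None


# Constructed inventory matching the page's example: 4 / 3 / 2 VRAs.
CLOUD_VRAS = [f"csp-vra-{i}" for i in range(1, 5)]
CUSTOMERS = {
    "A": [f"custA-vra-{i}" for i in range(1, 4)],
    "B": [f"custB-vra-{i}" for i in range(1, 3)],
}

if __name__ == "__main__":
    for name, directions in firewall_plan(CLOUD_VRAS, CUSTOMERS).items():
        for direction, maps in directions.items():
            print(name, direction, len(maps), "ports", port_span(maps))
```

Because the count depends on the number of VRAs on the far side, adding a VRA on either side means two more firewall openings in the direction that reaches it.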

The following architecture diagram shows the port usage when a cloud service provider is involved, providing in-cloud disaster recovery, with port number references to the above table: