Segmenting the CDE

Segmenting the CDE requires understanding the network architecture and being able to isolate the CDE from other networks. Segmenting the CDE is achieved either by Port Group Isolation (PGI) or VLAN isolation.

Port Group Isolation

Zerto Virtual Manager requires the following ports to be open in the protected and recovery site firewalls:

Port         Description
22           During Virtual Replication Appliance (VRA) installation on VMware ESXi 5.x hosts and higher, for communication between the Zerto Virtual Manager (ZVM) and the hosts' IPs, and for ongoing communication between the ZVM in the cloud site (but not the customer site) and a Zerto Cloud Connector.
443          During VRA installation on VMware ESX/ESXi hosts, for communication between the ZVM and the hosts' IPs. Also for ongoing communication between the ZVM and VMware vCenter Server.
4005         Log collection between the ZVM and VRAs on the same site.
4006         TCP communication between the ZVM and VRAs and the VBA on the same site.
4007         TCP control communication between protecting and recovering VRAs, and between a Zerto Cloud Connector and VRAs.
4008         TCP communication between VRAs to pass data from protected virtual machines to a VRA on a recovery site, and between a Zerto Cloud Connector and VRAs.
4009         TCP communication between the ZVM and site VRAs to handle checkpoints.
5672         TCP communication between the ZVM and vCloud Director for access to AMQP messaging.
8100         Communication between the Zerto Virtual Manager and the Microsoft System Center Virtual Machine Manager (SCVMM).
9080         HTTP communication between the ZVM and Zerto internal APIs, a Zerto Cloud Manager, and cmdlets.
9081         TCP communication between ZVMs, and between a ZVM and a Zerto Cloud Connector.
9082 and up  Used when a Managed Service Provider supplies DRaaS: two TCP ports for each VRA (for ports 4007 and 4008), accessed via the Zerto Cloud Connector installed by the Managed Service Provider. These ports are directional. Zerto recommends using a port range starting at port 9082. For example, if customer A's network has 3 VRAs, customer B's network has 2 VRAs, and the Managed Service Provider's network has 4 VRAs, then the following ports must be open in the firewall for each cloud: the Managed Service Provider's VRAs need 6 ports to reach customer A's VRAs, while customer A's VRAs need 8 ports to reach the cloud's VRAs; the Managed Service Provider's VRAs need 4 ports to reach customer B's VRAs, while customer B's VRAs need 8 ports to reach the cloud's VRAs.
9180         Communication between the VBA and a VRA.
9669         HTTPS communication between:
             machines running the Zerto User Interface and the Zerto Virtual Manager;
             the Zerto Virtual Manager and Zerto REST APIs;
             Hyper-V hosts and the Zerto Virtual Manager.
9779         HTTPS communication between the Zerto Self-Service Portal for in-cloud (ICDR) customers and a ZVM.
9989         HTTPS communication between a browser and the Zerto Cloud Manager.

These ports must be included in port groups in the segmentation that is implemented.
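The following is an added example, not Zerto's own code: it models the port table above, derives the directional "9082 and up" ranges for the DRaaS case (reproducing the 6/8 and 4/8 port counts worked through in the table), and audits a constructed firewall rule set so that only required Zerto ports are open between segments. The back-to-back layout of the two ranges and the (src_zone, dst_zone, dst_port) rule format are assumptions made for the example.

```python
# Fixed ports from the table above. When a Cloud Connector is used, the
# "9082 and up" range stands in for the per-VRA 4007/4008 connections.
ZERTO_FIXED_PORTS = frozenset({22, 443, 4005, 4006, 4007, 4008, 4009, 5672,
                               8100, 9080, 9081, 9180, 9669, 9779, 9989})
PORTS_PER_VRA = 2   # one port each for 4007 (control) and 4008 (data)
RANGE_START = 9082  # Zerto's recommended starting port for the range

def cloud_connector_ports(customer_vras, msp_vras, start=RANGE_START):
    """Return (to_customer, to_msp) port ranges for one customer.

    MSP VRAs reaching the customer's VRAs need two ports per customer VRA;
    the customer's VRAs reaching the MSP's VRAs need two ports per MSP VRA.
    Assumption (not stated on the page): the two ranges are laid out back
    to back starting at `start`.
    """
    to_customer = range(start, start + PORTS_PER_VRA * customer_vras)
    to_msp = range(to_customer.stop, to_customer.stop + PORTS_PER_VRA * msp_vras)
    return to_customer, to_msp

def required_ports(customer_vras, msp_vras):
    """Every port a segmentation rule set may open for this customer's Zerto traffic."""
    to_customer, to_msp = cloud_connector_ports(customer_vras, msp_vras)
    return ZERTO_FIXED_PORTS | set(to_customer) | set(to_msp)

def audit_rules(rules, allowed):
    """Flag rules that open more than Zerto needs between segments.

    `rules` is a list of (src_zone, dst_zone, dst_port); dst_port None means
    "any port". The rule tuple format is an assumption made for this example.
    """
    findings = []
    for src, dst, port in rules:
        if port is None:
            findings.append(f"{src}->{dst}: any-port rule defeats segmentation")
        elif port not in allowed:
            findings.append(f"{src}->{dst}: port {port} is not a Zerto port")
    return findings

# Constructed sample rule set: customer A (3 VRAs) against an MSP with 4 VRAs.
SAMPLE_RULES = [
    ("CDE", "ZVM", 9669),               # UI/REST to the ZVM: required
    ("CDE", "ZVM", 3389),               # RDP: not in the Zerto port set
    ("CDE", "Cloud-Connector", None),   # any-port rule
]

if __name__ == "__main__":
    for finding in audit_rules(SAMPLE_RULES, required_ports(3, 4)):
        print(finding)
```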

VLAN Isolation

The ports in the above table, described in Port Group Isolation, can be mapped to specific VLANs.