Firewall Considerations in AWS Environments

The following diagram shows Zerto components deployed on one site and the ports and communication protocols used between the components.

Zerto Cloud Appliance requires the following ports to be open in the AWS site firewall, set in the Amazon security group:

Port Description
443 Required between the ZVM and the AWS Cloud environment.
443 Required between ZVM Service and ZASA.
4005 Log collection between the ZVM and site VRAs, using TLS over TCP communication.
4006 TLS over TCP communication between the ZVM and local site VRAs and the site VBA.
4007 Control communication between protecting and peer VRAs.
4008 Communication between VRAs to pass data from protected virtual machines to a VRA on a recovery site.
4009 TLS over TCP communication between the ZVM and local site VRAs to handle checkpoints.
7073 Internal port, used only on the ZVM VM. Used for communication with the service in charge of collecting data for the Zerto Resource Planner. Note: Unless you select the checkbox ‘Enable Support notification and product improvement feedback’, data is not transmitted to Zerto Analytics.
9071* HTTPS communication between paired ZVMs, when both Zerto versions are 8.0 and above.
9080* Communication between the ZVM, Zerto Powershell Cmdlets, and Zerto Diagnostic tool.

9081* Communication between paired ZVMs**, maintained for backward compatibility purposes.
9180* Communication between the ZVM and the VBA.
9669* Communication between ZVM and ZVM GUI and ZVM REST APIs, and the ZCM.
9779 Communication between ZVM and ZSSP (Zerto Self Service Portal).
9989 Communication between the ZCM and the ZCM GUI and ZCM REST APIs.
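
One way to check a security group against the table above, as an added example that is not Zerto's or AWS's own code: it reads one group in the shape returned by `aws ec2 describe-security-groups` and reports listed ports with no inbound rule, listed ports open to any address, and rules that expose the internal port. It assumes every listed port is TCP and that 7073, being internal to the ZVM VM, needs no inbound rule; the function names, the `rule` helper and the sample group are constructed for illustration.

```python
# Ports from the table above, assumed to be TCP. 7073 is kept separate on the
# assumption that a port used only inside the ZVM VM needs no inbound rule.
REQUIRED = {443, 4005, 4006, 4007, 4008, 4009, 9071, 9080, 9081,
            9180, 9669, 9779, 9989}
INTERNAL_ONLY = {7073}
WORLD = {"0.0.0.0/0", "::/0"}

def covers(perm, port):
    """True if one IpPermissions entry allows TCP traffic to `port`."""
    proto = perm.get("IpProtocol")
    if proto == "-1":  # "-1" means every protocol and every port
        return True
    if proto not in ("tcp", "6"):
        return False
    return perm.get("FromPort", 0) <= port <= perm.get("ToPort", 65535)

def sources(perm):
    """CIDRs and peer security-group IDs that the entry admits."""
    found = [r["CidrIp"] for r in perm.get("IpRanges", [])]
    found += [r["CidrIpv6"] for r in perm.get("Ipv6Ranges", [])]
    found += [g["GroupId"] for g in perm.get("UserIdGroupPairs", [])]
    return set(found)

def audit(group):
    """Return (missing, world_open, internal_exposed) port lists for a group."""
    perms = group.get("IpPermissions", [])
    def admitted(port):
        return set().union(*(sources(p) for p in perms if covers(p, port)))
    missing = sorted(p for p in REQUIRED if not admitted(p))
    world_open = sorted(p for p in REQUIRED if admitted(p) & WORLD)
    internal_exposed = sorted(p for p in INTERNAL_ONLY if admitted(p))
    return missing, world_open, internal_exposed

def rule(lo, hi, cidr):  # hypothetical helper that builds one sample entry
    key, field = ("Ipv6Ranges", "CidrIpv6") if ":" in cidr else ("IpRanges", "CidrIp")
    return {"IpProtocol": "tcp", "FromPort": lo, "ToPort": hi, key: [{field: cidr}]}

# Constructed sample in the shape of `aws ec2 describe-security-groups` output.
SAMPLE_GROUP = {"GroupId": "sg-EXAMPLE", "IpPermissions": [
    rule(443, 443, "0.0.0.0/0"), rule(4005, 4009, "10.0.0.0/16"),
    rule(9071, 9071, "10.1.0.0/16"), rule(9669, 9669, "::/0"),
    rule(7073, 7073, "10.0.0.0/16")]}

if __name__ == "__main__":
    print(audit(SAMPLE_GROUP))
```

Ports in the second list are reachable from any address and are the ones to narrow to the peer ZVM, VRA or management CIDRs that actually need them.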