Virtual Replication Appliance

Virtual Replication Appliances (VRAs) are custom, very thin, Linux-based virtual machines with a small footprint in disk, memory and CPU, hardened to limit the number of running services to the bare minimum. By default they run only the Zerto protocols and SSH. All other protocols and services, such as the cron service and ICMP redirects, are either not installed or turned off.

Zerto uses several types of network services and is designed to work in conjunction with existing network security elements.

Firewall

Zerto components can be deployed behind standard firewalls. Zerto relies on the Virtual Replication Appliance's iptables firewall to block the ports that Zerto does not require.

Note: Zerto does not support NAT (Network Address Translation) firewalls.

SSH

The Zerto components do not require SSH for remote access, and SSH can be restricted via the firewall software so that only authorized clients can reach it. Zerto support can supply a hardened Virtual Replication Appliance that limits SSH access to the console only.

The Zerto Virtual Manager communicates, as a client, with ESX/ESXi hosts securely via SSH when running Zerto with VMware vSphere 5.x or later.

Managing VRA Authentication

Access to the VRA is possible via SSH. It is also possible to access the VRA via the hypervisor console, after setting a root password.

To set the root password, follow the instructions in KB1594 to connect to the VRA, and use the passwd command.

It is also possible to add trusted SSH keys using standard OpenSSH commands.


Important: Following any changes to the user accounts and SSH settings, wait 10 minutes before restarting or shutting down the VRA, to ensure that these settings are maintained across upgrades.

VRA to VRA Encryption

Users can enable TLS-based VRA encryption to protect sensitive replication data in-flight.

Enabling VRA encryption secures the VRA to VRA communication channel (TLS over TCP) and carries it over two new ports: 9007 and 9008.

Note: VRA to VRA Encryption is not intended to replace a VPN or any private connection.

Considerations:

- To avoid site disconnections, make sure ports 9007 and 9008 are open for communication between your peer VRAs.
- For encryption between cross-site peer VRAs, enable VRA encryption on both sites.
- VRA encryption requires that your hosts' CPUs support AES-NI.
- After enabling encryption, you may experience some degradation in replication performance due to CPU consumption. This is only likely to be noticed:
  - During a large Initial Sync between the sites.
  - In environments where the network and storage support large throughputs, where the CPU might become a bottleneck.
- Enabling encryption might also affect your VRAs' compression ratio.
- To reduce the encryption impact on performance, Zerto recommends you add a second vCPU to each VRA.
Important:

- Increasing the number of vCPUs to two is recommended if the VRA is used for Long-term Retention or for high loads.
- Increasing the number of vCPUs to more than two should only be done on Zerto Support's recommendation.
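A pre-flight check for the two considerations above that cause site disconnections or a failed enablement (host CPU lacking AES-NI, and ports 9007/9008 closed between peer VRAs), added here as an example and not part of Zerto's own tooling. It assumes a Linux host with bash and coreutils `timeout`, and takes peer VRA addresses as arguments (the addresses in the comment are placeholders).

```shell
#!/usr/bin/env bash
# Added pre-flight check before enabling VRA-to-VRA encryption (not Zerto tooling).
# Assumes: Linux host, bash available for the /dev/tcp probe, coreutils 'timeout',
# and peer VRA addresses passed as arguments.

VRA_ENC_PORTS="9007 9008"   # TLS channel ports named in the documentation

# has_aes_ni [cpuinfo_file]: succeeds when the CPU flags line lists 'aes' (AES-NI).
# The optional file argument lets the parser run against a constructed sample.
has_aes_ni() {
  local cpuinfo="${1:-/proc/cpuinfo}"
  grep -Eq '^flags[[:space:]]*:.*[[:space:]]aes([[:space:]]|$)' "$cpuinfo"
}

# tcp_port_open host port [timeout_seconds]: succeeds when a TCP connect completes.
tcp_port_open() {
  timeout "${3:-3}" bash -c "exec 3<>/dev/tcp/$1/$2" 2>/dev/null
}

# check_peers peer...: probes both encryption ports on every peer VRA.
# Prints one line per probe and returns the number of failed probes.
check_peers() {
  local failures=0 peer port
  for peer in "$@"; do
    for port in $VRA_ENC_PORTS; do
      if tcp_port_open "$peer" "$port"; then
        echo "OK   $peer:$port reachable"
      else
        echo "FAIL $peer:$port unreachable (open the port between peer VRAs first)"
        failures=$((failures + 1))
      fi
    done
  done
  return "$failures"
}

# preflight peer...: returns 0 only when AES-NI is present and every probe passes.
preflight() {
  local rc=0
  if has_aes_ni; then
    echo "OK   host CPU advertises AES-NI"
  else
    echo "FAIL host CPU lacks AES-NI; VRA encryption requires it"
    rc=1
  fi
  check_peers "$@" || rc=1
  return "$rc"
}

# Runs only when peers are given, e.g.: ./vra_enc_preflight.sh 198.51.100.10 198.51.100.11
if [ "$#" -gt 0 ]; then preflight "$@"; fi
```

Run it from a host that will carry the replication traffic; a FAIL on either port is the symptom that shows up later as a site disconnection.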