ZVR Versions Affected:
8.5 and onward
Description
Starting in the 8.5 release of Zerto Virtual Replication, VRA to VRA Encryption is supported across all platforms and establishes a secure channel for VRAs to communicate on via TLS over TCP. Prior to enabling VRA to VRA encryption within "Site Settings" of the Zerto Virtual Manager, new TCP ports "9007" and "9008" must be open on the firewall.
Please note, if the new firewall TCP ports “9007” and “9008” are not open prior to enabling VRA to VRA Encryption, replication RPOs can be impacted due to VRA network disconnections.
Please note that enabling VRA to VRA Encryption may result in additional CPU consumption and longer completion times for large initial syncs.
Background
VRA to VRA Encryption is disabled by default and upon enabling this feature within “Site Settings > Policies”, VRA communications are secured and encrypted via TLS over TCP. After enabling encryption, all subsequent VRA to VRA communications are conducted over two new VRA TCP ports, “9007” and “9008”. To avoid site disconnections, please ensure that firewall TCP ports “9007” and “9008” are open prior to enabling VRA to VRA Encryption. After enabling VRA to VRA Encryption, the unencrypted VRA TCP ports “4007” and “4008” can be disabled on the firewall. Please note that both the ZVM server and VRAs must be fully upgraded to 8.5 before enabling VRA to VRA Encryption. VRAs that are not upgraded to 8.5 will use the unencrypted VRA TCP ports “4007” and “4008”.
For Zerto Managed Service Providers, please ensure that, that new firewall TCP ports “9007” and “9008” are open on both the Cloud and Tenant firewalls before enabling encryption. Please note that no changes to the ZCC virtual machine are required prior to enabling VRA to VRA Encryption.
The VRA to VRA Encryption port requirements also apply for AWS and Azure ZCA environments where ports “9007” and “9008” must be open within the Azure and AWS firewalls/network security groups before enabling VRA to VRA Encryption.
To enable VRA to VRA Encryption bi-directionally, pleasure ensure that encryption is enabled on both the local and peer Zerto sites within “Site Settings > Policies”. Please note if encryption is not enabled on paired ZVM sites, encryption will remain disabled.
If you would like to disable VRA to VRA Encryption for Zerto Sites enabled with encryption, the original VRA TCP ports “4007” and “4008” must be open on the firewall prior to disabling encryption so that replication can continue. After disabling VRA to VRA Encryption, the new VRA ports “9007” and “9008” can be disabled on the firewall as Zerto replication continues on the original VRA replication ports “4007” and “4008”, across all Zerto 8.5 sites.
Zerto recommends that if you are uncertain whether ports “9007” and “9008” are open prior to enabling encryption, you can follow KB Connecting to a VRA via SSH which provides steps on how to connect to VRAs via SSH. Connecting to VRAs via SSH allows users to run basic network connectivity tests to validate VRA connectivity.
After following KB Connecting to a VRA via SSH to access local and peer VRAs via SSH, you can use the Linux ‘ping’, 'telnet', and ‘netcat’ commands to test whether bi-directional connectivity is possible across the new VRA TCP ports “9007” and “9008”.
Note the example below testing bi-directional connectivity between peer VRAs 'VRA1' and 'VRA2':
[VRA1.hostname.com]~: #ping <vra2_ip_address>
[VRA2.hostname.com]~: #netcat -l -p 9007 [VRA1.hostname.com]~: #telnet <vra2_ip_address> 9007
[VRA2.hostname.com]~: #netcat -l -p 9008 [VRA1.hostname.com]~: #telnet <vra2_ip_address> 9008
The process can be reversed when running connectivity tests from VRA2 to VRA1 and helps verify bi-directional VRA connectivity across the encrypted VRA TCP ports. Upon successful telnet connection, press Ctrl-] and then type quit to return to a user prompt. The 'netcat' tool will stop listening once the telnet connection is terminated.
To create a temporary listener on these ports on a ZCA, run the following command from a PowerShell prompt:
First test:
PS C:> powershell.exe -Command {$x = [System.Net.Sockets.TcpListener]9007; $x.Start(); Start-Sleep -Seconds 120}Second test:
PS C:> powershell.exe -Command {$x = [System.Net.Sockets.TcpListener]9008; $x.Start(); Start-Sleep -Seconds 120}The port will close after 120 seconds or by pressing Ctrl-C.
If the pings and telnets noted above are successful, you may proceed with enabling VRA to VRA Encryption within "Site Settings > Policies". If pings or telnets fail, then the network and firewall configuration should be checked to ensure ports “9007” and “9008” are open.
If you have questions regarding the Zerto upgrade process or require additional information for upgrade planning, please contact Support for assistance.
Regarding “VRA to VRA Encryption Compute Considerations”, additional CPU consumption may be observed after enabling encryption which can result in longer initial sync completion times for larger virtual machine disks. Zerto therefore recommends that a second CPU be added to all VRAs to help with processing encrypted VRA data.
VRA to VRA Encryption requires that hosts’ CPU support Intel Advanced Encryption Standard (AES-NI).
Recommendations
Zerto recommends that users open firewall TCP ports “9007” and “9008” before enabling VRA to VRA Encryption from “Site Settings > Policies” within the Zerto Virtual Replication user interface. If these ports are not open prior to enabling VRA to VRA Encryption, then replication can be impacted. Please follow the steps noted in the “Background” section to confirm that new port connectivity is present before enabling VRA to VRA Encryption.
Zerto recommends that VRA to VRA Encryption be enabled for peer ZVM sites within “Site Settings > Policies” for bi-directional encryption of VRA data.
Zerto recommends adding a second CPU to installed VRAs to help reduce overhead when encryption is enabled.
VRA to VRA Encryption requires that hosts’ CPU support Intel Advanced Encryption Standard (AES-NI).
If VRA to VRA Encryption needs to be disabled, please ensure that the original VRA TCP ports “4007” and “4008” are open on the firewall prior to disabling encryption.