Automatic Protection with Zerto 9 and vSphere Tags - Zerto

September 28, 2021

Among many new features and enhancements in Zerto 9 comes one that many customers have been waiting for: VM automatic protection using vSphere tags. This feature simplifies disaster recovery and data protection for workloads using a pre-defined virtual protection group (VPG) as a template, by either automatically building a new VPG or adding new VMs to existing VPGs—all by simply adding a vSphere tag to the VMs. In this blog post, we’ll take a look at how it all works and demonstrate how to make the most of this new feature.

vSphere Tags

vSphere tags are a native feature of VMware vSphere that enable additional metadata to be attached to objects in the vCenter inventory, making it easier to associate, sort, find, and manage groups of virtual machines that are related. In addition to tags, there are categories, which allow you to group one or more related tags together.

One of the great things about vSphere tags is they can span multiple vCenter instances, allowing you to group similar objects together no matter where they are. For example, if you have multiple on-premises vCenter instances configured with Enhanced Linked Mode, all tags and tag categories are replicated across all those instances, making it easier to manage and report on all related objects.

For more information about vSphere Tags and Attributes, visit: VMware Docs: vSphere Tags and Attributes

How Does This All Work?

Before enabling VM automatic protection, it helps to understand how it works, so let’s cover what you need to know and pre-configure before we start automating protection.

The vSphere Tag Schema

Zerto uses a combination of template VPGs and vSphere tags to automatically protect your workloads using a schema – which can sound confusing, but I promise it will all make sense!

The vSphere tag schema that Zerto uses is: <TVPG:VPGN>

  • Target Virtual Protection Group (TVPG). This is an existing VPG used as a template for protecting tagged VMs. This refers to the template VPG you create (e.g., Gold, Silver, Bronze, etc.).
  • Virtual Protection Group Name (VPGN). This is the name of the new or existing VPG to be updated with tagged protected VMs (e.g., CRM, Web, Wiki, etc.).

Here’s an example of the tag schema in my lab environment, and I think the best way to understand this is to have more than one tag that has the same TVPG:

From this example, you can see I have two tags where my TVPG is called Bronze. The VPGN part of the schema is different for each. I have a VPGN for my Wiki application, and I have another for my CRM application.

Since the TVPG is associated with an existing VPG I’ve created as a template, let’s talk about the VPG template before we tie everything together.

Virtual Protection Group Template

You will need to create at least one VPG template for automatic protection. Creating the VPG template is the same as creating a normal VPG. The point of the template is for Zerto to have a reference configuration to use when automatically creating VPGs once you start tagging VMs.

You can have multiple template VPGs (e.g., Gold, Silver, or Bronze) to match different SLA tiers or applications based on criticality. You don’t need to follow this example; you can even create VPG templates based on the recovery site or application. Below you’ll see that I currently have two template VPGs: Gold and Bronze.

Pro Tip: The Dummy VM

To create a VPG, you will need to have at least one VM in it. The same goes for template VPGs—the difference is that a template VPG does not need to contain a production VM. The best way to keep your template VPGs, replica disks, and journals small is to create a “dummy VM” from the vSphere client.

A “dummy VM” is one that contains minimal configuration (e.g., 1 vCPU, 16MB RAM, 10MB hard disk). You don’t need to install an operating system on this VM (just be sure to power it on after creation), because you’re only using the VM to create the VPG template.

By not installing an operating system on the VM, you’ll be able to configure your template VPG for the appropriate recovery site, journal history length, size limits, and destination resources (including long-term retention settings) without sacrificing any valuable resources for production recovery.

Enabling VM Automatic Protection

When you install or upgrade to Zerto 9.0 and enable VM auto protection, Zerto will add a tag category to the vCenter named “Zerto — Protection Automation.”

To enable the VM auto-protection feature, you first need to head to the Zerto Site Settings menu from the Zerto user interface and enable it. Zerto recommends that you enable this setting in each protected site.

Go to Site Settings -> Workflow Automation and select the box under VMs protection to enable VMs auto protection using VMware vSphere tags. Please note that the user enabling this feature will need to possess the vCenter permissions to create vSphere tag categories and to create and apply vSphere tags.

Once enabled, the Zerto Virtual Manager in each site will start to query the vSphere environment once every 10 minutes looking for any vSphere tags that belong to the “Zerto — Protection Automation” category that have been applied to any unprotected virtual machines.

  • If the VPGN is found during this scan with a newly tagged VM, Zerto will try to add the tagged VM to the existing VPG.
  • If an existing VPG is not found, Zerto will create a new VPG by copying the settings from the template VPG (TVPG) and will add the tagged VM(s) to the new VPG (VPGN). The result will be a newly-created VPG with the naming convention: TVPG_VPGN.


Putting It All Together

Let’s see how all the concepts and requirements work together. Since I’ve been using Bronze as my example above, let’s use it here.

1. I’ve created my template VPG and configured it with the necessary settings to meet my “Bronze” SLA.

2. I’ve created two tags (Bronze:Wiki, Bronze:CRM) in vSphere and associated them with the Tag Category that Zerto monitors (Zerto — Protection Automation).

3. I’ve tagged my CRM VMs with the “Bronze:CRM” vSphere tag.

4. Zerto then automatically created the “Bronze_CRM” VPG to protect the three VMs I tagged. In the future, if more CRM VMs are built and tagged with the Bronze:CRM vSphere tag, they will automatically be added to the Bronze_CRM VPG.
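
The polling rule and the Bronze walkthrough above, as an added example (not Zerto's code): a Python dry run that parses TVPG:VPGN tags, predicts which VPG each VM lands in, and flags tags that need review before anyone relies on them for protection. It assumes an existing VPG is matched by its TVPG_VPGN name; the VM names, the Platinum and ERP tags, and the review checks themselves are constructed for illustration.

```python
# Added example: dry run of the TVPG:VPGN tag mapping described in the post.
# Inventory data is constructed; nothing here talks to vCenter or Zerto.

def parse_tag(tag):
    """Split a 'TVPG:VPGN' tag into (tvpg, vpgn); None if malformed."""
    parts = [p.strip() for p in tag.split(":")]
    if len(parts) != 2 or not all(parts):
        return None
    return parts[0], parts[1]

def plan(vm_tags, template_vpgs, existing_vpgs):
    """Predict one polling pass: ({vpg: (verb, [vms])}, [(vm, reason)])."""
    actions, findings = {}, []
    for vm, tags in sorted(vm_tags.items()):
        if not tags:
            findings.append((vm, "no protection tag, stays unprotected"))
            continue
        if len(tags) > 1:  # assumption: this check treats it as ambiguous
            findings.append((vm, "more than one protection tag"))
            continue
        parsed = parse_tag(tags[0])
        if parsed is None:
            findings.append((vm, f"malformed tag {tags[0]!r}"))
            continue
        tvpg, vpgn = parsed
        if tvpg not in template_vpgs:
            findings.append((vm, f"no template VPG named {tvpg!r}"))
            continue
        target = f"{tvpg}_{vpgn}"  # naming convention from the post
        verb = "add" if target in existing_vpgs else "create"
        actions.setdefault(target, (verb, []))[1].append(vm)
    return actions, findings

# Constructed lab inventory mirroring the Bronze:CRM walkthrough.
SAMPLE_VM_TAGS = {
    "crm-app01": ["Bronze:CRM"], "crm-app02": ["Bronze:CRM"],
    "crm-db01": ["Bronze:CRM"], "wiki01": ["Bronze:Wiki"],
    "web01": ["Platinum:Web"], "test01": ["Bronze-Test"],
    "erp01": ["Gold:ERP", "Bronze:ERP"], "scratch01": [],
}
TEMPLATES = {"Gold", "Bronze"}   # template VPGs (the TVPG part)
EXISTING = {"Bronze_Wiki"}       # assumed to exist already

if __name__ == "__main__":
    acts, finds = plan(SAMPLE_VM_TAGS, TEMPLATES, EXISTING)
    for name, (verb, vms) in acts.items():
        print(f"{verb:6} {name}: {', '.join(vms)}")
    for vm, why in finds:
        print(f"REVIEW {vm}: {why}")
```

Because a tag alone decides whether a VM is protected, the review list is the part worth checking regularly: a typo in the TVPG part leaves a VM outside every VPG.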


Automating protection with Zerto and vSphere tags results in having systems protected sooner without additional procedures, therefore greatly improving your resilience to unplanned disruptions or ransomware. The feature also provides an additional layer of security because it doesn’t require Zerto administrator privileges once set up. vSphere administrators, application owners, or even automated workflows can simply tag workloads in vCenter and have them protected without ever having to log onto the Zerto user interface.


To see VM auto-protection in action followed by a ransomware recovery demo, attend our session at VMworld 2021, “No VM (or Container) Left Behind with Zerto 9” (Session ID MCL2858S)!

Chris Rogers

Chris Rogers is a Technology Evangelist at Zerto with 11 years of experience as an IT Professional focusing on data center virtualization and Data Protection. In his previous role, Chris was a Cloud Architect within the MSP Team. He lives in the UK with his wife, Lou, and 2 cats. He has his own technology-focused blog and enjoys most sports, and loves his cars.