Zerto VRA in a multi-zone network and ports

Hello,

Q1. In a multi-tenant cloud based DR infrastructure environment, where we use ZCC for customer A and customer B, do we need to use different firewall ports for each VRA in the Cloud DR recovery site ? Example: If we have 4 ESXi host cluster in the cloud recovery site and have installed 4 VRAs, and configured  VRA to VRA encryption with v8.5, can all the 4 VRAs have 9007 and 9008 port , or each VRA should have unique ports .

Q2.  How does Zerto works in a multi security zone layer? If the customer have three network zone, example: public, private and secure. Does it really matter for ZVM and VRA on production site ? Is there a best practise guide that says that ZVM should be on management layer and VRA on a different layer.

My understanding is that  ZVM maintains communication with VCenter and VRA, whereas, VRA communicates with ESXi host and the datastore to replicate the data. Kindly correct me if i am wrong.