Article number
000002872
Affected Versions
All
Source Hypervisor
Azure

Azure endpoint access required for a ZCA running Zerto for Azure

Root Cause

The Azure endpoints listed in this article are required for installation and for ongoing replication. The ZCA needs them to reach the Azure API and the other Azure resources that Zerto uses to orchestrate replication, protection, and failover.

Symptoms

A Zerto for Azure customer may restrict the access provided to the ZCA either before or after Zerto installation.

Solution

If the customer's internal security policy does not allow a proxy exception for all Internet traffic generated by the ZCA, then access to the following specific Azure endpoints is required.

Authentication and management of access to Azure resources
management.azure.com
*.management.azure-api.net
login.microsoftonline.com

Azure internal use
https://blogs.msdn.microsoft.com/mast/2015/05/18/what-is-the-ip-address-168-63-129-16/
168.63.129.16:32526

Note: This special public IP address is owned by Microsoft and will not change. We recommend that you allow this IP address in any local (in the VM) firewall policies (outbound direction). The communication between this special IP address and the resources is safe because only the internal Azure platform can source a message from this IP address. If this address is blocked, unexpected behavior can occur in a variety of scenarios. 168.63.129.16 is a virtual IP of the host node and as such it is not subject to user defined routes.

ZCA deployment from Azure template
blob.*.store.core.windows.net
*.store.core.windows.net

Azure internal use
https://docs.microsoft.com/en-us/azure/virtual-machines/windows/instance-metadata-service
169.254.169.254

*.blob.core.windows.net

Azure Analytics
secure.*.microsoftonline-p.com

Azure authentication
portal.azure.com
graph.windows.net
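The entries above mix literal hostnames, wildcard patterns and IP:port pairs, which makes it easy to get a proxy exception or firewall rule slightly wrong. The following is an added example (not Zerto's or Microsoft's code) that turns the article's list into a matcher, audits a constructed proxy deny log for connections the article says must be allowed, and offers a plain TCP reachability probe for the non-wildcard entries. It assumes a proxy log of the form `<timestamp> DENY <host>:<port>` and that `*` in an entry stands for one or more DNS labels; both are assumptions, not something the article specifies.

```python
import re
import socket
from typing import List, NamedTuple, Optional, Tuple

# Endpoint list exactly as given in the article. The one IP:port entry keeps
# its port; every other entry is taken to apply on any port (assumption).
ZCA_ENDPOINTS = [
    "management.azure.com",
    "*.management.azure-api.net",
    "login.microsoftonline.com",
    "168.63.129.16:32526",
    "blob.*.store.core.windows.net",
    "*.store.core.windows.net",
    "169.254.169.254",
    "*.blob.core.windows.net",
    "secure.*.microsoftonline-p.com",
    "portal.azure.com",
    "graph.windows.net",
]


class Rule(NamedTuple):
    pattern: "re.Pattern"
    port: Optional[int]  # None means the entry applies on any port
    source: str          # the article entry this rule was built from


def compile_rule(entry: str) -> Rule:
    """Turn one allowlist entry into an anchored regex plus optional port."""
    host, port = entry, None
    if ":" in entry:
        host, port_str = entry.rsplit(":", 1)
        port = int(port_str)
    # Assumption: '*' matches one or more DNS labels; everything else is literal,
    # and the regex is anchored so 'management.azure.com.attacker.invalid'
    # cannot pass as 'management.azure.com'.
    regex = "".join(
        r"[^.]+(?:\.[^.]+)*" if part == "*" else re.escape(part)
        for part in re.split(r"(\*)", host.lower())
    )
    return Rule(re.compile(rf"^{regex}$"), port, entry)


RULES = [compile_rule(e) for e in ZCA_ENDPOINTS]


def matching_rule(host: str, port: int = 443) -> Optional[str]:
    """Return the article entry that covers host:port, or None if none does."""
    host = host.lower().rstrip(".")
    for rule in RULES:
        if rule.pattern.match(host) and (rule.port is None or rule.port == port):
            return rule.source
    return None


# Constructed sample proxy deny records (format is an assumption for this example).
SAMPLE_DENY_LOG = """\
2024-01-01T10:00:00Z DENY management.azure.com:443
2024-01-01T10:00:01Z DENY zertostore.blob.core.windows.net:443
2024-01-01T10:00:02Z DENY 168.63.129.16:80
2024-01-01T10:00:03Z DENY updates.example.invalid:443
"""


def find_blocked_required(log_text: str) -> List[Tuple[str, int, str]]:
    """List (host, port, entry) for denied connections that the article requires."""
    hits = []
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 3 or parts[1] != "DENY":
            continue  # not a deny record in the assumed format
        host, _, port_str = parts[2].rpartition(":")
        port = int(port_str)
        entry = matching_rule(host, port)
        if entry:
            hits.append((host, port, entry))
    return hits


def probe_tcp(host: str, port: int = 443, timeout: float = 3.0) -> bool:
    """Plain TCP connect from the ZCA's point of view; True if the handshake completes."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


if __name__ == "__main__":
    for host, port, entry in find_blocked_required(SAMPLE_DENY_LOG):
        print(f"blocked but required by '{entry}': {host}:{port}")
    for entry in ZCA_ENDPOINTS:
        if "*" in entry:
            continue  # wildcard entries need a concrete hostname to probe
        host, _, port = entry.partition(":")
        ok = probe_tcp(host, int(port) if port else 443)
        print(f"{entry}: {'reachable' if ok else 'unreachable'}")
```

Run it on the ZCA itself (the proxy exception must apply to traffic sourced from that VM, not from an administrator's workstation). Wildcard entries cannot be probed without a concrete hostname, such as the actual storage account used for the deployment, and the 169.254.169.254 metadata endpoint answers HTTP rather than a bare TCP handshake on 443, so treat the probe as a first-pass check of proxy and firewall rules rather than proof that replication will work.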