Azure endpoint access required for a ZCA running Zerto for Azure

KB Number:
000001922

Symptoms:
A Zerto for Azure customer may restrict the access provided to the ZCA either before or after Zerto installation.

Cause:
The Azure endpoints listed in this article are required for installation and for ongoing replication. They provide access to the Azure API and other Azure resources that Zerto uses to orchestrate replication, protection, and failover.

Solution:

If the customer's internal security policy does not allow a proxy exception for all Internet traffic generated by the ZCA, then access to the following specific Azure endpoints is required.

Authentication and management of access to Azure resources
management.azure.com
*.management.azure-api.net
login.microsoftonline.com

Azure internal use
https://blogs.msdn.microsoft.com/mast/2015/05/18/what-is-the-ip-address-168-63-129-16/
168.63.129.16:32526

Note: This special public IP address is owned by Microsoft and will not change. We recommend that you allow this IP address in any local (in the VM) firewall policies (outbound direction). The communication between this special IP address and the resources is safe because only the internal Azure platform can source a message from this IP address. If this address is blocked, unexpected behavior can occur in a variety of scenarios. 168.63.129.16 is a virtual IP of the host node and as such it is not subject to user defined routes.

ZCA deployment from Azure template
blob.*.store.core.windows.net
*.store.core.windows.net

Azure internal use
https://docs.microsoft.com/en-us/azure/virtual-machines/windows/instance-metadata-service
169.254.169.254

*.blob.core.windows.net

Azure Analytics
secure.*.microsoftonline-p.com

Azure authentication
portal.azure.com
graph.windows.net
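
Added example (not Zerto's or Microsoft's code): after egress has been restricted, this script reads proxy or firewall deny records and reports which blocked destinations are on the list above, grouped by the headings used in this article. The log format, the sample lines and the reading of "*" as one or more DNS labels are assumptions; match them to how your proxy interprets wildcards.

```python
import re

# Endpoints as listed in the article, keyed by the article's own headings.
REQUIRED = {
    "Authentication and management of access to Azure resources": [
        "management.azure.com", "*.management.azure-api.net",
        "login.microsoftonline.com"],
    "Azure internal use": ["168.63.129.16:32526", "169.254.169.254"],
    "ZCA deployment from Azure template": [
        "blob.*.store.core.windows.net", "*.store.core.windows.net"],
    "(listed without a heading)": ["*.blob.core.windows.net"],
    "Azure Analytics": ["secure.*.microsoftonline-p.com"],
    "Azure authentication": ["portal.azure.com", "graph.windows.net"],
}

LABELS = r"[a-z0-9-]+(?:\.[a-z0-9-]+)*"  # assumption: "*" = one or more DNS labels

def entry_matches(entry, host, port):
    """True if host:port is covered by one allow-list entry."""
    name, _, entry_port = entry.partition(":")
    if entry_port and int(entry_port) != port:
        return False  # the entry pins a port (168.63.129.16:32526)
    pattern = LABELS.join(re.escape(part) for part in name.lower().split("*"))
    return re.fullmatch(pattern, host.lower().rstrip(".")) is not None

def required_but_denied(log_lines):
    """Return {heading: [destinations]} for denied requests the ZCA needs."""
    hits = {}
    for line in log_lines:
        action, dest = line.split()[-2:]
        if action != "DENY":
            continue
        host, _, port = dest.rpartition(":")
        for heading, entries in REQUIRED.items():
            if any(entry_matches(e, host, int(port)) for e in entries):
                hits.setdefault(heading, []).append(dest)
                break
    return hits

# Constructed proxy log lines (hypothetical format: timestamp, action, host:port).
SAMPLE_LOG = [
    "2019-06-01T10:00:01Z ALLOW management.azure.com:443",
    "2019-06-01T10:00:02Z DENY login.microsoftonline.com:443",
    "2019-06-01T10:00:03Z DENY blob.ab1prdstr01a.store.core.windows.net:443",
    "2019-06-01T10:00:04Z DENY 168.63.129.16:80",
    "2019-06-01T10:00:05Z DENY 168.63.129.16:32526",
    "2019-06-01T10:00:06Z DENY store.core.windows.net:443",
]
```

Calling required_but_denied(SAMPLE_LOG) returns only the denied destinations that the list covers; any heading that appears in the result points to a rule that still has to be opened for the ZCA.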

 


Affected Versions:
Zerto 6.5, 7.0

Hypervisor:
Azure
