Article number
Affected Versions
Source Hypervisor
Target Hypervisor

How To Configure AWS Worker Instances Without Public IP Addresses

Viewed 140 times


Starting in 7.5, AWS/Zerto environments can be configured to no longer require Public IP Addresses on the AWS Worker Instances (ZASA, ZSAT, ZImporter).

This is intended for customers who do not have free internet access from their AWS environment due to security limitations. However, the use of Public IPs is still supported.


In order to support AWS Workers without the use of Public IPs, connections must be established between these instances with IAM, S3, and EC2 AWS Services:

1) IAM - it is recommended to set up a NAT Gateway for these instances. Should there be an underlying network that allows connection to all 3 services, then the NAT Gateway is not required. See this AWS Documentation for a How To.

NOTE: There is no IAM VPC Endpoint in AWS as of today, hence the need for NAT Gateway.

2) S3 can be connected to via setting up an S3 VPC Endpoint. See this AWS News Blog for a How To.

3) EC2 can be connected to via setting up an EC2 VPC Endpoint. See this AWS Documentation for a How To.

4) Lastly, ensure the ZCA instance does not utilize a Public IP address. By default, the ZCA Public IP definition is determined and then distributed down to each AWS Worker instance as well. (i.e. if the ZCA has a Public IP address, all Workers will have Public IPs). Should you wish to have differing Public IP definitions, i.e. the ZCA having a Public IP but the Workers do not, kindly contact Zerto Support by opening a case and citing this KB Article.