Article number
Affected Versions
Source Hypervisor
Target Hypervisor

How to Configure AWS Worker Instances without Public IP Addresses

Viewed 589 times


An administrator who does not have external internet access from their AWS environment due to security limitations may want to ensure the Zerto Workers within AWS do not have public IPs.

Starting in 7.5, AWS/Zerto environments can be configured to no longer require Public IP Addresses on the AWS Worker Instances (ZASA, ZSAT, ZImporter). However, the use of Public IPs is still supported.


In order to support AWS Workers without the use of Public IPs, connections must be established between these instances with IAM, S3, and EC2 AWS Services. See the steps below to accomplish this:

  1. IAM - it is recommended to set up a NAT Gateway for these instances. Should there be an underlying network that allows connection to all 3 services, then the NAT Gateway is not required. See this AWS Documentation for a How To.

  2. S3 can be connected to via setting up an S3 VPC Endpoint. See this AWS News Blog for a How To.

  3. EC2 can be connected to via setting up an EC2 VPC Endpoint. See this AWS Documentation for a How To.

  4. Lastly, ensure the ZCA instance does not utilize a Public IP address. By default, the ZCA Public IP definition is determined and then distributed down to each AWS Worker instance as well. (i.e. if the ZCA has a Public IP address, all Workers will have Public IPs).

NOTE: There is no IAM VPC Endpoint in AWS as of today, hence the need for NAT Gateway.