Before we dive straight into VRA encryption optimisation, I thought it would be good to share the platform security enhancements Zerto has made during the last few releases.
Zerto’s Commitment to Security
In 8.0 Zerto started to encrypt the traffic between the ZVM and the VRAs, and between the ZVM/ZCA and the target ZVM/ZCA, over a secured channel using port 9071. This added to the secure site pairing, which requires users to generate a token on the target ZVM/ZCA before pairing sites.
In 8.5, VRA to VRA encryption was released; however, the datapath was single threaded, which meant it could be a potential bottleneck for Zerto's always-on continuous data replication.
What’s Changed in 9.0
In the 9.0 release Zerto enabled the capability to use multiple threads, which can scale for extra performance by adding more cores for sending and receiving data. By default the VRA uses the number of cores of the VRA machine as the number of threads that handle send and receive actions. For example, if the VRA is deployed with 2 vCPUs, then 2 threads are used.
When additional vCPUs are added to an existing VRA, the VRA detects that a socket is ready to send or receive data and adds a send/receive action to a new datapath network send and receive queue. The requests on the queue are handled by dedicated threads. When you enable encryption, the VRAs use ports 9007 and 9008 instead of ports 4007 and 4008. Port 9007 is used for the control network, which manages the ZVM to VRA and VRA to VRA commands. Port 9008 is used for the encrypted traffic.
Each VRA can be configured with 1 – 4 vCPUs.
• Enabling encryption might also affect your VRA's compression ratio.
• To reduce the encryption impact on performance, Zerto recommends you add a second vCPU to each VRA.
• Increasing the number of vCPUs to two is recommended if the VRA is used for Long-term Retention, or for high loads.
• Increasing the number of vCPUs to more than two should only be per Zerto Support recommendation.
How to Enable Encryption
To enable VRA to VRA encryption, log into the ZVM and navigate to Site Settings and Policies. Enable encryption by selecting the ‘Enable data encryption in flight for VRA to VRA communications’ option. This needs to be enabled on each site.
Before you apply the change you will be prompted with a warning explaining the port requirements and other support information (please read it).
You can check that the VRAs are communicating over the new ports by logging into the VRAs and running the netstat command. If you haven’t logged into the VRAs before, please follow the steps in this KB.
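As an added example that is not part of the original post or of Zerto's own tooling, the following POSIX shell check classifies `netstat -tn` style output by the ports described above (9007/9008 encrypted control and data, 4007/4008 legacy unencrypted, 9071 ZVM secure channel) and flags any connection still on the legacy ports. The netstat sample it runs against is constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the Zerto article). Port numbers are those the
# article states; the netstat sample below is constructed, not real output.

# Read netstat -tn output on stdin and print one line per ESTABLISHED
# connection: "<class> <local address> <foreign address>".
classify_vra_ports() {
  awk '$6 == "ESTABLISHED" {
    lp = $4; sub(/.*:/, "", lp)   # local port (text after the last colon)
    rp = $5; sub(/.*:/, "", rp)   # remote port
    cls = "other"
    if (lp == "9007" || rp == "9007")       cls = "encrypted-control"
    else if (lp == "9008" || rp == "9008")  cls = "encrypted-data"
    else if (lp == "4007" || rp == "4007" || lp == "4008" || rp == "4008")
                                            cls = "plaintext-legacy"
    else if (lp == "9071" || rp == "9071")  cls = "zvm-secure-channel"
    print cls, $4, $5
  }'
}

# Succeed (exit 0) only if no established connection uses legacy 4007/4008.
no_plaintext_datapath() {
  ! classify_vra_ports | grep -q '^plaintext-legacy '
}

# Constructed sample in netstat -tn layout (addresses are placeholders).
SAMPLE_NETSTAT='Active Internet connections (w/o servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 10.0.0.21:9008          10.0.1.22:51244         ESTABLISHED
tcp        0      0 10.0.0.21:52310         10.0.0.10:9071          ESTABLISHED
tcp        0      0 10.0.0.21:9007          10.0.1.22:51300         ESTABLISHED
tcp        0      0 10.0.0.21:4008          10.0.1.23:50001         TIME_WAIT'

# Usage: on a real VRA, replace the sample with `netstat -tn | ...`.
printf '%s\n' "$SAMPLE_NETSTAT" | classify_vra_ports
if printf '%s\n' "$SAMPLE_NETSTAT" | no_plaintext_datapath; then
  echo "OK: no established connections on legacy ports 4007/4008"
else
  echo "WARNING: established connections still using legacy ports 4007/4008"
fi
```

The TIME_WAIT line on port 4008 is deliberately ignored: only ESTABLISHED connections are classified, so a stale entry from before the change does not trigger the warning.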