You can enable network encryption of replication traffic for new and existing replications to protect replicated data in transit.

You can enable encryption of replication traffic if your VMware Site Recovery instances are on a VMware Cloud on AWS SDDC version 1.13 or later.

The vSphere Replication appliance automatically installs an encryption agent on the source ESXi hosts. Network encryption uses TLS 1.2 as its transport protocol.

The encrypted replication traffic uses mutual certificate-based authentication between the source ESXi host and target site vSphere Replication server.

When configuring or reconfiguring a replication, the vSphere Replication Management Server (VRMS) updates the source virtual machine configuration with a thumbprint of the target vSphere Replication server certificate. VRMS registers each vSphere Replication server at the target site with the certificates of all ESXi hosts from the source site. The registration is done separately for each paired vSphere Replication site.

VRMS exchanges the leaf certificates of the two endpoints of the encrypted replication traffic directly, so the trust relationship does not depend on which certificate authorities issued the source ESXi host certificate or the target vSphere Replication server certificate.

To confirm that the agent is installed, run the shell command esxcli software vib list on each source ESXi host and look for the vmware-hbr-agent VIB.

When network encryption is enabled, the agent encrypts the replication data on the source ESXi host and sends it to the vSphere Replication appliance on the target site. The vSphere Replication server decrypts the data and writes it to the target datastore.

Unencrypted replication traffic uses TCP port 31031 between the source ESXi hosts and the vSphere Replication appliance on the target site.

Encrypted replication traffic uses TCP port 32032 between the source ESXi hosts and the vSphere Replication appliance on the target site. Before you enable encryption, make sure that any firewall between the source hosts and the target appliance allows this port.
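As an added example (not VMware's own tooling), the following POSIX shell script wraps the checks above: it parses esxcli software vib list output for the vmware-hbr-agent VIB, tests TCP reachability of the encrypted port 32032 on the target appliance, and captures the leaf certificate thumbprint the target presents so that it can be compared with the thumbprint you expect. The function names, the constructed VIB listing used by the demo, the preflight entry point and the choice of a SHA-256 digest are assumptions of this example; the page does not state which digest VRMS records.

```shell
#!/bin/sh
# Added example: pre-flight checks for vSphere Replication network encryption.
# Not VMware tooling; the function names, the demo listing and the SHA-256
# choice are assumptions of this example.

HBR_PORT_PLAIN=31031   # unencrypted replication traffic (from the page)
HBR_PORT_TLS=32032     # encrypted replication traffic, TLS 1.2 with mutual auth

# Constructed sample of "esxcli software vib list" output, used only by the demo.
SAMPLE_VIB_LIST='Name              Version             Vendor  Acceptance Level  Install Date
----------------  ------------------  ------  ----------------  ------------
esx-base          0.0.0-0.0.0         VMware  VMwareCertified   2000-01-01
vmware-hbr-agent  1.0.0-0.0.00000000  VMware  VMwareCertified   2000-01-01'

# Read "esxcli software vib list" output on stdin, print the vmware-hbr-agent
# version, and return 1 when the VIB is absent.
hbr_agent_version() {
    awk '$1 == "vmware-hbr-agent" { print $2; found = 1 }
         END { if (!found) exit 1 }'
}

# Tools display thumbprints with or without colons and in either case;
# canonicalise before comparing.
normalize_thumbprint() {
    printf '%s' "$1" | tr -d ': \t\r\n' | tr 'abcdef' 'ABCDEF'
}

# 0 when both values name the same certificate, 1 otherwise.
thumbprints_match() {
    [ "$(normalize_thumbprint "$1")" = "$(normalize_thumbprint "$2")" ]
}

# TCP reachability of a port on the target vSphere Replication appliance.
# ESXi's busybox nc supports -z (connect only); -w sets the timeout in seconds.
tcp_reachable() {
    nc -z -w 3 "$1" "$2" >/dev/null 2>&1
}

# SHA-256 thumbprint of the leaf certificate a TLS endpoint presents.
# Assumption: SHA-256 is the digest you pin; use -sha1 if your deployment shows
# SHA-1 thumbprints. The server certificate is sent before the client-certificate
# request, so this captures it on the mutually authenticated port even though the
# handshake itself fails without a client certificate.
presented_leaf_thumbprint() {
    openssl s_client -connect "$1:$2" -tls1_2 </dev/null 2>/dev/null \
      | openssl x509 -noout -fingerprint -sha256 2>/dev/null \
      | cut -d= -f2
}

# Run on a source ESXi host against the target appliance address:
#   sh hbr_check.sh preflight <target-vr-appliance> [expected-thumbprint]
preflight() {
    target=$1; expected=${2:-}
    ver=$(esxcli software vib list | hbr_agent_version) || {
        echo "FAIL: vmware-hbr-agent VIB is not installed"; return 1; }
    echo "OK: vmware-hbr-agent $ver installed"
    tcp_reachable "$target" "$HBR_PORT_TLS" || {
        echo "FAIL: TCP $HBR_PORT_TLS to $target is blocked"; return 1; }
    echo "OK: TCP $HBR_PORT_TLS to $target reachable"
    [ -z "$expected" ] && return 0
    seen=$(presented_leaf_thumbprint "$target" "$HBR_PORT_TLS")
    thumbprints_match "$seen" "$expected" || {
        echo "FAIL: target presented $seen, expected $expected"; return 1; }
    echo "OK: target leaf certificate thumbprint matches"
}

case "${1:-demo}" in
    preflight) shift; preflight "$@" ;;
    demo) printf '%s\n' "$SAMPLE_VIB_LIST" | hbr_agent_version ;;
esac
```

Run it with no arguments to see the parser pick the agent version out of the constructed listing; run it with preflight on a source host to exercise the real esxcli, nc and openssl calls against your target appliance. A thumbprint mismatch on port 32032 is worth investigating before enabling encryption, because the source host will refuse to send data to a target whose leaf certificate it has not been registered with.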

If you configure replication for an encrypted VM, network encryption is turned on automatically and cannot be deactivated.

Enabling network encryption has minimal impact on the CPU and memory resources of the host, but it limits the per-host throughput of replications that use encryption. The limit applies only to replications with encryption enabled; replications without encryption are not affected.