VMware Fault Tolerance (FT) captures inputs and events that occur on a primary virtual machine and sends them to the secondary virtual machine, which is running on another host.

This logging traffic between the primary and secondary virtual machines is unencrypted and contains guest network and storage I/O data, as well as the memory contents of the guest operating system. This traffic might include sensitive data such as passwords in plain text. To avoid such data being divulged, ensure that this network is secured, especially to avoid man-in-the-middle attacks. For example, use a private network for FT logging traffic. You can also encrypt the FT logging traffic.

Activate Fault Tolerance Encryption

vSphere Fault Tolerance performs frequent checks between a primary VM and secondary VM so that the secondary VM can quickly resume from the last successful checkpoint. The checkpoint contains the VM state that has been modified since the previous checkpoint. You can encrypt Fault Tolerance log traffic.

When you turn on Fault Tolerance, FT encryption is set to Opportunistic by default, which means it activates encryption only if both the primary and secondary host are capable of encryption. Follow this procedure if you need to change the FT encryption mode manually.

Note: Fault Tolerance supports vSphere Virtual Machine Encryption with vSphere 7.0 Update 2 and later. In-guest and array-based encryption do not depend on or interfere with VM encryption. Having multiple encryption layers uses additional compute resources, which might impact virtual machine performance. The impact varies with hardware as well as the amount and type of I/O, but overall performance impact is negligible for most workloads. The effectiveness and compatibility of back-end storage features such as deduplication, compression, and replication might also be affected by VM encryption.

Prerequisites

FT encryption requires SMP-FT. Encryption on Legacy FT (Record-Replay FT) is not supported.

Procedure

  1. Select the VM and choose Edit Settings.
  2. Under VM Options select the Encrypted FT drop-down menu.
  3. Choose one of the following options:
    Option         Description
    Disabled       Do not turn on encrypted Fault Tolerance logging.
    Opportunistic  Turn on encryption only if both sides are capable. A Fault Tolerance VM is allowed to move to an ESXi host which does not support encrypted Fault Tolerance logging.
    Required       Choose hosts for Fault Tolerance primary and secondary that both support encrypted FT logging.
    Note: While VM encryption is activated, FT encryption mode is set to Required by default and cannot be modified.

    When FT encryption mode is set to Required:

    • When you turn on FT, only FT encryption supported hosts are listed for the placement of FT secondary.
    • FT failover can only happen on the FT encryption supported hosts.
  4. Click OK.
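
The following added example (not VMware code) models the three Encrypted FT modes described above to show where FT logging ends up unencrypted, which under Opportunistic happens without any change to the VM setting. The inventory, host names, and the set of encryption-capable hosts are constructed sample data, and the class and function names are hypothetical.

```python
from dataclasses import dataclass

@dataclass
class FtVm:
    name: str
    mode: str           # configured Encrypted FT mode
    vm_encrypted: bool  # vSphere VM Encryption activated on this VM
    primary: str        # host running the FT primary
    secondary: str      # host running the FT secondary

def effective_mode(vm):
    return "Required" if vm.vm_encrypted else vm.mode  # VM encryption forces Required

def logging_encrypted(vm, capable):
    """True/False: FT logging encrypted or not. None: pairing not valid for Required."""
    both = vm.primary in capable and vm.secondary in capable
    mode = effective_mode(vm)
    if mode == "Disabled":
        return False
    if mode == "Opportunistic":
        return both  # falls back to plaintext when either host lacks support
    return True if both else None

def eligible_secondaries(vm, hosts, capable):
    # Under Required, only FT-encryption-capable hosts may take the secondary.
    others = [h for h in hosts if h != vm.primary]
    if effective_mode(vm) == "Required":
        return [h for h in others if h in capable]
    return others

def audit(vms, capable):
    # Collect (vm, effective mode, finding) for every VM needing attention.
    findings = []
    for vm in vms:
        state = logging_encrypted(vm, capable)
        if state is False:
            findings.append((vm.name, effective_mode(vm), "FT logging is plaintext"))
        elif state is None:
            findings.append((vm.name, "Required", "host lacks encrypted FT support"))
    return findings

# Constructed sample inventory (hypothetical names).
HOSTS = ["esx01", "esx02", "esx03"]
CAPABLE = {"esx01", "esx02"}  # hosts assumed to support encrypted FT logging
VMS = [
    FtVm("db01", "Opportunistic", False, "esx01", "esx02"),
    FtVm("app01", "Opportunistic", False, "esx01", "esx03"),
    FtVm("web01", "Disabled", False, "esx01", "esx02"),
    FtVm("vault01", "Opportunistic", True, "esx02", "esx01"),
]
print(audit(VMS, CAPABLE))
```

In this sample, app01 is flagged even though its mode was never changed from the default, because its secondary sits on a host without encrypted FT support.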