You can isolate the network traffic of vSphere Replication from all other traffic in a data center's network.

Isolating the replication traffic helps you ensure that sensitive information is not routed to the wrong destination. It also helps you enhance the network performance in the data center, because the traffic that vSphere Replication generates does not impact other types of traffic. Traffic isolation also facilitates monitoring and troubleshooting. You isolate the network traffic to the vSphere Replication Server by dedicating a VMkernel NIC on each ESXi host on the primary site that sends data to the vSphere Replication Server. See Set Up a VMkernel Adapter for vSphere Replication Traffic on a Source Host.

If you are using a distributed network switch, you can take advantage of the vSphere Network I/O Control feature to set limits or shares for incoming and outgoing replication traffic on each ESXi host. The feature allows you to manage the network resources that vSphere Replication uses.

By default, the vSphere Replication appliance has one VM network adapter that is used for various traffic types.
  • Management traffic between vSphere Replication Management Server and vSphere Replication Server.
  • Replication traffic from the source ESXi hosts to the vSphere Replication Server.
  • Traffic between vCenter Server and vSphere Replication Management Server.
  • NFC (Network File Copy) traffic, which is the traffic from the vSphere Replication Server appliance at the target site to the destination datastores.
You can add network adapters to the vSphere Replication appliance and use the VRMS Appliance Management Interface to configure a separate IP address to use for each traffic type.

You can isolate the vSphere Replication NFC traffic from the vSphere Replication Server to the target datastore. By default, the NFC traffic is sent to the target ESXi host from the vSphere Replication Server through the management network. You can isolate the NFC traffic from the management traffic by sending it through the replication network. In this case, the vSphere Replication server handles the replication and NFC traffic together, by using the same interface. To isolate the replication and NFC traffic from the management traffic, you must add a second vNIC to separate them. Alternatively, you can add a third vNIC for the NFC traffic only. This option provides security isolation with a dedicated vSphere Replication VLAN for the replication traffic and another one for the NFC traffic, depending on the security requirements in your environment.

Figure 1. vSphere Replication Traffic Isolation
vSphere Replication Traffic Isolation

In the vSphere Replication appliance, the IP address that is used for management traffic between the vSphere Replication Management Server and vSphere Replication Server is localhost 127.0.0.1. Therefore, you do not need to add network adapters for this type of traffic.

When the vSphere Replication Management Server and the vSphere Replication Server run on separate appliances, you can specify a non-localhost IP address to be used by the vSphere Replication Management Server.

Note: After the IP address of the vSphere Replication server on the target site changes, you must manually reconfigure replications on the source site to point to the new IP address.

In addition, you must configure the relevant static routes on each ESXi host at the source site to communicate with the target site. For replications to flow in the opposite direction, you must configure reverse routes on the ESXi hosts on the target site. See https://kb.vmware.com/kb/2001426. Depending on the complexity of your environment, if you want to isolate the NFC traffic, you must configure the relevant vSphere Replication and NFC vSphere Replication static routes after you configure the VMkernel adapters for vSphere Replication and NFC traffic.