If you are using or looking at using vSphere Replication you may have concerns about managing and/or isolating your replication traffic. This post will walk through the available options and provide instructions for how to take advantage of them. Note that this configuration requires vSphere Replication version 6.0 or later.
To understand how to isolate vSphere Replication network traffic, it is important to first understand how traffic flows when using vSphere Replication. At a high level, here are the steps it takes (follow along in the graphic above):
- A VM is running on a vSphere host and is configured for vSphere Replication. The initial replication has already completed.
- As the VM writes to its disks, the writes pass through the vSCSI filter on the host where the VM is running.
- The vSCSI filter monitors all I/O to the VM's disks and tracks those changes.
- The vSCSI filter periodically replicates the changed data to the vSphere Replication Appliance at the target site.
- The vSphere Replication Appliance sends the replicated data to the vSphere host with access to the target datastore over NFC.
If you have additional questions about the normal flow of traffic or the function of vSphere Replication, take a look at the vSphere Replication Technical Overview or the vSphere Replication FAQ. For a deep dive on vSphere Replication functionality, watch this vSphere Replication Technical walkthrough with Engineering session from VMworld.
To isolate traffic a few things need to happen:
- Each host needs an additional portgroup and VMkernel interface on the desired isolated network (instructions here and here).
- The vSphere Replication Appliance(s) (the VRMS and any additional VRSs) need to have an additional vNIC added and placed on the isolated network portgroup (instructions here).
- Within the vSphere Replication Appliance management interface, the additional NIC needs an IP address and to be configured for incoming storage traffic (instructions here)
- Static routes need to be defined on each host at the source site that tell it how to reach the target site, and vice versa (instructions here). If replications will ever flow in the opposite direction, reverse routes should also be configured on what are currently the target site hosts.
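
The static-route step is the easiest one to miss on a single host, and a host without the route keeps replicating, just not over the isolated network. The following is an added example, not part of the original post: it models a host's routing decision by longest-prefix match and lists the hosts whose replication traffic would leave on the wrong VMkernel interface. The host names, addresses, `vmk2` as the replication interface, and a default gateway on the management network are all constructed assumptions.

```python
import ipaddress

def egress_vmk(dest, vmks, static_routes, default_gw):
    """Return the VMkernel interface a packet to `dest` leaves on.

    Models one TCP/IP stack with a single default gateway: connected
    networks, static routes and the default route compete by longest prefix.
    """
    dest = ipaddress.ip_address(dest)
    ifaces = {name: ipaddress.ip_interface(addr) for name, addr in vmks.items()}

    def via(gateway):
        # A gateway is only usable if it sits on a directly connected subnet.
        gw = ipaddress.ip_address(gateway)
        for name, iface in ifaces.items():
            if gw in iface.network:
                return name
        raise ValueError(f"gateway {gw} is not on any vmk subnet")

    table = [(iface.network, name) for name, iface in ifaces.items()]
    table += [(ipaddress.ip_network(net), via(gw)) for net, gw in static_routes]
    table.append((ipaddress.ip_network("0.0.0.0/0"), via(default_gw)))
    matches = [(net.prefixlen, name) for net, name in table if dest in net]
    return max(matches)[1]  # most specific matching route wins

def audit(hosts, remote_vr_ip, replication_vmk="vmk2"):
    """List (host, actual_vmk) for hosts that would bypass the isolated vmk."""
    findings = []
    for host, cfg in hosts.items():
        used = egress_vmk(remote_vr_ip, cfg["vmks"], cfg["routes"], cfg["default_gw"])
        if used != replication_vmk:
            findings.append((host, used))
    return findings

# Constructed inventory: vmk0 = management, vmk2 = isolated replication network.
HOSTS = {
    "esx-src-01": {"vmks": {"vmk0": "10.0.10.21/24", "vmk2": "172.16.50.21/24"},
                   "default_gw": "10.0.10.1",
                   "routes": [("172.16.60.0/24", "172.16.50.1")]},
    "esx-src-02": {"vmks": {"vmk0": "10.0.10.22/24", "vmk2": "172.16.50.22/24"},
                   "default_gw": "10.0.10.1",
                   "routes": []},  # static route was never added on this host
}
REMOTE_VR_IP = "172.16.60.10"  # constructed: target appliance NIC on the isolated network

if __name__ == "__main__":
    for host, vmk in audit(HOSTS, REMOTE_VR_IP):
        print(f"{host}: replication to {REMOTE_VR_IP} leaves via {vmk}, expected vmk2")
```

Run the same check against the target-site hosts with the source appliance's address to cover the reverse routes.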
With these steps in place, traffic can be isolated on a completely separate network, allowing for improved security, manageability and quality of service.