Configuring Synchronous Replication
Follow these steps on the primary cluster. This configures synchronous replication to a single secondary cluster.
1. Create a virtual IP pool to be used for this replication, with the role set to Replication.
2. Optionally, configure mTLS encryption for the replication.
3. Designate a replication peer. This is the cluster to which data from the protected path is replicated. For Sync Replication, data is replicated to a single replication peer.
4. Create a protected path. This is the path on the primary cluster that is replicated to the replication peer. It must be an existing S3 bucket. It becomes a protected path when it is part of a replication scheme.
Note
There is no need to create a protection policy for synchronous replication.
On the secondary cluster, create a virtual IP pool to be used for this replication, with the role set to Replication.
Note
This step, on the secondary cluster, should be performed before the replication peer is configured on the primary cluster (step 3 in the previous procedure).
Configuring Replication Virtual IP Pools
A replication VIP pool must be configured on each cluster that will participate in async replication.
A replication VIP pool is used exclusively for routing replication traffic between the peers and not for serving data to clients. The CNodes that are assigned VIPs from the replication VIP pool are used to communicate directly with the remote peer, while other CNodes can communicate only indirectly with the remote peer.
When you configure a replication VIP pool, you can optionally restrict it to specific CNodes.
Creating a Replication VIP Pool
On each replication peer, create a virtual IP pool dedicated to replication as follows:
Set the VIP pool's role to Replication.
You can configure multiple non-consecutive VIP ranges in a replication VIP pool.
Do not specify a domain name.
You can dedicate one or more CNodes to the replication VIP pool.
You can tag the replication VIP pool with a VLAN.
Encrypting Replication with mTLS
VAST Cluster supports securing the replication connection with mutual TLS (mTLS) encryption, in which each replication peer cluster authenticates the other side. mTLS encryption requires certificates to be installed on each of the peer clusters and is used for replication peer configurations that have secure mode enabled.
To configure mTLS encryption, do the following:
Install mTLS Certificates on each Participating VAST Cluster
When you create a replication peer, set the secure mode setting to Secure.
Obtain Certificates for mTLS encryption
Obtain an RSA type TLS certificate from a Certification Authority (CA) for each of the peers in the replication peer configuration. This will consist of a certificate file and a private key file. Obtain the files in PEM format.
Obtain a copy of the CA's root certificate, which will be used to make sure each peer can trust certificates presented by other peers. This should be the same root certificate for each peer.
Install mTLS Certificates on each Participating VAST Cluster
Installing mTLS Certificates from the VAST Web UI
From the left navigation menu, select Settings and then Certificates to open the Certificates tab.
From the Certificate for dropdown, select replication.
Either paste the certificate file contents into the Certificate field or use the Upload button to upload the file. In the same way, paste or upload the private key file contents into the Key field and the CA root certificate file contents into the Root Certificate field.
When pasting the file content, include the BEGIN CERTIFICATE / BEGIN PRIVATE KEY and END CERTIFICATE / END PRIVATE KEY lines, like this:
-----BEGIN CERTIFICATE----- ... -----END CERTIFICATE-----
Click Update.
Installing mTLS Certificates from the VAST CLI
To install the certificates using the VAST CLI, use the cluster modify command with the following parameters: --cluster-certificate, --cluster-private-key and --root-certificate.
Creating a Replication Peer
This step involves establishing a connection to a remote cluster that will be the destination peer. The replication peer configuration is mirrored on the remote cluster as well.
Creating a Replication Peer via the VAST Web UI
From the left navigation menu, select Data Protection and then Replication Peers.
Click Create Peer.
Complete the fields:
Peer Name
Enter a name for the peer configuration. The peer configuration will be mirrored on the remote cluster and have the same name on both clusters.
For example: VASTmain-VASTbackup
Remote VIP
Enter any one of the virtual IPs belonging to the remote cluster's replication VIP pool to use as the leading remote virtual IP.
The remote virtual IP is used to establish an initial connection between the peers. Once the connection is established, the peers share their external network topology and form multiple connections between the VIPs.
If the remote peer's replication virtual IP pool is changed after the initial peer configuration, the new virtual IPs are learned automatically as long as the new IP range in the modified virtual IP pool intersects the previous IP range. If the new IP range does not intersect the old range, the remote virtual IP must be modified on the local peer.
Local VIP Pool
From the drop-down, select the replication VIP pool configured on the local cluster.
For example: vippool_rep
Secure Mode
Select a secure mode for the peer:
Secure: Replication to this peer is encrypted over the wire with mTLS. Secure mode requires a certificate, key and root certificate to be uploaded to VMS for mTLS encryption.
None: Replication to this peer is not encrypted over the wire.
Caution
This setting cannot be changed after creating the replication peer.
Click Create.
The replication peer is created and mirrored to the remote cluster. The details are displayed in the Replication Peers page on both the local cluster and the remote cluster.
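The Remote VIP rule above (new VIPs are learned automatically only if the modified pool intersects the previous range) is easy to get wrong during a VIP pool change. The following pre-flight check is an added example, not VAST code; the pool ranges, the configured remote VIP and the choice of the lowest new address as the replacement leading VIP are assumptions of the example.

```python
import ipaddress

# Constructed sample data, not from the page. A replication VIP pool is a
# list of (first, last) address ranges and may hold several non-consecutive ranges.
OLD_REMOTE_POOL = [("198.51.100.200", "198.51.100.203")]
NEW_POOL_OVERLAPPING = [("198.51.100.202", "198.51.100.207")]
NEW_POOL_DISJOINT = [("203.0.113.10", "203.0.113.13")]
CONFIGURED_REMOTE_VIP = "198.51.100.200"  # Remote VIP set on the local peer


def expand(pool):
    """Return the set of (ip_version, int_address) pairs a pool covers."""
    addrs = set()
    for first, last in pool:
        lo, hi = ipaddress.ip_address(first), ipaddress.ip_address(last)
        if lo.version != hi.version or hi < lo:
            raise ValueError(f"invalid VIP range {first}-{last}")
        addrs.update((lo.version, n) for n in range(int(lo), int(hi) + 1))
    return addrs


def assess_vip_pool_change(old_pool, new_pool, configured_remote_vip):
    """Decide, before the remote peer's replication VIP pool is modified,
    whether the Remote VIP on the local peer must be updated.

    Rule from the page: if the new range intersects the old one, the new
    VIPs are learned automatically; otherwise the Remote VIP must be
    changed to an address inside the new pool.
    """
    old, new = expand(old_pool), expand(new_pool)
    vip = ipaddress.ip_address(configured_remote_vip)
    intersects = not old.isdisjoint(new)
    if intersects:
        suggested = configured_remote_vip  # no change needed
    else:
        # Any VIP in the pool may serve as the leading VIP; picking the
        # lowest one is an assumption of this example, not a product rule.
        version, n = min(new)
        suggested = str((ipaddress.IPv4Address if version == 4 else ipaddress.IPv6Address)(n))
    return {
        "intersects": intersects,
        "must_update_remote_vip": not intersects,
        "configured_vip_in_new_pool": (vip.version, int(vip)) in new,
        "suggested_remote_vip": suggested,
    }


if __name__ == "__main__":
    for label, pool in (("overlapping", NEW_POOL_OVERLAPPING), ("disjoint", NEW_POOL_DISJOINT)):
        print(label, assess_vip_pool_change(OLD_REMOTE_POOL, pool, CONFIGURED_REMOTE_VIP))
```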
Creating a Replication Peer via the VAST CLI
To create a replication peer via the VAST CLI, run replicationpeer create.
For example:
vcli: admin> replicationpeer create --name vastnativebackup --remote-leading-vip 198.51.100.200 --local-vip-pool-id 3
Configuring a Protected Path for Sync Replication
Creating a Protected Path for Sync Replication using the VAST Web UI
In the left navigation menu, select Data Protection and then Protected Paths.
On the Protected Paths tab, click Create Protected Path.
Select New Remote Protected Path from the dropdown list.
In the Add Source/Primary dialog, complete these fields:
Name
Enter a name for the protected path.
Tenant
Select the tenant in which the source path resides.
Note
Paths on different tenants can share identical names.
Path
The path to replicate. This must be an S3 bucket.
Note
If you specify '/' (the root directory), this includes data written via S3.
To specify a path to a specific S3 bucket with name bucket, enter /bucket.
Click Next.
In the Add Destination dialog, complete these fields:
Mode
Select Sync Replication.
Cluster
Select the secondary (destination) cluster. This is the replication peer created above, to which the data is replicated.
Path
Specify the directory on the remote peer in which the data is replicated. This must be a directory that does not yet exist on the remote peer.
Tip
You cannot use "/" as the remote path because the root directory always exists already. To replicate all data under the root directory, replicate it to a subdirectory on the peer, for example "mirror/".
Tenant
This field appears only if the remote peer has more than one tenant. Select the tenant on the remote peer where you want to create the remote path.
The selection of the tenant on the remote peer is subject to the restriction described in Creating Protected Paths between Tenants.
Click Next.
Set the Connection Timeout. If this period of time elapses with no communication between the peered clusters, they will be in a disconnected state.
Click Add. The protected path is created and appears in the Protected Paths tab. It shows Sync Replication as the Role.
Creating a Protected Path for Sync Replication using the VAST CLI
Use the protectedpath VCLI commands as follows:
protectedpath create --name sync --source-dir /mydir --local-tenant-id 1 --capabilities SYNC_REPLICATION --sync-disconnect-time 360 --target-exported-dir /mydir
You can change a protected path from Async to Sync Replication using this VCLI command:
protectedpath modify --name sync --source-dir /mydir --local-tenant-id 1 --capabilities SYNC_REPLICATION --sync-disconnect-time 360 --target-exported-dir /mydir
or this command, to change the stream capability to Sync replication:
protectedpath modify-member --id 1 --stream-id 1 --capabilities SYNC_REPLICATION
Creating Protected Paths between Tenants
You can configure protected paths between tenants on different clusters, subject to the following restriction:
If Tenant A replicates a protected path to Tenant B on a remote cluster, it cannot then replicate another path to Tenant C on the same remote cluster (that is, Tenant A cannot have replicated protected paths to more than one tenant on the same remote cluster). It can, however, replicate protected paths to Tenant C (or any other tenant) on a different remote cluster. Similarly, Tenant A can replicate additional protected paths to Tenant B on the same remote cluster.
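The tenant restriction is worth checking before a cross-tenant protected path is created, since an invalid pairing is only discovered at configuration time. The following check is an added example, not VAST code; the ProtectedPath record, the tenant and cluster names and the existing path list are constructed for illustration.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class ProtectedPath:
    name: str
    local_tenant: str
    remote_cluster: str
    remote_tenant: str


# Constructed sample of already configured protected paths (not from the page).
EXISTING = [
    ProtectedPath("sales-mirror", "TenantA", "cluster-east", "TenantB"),
    ProtectedPath("hr-mirror", "TenantA", "cluster-west", "TenantC"),
]


def check_tenant_restriction(existing, proposed):
    """Return (allowed, reason) for a proposed cross-tenant protected path.

    Rule from the page: a local tenant may replicate protected paths to
    only one tenant per remote cluster. Additional paths to that same
    remote tenant are allowed, as is a different remote tenant on a
    different remote cluster.
    """
    for path in existing:
        same_pair = (path.local_tenant == proposed.local_tenant
                     and path.remote_cluster == proposed.remote_cluster)
        if same_pair and path.remote_tenant != proposed.remote_tenant:
            return False, (f"{proposed.local_tenant} already replicates to "
                           f"{path.remote_tenant} on {path.remote_cluster} "
                           f"(path {path.name}); it cannot also replicate to "
                           f"{proposed.remote_tenant} there")
    return True, "ok"


if __name__ == "__main__":
    candidate = ProtectedPath("eng-mirror", "TenantA", "cluster-east", "TenantC")
    print(check_tenant_restriction(EXISTING, candidate))
```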