The IC traffic is encrypted in itself. So in a hosting-like environment where you wanted to host SM-backup destinations, does it even make sense to introduce a VPN between the source/destination? Doesn't it just add an overhead? How about just "exposing" the required ports on the destination, and setting up the IC? I think that's what happens if you want to SM to one of the cloud providers? Are there any benefits of adding the VPN (or MPLS) besides the obvious (more secure, and controlled bandwidth)? And are we talking ports: 10000, 11104 & 11105?
#Intercluster traffic on VPN or not?
If I’m not mistaken, the ONTAP encryption for IC traffic may use certificates. Be sure that what you use doesn’t rewrite the certificate. I see the cert between ONTAP and AutoSupport get intercepted and updated all the time and this fails if not done correctly. I suspect the same in your case.
Your FAS shouldn’t be on the internet imo. So site-to-site VPN would be my suggestion too, yes.
I agree that exposing the ports directly isn't optimal, but isn't this how it's done when you set up a SnapMirror relationship using BlueXP? Or am I missing something? (I know it's the cloud ports that are exposed in this case, but still?) I can also see that there is an option for cloud volume backup (SnapMirror Cloud API)? I have not played with this yet; in the GUI it just accepts an API key, not sure if this API key will include the destination?