HCX 4.10 provides a Service Mesh option to activate or deactivate encryption for Migration and Network Extension traffic. This article lists the steps to enable or disable the Tunnel Encryption feature in HCX 4.10.
VMware HCX 4.10
VMware Cloud on AWS
By default, HCX migration and network extension traffic is encrypted, because migrations from on-premises to cloud typically traverse the public internet. For environments where this traffic already crosses a secured underlay, HCX 4.10 provides a Service Mesh option to activate or deactivate encryption for either or both of these services, i.e. Migration and Network Extension traffic.
Follow these steps to disable or enable "Tunnel Encryption":
1. Ensure that Application Path Resiliency is enabled on the Service Mesh.
2. Uplink networks must be marked as secure in the Network Profile before HCX allows deactivation of traffic encryption. Once it is confirmed that the underlay is secure and tunnel encryption can safely be disabled, check the option "The underlay is secure" in the Network Profile on both sites.
Note: This setting applies to Uplink networks only.
3. Edit the Service Mesh and, under "Configure HCX Traffic Engineering features", uncheck the following options:
Encryption for Network Extension Service ----> for Network Extension traffic
Encryption for Migration Services ----> for Migration traffic
To re-enable encryption later, check the same options again.
Note: Make this configuration change only after thorough consultation and confirmation that the underlay network is secure and does not require the default HCX IPsec encryption. With encryption disabled, migration data (including VM disk contents) and extended-network traffic cross the uplink in the clear, so anyone with access to the underlay can read or modify it.
HCX 4.10 release notes - VMware HCX 4.10 Release Notes