You are designing a disaster recovery solution to migrate and protect 100 on-premises VMware virtual machines to Azure using Azure Site Recovery (ASR).

The security team dictates that the replication traffic from the on-premises environment to Azure must be encrypted in transit and must travel over a private connection, not the public internet.

Which TWO components are required to achieve this? (Select TWO)

To replicate VMware VMs to Azure without using the public internet, you first need a private connectivity backbone, which is provided by Azure ExpressRoute or a Site-to-Site VPN. Secondly, because Azure Site Recovery uses a Recovery Services vault (which is a PaaS service with a public endpoint by default), you must configure an Azure Private Endpoint for the vault. This assigns the vault a private IP address from your VNet, ensuring all replication traffic stays on the private network.