Set up protection between two on-premises datacenters

  • Article

 

Applies To: Windows Azure Pack

You set up protection as follows:

  1. Prerequisites for on-premises to on-premises protection—Check that everything’s in place.

  2. Create a vault —Create a vault in the Azure Site Recovery portal.

  3. Install and configure the Azure Site Recovery Provider —Install and configure the Azure Site Recovery Provider on the VMM server in each site. The Provider connects the server to the Azure Site Recovery portal.

  4. Configure cloud settings —Configure protection settings for VMM clouds. The cloud that contains the virtual machines you want to protect is known as the primary cloud. The cloud that contains the Hyper-V host server to which the virtual machines will replicate is known as the secondary cloud. Each cloud can act as a primary cloud protecting a secondary cloud, or as a secondary cloud that’s protected. A cloud can’t be both primary and secondary.

  5. Set up the runbooks —You configure and schedule a single master runbook to set up Azure Site Recovery protection. This master runbook in turn invokes a number of other runbooks.

  6. Configure plans —On the primary site you enable Azure Site Recovery protection on a public plan or add-on, and create a private plan with the same settings on the secondary site.

  7. Tenant steps —In order to set up virtual machine protection tenants will use the self-service Azure Pack portal to:

    1. Subscribe to the plan or add-on—Tenants subscribe to a plan or add-on the primary datacenter that has virtual machine protection enabled.

    2. Create a virtual machine—Tenants create a virtual machine or virtual machine role on the primary site, under the plan subscription.

    3. Create VM networks—Tenants can create virtual networks on the primary site to specify how replica virtual machines will be connected to networks after failover. When a tenant creates a virtual network a VM network with the same settings is configured on the primary VMM server.

  8. Set up network mapping —If the tenant has created virtual networks you can set up network mapping between VM networks on the primary and secondary VMM servers. Network mapping:

    • Ensures that virtual machines are connected to appropriate VM networks after failover. Replica virtual machines will connect to a secondary network that’s mapped to the primary network. 

    • Optimally places replica virtual machines on Hyper-V host servers. Replica virtual machines will be placed on hosts that can access mapped VM networks.

    If you don’t configure network mapping replicated virtual machines won’t be connected to any VM networks after failover. Read about Network mapping.

  9. Verify user accounts —Before you can replicate virtual machines you’ll need to verify that user credentials associated with the plan or add-on subscription are valid on the primary and secondary sites.

  10. Detecting and replicating virtual machines —The runbooks automatically detect plans or add-on subscriptions that have protection enabled. The runbook automatically enables protection for virtual machines in the subscriptions, and initiates the initial replication.

  11. Run a failover —After the initial replication finishes you can run a test, planned, or unplanned failover whenever you need to.

Create a vault

  1. Sign into the Azure Management Portal. Expand Data Services >Recovery Services > Site Recovery Vault. Click Create New >Quick Create.

  2. Type in a name for the vault and select the geographic region. For more information see Geographic Availability (https://go.microsoft.com/fwlink/?LinkID=389880).

  3. Click Create vault. Check the status bar to confirm it was successfully created. It’ll be listed as Active on the main Recovery Services page.

Install and configure the Azure Site Recovery Provider

  1. In the Azure Site Recovery portal open the Quick Start page > Generate registration key file.

  2. The key file is automatically generated. Download it to a safe and accessible location. For example to a share that can be accessed by the VMM servers. After the download you’ll need to copy the file to the VMM server on each site. You’ll need this key when you configure the Provider settings on the VMM server. Note that:

    • After you generate the key it’s valid for 5 days.

    • You can regenerate this key at any time. Regenerating overrides older versions of the file and you’ll need to reconfigure the Provider on each VMM server with the new key.

  3. On the Quick Start page click Download Microsoft Azure Site Recovery Provider to download the latest version of the Provider installation file.

  4. Run the file on the VMM servers in the primary and secondary datacenters. You’ll need to stop the VMM service before the installation. It will restart automatically afterwards. If a VMM cluster is deployed, install the Provider on an active node in the cluster and register the VMM server in the Azure Site Recovery vault. Then install it on other nodes in the cluster.

  5. In Microsoft Update you can opt in for updates. With this setting enabled Provider updates will be installed according to your Microsoft Update policy.

  6. After the Provider is installed continue setup to register the server in the vault. 

  7. In Internet Connection, specify how the Provider running on the VMM server connects to Azure Site Recovery over the Internet. You can select not to use a proxy, to use the default proxy configured on the VMM server if the VMM server shows as connected, or to use a custom proxy server. Note the following:

    • If the default proxy server on the VMM server requires authentication then you should select to use a custom proxy server. Type in the default proxy details and specify credentials.

    • If you want to use a custom proxy server set it up before you install the Provider.

    • Exempt the following addresses from routing through the proxy:

      • The URL for connecting to the Azure Site Recovery: *.hypervrecoverymanager.windowsazure.com

      • *.accesscontrol.windows.net

      • *.backup.windowsazure.com

      • *.blob.core.windows.net 

      • *.store.core.windows.net 

    • Note that if you need to allow outbound connections to an Azure domain controller, allow the IP addresses described in Azure Datacenter IP Ranges, and allow the HTTP (80) and HTTPS (443) protocols. 

    • If you choose to use a custom proxy a VMM RunAs account (DRAProxyAccount) will be created automatically using the specified proxy credentials. Configure the proxy server so that this account can authenticate successfully.

  8. In Registration Key, select that you downloaded from Azure Site Recovery and copied to the VMM server.

  9. In Vault name, verify the vault in which the server will be registered.

  10. In Server name, specify a friendly name to identify the VMM server in the vault. In a cluster configuration, specify the VMM cluster role name. 

  11. In Initial cloud metadata sync select whether you want to synchronize metadata for all clouds on the VMM server with the vault. This action only needs to happen once on each server. If you don't want to synchronize all clouds, you can leave this setting unchecked and synchronize each cloud individually in the cloud properties in the VMM console.

  12. In Data Encryption specify certificate settings for data encryption for virtual machines that replicate to Azure. This option isn’t relevant if you’re replicating from one on-premises site to another.

After registration, metadata from the VMM server is retrieved by Azure Site Recovery. After registration, you can change the Provider settings in the VMM console, or from the command line. For more information, see Modify Provider settings.

Configure cloud settings

  1. In the Azure Site Recovery portal open the Protected Items tab in the vault.

  2. The clouds that were synchronized with Azure Site Recovery appear in the list.

  3. Select the primary cloud that you want to protect and click Configure.

  4. In Target, select VMM.

  5. In VMM Server, select the VMM server in the secondary site.

  6. In Target cloud, select the secondary cloud that will be used for failover of virtual machines in the source cloud.

  7. In Copy frequency, specify how frequently data should be synchronized between source and target locations. The default is five minutes.

  8. In Additional recovery points, specify whether you want to create additional recovery points (from 0-15). Additional recovery points contain one or more snapshots, and they enable you to recover a snapshot of a virtual machine from an earlier point in time.  With a setting of zero, only the latest recovery point for a primary virtual machine is stored as a replica. If you configure a setting greater than zero, the number of recovery points will be created in accordance with this value. Note that enabling multiple recovery points requires additional storage for the snapshots that are stored at each recovery point. By default, recovery points are created every hour, so that each recovery point contains an hour’s worth of data.

  9. In Frequency of application-consistent snapshots, specify how often to create application-consistent snapshots. These snapshots use Volume Shadow Copy Service (VSS) to ensure that applications are in a consistent state when the snapshot is taken. Note that if you enable application-consistent snapshots, it will affect the performance of applications running on source virtual machines.

  10. In Data transfer compression, specify whether replicated data that is transferred should be compressed.

  11. In Authentication, specify how traffic is authenticated between the primary and recovery Hyper-V host servers. If you select HTTPS, the host servers will authenticate each other using a server certificate, and traffic is encrypted over HTTPS. If you select Kerberos, a Kerberos ticket will be used for mutual authentication of the host servers. By default, port 8083 and 8084 (for certificates) will be opened in the Windows Firewall on the Hyper-V host servers. Note that traffic will be sent over HTTP. This setting is relevant only for VMM servers running on Windows Server 2012 R2.

  12. In Port, modify the port number on which you want the source and target host computers to listen for replication traffic. For example, you might modify the setting if you want to apply Quality of Service (QoS) network bandwidth throttling for replication traffic. Check that the port isn’t used by any other application and that it’s open in the firewall settings.

  13. In Replication method, specify how the initial replication of data from source to target locations will be handled, before regular replication of delta data starts:

    • Select Over the network to copy initial replication data over your network. You can specify that the copy should start immediately, or select a time. We recommend that you schedule network replication during off-peak hours.

    • Select Offline to perform the initial replication using external media. You specify the export location on the source cloud, and the import location on the target cloud. When you enable protection for a virtual machine, the virtual hard disk is copied to the specified export location. You send it to the target site, and copy it to the import location. The system copies the imported information to the replica virtual machines.

  14. Select Delete replica virtual machine to specify that the replica virtual machine should be deleted if you stop protecting the virtual machine by selecting the Disable protection for the virtual machine option on the Virtual Machines tab of the cloud properties. With this setting enabled, when you disable protection the virtual machine is removed from Azure Site Recovery, the Site Recovery settings for the virtual machine are removed in the VMM console, and the replica is deleted.

Set up the runbooks

A number of runbooks help you to set up virtual machine protection. On the primary site you schedule and configure the master runbook. It in turn automatically invokes the other runbooks in accordance with the specified schedule.

  1. Download the runbooks

  2. Configure and schedule the master runbook

The runbooks are summarized in the following table.

Runbook

Details

Parameters

InvokeAzureSiteRecoveryProtectionJob.ps1

The master runbook. It invokes the other runbooks in this order.

  1. Add-AzureSiteRecoveryRecoverySubscription.ps1

  2. Add-AzureSiteRecoverySecretTransferKey

  3. AzureSiteRecoveryManageVMProtectionJob.ps1

  4. Get-WindowsToken.ps1

After you run the registration runbook this is the only runbook you need to run.

LeaderVMMConnection—Asset type: Connection; Connection Type: VMM connection;

Nonleader/SecondaryVMMConnection—Asset type: Connection; Connection type: VMM connection;

PrimarySiteAdminConnection—Asset type: Connection; Connection type: MgmntSvcAdmin;.

PrimaryVmmAdminConnection—Asset type: Connection. Connection type: VMM connection;

RecoverySiteAdminConnection—Asset type: Connection; Connection type: MgmntSvcAdmin;

RecoverySitePlanSuffix—Optional. Asset type: Connection; Connection type: MgmntSvcAdmin;

Add-AzureSiteRecoverySubscription.ps1

Automatically adds all subscriptions for plans in the primary stamp that have Azure Site Recovery enabled to the plans in the secondary stamp.

Parameters are set in the master runbook

Add-AzureSiteRecoverySecretTransferKey.ps1 

Synchronizes the encryption key between the primary and secondary VMM servers. This encryption key is generated automatically the first time that Azure Site Recovery is started. When a tenant’s virtual machines are replicated to the secondary datacenter they have tenant information that’s associated with them so that a tenant can access the replicated virtual machines when failover occurs. This key is used to encrypt that metadata.

Parameters are set in the master runbook

InvokeAzureSiteRecoveryManageVmProtectionJob.ps1

Queries all subscriptions and checks whether protection is enabled. Then for each subscription it queries all virtual machines and enables protection if the matching subscription has protection enabled.

Parameters are set in the master runbook

Get-WindowsToken.ps1

This runbook is used by the other runbooks to run cmdlets.

None

Download the runbooks

  1. Download the runbooks from the Microsoft Script Center.

  2. Import and publish them in the following order:

    1. Get-WindowsToken.ps1

    2. Add-AzureSiteRecoverySubscription.ps1

    3. Add-AzureSiteRecoverySecretTransferKey.ps1

    4. Invoke-AzureSiteRecoveryManageVmProtectionJob.ps1

    5. Invoke-AzureSiteRecoveryProtectionJob.ps1 (the master runbook)

Configure and schedule the master runbook

  1. In Automation > Runbooks click to open InvokeAzureSiteRecoveryProtectionJob.ps1.

  2. Click Schedule to specify when the runbook should run. On the Configure Schedule page specify a schedule name and description.

  3. In Time select Daily and select a start time.

  4. In Specify the runbook parameter values specify the parameters that are used across the runbooks that are invoked by the master runbook:

    1. LeaderVMMConnection—The FQDN of the computer running VMM and the computer administrator credentials. Specify the name of the asset variable you created.

    2. NonLeaderVMMConnection—The FQDN of computer on the secondary site running VMM and the administrator credentials. Specify the name of the asset variable you created.

    3. PrimarySiteAdminConnection—FQDN of the computer in the primary datacenter running the Azure Pack administrator portal, and the administrator credentials. This parameter is needed for logon to the primary portal. Specify the name of the asset variable you created.

    4. PrimaryVmmAdminConnection —FQDN of the primary VMM server, and the computer administrator credentials.

    5. RecoverySiteAdminConnection— FQDN of computer in the secondary datacenter that’s running the Azure Pack administrator portal, and the administrator credentials.

    6. RecoverySitePlanSuffix—If the name of a plan in the primary datacenter doesn’t have the suffix –Recovery then you’ll need to provide a text suffix so that the subscriptions can be synchronized successfully on the secondary datacenter plans.

Configure plans

After you’ve configured cloud settings and set up the runbooks you add the protection option to plans or add-ons.

  1. Enable protection—In the primary datacenter enable protection for an existing plan or add-on. Alternatively you can create a new plan with protection enabled.

  2. Create a private plan in the secondary datacenter—You need to manually create a private plan with the same settings in the secondary datacenter.

Enable protection on a plan or add-on

  1. To add the capability to a published plan in the Azure Pack portal, click Plans. On the Plans tab open the relevant plan or open the add-on on the Add-Ons tab.

  2. In Plan Services or Add-On Services click Virtual Machine Clouds. In Custom Settings select Enable protection for all virtual machines.

Create the plan in the secondary datacenter

You need to manually create a plan with the same settings on the secondary site. With this plan in place subscriptions under the plan on the primary site will be created automatically under the matching plan on the secondary site by the Add-AzureSiteRecoverySubscription.ps1 runbook.

  1. To create a plan in the Azure Pack portal click Plans in the left navigation pane > New > Create Plan. From Let’s Create a Hosting Plan create a plan with settings that match the plan on the primary site.

  2. Note that the plan name should be in the format <PrimaryPlanName>-<text>. <PrimaryPlanName> must be the name of the plan on the primary site. We recommend using –Recovery since this is the default suffix recognized by the Add-AzureSiteRecoverySubscription.ps1 runbook that automatically synchronizes subscriptions for plans on the primary site with the private plans on the secondary site. For example: MyPrimaryPlan–Recovery

Tenant steps

To deploy virtual machine protection tenants will need to:

  • Sign up for a plan or add-on—After discussing their virtual machine protection requirements with you, tenants will subscribe to the plan or add-on on the primary site that has protection enabled using the self-service Azure Pack portal.

    If a plan with the same settings was created on the secondary site the master runbook invokes Add-AzureSiteRecoverySubscription.ps1 to create the tenant subscription under the secondary plan.

  • Create a virtual machine—A tenant creates a virtual machine or virtual machine role under the subscription associated with the plan or add-on. The virtual machine is created on the associated VMM cloud. The virtual machine owner is the name of the user that created the virtual machine.

  • Create VM networks— In the self-service Azure Pack portal the tenants can optionally create virtual networks based on VMM logical networks. Tenants should create virtual networks if they want to be sure that after failover their replica virtual machines will be connected to appropriate networks.

    . When a tenant creates a virtual network a VM network with the same settings is automatically created on the associated VMM cloud.

Set up network mapping

After tenants create VM networks, in the Azure Site Recovery portal you can set up network mapping to map VM networks on the primary site to VM networks on the secondary site. These mappings indicate how replica virtual machines are connected after failover.

  1. On the VMM server of the secondary site, create a VM network with the same settings as the VM network that was created automatically on the primary VMM server. Then configure network mapping.

  2. In the Azure Site Recovery portal open the Resources page > Network > Map.

  3. Select the source VMM server from which you want to map networks, and then the target VMM server to which the networks will be mapped. The list of source networks and their associated target networks are displayed. A blank value is shown for networks that aren’t currently mapped. To view the subnets for each network click the information icon next to the network names.

  4. Select a network in Network on source, and then click Map. The service detects the VM networks on the target server and displays them. 

  5. Select a VM network on the target VMM server. The protected clouds that use the source network are displayed. Available target networks that are associated with the clouds used for protection are also displayed. We recommend that you select a target network that’s available to all the clouds you are using for protection.

  6. Click the check mark to complete the mapping process. A job starts to track the mapping progress. View it on the Jobs tab.

Verify user accounts

In order to replicate virtual machines the user credentials for the subscription must be recognized by the secondary Windows Azure Pack:

  • If tenants authenticate with Active Directory ensure that the user credentials are recognized by the secondary site. Note that the primary and secondary site must be members of the same Active Directory forest.

  • If you’re using another form of authentication ensure that the credentials are available on the secondary site.

Detecting and replicating virtual machines

The runbook Invoke-AzureSiteRecoveryManageVmProtectionJob.ps1 detects subscriptions for plans or add-ons that have protection enabled, and then enables protection for virtual machines in those subscriptions. This happens automatically in accordance with runbook scheduling. No administrator action is required.

Run a failover

After the initial replication you’ll run failovers as follows:

  • Test failover—Run to verify the environment without impacting the production infrastructure. You can run a test failover if the tenant requests it. For instructions see Run a test failover.

  • Planned failover—Run for planned maintenance or if an unexpected outage occurs. See Run a failover.

  • Unplanned failover—Run for disaster recovery due to unplanned and downtimes. See Run a failover.

Access replicated virtual machines

Failover with Azure Site Recovery creates the replica virtual machine in the secondary site, synchronizes the subscription information, and links the replica virtual machine to same customer subscription. After failover the tenant can log onto the Azure portal in the secondary datacenter WAP portal using the same credentials as the primary datacenter, and access the replica virtual machines from the portal.  Note that if tenants access virtual machines in the primary datacenter over a VPN connection you’ll need to set up VPN connectivity between the tenant location and the secondary datacenter so they can also access the replicated virtual machines over VPN.