Set up protection between an on-premises datacenter and Azure
Applies To: Windows Azure Pack
Set up protection as follows:
Prerequisites for on-premises to Azure protection—Check that everything’s in place.
Create a vault—Create a vault in the Azure Site Recovery portal.
Install and configure the Azure Site Recovery Provider—Download the Provider from the Azure Site Recovery portal. You install and configure the Provider on the VMM server in the datacenter. The Provider connects the server to the Azure Site Recovery portal.
Add an Azure storage account—If you don’t already have an Azure storage account you can set one up from the Azure Site Recovery portal.
Install the Azure Recovery Services agent—Download the agent. You install and configure it on each Hyper-V host server you want to protect.
Configure cloud settings—Configure protection settings for VMM clouds.
Set up the runbooks—Configure and schedule a single master runbook to set up Azure Site Recovery protection. This master runbook in turn invokes a number of other runbooks.
Configure plans—On on-premises site you enable Azure Site Recovery protection on a public plan or add-on.
Tenant steps—To set up virtual machine protection tenants will use the self-service Azure Pack portal to:
Subscribe to the plan or add-on—Tenants subscribe to a plan or add-on the on-premises site that has virtual machine protection enabled.
Create a virtual machine—Tenants create a virtual machine or virtual machine role on the on-premises site, under the plan subscription.
Create VM networks—Tenants can create virtual networks on on-premises site to specify how replica virtual machines will be connected to networks after failover. When a tenant creates a virtual network a VM network with the same settings is configured on the VMM server.
Set up network mapping —If the tenant has created virtual networks you can set up network mapping between VM networks on the primary and target Azure networks. Network mapping:
Ensures that virtual machines are connected to appropriate VM networks after failover. Replica virtual machines will connect to an Azure network that’s mapped to the primary network.
If you don’t configure network mapping replicated virtual machines won’t be connected to any VM networks after failover.
Read about Network mapping.
Detecting and replicating virtual machines —The runbooks automatically detect plans or add-on subscriptions that have protection enabled. The runbook automatically enables protection for virtual machines in the subscriptions, and initiates the initial replication.
Run a failover —After the initial replication finishes you can run a test, planned, or unplanned failover whenever you need to.
Create a vault
Sign into the Azure Management Portal. Expand Data Services >Recovery Services > Site Recovery Vault. Click Create New >Quick Create.
Type in a name for the vault and select the geographic region. For more information see Geographic Availability (https://go.microsoft.com/fwlink/?LinkID=389880).
Click Create vault. Check the status bar to confirm it was successfully created. It’ll be listed as Active on the main Recovery Services page.
Install and configure the Azure Site Recovery Provider
In the Azure Site Recovery portal open the Quick Start page > Generate registration key file.
The key file is automatically generated. Download it to a safe and accessible location. For example to a share that can be accessed by the VMM servers. After the download you’ll need to copy the file to the VMM server on each site. You’ll need this key when you configure the Provider settings on the VMM server. Note that:
After you generate the key it’s valid for 5 days.
You can regenerate this key at any time. Regenerating overrides older versions of the file and you’ll need to reconfigure the Provider on each VMM server with the new key.
On the Quick Start page click Download Microsoft Azure Site Recovery Provider to download the latest version of the Provider installation file.
Run the file on the VMM server in the on-premises site. You’ll need to stop the VMM service before the installation. It will restart automatically afterwards. If a VMM cluster is deployed, install the Provider on an active node in the cluster and register the VMM server in the Azure Site Recovery vault. Then install it on other nodes in the cluster.
In Microsoft Update you can opt in for updates. With this setting enabled Provider updates will be installed according to your Microsoft Update policy.
After the Provider is installed continue setup to register the server in the vault.
In Internet Connection, specify how the Provider running on the VMM server connects to Azure Site Recovery over the Internet. You can select not to use a proxy, to use the default proxy configured on the VMM server if the VMM server shows as connected, or to use a custom proxy server. Note the following:
If the default proxy server on the VMM server requires authentication then you should select to use a custom proxy server. Type in the default proxy details and specify credentials.
If you want to use a custom proxy server set it up before you install the Provider.
Exempt the following addresses from routing through the proxy:
The URL for connecting to the Azure Site Recovery: *.hypervrecoverymanager.windowsazure.com
*.accesscontrol.windows.net
*.backup.windowsazure.com
*.blob.core.windows.net
*.store.core.windows.net
Note that if you need to allow outbound connections to an Azure domain controller, allow the IP addresses described in Azure Datacenter IP Ranges, and allow the HTTP (80) and HTTPS (443) protocols.
If you choose to use a custom proxy a VMM RunAs account (DRAProxyAccount) will be created automatically using the specified proxy credentials. Configure the proxy server so that this account can authenticate successfully.
In Registration Key, select that you downloaded from Azure Site Recovery and copied to the VMM server.
In Vault name, verify the vault in which the server will be registered.
In Server name, specify a friendly name to identify the VMM server in the vault. In a cluster configuration, specify the VMM cluster role name.
In Initial cloud metadata sync select whether you want to synchronize metadata for all clouds on the VMM server with the vault. This action only needs to happen once on each server. If you don't want to synchronize all clouds, you can leave this setting unchecked and synchronize each cloud individually in the cloud properties in the VMM console.
In Data Encryption specify certificate settings for data encryption for virtual machines that replicate to Azure. This option isn’t relevant if you’re replicating from one on-premises site to another.
After registration, metadata from the VMM server is retrieved by Azure Site Recovery. After registration, you can change the Provider settings in the VMM console, or from the command line. For more information, see Modify Provider settings.
Install the Azure Recovery Services agent
On the Quick Start page, click Download Azure Site Recovery Services Agent and install on hosts, to obtain the latest version of the agent installation file.
Run the installation file on each Hyper-V host server in the VMM clouds, and follow the wizard.
On the Prerequisites Check page, click Next. Any missing prerequisites will be automatically installed.
On the Installation Settings page, specify where you want to install the agent and select the cache location in which backup metadata will be stored. Then click Install.
Configure cloud settings
In the Azure Site Recovery portal open the Protected Items tab in the vault.
The clouds that were synchronized with Azure Site Recovery appear in the list.
Select the cloud that you want to protect and click Configure.
In Target, select Microsoft Azure.
In Subscription, select the subscription associated with the Azure storage you want to use to store Azure virtual machines.
In Storage Account, select the storage account you want to use.
In Copy frequency, specify how frequently data should be synchronized between source and target locations. The default is five minutes.
In Retain recovery points specify whether you want to create additional recovery points (from 0-15). Additional recovery points contain one or more snapshots, and they enable you to recover a snapshot of a virtual machine from an earlier point in time. With a setting of zero, only the latest recovery point for a primary virtual machine is stored as a replica. If you configure a setting greater than zero, the number of recovery points will be created in accordance with this value. Note that enabling multiple recovery points requires additional storage for the snapshots that are stored at each recovery point. By default, recovery points are created every hour, so that each recovery point contains an hour’s worth of data.
In Frequency of application-consistent snapshots, specify how often to create application-consistent snapshots. These snapshots use Volume Shadow Copy Service (VSS) to ensure that applications are in a consistent state when the snapshot is taken. Note that if you enable application-consistent snapshots, it will affect the performance of applications running on source virtual machines.
In Encrypt Storage Data, specify whether replicated data that is transferred should be stored as encrypted. You can specify that the copy should start immediately, or select a time. We recommend that you schedule network replication during off-peak hours.
Set up the runbooks
A number of runbooks help you to set up virtual machine protection. On the on-premises site you schedule and configure the master runbook. It in turn automatically invokes the other runbooks in accordance with the specified schedule.
Download the runbooks
Configure and schedule the master runbook
The runbooks are summarized in the following table.
Runbook |
Details |
Parameters |
---|---|---|
InvokeAzureSiteRecoveryProtectionJob.ps1 |
The master runbook. It invokes the other runbooks in this order.
After you run the registration runbook this is the only runbook you need to run. |
LeaderVMMConnection—Not required for protection to Azure Nonleader/SecondaryVMMConnection—Not required for protection to Azure PrimarySiteAdminConnection—Asset type: Connection; Connection type: MgmntSvcAdmin;. PrimaryVmmAdminConnection—Asset type: Connection. Connection type: VMM connection; RecoverySiteAdminConnection—Not required for protection to Azure RecoverySitePlanSuffix—Not required for protection to Azure |
Add-AzureSiteRecoverySubscription.ps1 |
Automatically adds all subscriptions for plans in the primary stamp that have Azure Site Recovery enabled to the plans in the secondary stamp. |
Parameters are set in the master runbook |
Add-AzureSiteRecoverySecretTransferKey.ps1 |
Synchronizes the encryption key between the primary and secondary VMM servers. This encryption key is generated automatically the first time that Azure Site Recovery is started. When a tenant’s virtual machines are replicated to the secondary datacenter they have tenant information that’s associated with them so that a tenant can access the replicated virtual machines when failover occurs. This key is used to encrypt that metadata. |
Parameters are set in the master runbook |
InvokeAzureSiteRecoveryManageVmProtectionJob.ps1 |
Queries all subscriptions and checks whether protection is enabled. Then for each subscription it queries all virtual machines and enables protection if the matching subscription has protection enabled. |
Parameters are set in the master runbook |
Get-WindowsToken.ps1 |
This runbook is used by the other runbooks to run cmdlets. |
None |
This table summarizes the runbooks.
Download the runbooks
Download the runbooks from the Microsoft Script Center.
Import and publish them in the following order:
Get-WindowsToken.ps1
Add-AzureSiteRecoverySubscription.ps1
Add-AzureSiteRecoverySecretTransferKey.ps1
Invoke-AzureSiteRecoveryManageVmProtectionJob.ps1
Invoke-AzureSiteRecoveryProtectionJob.ps1 (the master runbook)
Configure and schedule the master runbook
In Automation > Runbooks click to open InvokeAzureSiteRecoveryProtectionJob.ps1.
Click Schedule to specify when the runbook should run. On the Configure Schedule page specify a schedule name and description.
In Time select Daily and select a start time.
In Specify the runbook parameter values specify the parameters that are used across the runbooks that are invoked by the master runbook:
LeaderVMMConnection—Not required for protection to Azure.
NonLeaderVMMConnection—Not required for protection to Azure
PrimarySiteAdminConnection—FQDN of the computer in the primary datacenter running the Azure Pack administrator portal, and the administrator credentials. This parameter is needed for logon to the primary portal. Specify the name of the asset variable you created.
PrimaryVmmAdminConnection —FQDN of the primary VMM server, and the computer administrator credentials.
RecoverySiteAdminConnection— FQDN of computer in the secondary datacenter that’s running the Azure Pack administrator portal, and the administrator credentials. Not required for protection to Azure.
RecoverySitePlanSuffix—If the name of a plan in the primary datacenter doesn’t have the suffix –Recovery then you’ll need to provide a text suffix so that the subscriptions can be synchronized successfully on the secondary datacenter plans. Not required for protection to Azure.
Configure plans
After you’ve configured cloud settings and set up the runbooks, in the on-premises primary datacenter enable protection for an existing plan or add-on. Alternatively you can create a new plan with protection enabled.
Enable protection on a plan or add-on
To add the capability to a published plan in the Azure Pack portal, click Plans. On the Plans tab open the relevant plan or open the add-on on the Add-Ons tab.
In Plan Services or Add-On Services click Virtual Machine Clouds. In Custom Settings select Enable protection for all virtual machines.
Tenant steps
To deploy virtual machine protection tenants will need to:
Sign up for a plan or add-on—After discussing their virtual machine protection requirements with you, tenants will subscribe to the plan or add-on on the on-premises site that using the self-service Azure Pack portal.
Create a virtual machine—A tenant creates a virtual machine or virtual machine role under the subscription associated with the plan or add-on. The virtual machine is created on the associated VMM cloud. The virtual machine owner is the name of the user that created the virtual machine.
Create VM networks— In the self-service Azure Pack portal the tenants can optionally create virtual networks based on VMM logical networks. Tenants should create virtual networks if they want to be sure that after failover their replica virtual machines will be connected to appropriate networks.
. When a tenant creates a virtual network a VM network with the same settings is automatically created on the associated VMM cloud.
Set up network mapping
After tenants create VM networks, in the Azure Site Recovery portal you can set up network mapping to map VM networks on the primary site to Azure networks. These mappings indicate how replica virtual machines are connected after failover.
In Azure create an Azure network with the same settings as the VM network that was created automatically on the on-premises primary VMM server. Then configure network mapping.
In the Azure Site Recovery portal open the Resources page > Network > Map.
Select the VMM server from which you want to map networks, and then Azure. The list of source networks and their associated target networks are displayed. A blank value is shown for networks that aren’t currently mapped. To view the subnets for each network click the information icon next to the network names.
Select a network in Network on source, and then click Map. The service detects the Azure networks and displays them.
Select an Azure network.
Click the check mark to complete the mapping process. A job starts to track the mapping progress. View it on the Jobs tab.
Detecting and replicating virtual machines
The runbook Invoke-AzureSiteRecoveryManageVmProtectionJob.ps1 detects subscriptions for plans or add-ons that have protection enabled, and then enables protection for virtual machines in those subscriptions. This happens automatically in accordance with runbook scheduling. No administrator action is required.
Run a failover
After the initial replication you’ll run failovers as follows:
Test failover—Run to verify the environment without impacting the production infrastructure. You can run a test failover if the tenant requests it. For instructions see Run a test failover.
Planned failover—Run for planned maintenance or if an unexpected outage occurs. See Run a failover.
Unplanned failover—Run for disaster recovery due to unplanned and downtimes. See Run a failover.
Access replicated virtual machines
Failover with Azure Site Recovery creates the replica virtual machine in Azure. After failover the service administrator can log onto the Azure portal using his or her credentials, and access the replica virtual machines from the portal. The adminstrator can then configure application and RDP ports on the virtual machines to provide tenant access. Note that if tenants access virtual machines in the datacenter over a VPN connection you’ll need to set up VPN connectivity between the tenant location and the Azure so they can also access the replicated virtual machines over VPN.