Azure Site Recovery support for Azure trusted launch virtual machines

Trusted launch protects against advanced and persistent attack techniques. It is composed of several coordinated infrastructure technologies that can be enabled independently. Each technology provides another layer of defense against sophisticated threats. To deploy an Azure trusted launch VM, follow these steps.

Support matrix

Find the support matrix for Azure trusted launch virtual machines with Azure Site Recovery:

  • Region: Available in all Azure Site Recovery supported regions.
  • Operating system: Support available only for Windows OS. Linux OS is currently not supported.
  • Private endpoints: Azure trusted launch VMs can be protected using a Recovery Services vault that has private endpoints configured, with the following conditions:
    • You can create a new Recovery Services vault and configure private endpoints on it, then start protecting Azure trusted launch VMs using it.
    • You can't protect Azure trusted launch VMs using Recovery Services vaults that were created before the public preview and have private endpoints configured.
  • Migration: Migrating existing Azure Site Recovery protected Generation 1 or Generation 2 Azure VMs to trusted launch VMs isn't supported. Learn more about migration of Generation 2 Azure VMs.
  • Disk network access: Azure Site Recovery creates disks (replica and target disks) with public access enabled by default. To disable public access for these disks, follow these steps.
  • Boot integrity monitoring: Replication of the boot integrity monitoring state isn't supported. If you want to use it, enable it explicitly on the failed-over virtual machine.
  • Shared disks: Trusted virtual machines with attached shared disks are currently supported.
  • Scenario: Available only for Azure-to-Azure scenario.
  • Create a new VM flow: Enabling Management > Site Recovery option in Create a new Virtual machine flow is currently not supported.

Azure Site Recovery for trusted VMs

You can follow the same steps for Azure Site Recovery with trusted virtual machines as for Azure Site Recovery with standard Azure virtual machines.

Migrate Azure Site Recovery protected Azure Generation 2 VM to trusted VM

Azure Generation 2 VMs protected by Azure Site Recovery cannot be migrated to trusted launch. While the portal blocks this migration, other channels like PowerShell and CLI do not. Before proceeding, review the migration prerequisites and plan accordingly. If you still wish to migrate your Generation 2 Azure VM protected by Azure Site Recovery to Trusted Launch, follow these steps:

  1. Disable Azure Site Recovery replication.
  2. Uninstall the Azure Site Recovery agent from the VM. To do this, follow these steps:
    1. On the Azure portal, go to the virtual machine.
    2. Select Settings > Extensions.
    3. Select Site Recovery extension.
    4. Select Uninstall.
    5. Uninstall the Azure Site Recovery Mobility service using these commands.
  3. Trigger the migration of Generation 2 VM to trusted launch VM.
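The three steps above, scripted with Az PowerShell as an added example (not code from the Azure documentation). The resource names are placeholders, the script assumes the vault has a single source fabric and protection container, and the publisher filter used to locate the Site Recovery extension is an assumption; the Mobility service uninstall commands the page links to are not reproduced.

```powershell
# Assumed placeholder names; replace with your own.
$rgName    = "myResourceGroup"
$vmName    = "myGen2Vm"
$vaultName = "myAsrVault"

# Step 1: disable Azure Site Recovery replication for the VM.
$vault = Get-AzRecoveryServicesVault -ResourceGroupName $rgName -Name $vaultName
Set-AzRecoveryServicesAsrVaultContext -Vault $vault
# Assumption: one source fabric and one protection container in this vault.
$fabric    = Get-AzRecoveryServicesAsrFabric | Select-Object -First 1
$container = Get-AzRecoveryServicesAsrProtectionContainer -Fabric $fabric | Select-Object -First 1
$rpi = Get-AzRecoveryServicesAsrReplicationProtectedItem -ProtectionContainer $container -FriendlyName $vmName
$job = Remove-AzRecoveryServicesAsrReplicationProtectedItem -InputObject $rpi
while ((Get-AzRecoveryServicesAsrJob -Job $job).State -eq "InProgress") { Start-Sleep -Seconds 30 }

# Step 2: remove the Site Recovery extension from the VM.
# Assumption: the extension is identified by its Recovery Services publisher.
$ext = Get-AzVMExtension -ResourceGroupName $rgName -VMName $vmName |
       Where-Object { $_.Publisher -like "*RecoveryServices*" }
if ($ext) {
    Remove-AzVMExtension -ResourceGroupName $rgName -VMName $vmName -Name $ext.Name -Force
}
# Then uninstall the Mobility service inside the guest using the commands the page links to.

# Step 3: migrate the Generation 2 VM to trusted launch (VM must be deallocated first).
Stop-AzVM -ResourceGroupName $rgName -Name $vmName -Force
$vm = Get-AzVM -ResourceGroupName $rgName -Name $vmName
Update-AzVM -ResourceGroupName $rgName -VM $vm -SecurityType TrustedLaunch `
            -EnableSecureBoot $true -EnableVtpm $true
Start-AzVM -ResourceGroupName $rgName -Name $vmName

# Verify the security profile took effect before re-enabling any protection.
$vm = Get-AzVM -ResourceGroupName $rgName -Name $vmName
$vm.SecurityProfile.SecurityType    # expected: TrustedLaunch
$vm.SecurityProfile.UefiSettings    # SecureBootEnabled / VTpmEnabled should both be True
# The VM is now unprotected: re-enable Site Recovery on it if still required, and enable
# boot integrity monitoring explicitly, since its state is not replicated.
```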

Note

After migrating the virtual machine, the existing protection is disabled and the existing recovery points are deleted. The migrated virtual machine is no longer protected by Azure Site Recovery. If you still need protection, re-enable Azure Site Recovery on the trusted launch virtual machine.

Next steps

To learn more about trusted virtual machines, see trusted launch for Azure virtual machines.