Tutorial: Set up disaster recovery for Azure VMs

This tutorial shows you how to set up disaster recovery for Azure VMs using Azure Site Recovery. In this article, you learn how to:

  • Verify Azure settings and permissions
  • Prepare VMs you want to replicate
  • Create a Recovery Services vault
  • Enable VM replication

When you enable replication for a VM to set up disaster recovery, the Site Recovery Mobility service extension installs on the VM, and registers it with Azure Site Recovery. During replication, VM disk writes are sent to a cache storage account in the source region. Data is sent from there to the target region, and recovery points are generated from the data. When you fail over a VM during disaster recovery, a recovery point is used to restore the VM in the target region. Learn more about the architecture.

Note

Tutorials provide instructions with the simplest default settings. If you want to set up Azure VM disaster recovery with customized settings, review this article.

If you don't have an Azure subscription, create a trial subscription before you begin.

Prerequisites

Before you start this tutorial:

Check Azure settings

Check permissions and settings in the target region.

Check permissions

Your Azure account needs permissions to create a Recovery Services vault, and to create VMs in the target region.

  • If you just created a Azure subscription, you're the account admin, and no further action is needed.
  • If you aren't the admin, work with the admin to get the permissions you need.
    • Microsoft Entra ID: Application owner and application developer roles to enable replication.
    • Create a vault: Admin or owner permissions on the subscription.
    • Manage Site Recovery operations in the vault: The Site Recovery Contributor built-in Azure role.
    • Create Azure VMs in the target region: Either the built-in Virtual Machine Contributor role, or specific permissions to:
      • Create a VM in the selected virtual network.
      • Write to an Azure storage account.
      • Write to an Azure-managed disk.

Verify target settings

During disaster recovery, when you fail over from the source region, VMs are created in the target region.

Check that your subscription has enough resources in the target region. You need to be able to create VMs with sizes that match VMs in the source region. When you set up disaster recovery, Site Recovery picks the same size (or the closest possible size) for the target VM.

Prepare VMs

Make sure VMs have outbound connectivity, and the latest root certificates.

Set up VM connectivity

VMs that you want to replicate need outbound network connectivity.

Note

Site Recovery doesn't support using an authentication proxy to control network connectivity.

Outbound connectivity for URLs

If you're using a URL-based firewall proxy to control outbound connectivity, allow access to these URLs:

Name Azure China 21Vianet Description
Storage *.blob.core.chinacloudapi.cn Allows data to be written from the VM to the cache storage account in the source region.
Microsoft Entra ID login.chinacloudapi.cn Provides authorization and authentication to Site Recovery service URLs.
Replication *.hypervrecoverymanager.windowsazure.cn Allows the VM to communicate with the Site Recovery service.
Service Bus *.servicebus.chinacloudapi.cn Allows the VM to write Site Recovery monitoring and diagnostics data.

Outbound connectivity for IP address ranges

If you're using network security groups (NSGs) to control connectivity, create a service-tag based NSG rules that allow HTTPS outbound to port 443 for these service tags(groups of IP addresses):

Tag Allow
Storage tag Allows data to be written from the VM to the cache storage account.
Microsoft Entra ID tag Allows access to all IP addresses that correspond to Microsoft Entra ID.
EventsHub tag Allows access to Site Recovery monitoring.
AzureSiteRecovery tag Allows access to the Site Recovery service in any region.
GuestAndHybridManagement tag Use if you want to automatically upgrade the Site Recovery Mobility agent that's running on VMs enabled for replication.

Learn more about required tags and tagging examples.

Azure Instance Metadata Service (IMDS) connectivity

Azure Site Recovery mobility agent uses Azure Instance Metadata Service (IMDS) to get virtual machine security type. Communications between VM and IMDS never leaves the host. Ensure that you bypass the IP 169.254.169.254 when using any proxies.

Verify VM certificates

Check that the VMs have the latest root certificates. Otherwise, the VM can't be registered with Site Recovery because of security constraints.

  • Windows VMs: Install all the latest Windows updates on the VM, so that all the trusted root certificates are on the machine. In a disconnected environment, follow your standard processes for Windows Update, and certificate updates.
  • Linux VMs: Follow the guidance provided by your Linux distributor, to get the latest trusted root certificates and certificate revocation list (CRL).

Create a Recovery Services vault

Create a Recovery Services vault in any region, except in the source region from which you want to replicate VMs.

  1. Sign in to the Azure portal.

  2. In the search box, type recovery. Under Services, select Recovery Services vaults.

    Search for Recovery Services vaults

  3. In Recovery Services vaults, select Add.

  4. In Create Recovery Services vault > Basics, select the subscription in which to create the vault.

  5. In Resource group, select an existing resource group for the vault, or create a new one.

  6. In Vault name, specify a friendly name to identify the vault.

  7. In Region, select the Azure region in which to place the vault. Check supported regions.

  8. Select Review + create.

    Vault settings on page for creating a new vault

  9. In Review + create, select Create.

  10. Vault deployment begins. Follow progress in the notifications.

  11. After the vault is deployed, select Pin to dashboard to save it for quick reference. Select Go to resource to open the new vault.

    Buttons for opening the vault after deployment, and pinning to dashboard

Enable Site Recovery

In the vault settings, select Enable Site Recovery.

Selection to enable Site Recovery in the vault

Enable replication

Select the source settings and enable VM replication.

Select source settings

  1. In the vault > Site Recovery page, under Azure virtual machines, select Enable replication.

    Screenshot showing selection to enable replication for Azure VMs.

  2. In the Enable replication page, under Source tab, do the following:

    • Region: Select the source Azure region in which VMs are currently running.

    • Subscription: Select the subscription in which VMs are running. You can select any subscription that's in the same Microsoft Entra tenant as the vault.

    • Resource group: Select the desired resource group from the drop-down.

    • Virtual machine deployment model: Retain the default Resource Manager setting.

    • Disaster recovery between availability zones: Retain the default No setting.

      Screenshot showing how to set up source.

  3. Select Next.

Select the VMs

Site Recovery retrieves the VMs associated with the selected subscription/resource group.

  1. In Virtual machines, select the VMs you want to enable for disaster recovery. You can select up to 10 VMs.

    Screenshot that highlights where you select virtual machines.

  2. Select Next.

Review replication settings

  1. In Replication settings, review the settings. Site Recovery creates default settings/policy for the target region. For the purposes of this tutorial, we use the default settings.

  2. Select Next.

    Screenshot to customize settings and enable replication.

Manage

  1. In Manage, do the following:

    1. Under Replication policy,
      • Replication policy: Select the replication policy. Defines the settings for recovery point retention history and app-consistent snapshot frequency. By default, Site Recovery creates a new replication policy with default settings of 24 hours for recovery point retention.
      • Replication group: Create replication group to replicate VMs together to generate Multi-VM consistent recovery points. Note that enabling multi-VM consistency can impact workload performance and should only be used if machines are running the same workload and you need consistency across multiple machines.
    2. Under Extension settings,
      • Select Update settings and Automation account. Screenshot showing manage tab.
  2. Select Next.

Review

In Review, review the VM settings and select Enable replication.

Screenshot showing vm settings.

The VMs you enable appear on the vault > Replicated items page.

Screenshot of VM on the Replicated Items page

Next steps

In this tutorial, you enabled disaster recovery for an Azure VM. Now, run a disaster recovery drill to check that failover works as expected.