Prepare on-premises VMware servers for disaster recovery to Azure
This article describes how to prepare on-premises VMware servers for disaster recovery to Azure using the Azure Site Recovery service.
This is the second tutorial in a series that shows you how to set up disaster recovery to Azure for on-premises VMware VMs. In the first tutorial, we set up the Azure components needed for VMware disaster recovery.
In this article, you learn how to:
- Prepare an account on the vCenter server or vSphere ESXi host, to automate VM discovery.
- Prepare an account for automatic installation of the Mobility service on VMware VMs.
- Review VMware server and VM requirements and support.
- Prepare to connect to Azure VMs after failover.
Note
Tutorials show you the simplest deployment path for a scenario. They use default options where possible, and don't show all possible settings and paths. For detailed instructions, review the article in the How To section of the Site Recovery Table of Contents.
Before you start
Make sure you've prepared Azure as described in the first tutorial in this series.
Prepare an account for automatic discovery
Site Recovery needs access to VMware servers to:
- Automatically discover VMs. At least a read-only account is required.
- Orchestrate replication, failover, and failback. You need an account that can run operations such as creating and removing disks, and powering on VMs.
Create the account as follows:
- To use a dedicated account, create a role at the vCenter level. Give the role a name such as Azure_Site_Recovery.
- Assign the role the permissions summarized in the table below.
- Create a user on the vCenter server or vSphere host. Assign the role to the user.
VMware account permissions
Task | Role/Permissions | Details |
---|---|---|
VM discovery | At least a read-only user. Data Center object -> Propagate to Child Object, role=Read-only | User assigned at datacenter level, and has access to all the objects in the datacenter. To restrict access, assign the No access role, with the Propagate to child object option, to the child objects (vSphere hosts, datastores, VMs and networks). |
Full replication, failover, failback | Create a role (Azure_Site_Recovery) with the required permissions, and then assign the role to a VMware user or group. Data Center object -> Propagate to Child Object, role=Azure_Site_Recovery; Datastore -> Allocate space, browse datastore, low-level file operations, remove file, update virtual machine files; Network -> Network assign; Resource -> Assign VM to resource pool, migrate powered off VM, migrate powered on VM; Tasks -> Create task, update task; Virtual machine -> Configuration; Virtual machine -> Interact -> answer question, device connection, configure CD media, configure floppy media, power off, power on, VMware tools install; Virtual machine -> Inventory -> Create, register, unregister; Virtual machine -> Provisioning -> Allow virtual machine download, allow virtual machine files upload; Virtual machine -> Snapshots -> Remove snapshots, Create snapshots | User assigned at datacenter level, and has access to all the objects in the datacenter. To restrict access, assign the No access role, with the Propagate to child object option, to the child objects (vSphere hosts, datastores, VMs and networks). |
Prepare an account for Mobility service installation
The Mobility service must be installed on machines you want to replicate. Site Recovery can do a push installation of this service when you enable replication for a machine, or you can install it manually or with installation tools.
- In this tutorial, we're going to install the Mobility service with the push installation.
- For this push installation, you need to prepare an account that Site Recovery can use to access the VM. You specify this account when you set up disaster recovery in the Azure console.
Prepare the account as follows:
Prepare a domain or local account with permissions to install on the VM.
- Windows VMs: To install on Windows VMs if you're not using a domain account, disable UAC remote restrictions on the local machine. After they're disabled, Azure Site Recovery can access the local machine remotely without UAC restriction. To do this, in the registry under HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System, add the DWORD entry LocalAccountTokenFilterPolicy with a value of 1.
- Linux VMs: To install on Linux VMs, prepare a root account on the source Linux server.
Check VMware requirements
Make sure VMware servers and VMs comply with requirements.
- Verify VMware server requirements.
- For Linux VMs, check file system and storage requirements.
- Check on-premises network and storage support.
- Check what's supported for Azure networking, storage, and compute, after failover.
- The on-premises VMs you replicate to Azure must comply with Azure VM requirements.
- In Linux virtual machines, each device name and mount point name should be unique. Ensure that no two devices/mount points have the same name. Note that names aren't case-sensitive. For example, naming two devices for the same VM as device1 and Device1 isn't allowed.
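A pre-replication check for the uniqueness rule above, as an added example that is not part of the original article: it flags device names or mount points that differ only by letter case. The function names and the sample names are constructed for illustration, and `lsblk` and `findmnt` are assumed to be available on the source Linux VM.

```shell
#!/bin/sh
# Added example (not from the original article).

# Reads one name per line on stdin. Prints every group of names that become
# identical once letter case is ignored, and returns 1 if any group exists.
case_collisions() {
    # Drop exact repeats first (lsblk can list one device under several
    # parents); the C locale keeps the sort order deterministic.
    LC_ALL=C sort -u | awk '
        NF == 0 { next }
        {
            key = tolower($0)
            seen[key]++
            group[key] = (seen[key] > 1) ? group[key] ", " $0 : $0
        }
        END {
            for (k in seen) if (seen[k] > 1) { print group[k]; bad = 1 }
            exit (bad + 0)
        }'
}

# Run on the source Linux VM: device names and mount points are checked
# separately. Assumes util-linux lsblk and findmnt are installed.
check_vm_names() {
    rc=0
    lsblk -rno NAME | case_collisions || rc=1
    findmnt -rno TARGET | case_collisions || rc=1
    return "$rc"
}

# Constructed sample: two LVM volumes whose names differ only by case.
sample_names() {
    printf '%s\n' sda sda1 vg0-data vg0-Data sdb
}

sample_names | case_collisions || echo "rename the colliding names before enabling replication"
```

Call `check_vm_names` on each source VM before you enable replication; a non-zero return means at least one pair of names collides.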
Prepare to connect to Azure VMs after failover
After failover, you might want to connect to the Azure VMs from your on-premises network.
To connect to Windows VMs using RDP after failover, do the following:
- Internet access. Before failover, enable RDP on the on-premises VM. Make sure that TCP and UDP rules are added for the Public profile, and that RDP is allowed in Windows Firewall > Allowed Apps, for all profiles.
- Site-to-site VPN access:
  - Before failover, enable RDP on the on-premises machine.
  - RDP should be allowed in the Windows Firewall -> Allowed apps and features for Domain and Private networks.
- Check that the operating system's SAN policy is set to OnlineAll. Learn more.
- There should be no Windows updates pending on the VM when you trigger a failover. If there are, you won't be able to sign in to the virtual machine until the update completes.
- On the Azure VM after failover, check Boot diagnostics to view a screenshot of the VM. If you can't connect, check that the VM is running and review these troubleshooting tips.
To connect to Linux VMs using SSH after failover, do the following:
- On the on-premises machine before failover, check that the Secure Shell service is set to start automatically on system boot.
- Check that firewall rules allow an SSH connection.
- On the Azure VM after failover, allow incoming connections to the SSH port for the network security group rules on the failed over VM, and for the Azure subnet to which it's connected.
- Add a public IP address for the VM.
- You can check Boot diagnostics to view a screenshot of the VM.
Failback requirements
If you plan to fail back to your on-premises site, there are a number of prerequisites for failback. You can prepare these now, but you don't need to. You can prepare after you fail over to Azure.
Next steps
Set up disaster recovery. If you're replicating multiple VMs, plan capacity.