Replicate Azure Disk Encryption-enabled virtual machines to another Azure region

This article describes how to replicate Azure VMs with Azure Disk Encryption (ADE) enabled from one Azure region to another.

Note

Site Recovery currently supports ADE, with and without Azure Active Directory (AAD), for VMs running Windows operating systems. For Linux operating systems, only ADE without AAD is supported. Moreover, for machines running ADE 1.1 (without AAD), the VMs must use managed disks; VMs with unmanaged disks aren't supported. If you switch from ADE 0.1 (with AAD) to 1.1, you need to disable replication for the VM and then enable replication again after enabling 1.1.

Required user permissions

Site Recovery requires the user to have permissions to create the key vault in the target region and to copy keys from the source region key vault to the target region key vault.

To enable replication of Disk Encryption-enabled VMs from the Azure portal, the user needs the following permissions on both the source region and target region key vaults.

  • Key vault permissions

    • List, Create and Get
  • Key vault secret permissions

    • Secret Management Operations
      • Get, List and Set
  • Key vault key permissions (required only if the VMs use a key encryption key to encrypt the disk encryption keys)

    • Key Management Operations
      • Get, List and Create
    • Cryptographic Operations
      • Decrypt and Encrypt

To manage permissions, go to the key vault resource in the portal and add the required permissions for the user. The following example shows how to enable permissions on the key vault ContosoWeb2Keyvault, which is in the source region.

  1. Go to Home > Keyvaults > ContosoWeb2KeyVault > Access policies.

    [Image: Key vault permissions window]

  2. You can see that there are no user permissions. Select Add new. Enter the user and permissions information.

    [Image: Key vault permissions]
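The same access-policy permissions can be granted and verified with Az PowerShell instead of the portal. This is an added example, not code from the article; the vault names, the user principal name and the AzureChinaCloud environment are assumptions for illustration:

```powershell
# Added example (not from the article): grant a DR operator the secret and key permissions
# this article lists, on both the source and target region key vaults, then verify them.
# Vault names, user principal name and environment are assumptions for illustration.
Connect-AzAccount -Environment AzureChinaCloud | Out-Null

$user   = 'dradmin@contoso.com'            # assumed user who will enable replication
$userId = (Get-AzADUser -UserPrincipalName $user).Id
$vaults = @(
    'ContososourceKeyvault',               # assumed source region vault (China East)
    'ContosotargetKeyvault'                # assumed target region vault (China North)
)

foreach ($name in $vaults) {
    # Secret permissions: Get, List, Set (the disk encryption secrets / BEKs).
    # Key permissions: Get, List, Create plus Encrypt, Decrypt; only needed when a
    # key encryption key (KEK) wraps the BEK, so drop them for VMs without a KEK.
    Set-AzKeyVaultAccessPolicy -VaultName $name -ObjectId $userId `
        -PermissionsToSecrets 'get','list','set' `
        -PermissionsToKeys    'get','list','create','encrypt','decrypt'
}

# Verify: show the effective policy for the user on each vault. A missing 'get' on the
# source vault, or no write permission on the target vault, are the two causes the
# troubleshooting section of this article describes.
foreach ($name in $vaults) {
    $vault  = Get-AzKeyVault -VaultName $name
    $policy = $vault.AccessPolicies | Where-Object { $_.ObjectId -eq $userId }
    [pscustomobject]@{
        Vault   = $name
        Secrets = ($policy.PermissionsToSecrets -join ',')
        Keys    = ($policy.PermissionsToKeys -join ',')
    }
}
```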

If the user who's enabling disaster recovery (DR) doesn't have permissions to copy the keys, a security administrator who has the appropriate permissions can use the following script to copy the encryption secrets and keys to the target region.

To troubleshoot permissions, refer to Troubleshoot key vault permission issues later in this article.

Note

To enable replication of Disk Encryption-enabled VMs from the portal, you need at least "List" permissions on the key vaults, secrets, and keys.

Copy Disk Encryption keys to the DR region by using the PowerShell script

  1. Open the "CopyKeys" raw script code.

  2. Copy the script to a file, and name it Copy-keys.ps1.

    Note

    Replace the following items to match the Azure China Cloud environment before you execute this script.

    1. Get-Authentication function
      • Replace https://vault.azure.net with https://vault.azure.cn.
      • Replace https://login.windows.net with https://login.chinacloudapi.cn.
    2. Start-CopyKeys function
      • Replace Login-AzAccount with Login-AzAccount -Environment AzureChinaCloud.
      • Replace vault.azure.net with vault.azure.cn.
  3. Open the Windows PowerShell application, and go to the folder where you saved the file.

  4. Execute Copy-keys.ps1.

  5. Provide Azure credentials to sign in.

  6. Select the Azure subscription of your VMs.

  7. Wait for the resource groups to load, and then select the resource group of your VMs.

  8. Select the VMs from the list that's displayed. Only VMs that are enabled for disk encryption are on the list.

  9. Select the target location.

    • Disk encryption key vaults
    • Key encryption key vaults

    By default, Site Recovery creates a new key vault in the target region. The vault's name has an "asr" suffix and is based on the source VM disk encryption key vault. If a key vault that was created by Site Recovery already exists, it's reused. Select a different key vault from the list if necessary.
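As an added illustration of what the copy step does (this is not the CopyKeys script itself, and is not from the article), the following Az PowerShell copies the disk encryption secret (BEK) and, if one is used, the key encryption key (KEK) of one managed OS disk to a target region vault named with the "asr" suffix. The disk, resource group, location and vault names are assumptions, and it reads the encryption settings from the managed disk resource, which the ADE 1.1 managed-disk requirement above implies:

```powershell
# Added example, not the article's CopyKeys script: copy the BEK and (if used) the KEK of one
# managed OS disk from the source region key vault to a target region key vault, preserving
# content type and tags so Site Recovery can consume the secret. Names are assumptions.
Connect-AzAccount -Environment AzureChinaCloud | Out-Null

$resourceGroup  = 'ContosoRG'           # assumed source resource group
$osDiskName     = 'ContosoWeb2_OsDisk'  # assumed managed OS disk of the source VM
$targetRG       = 'ContosoRG-asr'       # assumed target resource group (must already exist)
$targetLocation = 'chinanorth'

$disk = Get-AzDisk -ResourceGroupName $resourceGroup -DiskName $osDiskName
$enc  = $disk.EncryptionSettingsCollection
if (-not $enc -or -not $enc.Enabled) { throw "$osDiskName is not encrypted with Azure Disk Encryption." }
$setting = $enc.EncryptionSettings[0]

# Secret URL has the form https://<vault>.vault.azure.cn/secrets/<name>/<version>
$secretUri = [uri]$setting.DiskEncryptionKey.SecretUrl
$srcVault  = $secretUri.Host.Split('.')[0]
$secretName, $secretVersion = $secretUri.Segments[2..3] | ForEach-Object { $_.TrimEnd('/') }

# Follow the Site Recovery convention: source vault name with an "asr" suffix in the target region
$dstVault = "$srcVault-asr"
if (-not (Get-AzKeyVault -VaultName $dstVault)) {
    New-AzKeyVault -Name $dstVault -ResourceGroupName $targetRG -Location $targetLocation | Out-Null
}

# Copy the BEK. Its content type ('BEK' or 'Wrapped BEK') and tags identify the disk it belongs to,
# so they are copied along with the value.
$secret = Get-AzKeyVaultSecret -VaultName $srcVault -Name $secretName -Version $secretVersion
Set-AzKeyVaultSecret -VaultName $dstVault -Name $secretName -SecretValue $secret.SecretValue `
    -ContentType $secret.ContentType -Tag $secret.Tags | Out-Null

# Copy the KEK, if one wraps the BEK, via key backup/restore. A key backup can only be restored
# into a vault in the same subscription and Azure geography as the source vault.
if ($setting.KeyEncryptionKey) {
    $kekUri  = [uri]$setting.KeyEncryptionKey.KeyUrl
    $kekName = $kekUri.Segments[2].TrimEnd('/')
    $backup  = Backup-AzKeyVaultKey -VaultName $kekUri.Host.Split('.')[0] -Name $kekName
    Restore-AzKeyVaultKey -VaultName $dstVault -InputFile $backup | Out-Null
    Remove-Item -Path $backup    # the backup file contains key material; do not leave it on disk
}
```

Each encrypted data disk of the VM carries its own BEK, so the secret-copy step is repeated for every disk in the VM's data disk list.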

Enable replication

For this example, the primary Azure region is China East, and the secondary region is China North.

  1. In the vault, select +Replicate.

  2. Note the following fields.

    • Source: The point of origin of the VMs, which in this case is Azure.
    • Source location: The Azure region where you want to protect your virtual machines. For this example, the source location is "China East."
    • Deployment model: The Azure deployment model of the source machines.
    • Source subscription: The subscription to which your source virtual machines belong. It can be any subscription that's in the same Azure Active Directory tenant as your recovery services vault.
    • Resource Group: The resource group to which your source virtual machines belong. All the VMs in the selected resource group are listed for protection in the next step.
  3. In Virtual Machines > Select virtual machines, select each VM that you want to replicate. You can only select machines for which replication can be enabled. Then, select OK.

  4. In Settings, you can configure the following target-site settings.

    • Target location: The location where your source virtual machine data will be replicated. Site Recovery provides a list of suitable target regions based on the selected machine's location. We recommend that you use the same location as the Recovery Services vault's location.
    • Target subscription: The target subscription that's used for disaster recovery. By default, the target subscription is the same as the source subscription.
    • Target resource group: The resource group to which all your replicated virtual machines belong. By default, Site Recovery creates a new resource group in the target region. The name gets the "asr" suffix. If a resource group that was created by Azure Site Recovery already exists, it's reused. You can also choose to customize it, as shown in the following section. The location of the target resource group can be any Azure region except the region where the source virtual machines are hosted.
    • Target virtual network: By default, Site Recovery creates a new virtual network in the target region. The name gets the "asr" suffix. It's mapped to your source network and used for any future protection. Learn more about network mapping.
    • Target storage accounts (if your source VM doesn't use managed disks): By default, Site Recovery creates a new target storage account by mimicking your source VM storage configuration. If a storage account already exists, it's reused.
    • Replica managed disks (if your source VM uses managed disks): Site Recovery creates new replica managed disks in the target region that mirror the source VM's managed disks, using the same storage type (standard or premium) as the source VM's managed disks.
    • Cache storage accounts: Site Recovery needs an extra storage account called cache storage in the source region. All the changes on the source VMs are tracked and sent to the cache storage account. They're then replicated to the target location.
    • Availability set: By default, Site Recovery creates a new availability set in the target region. The name has the "asr" suffix. If an availability set that was created by Site Recovery already exists, it's reused.
    • Disk encryption key vaults: By default, Site Recovery creates a new key vault in the target region. Its name has an "asr" suffix and is based on the source VM disk encryption key vault. If a key vault that was created by Azure Site Recovery already exists, it's reused.
    • Key encryption key vaults: By default, Site Recovery creates a new key vault in the target region. Its name has an "asr" suffix and is based on the source VM key encryption key vault. If a key vault created by Azure Site Recovery already exists, it's reused.
    • Replication policy: Defines the settings for recovery point retention history and app-consistent snapshot frequency. By default, Site Recovery creates a new replication policy with default settings of 24 hours for recovery point retention and 60 minutes for app-consistent snapshot frequency.

Customize target resources

Follow these steps to modify the Site Recovery default target settings.

  1. Select Customize next to "Target subscription" to modify the default target subscription. Select the subscription from the list of subscriptions that are available in the Azure AD tenant.

  2. Select Customize next to "Resource group, Network, Storage, and Availability sets" to modify the following default settings:

    • For Target resource group, select the resource group from the list of resource groups in the target location of the subscription.
    • For Target virtual network, select the network from the list of virtual networks in the target location.
    • For Availability set, you can add availability set settings to the VMs, if they're part of an availability set in the source region.
    • For Target Storage accounts, select the account to use.
  3. Select Customize next to "Encryption settings" to modify the following default settings:

    • For Target disk encryption key vault, select the target disk encryption key vault from the list of key vaults in the target location of the subscription.
    • For Target key encryption key vault, select the target key encryption key vault from the list of key vaults in the target location of the subscription.
  4. Select Create target resource > Enable Replication.

  5. After the VMs are enabled for replication, you can check the VMs' health status under Replicated items.

Note

During initial replication, the status might take some time to refresh, without apparent progress. Click Refresh to get the latest status.

Update target VM encryption settings

In the following scenarios, you'll be required to update the target VM encryption settings:

  • You enabled Site Recovery replication on the VM. Later, you enabled disk encryption on the source VM.
  • You enabled Site Recovery replication on the VM. Later, you changed the disk encryption key or key encryption key on the source VM.

You can use a script to copy the encryption keys to the target region and then update the target encryption settings in Recovery services vault > Replicated items > Properties > Compute and Network.

[Image: Update ADE settings dialog window]

Troubleshoot key vault permission issues during Azure-to-Azure VM replication

Azure Site Recovery requires at least read permission on the source region key vault and write permission on the target region key vault, in order to read the secret and copy it to the target region key vault.

Cause 1: You don't have "GET" permission on the source region key vault to read the keys.
How to fix: Regardless of whether you are a subscription admin or not, you must have get permission on the key vault.

  1. Go to the source region key vault, which in this example is "ContososourceKeyvault" > Access policies.
  2. Under Select Principal, add your user name, for example: "dradmin@contoso.com".
  3. Under Key permissions, select GET.
  4. Under Secret Permission, select GET.
  5. Save the access policy.

Cause 2: You don't have the required permission on the target region key vault to write the keys.

For example: You try to replicate a VM that has the key vault ContososourceKeyvault in the source region. You have all the permissions on the source region key vault. But during protection, you select the already-created key vault ContosotargetKeyvault, on which you don't have permissions. An error occurs.

[Image: Permissions required on the target key vault]

How to fix: Go to Home > Keyvaults > ContosotargetKeyvault > Access policies and add the appropriate permissions.

Next steps

Learn more about running a test failover.