Replicate machines with Customer-Managed Keys (CMK) enabled disks

This article describes how to replicate Azure VMs with Customer-Managed Keys (CMK) enabled managed disks, from one Azure region to another.

Prerequisite

You must create the Disk Encryption set(s) in the target region for the target subscription before enabling replication for your virtual machines that have CMK-enabled managed disks.

Enable replication

For this example, the primary Azure region is China East, and the secondary region is China North.

  1. In the vault, select +Replicate.

  2. Note the following fields.

    • Source: The point of origin of the VMs, which in this case is Azure.
    • Source location: The Azure region where you want to protect your virtual machines. For this example, the source location is "China East."
    • Deployment model: The Azure deployment model of the source machines.
    • Source subscription: The subscription to which your source virtual machines belong. It can be any subscription that's in the same Azure Active Directory tenant as your recovery services vault.
    • Resource Group: The resource group to which your source virtual machines belong. All the VMs in the selected resource group are listed for protection in the next step.
  3. In Virtual Machines > Select virtual machines, select each VM that you want to replicate. You can only select machines for which replication can be enabled. Then, select OK.

  4. In Settings, you can configure the following target-site settings.

    • Target location: The location where your source virtual machine data will be replicated. Site Recovery provides a list of suitable target regions based on the selected machine's location. We recommend that you use the same location as the Recovery Services vault's location.

    • Target subscription: The target subscription that's used for disaster recovery. By default, the target subscription is the same as the source subscription.

    • Target resource group: The resource group to which all your replicated virtual machines belong. By default, Site Recovery creates a new resource group in the target region. The name gets the asr suffix. If a resource group already exists that was created by Azure Site Recovery, it's reused. You can also choose to customize it, as shown in the following section. The location of the target resource group can be any Azure region except the region where the source virtual machines are hosted.

    • Target virtual network: By default, Site Recovery creates a new virtual network in the target region. The name gets the asr suffix. It's mapped to your source network and used for any future protection. Learn more about network mapping.

    • Target storage accounts (if your source VM doesn't use managed disks): By default, Site Recovery creates a new target storage account by mimicking your source VM storage configuration. If a storage account already exists, it's reused.

    • Replica managed disks (if your source VM uses managed disks): Site Recovery creates new replica managed disks in the target region to mirror the source VM's managed disks, using the same storage type (standard or premium) as the source disks.

    • Cache storage accounts: Site Recovery needs an extra storage account called cache storage in the source region. All the changes on the source VMs are tracked and sent to the cache storage account. They're then replicated to the target location.

    • Availability set: By default, Site Recovery creates a new availability set in the target region. The name has the asr suffix. If an availability set that was created by Site Recovery already exists, it's reused.

    • Disk encryption sets (DES): Site Recovery needs the disk encryption set(s) to be used for replica and target managed disks. You must pre-create DES in the target subscription and the target region before enabling the replication. By default, a DES is not selected. You must click on 'Customize' to choose a DES per source disk.

    • Replication policy: Defines the settings for recovery point retention history and app-consistent snapshot frequency. By default, Site Recovery creates a new replication policy with default settings of 24 hours for recovery point retention and 60 minutes for app-consistent snapshot frequency.

Customize target resources

Follow these steps to modify the Site Recovery default target settings.

  1. Select Customize next to "Target subscription" to modify the default target subscription. Select the subscription from the list of subscriptions that are available in the Azure AD tenant.

  2. Select Customize next to "Resource group, Network, Storage, and Availability sets" to modify the following default settings:

    • For Target resource group, select the resource group from the list of resource groups in the target location of the subscription.
    • For Target virtual network, select the network from a list of virtual networks in the target location.
    • For Availability set, you can add availability set settings to the VM, if they're part of an availability set in the source region.
    • For Target Storage accounts, select the account to use.
  3. Select Customize next to "Storage encryption settings" to select the target DES for every customer-managed key (CMK) enabled source managed disk. At the time of selection, you will also be able to see which target key vault the DES is associated with.

  4. Select Create target resource > Enable Replication.

  5. After the VMs are enabled for replication, you can check the VMs' health status under Replicated items.

    Note

    During initial replication, the status might take some time to refresh, without apparent progress. Click Refresh to get the latest status.

FAQs

  • I have enabled CMK on an existing replicated item. How can I ensure that CMK is applied on the target region as well?

    You can find out the name of the replica managed disk (created by Azure Site Recovery in the target region) and attach DES to this replica disk. However, you will not be able to see the DES details in the Disks blade once you attach it. Alternatively, you can choose to disable the replication of the VM and enable it again. It will ensure you see DES and key vault details in the Disks blade for the replicated item.

  • I have added a new CMK enabled disk to the replicated item. How can I replicate this disk with Azure Site Recovery?

    Addition of a new CMK enabled disk to an existing replicated item is not supported. Disable the replication and enable the replication again for the virtual machine.

  • I have enabled both platform and customer managed keys. How can I protect my disks?

    Enabling double encryption with both platform and customer managed keys is supported by Site Recovery. Follow the instructions in this article to protect your machine. You need to create a double encryption enabled DES in the target region in advance. At the time of enabling the replication for such a VM, you can provide this DES to Site Recovery.
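
A preflight check for the prerequisite and the double-encryption FAQ above, as an added example that is not part of the original article or of Azure Site Recovery: it confirms that every CMK-enabled source disk has a DES in the target region and target subscription, and that double-encrypted disks have a double-encryption DES there. The records are constructed samples shaped like `az disk list` and `az disk-encryption-set list` JSON output; the subscription ID, resource groups and names are placeholders, and `preflight` is a hypothetical helper.

```python
CMK = "EncryptionAtRestWithCustomerKey"
DOUBLE = "EncryptionAtRestWithPlatformAndCustomerKeys"  # platform + customer keys

def subscription_of(resource_id):
    """Return the subscription segment of an ARM resource ID, or None."""
    parts = resource_id.strip("/").split("/")
    if len(parts) > 1 and parts[0].lower() == "subscriptions":
        return parts[1].lower()
    return None

def preflight(source_disks, des_list, target_region, target_subscription):
    """Return (plan, blockers): usable target DES IDs per CMK disk, and
    the names of CMK disks that have no usable DES in the target."""
    usable = [d for d in des_list
              if d["location"].lower() == target_region.lower()
              and subscription_of(d["id"]) == target_subscription.lower()]
    plan, blockers = {}, []
    for disk in source_disks:
        enc_type = (disk.get("encryption") or {}).get("type")
        if enc_type not in (CMK, DOUBLE):
            continue  # platform-managed key only: no DES to select
        # A double-encrypted disk needs a double-encryption DES (see the FAQ).
        candidates = [d["id"] for d in usable
                      if enc_type != DOUBLE or d.get("encryptionType") == DOUBLE]
        if candidates:
            plan[disk["name"]] = candidates
        else:
            blockers.append(disk["name"])
    return plan, blockers

# Constructed sample data; the subscription ID and all names are placeholders.
SUB = "00000000-0000-0000-0000-000000000001"

def _des_id(rg, name):
    return (f"/subscriptions/{SUB}/resourceGroups/{rg}"
            f"/providers/Microsoft.Compute/diskEncryptionSets/{name}")

SAMPLE_DES = [
    {"id": _des_id("rg-east", "des-east"), "location": "chinaeast", "encryptionType": CMK},
    {"id": _des_id("rg-north", "des-north-cmk"), "location": "chinanorth", "encryptionType": CMK},
]
SAMPLE_DISKS = [
    {"name": "os-disk", "encryption": {"type": CMK}},
    {"name": "data-disk-double", "encryption": {"type": DOUBLE}},
    {"name": "scratch", "encryption": {"type": "EncryptionAtRestWithPlatformKey"}},
]

if __name__ == "__main__":
    plan, blockers = preflight(SAMPLE_DISKS, SAMPLE_DES, "chinanorth", SUB)
    print("DES choices per disk:", plan)
    print("Disks with no usable target DES:", blockers)
```

Any disk listed as a blocker needs a DES created in the target region before replication is enabled, because no DES is selected by default.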