Replicate machines with private endpoints

Azure Site Recovery lets you use Azure Private Link private endpoints to replicate machines from inside an isolated virtual network. Private endpoint access to a Recovery Services vault is supported in all Azure China regions.

This article walks through the following steps:

  • Create a Recovery Services vault to protect your machines.
  • Enable a managed identity for the vault and grant it the permissions it needs on your storage accounts, so that replication traffic can flow from the source to the target location. Managed identity access to storage is mandatory once Private Link access to the vault is set up.
  • Make the DNS changes that private endpoints require.
  • Create and approve private endpoints for the vault inside a virtual network.
  • Create private endpoints for the storage accounts. You can keep allowing public or firewalled access to storage if you need it; a private endpoint for storage access is optional for Azure Site Recovery.

The reference architecture below shows how the replication workflow changes when private endpoints are used.

[Diagram: reference architecture for Site Recovery with private endpoints]

Prerequisites and caveats

  • Private endpoints can be created only for a new Recovery Services vault that has no items registered to it yet, so create the private endpoints before you add anything to the vault.

  • Once a private endpoint exists for a vault, the vault is locked down: it is no longer reachable from any network that does not have a private endpoint to it. Plan the remaining steps (Azure Active Directory egress, the recovery-side endpoint, DNS) before that happens.

  • Azure Active Directory does not currently support private endpoints, so the IP addresses and fully qualified domain names that Azure Active Directory needs in your region must be allowed outbound from the secured network. Where applicable, the network security group service tag AzureActiveDirectory and the equivalent Azure Firewall tag can be used instead of maintaining that list by hand.

  • At least seven IP addresses are needed in the subnets of both your source machines and your recovery machines. When you create the private endpoint for the vault, Site Recovery creates five private links for access to its microservices; when you later enable replication, it adds two more for the source and target region pairing.

  • One further IP address is needed in both the source and the recovery subnet, but only if you use private endpoints to reach the cache storage accounts. Private endpoints for storage can only be created on General Purpose v2 accounts; review the data-transfer pricing for GPv2.

Creating and using private endpoints for Site Recovery

This section covers the steps involved in creating and using private endpoints for Azure Site Recovery inside your virtual networks.

Note

Follow these steps in the order given. Doing them out of order can leave the vault unable to use private endpoints, in which case you have to start over with a new vault.

Create a Recovery Services vault

A Recovery Services vault holds the replication information for your machines and is the entity from which Site Recovery operations are triggered. For details, see Create a Recovery Services vault.

Enable the managed identity for the vault

A managed identity is what lets the vault access your storage accounts. Depending on the scenario, Site Recovery needs access to the source, target and cache/log storage accounts. Managed identity access is essential when the vault is reached over Private Link.

  1. Go to your Recovery Services vault and select Identity under Settings.

    [Screenshot: the vault's Identity page in the Azure portal]

  2. Change Status to On and select Save.

  3. An Object ID is generated, which indicates that the vault is now registered with Azure Active Directory.

Create private endpoints for the Recovery Services vault

To enable both failover and failback for Azure virtual machines, the vault needs two private endpoints: one to protect machines in the source network, and another to reprotect failed-over machines in the recovery network.

Make sure you also create a recovery virtual network in the target region as part of this setup.

Create the first private endpoint for the vault inside the source virtual network, using the Private Link Center in the portal, and the second one inside the recovery network. The steps below create the private endpoint in the source network; repeat them to create the second.

  1. In the Azure portal search bar, search for and select "Private Link". This opens the Private Link Center.

    [Screenshot: searching for the Private Link Center in the Azure portal]

  2. Select Private Endpoints in the left navigation, then select +Add to start creating a private endpoint for the vault.

    [Screenshot: creating a private endpoint from the Private Link Center]

  3. In the "Create Private Endpoint" experience, supply the details for the connection.

    1. Basics: fill in the basic details of the private endpoint. The region must be the same as that of the source machines.

      [Screenshot: Basics tab with project details, subscription and related fields]

    2. Resource: this tab asks for the platform-as-a-service resource you are connecting to. Select Microsoft.RecoveryServices/vaults as the Resource type in your subscription, choose your Recovery Services vault as the Resource, and set Azure Site Recovery as the Target sub-resource.

      [Screenshot: Resource tab with Resource type, Resource and Target sub-resource fields]

    3. Configuration: specify the virtual network and subnet in which the private endpoint is created; this is the virtual network the virtual machines live in. Enable integration with a private DNS zone by selecting Yes, then pick an existing DNS zone or create a new one. Selecting Yes automatically links the zone to the source virtual network and adds the DNS records needed to resolve the new private IPs and the fully qualified domain names created for the private endpoint.

      Create a new DNS zone for every new private endpoint that connects to the same vault. If you pick an existing private DNS zone, its earlier CNAME records are overwritten.

      If your environment uses a hub-and-spoke model, you need only one private endpoint and one private DNS zone for the whole setup, because all your virtual networks are already peered with each other. The zone must still be linked to every virtual network whose machines have to resolve the names (or those networks must resolve through a DNS server in the hub), since peering by itself does not carry private DNS zone resolution.

      To create the private DNS zone manually instead, follow the steps in Create private DNS zones and add DNS records manually.

      [Screenshot: Configuration tab with networking and DNS integration fields]

    4. Tags: optionally add tags to the private endpoint.

    5. Review + create: once validation passes, select Create to create the private endpoint.

Once the private endpoint is created, five fully qualified domain names are added to it. These let machines in the virtual network reach all the Site Recovery microservices required in the context of the vault. Later, when you enable replication, two more fully qualified domain names are added to the same private endpoint.

The five domain names follow this pattern:

{Vault-ID}-asr-pod01-{type}-.{target-geo-code}.siterecovery.windowsazure.cn

Approve private endpoints for Site Recovery

If the user who creates the private endpoint is also the owner of the Recovery Services vault, the private endpoint is auto-approved within a few minutes. Otherwise, the vault owner must approve it before it can be used. To approve or reject a requested connection, go to Private endpoint connections under Settings on the vault page.

Before proceeding, you can open the private endpoint resource to check the connection status.

[Screenshot: the vault's Private endpoint connections page with the list of connections]

(Optional) Create private endpoints for the cache storage account

A private endpoint to Azure Storage may be used, but creating private endpoints for storage access is optional for Azure Site Recovery replication. If you do create one, the following applies:

  • You need a private endpoint for the cache/log storage account in the source virtual network.
  • You need a second private endpoint when you reprotect failed-over machines in the recovery network; it serves the new storage account created in the target region.

Note

If private endpoints are not enabled on the storage account, protection still succeeds, but replication traffic to storage is sent over public endpoints instead. If that traffic has to stay private, create the storage private endpoint and check the storage account's firewall rules accordingly.

Note

Private endpoints for storage can only be created on General Purpose v2 storage accounts. For pricing information, see Standard page blob prices.

Create the storage account with a private endpoint, and make sure you select Yes for integration with a private DNS zone, choosing an existing zone or creating a new one.

Grant required permissions to the vault

If your virtual machines use managed disks, grant the managed identity permissions only on the cache storage accounts. If they use unmanaged disks, grant them on the source, cache and target storage accounts; in that case the target storage account has to be created in advance.

Before you enable replication of the virtual machines, the vault's managed identity must hold the following role permissions, which depend on the type of storage account:

The steps below add a role assignment to one storage account at a time:

  1. Go to the storage account and open Access control (IAM) on the left side of the page.

  2. On Access control (IAM), select Add in the "Add a role assignment" box.

    [Screenshot: the storage account's Access control (IAM) page with the Add role assignment button]

  3. In the "Add a role assignment" pane, choose the role from the list above in the Role drop-down, enter the name of the vault as the principal, and select Save.

    [Screenshot: the Access control (IAM) page with the role and principal selection]

In addition to these permissions, Microsoft trusted services must be allowed through the storage firewall: go to "Firewalls and virtual networks" and, under Exceptions, select the "Allow trusted Azure services to access this storage account" checkbox.
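As an added example (not part of the docs page and not Microsoft's own script), the Azure CLI form of the portal procedure from Create a Recovery Services vault through Grant required permissions to the vault. All resource names are assumptions, as is the Private Link group id AzureSiteRecovery (the API name behind the portal's Azure Site Recovery sub-resource); STORAGE_ROLES is a parameter because the page as reproduced here does not list the roles per storage-account type. Run it with DRY_RUN=1 first to see the exact commands before anything in the subscription changes.

```shell
#!/usr/bin/env bash
# Added example, not taken from the docs page or from Microsoft: Azure CLI form of the
# portal steps "Create a Recovery Services vault" through "Grant required permissions".
# Assumptions: all resource names below; the Private Link group id "AzureSiteRecovery";
# STORAGE_ROLES, because this copy of the page does not list the roles per storage type.
# Requires: az, logged in (az login) after select_china_cloud has run.
set -eu

: "${RG:=asr-pl-rg}"
: "${LOCATION:=chinanorth2}"
: "${VAULT:=asr-pl-vault}"
: "${VNET:=source-vnet}"             # VNet the protected VMs live in
: "${SUBNET:=asr-pe-subnet}"         # needs >= 7 free IPs (5 links now, 2 more at enable-replication)
: "${PE_NAME:=asr-vault-pe}"
: "${ZONE:=privatelink.siterecovery.windowsazure.cn}"
: "${STORAGE_ROLES:=Contributor}"    # space-separated roles the vault identity needs on storage

# run: execute the command, or only print it when DRY_RUN is set, so the exact calls
# can be reviewed before the subscription is touched.
run() { if [ -n "${DRY_RUN:-}" ]; then printf '%s\n' "$*"; else "$@"; fi; }

select_china_cloud() { run az cloud set --name AzureChinaCloud; }   # *.windowsazure.cn endpoints

vault_id() {
  if [ -n "${DRY_RUN:-}" ]; then echo "<vault-resource-id>"; return; fi
  az backup vault show -g "$RG" -n "$VAULT" --query id -o tsv
}
vault_principal_id() {
  if [ -n "${DRY_RUN:-}" ]; then echo "<vault-principal-id>"; return; fi
  az backup vault show -g "$RG" -n "$VAULT" --query identity.principalId -o tsv
}
storage_id() {
  if [ -n "${DRY_RUN:-}" ]; then echo "<storage-id:$1>"; return; fi
  az storage account show -g "$RG" -n "$1" --query id -o tsv
}

# Steps 1-2: a brand-new vault (no protected items yet) with a system-assigned identity.
create_vault_with_identity() {
  run az backup vault create -g "$RG" -n "$VAULT" -l "$LOCATION"
  run az backup vault identity assign --system-assigned -g "$RG" -n "$VAULT"
}

# Step 3: private endpoint in the source VNet for the Site Recovery sub-resource, plus DNS
# integration: a *new* private DNS zone per endpoint (reusing one overwrites its earlier
# records), linked to the VNet, populated through a DNS zone group.
create_vault_private_endpoint() {
  run az network private-endpoint create -g "$RG" -n "$PE_NAME" -l "$LOCATION" \
    --vnet-name "$VNET" --subnet "$SUBNET" \
    --private-connection-resource-id "$(vault_id)" \
    --group-id AzureSiteRecovery --connection-name "${PE_NAME}-conn"
  run az network private-dns zone create -g "$RG" -n "$ZONE"
  run az network private-dns link vnet create -g "$RG" -z "$ZONE" -n "${VNET}-link" \
    --virtual-network "$VNET" --registration-enabled false
  run az network private-endpoint dns-zone-group create -g "$RG" --endpoint-name "$PE_NAME" \
    -n default --private-dns-zone "$ZONE" --zone-name siterecovery
}

# Step 4: if the creator is not the vault owner, the owner approves the connection.
list_pending_connections() {
  run az network private-endpoint-connection list -g "$RG" -n "$VAULT" \
    --type Microsoft.RecoveryServices/vaults -o table
}
approve_connection() {   # $1 = connection name from the list above
  run az network private-endpoint-connection approve -g "$RG" --resource-name "$VAULT" \
    --type Microsoft.RecoveryServices/vaults -n "$1" --description "Approved for ASR replication"
}

# Step 5: managed disks -> only the cache account(s); unmanaged disks -> source, cache and
# target accounts (create the target account first). Also sets the trusted-services
# exception; the account's default network action is left as you configured it.
grant_storage_access() {   # $@ = storage account names
  local pid sa role
  pid="$(vault_principal_id)"
  for sa in "$@"; do
    for role in $STORAGE_ROLES; do
      run az role assignment create --assignee-object-id "$pid" \
        --assignee-principal-type ServicePrincipal --role "$role" --scope "$(storage_id "$sa")"
    done
    run az storage account update -g "$RG" -n "$sa" --bypass AzureServices
  done
}

if [ "${1:-}" = "all" ]; then
  select_china_cloud
  create_vault_with_identity
  create_vault_private_endpoint
  list_pending_connections
  grant_storage_access "${CACHE_SA:-asrcachesa}"
fi
```

Run the same functions a second time with the recovery-side VNET, SUBNET and PE_NAME (and a fresh ZONE name) to create the second private endpoint; the vault, identity and role assignments are created once.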

Protect your virtual machines

With all of the configuration above in place, continue by enabling replication for your virtual machines. If DNS integration was used when the private endpoints for the vault were created, every Site Recovery operation works without further steps. If the DNS zones were created and configured manually, you must add specific DNS records to both the source and the target DNS zones after enabling replication. For details and steps, see Create private DNS zones and add DNS records manually.

Create private DNS zones and add DNS records manually

If you did not select the option to integrate with a private DNS zone when creating the private endpoint for the vault, follow the steps in this section.

Create one private DNS zone so that the mobility agent can resolve the private link fully qualified domain names to private IPs.

  1. Create a private DNS zone

    1. Search for "Private DNS zone" in the All services search bar and select "Private DNS zones" from the drop-down.

      [Screenshot: searching for Private DNS zone on the portal's create-resource page]

    2. On the "Private DNS zones" page, select +Add to start creating a new zone.

    3. On the "Create private DNS zone" page, fill in the required details. Name the zone privatelink.siterecovery.windowsazure.cn; any resource group and subscription can be used.

      [Screenshot: Basics tab of the Create private DNS zone page with project details]

    4. Continue to the Review + create tab to review and create the zone.

  2. Link the private DNS zone to your virtual network

    The zone created above must now be linked to the virtual network where your servers currently are. Link it to the target virtual network as well, in advance.

    1. Go to the private DNS zone you created and open Virtual network links on the left side of the page, then select +Add.

    2. Fill in the required details. Subscription and Virtual network must point at the virtual network where your servers exist; leave the other fields as they are.

      [Screenshot: the Add virtual network link page with link name, subscription and virtual network]

  3. Add DNS records

    After the required private DNS zones and private endpoints exist, add DNS records to the zones.

    Note

    If you use a custom private DNS zone, make sure equivalent entries are created as described below.

    This step requires an entry in the private DNS zone for every fully qualified domain name on the private endpoint.

    1. Go to the private DNS zone and open the Overview section on the left side of the page, then select +Record set to start adding records.

    2. In the "Add record set" page, add an A record for each fully qualified domain name and its private IP. The list of names and IPs is shown on the private endpoint's Overview page. In the example below, the first fully qualified domain name from the private endpoint is added as a record set in the private DNS zone.

      The names follow the pattern {Vault-ID}-asr-pod01-{type}-.{target-geo-code}.siterecovery.windowsazure.cn

      [Screenshot: adding a DNS A record for a private endpoint FQDN in the Azure portal]

      Note

      After you enable replication, two more fully qualified domain names are created on the private endpoints in both regions. Add DNS records for those as well.
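An added example (not from the docs page, not Microsoft's code) covering two checks a practitioner wants for the manual DNS procedure above and before the enable-replication step in Protect your virtual machines: from a VM in the source or recovery VNet, confirm that every Site Recovery FQDN on the private endpoint resolves to an address inside the private-endpoint subnet (an answer from outside it means the record is missing or the wrong zone is linked, and that traffic is not staying on the private link); and generate the A records for the manual zone from the private endpoint's customDnsConfigs instead of copying them by hand. The two FQDN suffix forms handled, the sample names and addresses in the test, and the az command forms are assumptions.

```shell
#!/usr/bin/env bash
# Added example, not from the docs page: (a) verifies that the Site Recovery private-link
# FQDNs resolve into the private-endpoint subnet rather than to public addresses;
# (b) turns a private endpoint's customDnsConfigs into the A records for a manually
# created privatelink.siterecovery.windowsazure.cn zone.
# Assumptions: both FQDN suffix forms below are accepted; names/IPs used in tests are constructed.
set -eu

ZONE="privatelink.siterecovery.windowsazure.cn"
PUBLIC_SUFFIX="siterecovery.windowsazure.cn"

# pl_record_name FQDN -> record-set name relative to $ZONE (handles both suffix forms)
pl_record_name() {
  local name="$1"
  name="${name%.$ZONE}"
  name="${name%.$PUBLIC_SUFFIX}"
  printf '%s\n' "$name"
}

# asr_link_type FQDN -> the {type} field of {Vault-ID}-asr-pod01-{type}-.{geo}...
asr_link_type() {
  local first="${1%%.*}"   # first label ends in "-" per the documented pattern
  first="${first%-}"
  printf '%s\n' "${first##*-asr-pod01-}"
}

ip_to_int() {
  local IFS=.
  set -- $1
  echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# ip_in_cidr IP CIDR -> success only if IP lies inside CIDR
ip_in_cidr() {
  local net="${2%/*}" prefix="${2#*/}" mask
  mask=$(( (0xFFFFFFFF << (32 - prefix)) & 0xFFFFFFFF ))
  [ $(( $(ip_to_int "$1") & mask )) -eq $(( $(ip_to_int "$net") & mask )) ]
}

# all_in_cidr CIDR IP... -> success only if there is at least one IP and all are inside CIDR
all_in_cidr() {
  local cidr="$1" ip
  shift
  [ $# -gt 0 ] || return 1     # no A record at all is a failure too
  for ip in "$@"; do ip_in_cidr "$ip" "$cidr" || return 1; done
}

# resolve_a FQDN -> IPv4 answers as the local resolver returns them (glibc getent)
resolve_a() { getent ahostsv4 "$1" | awk '{print $1}' | sort -u; }

# check_fqdns CIDR FQDN... -> one line per name; non-zero if any resolves outside CIDR
check_fqdns() {
  local cidr="$1" fqdn ips joined rc=0
  shift
  for fqdn in "$@"; do
    ips="$(resolve_a "$fqdn" || true)"
    joined="$(echo $ips)"
    if all_in_cidr "$cidr" $ips; then
      printf 'OK   %-6s %s -> %s\n' "$(asr_link_type "$fqdn")" "$fqdn" "$joined"
    else
      printf 'FAIL %-6s %s -> %s (expected inside %s)\n' \
        "$(asr_link_type "$fqdn")" "$fqdn" "${joined:-<no A record>}" "$cidr"
      rc=1
    fi
  done
  return $rc
}

# a_record_commands_from_tsv RG  (stdin: "fqdn<TAB>ip" lines) -> one az command per A record
a_record_commands_from_tsv() {
  local rg="$1" tab fqdn ip
  tab="$(printf '\t')"
  while IFS="$tab" read -r fqdn ip; do
    [ -n "$fqdn" ] || continue
    printf 'az network private-dns record-set a add-record -g %s -z %s -n %s -a %s\n' \
      "$rg" "$ZONE" "$(pl_record_name "$fqdn")" "$ip"
  done
}

# print_a_record_commands RG PE_NAME -> same, fed from the endpoint's customDnsConfigs
print_a_record_commands() {
  az network private-endpoint show -g "$1" -n "$2" \
    --query "customDnsConfigs[].[fqdn, ipAddresses[0]]" -o tsv | a_record_commands_from_tsv "$1"
}

case "${1:-}" in
  check)   shift; check_fqdns "$@" ;;              # ./asr-dns.sh check 10.0.1.0/24 <fqdn>...
  records) print_a_record_commands "$2" "$3" ;;    # ./asr-dns.sh records <rg> <pe-name>
esac
```

Run the check from a machine inside the VNet (it uses that machine's own resolver, which is the point), and run it again after enabling replication, when the two extra pairing names appear on the endpoint and also need records in the manual zone.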

Next steps

Now that private endpoints are enabled for virtual machine replication, see these other pages for related information: