教程:为 Azure VM 设置灾难恢复Tutorial: Set up disaster recovery for Azure VMs

本教程介绍如何使用 Azure Site Recovery 为 Azure VM 设置灾难恢复。This tutorial shows you how to set up disaster recovery for Azure VMs using Azure Site Recovery. 在本文中,学习如何:In this article, you learn how to:

  • 验证 Azure 设置和权限Verify Azure settings and permissions
  • 准备要复制的 VMPrepare VMs you want to replicate
  • 创建恢复服务保管库Create a Recovery Services vault
  • 启用 VM 复制Enable VM replication

为 VM 启用复制以设置灾难恢复时,将在 VM 上安装 Site Recovery 出行服务扩展并使用 Azure Site Recovery 注册它。When you enable replication for a VM to set up disaster recovery, the Site Recovery Mobility service extension installs on the VM, and registers it with Azure Site Recovery. 在复制过程中,系统会将 VM 磁盘写入发送到源区域中的缓存存储帐户。During replication, VM disk writes are sent to a cache storage account in the source region. 数据从那里发送到目标区域,并根据数据生成恢复点。Data is sent from there to the target region, and recovery points are generated from the data. 在灾难恢复过程中对 VM 进行故障转移时,将使用恢复点来还原目标区域中的 VM。When you fail over a VM during disaster recovery, a recovery point is used to restore the VM in the target region.


教程提供了最简单的默认设置的说明。Tutorials provide instructions with the simplest default settings. 如果要使用自定义的设置来设置 Azure VM 灾难恢复,请查看这篇文章If you want to set up Azure VM disaster recovery with customized settings, review this article.

如果没有 Azure 订阅,可在开始前创建一个试用帐户If you don't have an Azure subscription, create a trial account before you begin.


开始本教程前,请执行以下操作:Before you start this tutorial:

  • 查看支持的区域Review supported regions. 可以在同一地理位置的任意两个区域之间为 Azure VM 设置灾难恢复。You can set up disaster recovery for Azure VMs between any two regions in the same geography.
  • 需要一个或多个 Azure VM。You need one or more Azure VMs. 验证 WindowsLinux VM 是否受支持。Verify that Windows or Linux VMs are supported.
  • 查看 VM 计算存储网络要求。Review VM compute, storage, and networking requirements.
  • 本教程假定 VM 未加密。This tutorial presumes that VMs aren't encrypted. 如果要为加密的 VM 设置灾难恢复,请按照本文进行操作。If you want to set up disaster recovery for encrypted VMs, follow this article.

检查 Azure 设置Check Azure settings

检查目标区域中的权限和设置。Check permissions, and settings in the target region.

检查权限Check permissions

Azure 帐户需要某些权限才能创建恢复服务保管以及在目标区域中创建 VM。Your Azure account needs permissions to create a Recovery Services vault, and to create VMs in the target region.

  • 如果你刚刚创建了免费的 Azure 订阅,则你是帐户管理员,无需执行任何其他操作。If you just created a free Azure subscription, you're the account admin, and no further action is needed.
  • 如果你不是管理员,请联系管理员获取所需的权限。If you aren't the admin, work with the admin to get the permissions you need.
    • 创建保管库:针对订阅的管理员或所有者权限。Create a vault: Admin or owner permissions on the subscription.
    • 管理保管库中的 Site Recovery 操作:Site Recovery 参与者内置的 Azure 角色。Manage Site Recovery operations in the vault: The Site Recovery Contributor built-in Azure role.
    • 在目标区域中创建 Azure VM:内置参与者虚拟机角色或特定权限,用于:Create Azure VMs in the target region: Either the built-in Virtual Machine Contributor role, or specific permissions to:
      • 在所选虚拟网络中创建 VM。Create a VM in the selected virtual network.
      • 写入 Azure 存储帐户。Write to an Azure storage account.
      • 写入 Azure 托管磁盘。Write to an Azure-managed disk.

验证目标设置Verify target settings

在灾难恢复过程中,从源区域进行故障转移时,将在目标区域中创建 VM。During disaster recovery, when you fail over from the source region, VMs are created in the target region.

检查订阅在目标区域中是否有足够的资源。Check that your subscription has enough resources in the target region. 需要能够创建大小与源区域中的 VM 匹配的 VM。You need to be able to create VMs with sizes that match VMs in the source region. 设置灾难恢复时,Site Recovery 会为目标 VM 选择相同的大小(或尽可能接近的大小)。When you set up disaster recovery, Site Recovery picks the same size (or the closest possible size) for the target VM.

准备 VMPrepare VMs

确保 VM 具有出站连接和最新的根证书。Make sure VMs have outbound connectivity, and the latest root certificates.

设置 VM 连接Set up VM connectivity

要复制的 VM 需要出站网络连接。VMs that you want to replicate need outbound network connectivity.


Site Recovery 不支持使用身份验证代理来控制网络连接。Site Recovery doesn't support using an authentication proxy to control network connectivity.

URL 的出站连接Outbound connectivity for URLs

如果使用基于 URL 的防火墙代理来控制出站连接,请允许访问以下 URL:If you're using a URL-based firewall proxy to control outbound connectivity, allow access to these URLs:

名称Name Azure 中国世纪互联Azure China 21Vianet 说明Description
存储Storage *.blob.core.chinacloudapi.cn 允许将数据从 VM 写入源区域中的缓存存储帐户。Allows data to be written from the VM to the cache storage account in the source region.
Azure Active DirectoryAzure Active Directory login.chinacloudapi.cn 向 Site Recovery 服务 URL 提供授权和身份验证。Provides authorization and authentication to Site Recovery service URLs.
复制Replication *.hypervrecoverymanager.windowsazure.cn 允许 VM 与 Site Recovery 服务进行通信。Allows the VM to communicate with the Site Recovery service.
服务总线Service Bus *.servicebus.chinacloudapi.cn 允许 VM 写入 Site Recovery 监视和诊断数据。Allows the VM to write Site Recovery monitoring and diagnostics data.

IP 地址范围的出站连接Outbound connectivity for IP address ranges

如果使用网络安全组 (NSG) 来控制连接,请创建基于服务标记的 NSG 规则,这些规则允许这些服务标记(IP 地址组)的 HTTPS 出站连接到端口 443:If you're using network security groups (NSGs) to control connectivity, create service-tag based NSG rules that allow HTTPS outbound to port 443 for these service tags(groups of IP addresses):

标记Tag 允许Allow
存储标记Storage tag 允许将数据从 VM 写入缓存存储帐户。Allows data to be written from the VM to the cache storage account.
Azure AD 标记Azure AD tag 允许访问与 Azure AD 对应的所有 IP 地址。Allows access to all IP addresses that correspond to Azure AD.
EventsHub 标记EventsHub tag 允许访问 Site Recovery 监视。Allows access to Site Recovery monitoring.
AzureSiteRecovery 标记AzureSiteRecovery tag 允许在任何区域访问 Site Recovery 服务。Allows access to the Site Recovery service in any region.
GuestAndHybridManagement 标记GuestAndHybridManagement tag 如果要自动升级在为复制启用的 VM 上运行的 Site Recovery 移动代理,请使用此标记。Use if you want to automatically upgrade the Site Recovery Mobility agent that's running on VMs enabled for replication.

详细了解所需的标记和标记示例。Learn more about required tags and tagging examples.

验证 VM 证书Verify VM certificates

检查 VM 是否具有最新的根证书。Check that the VMs have the latest root certificates. 否则,由于安全限制,无法使用 Site Recovery 注册 VM。Otherwise, the VM can't be registered with Site Recovery because of security constraints.

  • Windows VM:在 VM 上安装所有最新的 Windows 更新,使所有受信任的根证书保留在该计算机上。Windows VMs: Install all the latest Windows updates on the VM, so that all the trusted root certificates are on the machine. 在离线环境中,请遵循 Windows 更新和证书更新的标准过程。In a disconnected environment, follow your standard processes for Windows Update, and certificate updates.
  • Linux VM:按照 Linux 分销商提供的指导,获取最新的受信任的根证书和证书吊销列表 (CRL)。Linux VMs: Follow the guidance provided by your Linux distributor, to get the latest trusted root certificates and certificate revocation list (CRL).

创建恢复服务保管库Create a Recovery Services vault

在任何区域中创建恢复服务保管库,但要从中复制 VM 的源区域除外。Create a Recovery Services vault in any region, except in the source region from which you want to replicate VMs.

  1. 登录到 Azure 门户Sign in to the Azure portal.

  2. 在搜索框中,键入“recovery”。In the search box, type recovery. 在“服务”下,选择“恢复服务保管库” 。Under Services, select Recovery Services vaults.


  3. 在“恢复服务保管库”中,选择“添加” 。In Recovery Services vaults, select Add.

  4. 在“创建恢复服务保管库” > “基础”中,选择要在其中创建保管库的订阅 。In Create Recovery Services vault > Basics, select the subscription in which to create the vault.

  5. 在“资源组”中,为保管库选择现有的资源组,或创建新的资源组。In Resource group, select an existing resource group for the vault, or create a new one.

  6. 在“保管库名称”中,指定一个易记名称以标识该保管库。In Vault name, specify a friendly name to identify the vault.

  7. 在“区域”中,选择要在其中放置保管库的 Azure 区域。In Region, select the Azure region in which to place the vault. 检查支持的区域Check supported regions.

  8. 选择“查看 + 创建”。Select Review + create.


  9. 在“查看 + 创建”中,选择“创建” 。In Review + create, select Create.

  10. 开始部署保管库。Vault deployment begins. 在通知中跟踪进度。Follow progress in the notifications.

  11. 部署保管库后,选择“固定到仪表板”以保存该保管库,以供快速参考。After the vault is deployed, select Pin to dashboard to save it for quick reference. 选择“转到资源”,打开新的保管库。Select Go to resource to open the new vault.


启用 Site RecoveryEnable Site Recovery

在保管库设置中,选择“启用 Site Recovery”。In the vault settings, select Enable Site Recovery.

选择在保管库中启用 Site Recovery

启用复制Enable replication

选择源设置,然后启用 VM 复制。Select the source settings, and enable VM replication.

选择源设置Select source settings

  1. 在保管库 >“Site Recovery”页面的“Azure 虚拟机”下,选择“启用复制” 。In the vault > Site Recovery page, under Azure virtual machines, select Enable replication.

    用于为 Azure VM 启用复制的选项

  2. 在“源”> “源位置”中,选择当前正在运行 VM 的源 Azure 区域 。In Source> Source location, select the source Azure region in which VMs are currently running.

  3. 在“Azure 虚拟机部署模型”中,保留默认的“资源管理器”设置 。In Azure virtual machine deployment model, leave the default Resource Manager setting.

  4. 在“源订阅”中,选择 VM 正在运行的订阅。In Source subscription, select the subscription in which VMs are running. 可以选择与保管库位于同一 Azure Active Directory (AD) 租户中的任何订阅。You can select any subscription that's in the same Azure Active Directory (AD) tenant as the vault.

  5. 在“源资源组”中,选择包含 VM 的资源组。In Source resource group, select the resource group containing the VMs.

  6. 在“可用性区域之间的灾难恢复”中,保留默认的“否”设置 。In Disaster recovery between availability zones, leave the default No setting.


  7. 选择“下一步”。Select Next.

选择 VMSelect the VMs

Site Recovery 检索与所选订阅/资源组关联的 VM。Site Recovery retrieves the VMs associated with the selected subscription/resource group.

  1. 在“虚拟机”中,选择要为灾难恢复启用的 VM。In Virtual Machines, select the VMs you want to enable for disaster recovery.

    用于选择 VM 进行复制的页面

  2. 选择“下一步”。Select Next.

查看复制设置Review replication settings

  1. 在“复制设置”中,查看设置。In Replication settings, review the settings. Site Recovery 会为目标区域创建默认设置/策略。Site Recovery creates default settings/policy for the target region. 出于本教程的目的,我们使用默认设置。For the purposes of this tutorial, we use the default settings.

  2. 选择“启用复制” 。Select Enable replication.


  3. 在通知中跟踪复制进度。Track replication progress in the notifications.

    在通知中跟踪进度 跟踪复制成功通知

  4. 启用的 VM 将显示在“保管库”>“复制的项”页面上。The VMs you enable appear on the vault > Replicated items page.

    “复制的项”页面上的 VM

后续步骤Next steps

在本教程中,为 Azure VM 启用了灾难恢复。In this tutorial, you enabled disaster recovery for an Azure VM. 现在,运行演练,检查故障转移是否按预期方式工作。Now, run a drill to check that failover works as expected.