Set up disaster recovery for Azure VMs

The Azure Site Recovery service contributes to your disaster recovery strategy by managing and orchestrating replication, failover, and failback of on-premises machines and Azure virtual machines (VMs).

This tutorial shows you how to set up disaster recovery for Azure VMs by replicating them from one Azure region to another. In this tutorial, you learn how to:

  • Create a Recovery Services vault
  • Verify target resource settings
  • Set up outbound access for VMs
  • Enable replication for a VM

Note

This article provides instructions for deploying disaster recovery with the simplest settings. If you want to learn about customized settings, review the articles under the How To section.

Prerequisites

To complete this tutorial:

Create a vault

Create the vault in any region, except the source region.

  1. Sign in to the Azure portal > Recovery Services.

  2. Click Create a resource > Monitoring + Management > Backup and Site Recovery (OMS).

  3. In Name, specify a friendly name to identify the vault. If you have more than one subscription, select the appropriate one.

  4. Create a resource group or select an existing one. Specify an Azure region. To check supported regions, see geographic availability in Azure Site Recovery Pricing Details.

  5. To quickly access the vault from the dashboard, click Pin to dashboard and then click Create.

    The new vault is added to the Dashboard under All resources, and on the main Recovery Services vaults page.

Verify target resources

  1. Verify that your Azure subscription allows you to create VMs in the target region. Contact support to enable the required quota.
  2. Make sure your subscription has enough resources to support VM sizes that match your source VMs. Site Recovery picks the same size, or the closest possible size, for the target VM.

Configure outbound network connectivity

For Site Recovery to work as expected, you need to modify outbound network connectivity from the VMs that you want to replicate.

Note

Site Recovery doesn't support using an authentication proxy to control network connectivity.

Outbound connectivity for URLs

If you're using a URL-based firewall proxy to control outbound connectivity, allow access to these URLs.

| URL | Details |
| --- | --- |
| *.blob.core.chinacloudapi.cn | Allows data to be written from the VM to the cache storage account in the source region. |
| login.chinacloudapi.cn | Provides authorization and authentication to Site Recovery service URLs. |
| *.hypervrecoverymanager.windowsazure.cn | Allows the VM to communicate with the Site Recovery service. |
| *.servicebus.chinacloudapi.cn | Allows the VM to write Site Recovery monitoring and diagnostics data. |
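
The following is an added example, not part of the original article: a check of a URL proxy allowlist against the four patterns in the table, reporting required patterns that nothing covers and entries that cover them only by being wider than needed. The allowlist contents and the function names are constructed for illustration.

```python
# Required outbound URL patterns, taken from the table above.
REQUIRED = [
    "*.blob.core.chinacloudapi.cn",
    "login.chinacloudapi.cn",
    "*.hypervrecoverymanager.windowsazure.cn",
    "*.servicebus.chinacloudapi.cn",
]

# Constructed allowlist: one entry is wider than needed, one pattern is absent.
SAMPLE_ALLOWLIST = ["*.chinacloudapi.cn", "updates.example.internal"]


def _norm(name):
    return name.lower().rstrip(".")


def covers(entry, pattern):
    """True if allowlist `entry` permits every host that `pattern` names."""
    entry, pattern = _norm(entry), _norm(pattern)
    if entry == pattern or entry == "*":
        return True
    if entry.startswith("*."):
        # "*.example.cn" permits any host ending in ".example.cn",
        # including a narrower wildcard such as "*.blob.example.cn".
        return pattern.endswith(entry[1:])
    return False


def audit_allowlist(allowlist):
    """Return (missing, over_broad) for a proxy allowlist.

    missing:    required patterns that no entry covers
    over_broad: entries that cover a required pattern only by being
                wider than the pattern itself
    """
    missing = [p for p in REQUIRED
               if not any(covers(e, p) for e in allowlist)]
    over_broad = sorted({e for e in allowlist for p in REQUIRED
                         if covers(e, p) and _norm(e) != _norm(p)})
    return missing, over_broad


if __name__ == "__main__":
    missing, over_broad = audit_allowlist(SAMPLE_ALLOWLIST)
    print("missing:", missing)
    print("over-broad:", over_broad)
```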

Outbound connectivity for IP address ranges

If you want to control outbound connectivity using IP addresses instead of URLs, allow these addresses for IP-based firewalls, proxy, or NSG rules.

If you're using NSGs, you can create storage service tag NSG rules for the source region.

Verify Azure VM certificates

Check that the VMs you want to replicate have the latest root certificates. If they don't, the VM can't be registered to Site Recovery, due to security constraints.

  • For Windows VMs, install all the latest Windows updates on the VM, so that all the trusted root certificates are on the machine. In a disconnected environment, follow the standard Windows Update and certificate update processes for your organization.
  • For Linux VMs, follow the guidance provided by your Linux distributor to get the latest trusted root certificates and certificate revocation list on the VM.

Set permissions on the account

Azure Site Recovery provides three built-in roles to control Site Recovery management operations.

  • Site Recovery Contributor - This role has all permissions required to manage Azure Site Recovery operations in a Recovery Services vault. A user with this role, however, can't create or delete a Recovery Services vault or assign access rights to other users. This role is best suited for disaster recovery administrators who can enable and manage disaster recovery for applications or entire organizations.

  • Site Recovery Operator - This role has permissions to execute and manage failover and failback operations. A user with this role can't enable or disable replication, create or delete vaults, register new infrastructure, or assign access rights to other users. This role is best suited for a disaster recovery operator who can fail over virtual machines or applications when instructed by application owners and IT administrators. After the disaster is resolved, the DR operator can reprotect and fail back the virtual machines.

  • Site Recovery Reader - This role has permissions to view all Site Recovery management operations. This role is best suited for an IT monitoring executive who can monitor the current state of protection and raise support tickets.
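
The following is an added example, not part of the original article: a least-privilege review of role assignments at vault scope, flagging principals whose role is broader than the Site Recovery role their duty calls for. The records are constructed and shaped like the JSON that `az role assignment list` returns; the duty labels and function name are hypothetical.

```python
# Breadth of access at vault scope, narrowest first. The three Site Recovery
# roles are ordered by the permissions described above; Contributor and Owner
# are Azure's general built-in roles, which exceed all three.
BREADTH = {
    "Site Recovery Reader": 1,
    "Site Recovery Operator": 2,
    "Site Recovery Contributor": 3,
    "Contributor": 4,
    "Owner": 5,
}

# Duty -> narrowest role that covers it (duty labels are hypothetical).
ROLE_FOR_DUTY = {
    "monitor": "Site Recovery Reader",
    "failover": "Site Recovery Operator",
    "manage-replication": "Site Recovery Contributor",
}

# Constructed sample data.
SAMPLE_ASSIGNMENTS = [
    {"principalName": "alice@example.com", "roleDefinitionName": "Owner"},
    {"principalName": "bob@example.com", "roleDefinitionName": "Site Recovery Operator"},
    {"principalName": "carol@example.com", "roleDefinitionName": "Site Recovery Contributor"},
    {"principalName": "dave@example.com", "roleDefinitionName": "Contributor"},
]
SAMPLE_DUTIES = {"alice@example.com": "failover", "bob@example.com": "failover",
                 "carol@example.com": "monitor"}


def over_privileged(assignments, duties):
    """Return (principal, held_role, sufficient_role) for each finding.

    sufficient_role is None when the principal has no recorded duty,
    which means the assignment needs a manual review.
    """
    findings = []
    for a in assignments:
        principal, held = a["principalName"], a["roleDefinitionName"]
        if held not in BREADTH:
            continue  # role outside the scope of this review
        duty = duties.get(principal)
        needed = ROLE_FOR_DUTY[duty] if duty else None
        if needed is None or BREADTH[held] > BREADTH[needed]:
            findings.append((principal, held, needed))
    return findings


if __name__ == "__main__":
    for finding in over_privileged(SAMPLE_ASSIGNMENTS, SAMPLE_DUTIES):
        print(finding)
```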

Learn more about Azure RBAC built-in roles.

Enable replication

Select the source

  1. In Recovery Services vaults, click the vault name > +Replicate.

  2. In Source, select Azure.

  3. In Source location, select the source Azure region where your VMs are currently running.

  4. Select the Source subscription where the virtual machines are running. This can be any subscription within the same Azure Active Directory tenant where your Recovery Services vault exists.

  5. Select the Source resource group, and click OK to save the settings.

Select the VMs

Site Recovery retrieves a list of the VMs associated with the subscription and resource group/cloud service.

  1. In Virtual Machines, select the VMs you want to replicate.
  2. Click OK.

Configure replication settings

Site Recovery creates default settings and replication policy for the target region. You can change the settings as required.

  1. Click Settings to view the target and replication settings.

  2. To override the default target settings, click Customize next to Resource group, Network, Storage and Availability.

  3. Customize target settings as summarized in the table.

    | Setting | Details |
    | --- | --- |
    | Target subscription | By default, the target subscription is the same as the source subscription. Click 'Customize' to select a different target subscription within the same Azure Active Directory tenant. |
    | Target location | The target region used for disaster recovery. We recommend that the target location matches the location of the Site Recovery vault. |
    | Target resource group | The resource group in the target region that holds Azure VMs after failover. By default, Site Recovery creates a new resource group in the target region with an "asr" suffix. The location of the target resource group can be any region except the region in which your source virtual machines are hosted. |
    | Target virtual network | The network in the target region in which VMs are located after failover. By default, Site Recovery creates a new virtual network (and subnets) in the target region with an "asr" suffix. |
    | Cache storage accounts | Site Recovery uses a storage account in the source region. Changes to source VMs are sent to this account before replication to the target location. If you are using a firewall-enabled cache storage account, make sure that you enable Allow trusted Azure services. |
    | Target storage accounts (source VM uses non-managed disks) | By default, Site Recovery creates a new storage account in the target region to mirror the source VM storage account. Enable Allow trusted Azure services if you're using a firewall-enabled cache storage account. |
    | Replica managed disks (if source VM uses managed disks) | By default, Site Recovery creates replica managed disks in the target region to mirror the source VM's managed disks with the same storage type (Standard or Premium) as the source VM's managed disk. |
    | Target availability sets | By default, Azure Site Recovery creates a new availability set in the target region, with a name that has an "asr" suffix, for VMs that are part of an availability set in the source region. If an availability set created by Azure Site Recovery already exists, it is reused. |
  4. To customize replication policy settings, click Customize next to Replication policy, and modify the settings as needed.

    | Setting | Details |
    | --- | --- |
    | Replication policy name | Policy name. |
    | Recovery point retention | By default, Site Recovery keeps recovery points for 24 hours. You can configure a value between 1 and 72 hours. |
    | App-consistent snapshot frequency | By default, Site Recovery takes an app-consistent snapshot every 4 hours. You can configure any value between 1 and 12 hours. An app-consistent snapshot is a point-in-time snapshot of the application data inside the VM. Volume Shadow Copy Service (VSS) ensures that apps on the VM are in a consistent state when the snapshot is taken. |
    | Replication group | If your application needs multi-VM consistency across VMs, you can create a replication group for those VMs. By default, the selected VMs are not part of any replication group. |
  5. In Customize, select Yes for multi-VM consistency if you want to add VMs to a new or existing replication group. Then click OK.

    Note

    • All the machines in a replication group have shared crash-consistent and app-consistent recovery points when failed over.
    • Enabling multi-VM consistency can impact workload performance (it's CPU intensive). It should be used only if machines are running the same workload, and you need consistency across multiple machines.
    • You can have a maximum of 16 VMs in a replication group.
    • If you enable multi-VM consistency, machines in the replication group communicate with each other over port 20004. Make sure there's no firewall blocking the internal communication between the VMs over this port.
    • For Linux VMs in a replication group, ensure the outbound traffic on port 20004 is manually opened in accordance with guidance for the Linux version.
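
The following is an added example, not part of the original article: it evaluates a set of NSG rules in priority order and lists the replication group members whose traffic on port 20004 a custom rule denies. The rules and addresses are constructed; it assumes one NSG applies to every VM in the group and does not model protocol or the platform's default rules.

```python
import ipaddress
from itertools import permutations

MULTI_VM_PORT = 20004  # port the replication group members use, per the note above

# Constructed NSG rules (one NSG assumed to apply to every VM in the group).
# Protocol is not modelled because the page names only the port.
SAMPLE_RULES = [
    {"priority": 100, "direction": "Outbound", "access": "Allow",
     "source": "10.0.1.0/24", "destination": "10.0.1.0/24", "port": "20004"},
    {"priority": 200, "direction": "Outbound", "access": "Deny",
     "source": "*", "destination": "*", "port": "1024-65535"},
]
SAMPLE_GROUP = ["10.0.1.4", "10.0.1.5", "10.0.2.7"]  # constructed VM addresses

def _port_match(spec, port):
    """NSG port spec: '*', a single port, or a 'low-high' range."""
    if spec == "*":
        return True
    low, _, high = spec.partition("-")
    return int(low) <= port <= int(high or low)

def _addr_match(prefix, ip):
    """NSG address spec: '*' or a CIDR prefix."""
    return prefix == "*" or ipaddress.ip_address(ip) in ipaddress.ip_network(prefix)

def first_match(rules, direction, src, dst, port):
    """Access of the matching rule with the lowest priority number, else None."""
    for r in sorted(rules, key=lambda r: r["priority"]):
        if (r["direction"] == direction and _addr_match(r["source"], src)
                and _addr_match(r["destination"], dst)
                and _port_match(r["port"], port)):
            return r["access"]
    return None  # no custom rule matched; platform default rules are not modelled

def blocked_pairs(group_ips, rules):
    """(src, dst, direction) tuples where a custom rule denies port 20004."""
    return [(s, d, direction)
            for s, d in permutations(group_ips, 2)
            for direction in ("Outbound", "Inbound")
            if first_match(rules, direction, s, d, MULTI_VM_PORT) == "Deny"]

if __name__ == "__main__":
    for pair in blocked_pairs(SAMPLE_GROUP, SAMPLE_RULES):
        print("blocked:", pair)
```

In the constructed data the allow rule covers only one subnet, so the group member in 10.0.2.0/24 is cut off from the other two by the broader deny rule.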

Configure encryption settings

If the source VM has Azure disk encryption (ADE) enabled, review the settings.

  1. Verify the settings:

    • Disk encryption key vaults: By default, Site Recovery creates a new key vault based on the source VM disk encryption keys, with an "asr" suffix. If the key vault already exists, it is reused.
    • Key encryption key vaults: By default, Site Recovery creates a new key vault in the target region. The name has an "asr" suffix, and is based on the source VM key encryption keys. If the key vault created by Site Recovery already exists, it's reused.
  2. Click Customize to select custom key vaults.

Note

Only Azure VMs running Windows operating systems and enabled for encryption with Azure AD app are currently supported by Azure Site Recovery.

Track replication status

  1. In Settings, click Refresh to get the latest status.
  2. Track progress and status as follows:
    • Track progress of the Enable protection job in Settings > Jobs > Site Recovery Jobs.
    • In Settings > Replicated Items, you can view the status of VMs and the initial replication progress. Click the VM to drill down into its settings.

Next steps

In this tutorial, you configured disaster recovery for an Azure VM. Now you can initiate a disaster recovery drill to check that failover is working as expected.