Replicate on-premises machines by using private endpoints

Azure Site Recovery lets you use Azure Private Link private endpoints to replicate your on-premises machines to a virtual network in Azure, so that replication control traffic does not have to traverse the public internet. Private endpoint access to a Recovery Services vault is supported in all Azure China regions.

This article describes how to complete the following steps:

  • Create a Recovery Services vault to protect your machines.

  • Enable a managed identity for the vault, and grant it the permissions it needs on the storage accounts so that replication traffic can flow from on-premises to the Azure target locations. Managed identity access to storage is required for Private Link access to the vault.

  • Make the DNS changes that private endpoints require.

  • Create and approve private endpoints for the vault inside a virtual network.

  • Create private endpoints for the storage accounts. You can continue to allow public or firewalled access to storage if you need to; a private endpoint to storage is not required for Azure Site Recovery.

The following diagram shows the replication workflow for hybrid disaster recovery with private endpoints. You can't create private endpoints in your on-premises network. To use private links, you create an Azure virtual network (called the bypass network in this article), establish private connectivity between on-premises and the bypass network, and then create the private endpoints in the bypass network. You can choose any form of private connectivity.

Diagram showing the architecture of Azure Site Recovery with private endpoints.

Prerequisites and caveats

  • Private links are supported in Site Recovery 9.35 and later.

  • You can create private endpoints only for new Recovery Services vaults that have no items registered to them. Create the private endpoints before you add any item to the vault.

  • When you create a private endpoint for a vault, the vault is locked down: it can be reached only from networks that have a private endpoint to it.

  • Azure Active Directory doesn't currently support private endpoints, so you must allow outbound access from the secured Azure virtual network to the IP addresses and fully qualified domain names that Azure Active Directory needs in your region. Where applicable, use the AzureActiveDirectory network security group service tag and the Azure Firewall tags for Azure Active Directory to allow this access.

  • Five IP addresses are required in the bypass network where you create the private endpoint. When you create a private endpoint for the vault, Site Recovery creates five private links, one for each of the microservices it needs to reach.

  • One additional IP address is required in the bypass network for private endpoint connectivity to the cache storage account. You can use any connectivity method between on-premises and the storage account endpoint, for example the internet or Azure ExpressRoute; establishing a private link to storage is optional. Private endpoints for storage can be created only on General Purpose v2 accounts. For data transfer pricing on General Purpose v2 accounts, see Azure Page Blobs pricing.

Create and use private endpoints for site recovery

The following sections describe the steps you need to take to create and use private endpoints for site recovery in your virtual networks.

Note

Follow these steps in the order shown. If you don't, you might not be able to use private endpoints with the vault, and you might need to start over with a new vault.

Create a Recovery Services vault

A Recovery Services vault holds the replication information for your machines and is used to trigger Site Recovery operations. For information about creating a Recovery Services vault in the Azure region that you want to fail over to if there's a disaster, see Create a Recovery Services vault.

Enable the managed identity for the vault

A managed identity lets the vault access your storage accounts. Depending on your requirements, Site Recovery might need access to the target storage account and to the cache/log storage account. Managed identity access is required when you use Private Link for the vault.

  1. Go to your Recovery Services vault. Under Settings, select Identity:

    Screenshot showing the Identity settings page.

  2. Change Status to On and select Save.

    An Object ID is generated, and the vault is now registered with Azure Active Directory. This is the principal to which you grant storage permissions later in this article.

Create private endpoints for the Recovery Services vault

To protect the machines in the on-premises source network, you need one private endpoint for the vault in the bypass network. Create the private endpoint by using Private Link Center in the Azure portal.

  1. In the Azure portal search box, search for "private link". Select Private Link to go to Private Link Center:

    Screenshot showing the search for Private Link Center in the Azure portal.

  2. In the left pane, select Private endpoints. On the Private endpoints page, select Add to start creating a private endpoint for your vault:

    Screenshot showing how to create a private endpoint in Private Link Center.

  3. On the Create a private endpoint page, specify the details for the private endpoint connection.

    1. Basics. Provide the basic details for the private endpoint. Use the same region as the bypass network:

      Screenshot showing the Basics tab for creating a private endpoint.

    2. Resource. On this tab, specify the platform-as-a-service resource that the connection is for. Under Resource type for the selected subscription, select Microsoft.RecoveryServices/vaults. Under Resource, choose the name of your Recovery Services vault. Select Azure Site Recovery as the Target sub-resource.

      Screenshot showing the Resource tab for linking to a private endpoint.

    3. Configuration. On this tab, specify the bypass network and the subnet in which the private endpoint is to be created.

      Enable integration with a private DNS zone by selecting Yes, then choose an existing DNS zone or create a new one. Selecting Yes automatically links the zone to the bypass network and adds the DNS records needed to resolve the fully qualified domain names created for the private endpoint to its new private IP addresses.

      Create a new DNS zone for every new private endpoint that connects to the same vault. If you select an existing private DNS zone, its previous CNAME records are overwritten.

      If your environment uses a hub-and-spoke model, you need only one private endpoint and one private DNS zone for the entire setup, because all your virtual networks are already peered with each other.

      To create the private DNS zone manually instead, follow the steps in Create private DNS zones and add DNS records manually.

      Screenshot showing the Configuration tab for configuring a private endpoint.

    4. Tags. Optionally, add tags for the private endpoint.

    5. Review + create. When validation completes, select Create to create the private endpoint.

When the private endpoint is created, five fully qualified domain names (FQDNs) are added to it. These links let the machines in the on-premises network reach, through the bypass network, all the Site Recovery microservices required in the context of the vault. You can use the same private endpoint to protect any Azure machine in the bypass network and in all peered networks.

The five domain names follow this pattern:

{Vault-ID}-asr-pod01-{type}-.{target-geo-code}.siterecovery.windowsazure.cn

Approve private endpoints for site recovery

If you create the private endpoint and you're also the owner of the Recovery Services vault, the private endpoint is approved automatically within a few minutes. Otherwise, the owner of the vault must approve the private endpoint before you can use it. To approve or reject a requested private endpoint connection, go to Private endpoint connections under Settings on the vault page.

Before you continue, open the private endpoint resource and confirm that the connection state is Approved:

Screenshot showing the vault's Private endpoint connections page and the list of connections.

(Optional) Create private endpoints for the cache storage account

You can use a private endpoint to Azure Storage. Creating private endpoints for storage access is optional for Azure Site Recovery replication. If you do create one, you need a private endpoint for the cache/log storage account in your bypass virtual network.

Note

If private endpoints are not enabled on the storage account, protection still succeeds. However, the replication data written to the cache storage account then transits the internet to the storage account's public endpoint. Create the storage private endpoint if that data must stay on your private path as well.

Note

Private endpoints for storage can be created only on General Purpose v2 storage accounts. For pricing information, see Azure Page Blobs pricing.

Create a storage account with a private endpoint. Be sure to select Yes under Integrate with private DNS zone, and select an existing DNS zone or create a new one.

Grant required permissions to the vault

Depending on your setup, you might need one or more storage accounts in the target Azure region. Next, grant the vault's managed identity permissions on all the cache/log storage accounts that Site Recovery requires. This means the storage accounts must exist before you do this step.

Before you enable replication of virtual machines, the vault's managed identity must hold the role permissions required for the type of storage account you use. Assign the role at the scope of the individual storage account rather than at the resource group or subscription, so that the identity gets no more access than replication needs.

These steps describe how to add a role assignment to your storage account:

  1. Go to the storage account. In the left pane, select Access control (IAM).

  2. In the Add a role assignment section, select Add:

    Screenshot showing the Access control (IAM) page of a storage account.

  3. On the Add a role assignment page, in the Role list, select the role required for your storage account type. Enter the name of the vault, select it, and then select Save.

    Screenshot showing the Add a role assignment page.

After you add these permissions, allow access to trusted Azure services so that the vault can pass the storage account firewall: go to Firewalls and virtual networks and, under Exceptions, select Allow trusted Microsoft services to access this storage account. This exception matters only when the storage account restricts network access; it lets the trusted service through by using the vault's managed identity rather than opening the account to anonymous traffic.

Protect your virtual machines

After you finish the preceding tasks, continue with the setup of your on-premises infrastructure. Continue by completing one of the following tasks:

After the setup is complete, enable replication for your source machines. Don't set up the infrastructure until after the private endpoints for the vault have been created in the bypass network.

Create private DNS zones and add DNS records manually

If you didn't select the option to integrate with a private DNS zone when you created the private endpoint for the vault, follow the steps in this section.

Create one private DNS zone so that the Site Recovery provider (for Hyper-V machines) or the process server (for VMware/physical machines) can resolve the private FQDNs to private IP addresses. If these names resolve to public addresses instead, the connection is not made through the private endpoint.

  1. Create a private DNS zone.

    1. In the All services search box, search for "private DNS zone" and then select Private DNS zone in the results:

      Screenshot showing the search for Private DNS zone on the new resource page of the Azure portal.

    2. On the Private DNS zones page, select Add to start creating a new zone.

    3. On the Create private DNS zone page, enter the required details. Enter privatelink.siterecovery.windowsazure.cn as the name of the private DNS zone. You can choose any resource group and any subscription.

      Screenshot showing the Basics tab of the Create private DNS zone page.

    4. Continue to the Review + create tab to review and create the DNS zone.

  2. Link the private DNS zone to your virtual network.

    You now need to link the private DNS zone that you created to the bypass network.

    1. Go to the private DNS zone that you created in the previous step, and then select Virtual network links in the left pane. Select Add.

    2. Enter the required details. In the Subscription and Virtual network lists, select the values that correspond to the bypass network. Leave the default values in the other fields.

      Screenshot showing the Add virtual network link page.

  3. Add DNS records.

    Now that you've created the required private DNS zone and the private endpoint, add DNS records to the DNS zone.

    Note

    If you're using a custom private DNS zone, make equivalent entries, as described in the following step.

    In this step, you make an entry in the private DNS zone for each FQDN on the private endpoint.

    1. Go to your private DNS zone, and then go to the Overview section in the left pane. Select Record set to start adding records.

    2. On the Add record set page, add an A record for each fully qualified domain name and its private IP address. The list of FQDNs and IPs is on the private endpoint's Overview page. In the following screenshot, the first FQDN from the private endpoint is being added as a record set in the private DNS zone.

      These fully qualified domain names match the pattern {Vault-ID}-asr-pod01-{type}-.{target-geo-code}.siterecovery.windowsazure.cn

      Screenshot showing the Add record set page.
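The following Python script is an added example, not code from this article or from the Azure Site Recovery product. It serves both the FQDN pattern described earlier and the manual DNS step above: it reads the private endpoint's customDnsConfigs array (the shape returned by `az network private-endpoint show`), checks that every FQDN matches the documented pattern and that there are five of them, derives the record-set name to create in the privatelink.siterecovery.windowsazure.cn zone, emits the equivalent `az network private-dns record-set a add-record` commands, and compares what a process server or provider actually resolved against the endpoint's private IPs so that a name that still resolves to a public address is caught before you enable replication. The vault ID, service types, geo code, IP addresses, bypass subnet and resource group in the sample are constructed for the example.

```python
"""Check and build private DNS zone records for an Azure Site Recovery private endpoint."""
import ipaddress
import json
import re

# Zone name the article tells you to create for manual DNS integration.
PRIVATELINK_ZONE = "privatelink.siterecovery.windowsazure.cn"
PUBLIC_SUFFIX = ".siterecovery.windowsazure.cn"
# The article states that the vault's private endpoint carries five FQDNs.
EXPECTED_FQDN_COUNT = 5

# FQDN shape from the article:
#   {Vault-ID}-asr-pod01-{type}-.{target-geo-code}.siterecovery.windowsazure.cn
FQDN_PATTERN = re.compile(
    r"^(?P<vault>[a-z0-9]+)-asr-pod01-(?P<type>[a-z0-9]+)-\.(?P<geo>[a-z0-9]+)"
    + re.escape(PUBLIC_SUFFIX) + r"$"
)

# Constructed sample in the shape of the `customDnsConfigs` array returned by
# `az network private-endpoint show`. Vault ID, service types, geo code and
# addresses are invented for this example.
SAMPLE_CUSTOM_DNS_CONFIGS = json.dumps([
    {"fqdn": f"0123abcd-asr-pod01-{t}-.cne2{PUBLIC_SUFFIX}", "ipAddresses": [ip]}
    for t, ip in [("svc1", "10.20.1.4"), ("svc2", "10.20.1.5"), ("svc3", "10.20.1.6"),
                  ("svc4", "10.20.1.7"), ("svc5", "10.20.1.8")]
])


def parse_private_endpoint_dns(custom_dns_json):
    """Return {fqdn: private IP} from customDnsConfigs, rejecting any name that
    does not match the documented Site Recovery pattern or has no single IP."""
    records = {}
    for entry in json.loads(custom_dns_json):
        fqdn = entry["fqdn"].lower().rstrip(".")
        if not FQDN_PATTERN.match(fqdn):
            raise ValueError(f"unexpected FQDN on private endpoint: {fqdn}")
        ips = entry.get("ipAddresses") or []
        if len(ips) != 1:
            raise ValueError(f"expected exactly one private IP for {fqdn}, got {ips}")
        records[fqdn] = ipaddress.ip_address(ips[0])
    if len(records) != EXPECTED_FQDN_COUNT:
        raise ValueError(f"expected {EXPECTED_FQDN_COUNT} FQDNs, found {len(records)}")
    return records


def zone_record_name(fqdn):
    """Relative A-record name inside the privatelink zone: the public name minus
    its suffix, because the public name CNAMEs to the same labels under the
    privatelink zone."""
    if not fqdn.endswith(PUBLIC_SUFFIX):
        raise ValueError(f"{fqdn} is not a Site Recovery FQDN")
    return fqdn[: -len(PUBLIC_SUFFIX)]


def a_record_commands(records, resource_group):
    """Azure CLI commands that create the A records the manual DNS step calls for."""
    return [
        "az network private-dns record-set a add-record"
        f" --resource-group {resource_group}"
        f" --zone-name {PRIVATELINK_ZONE}"
        f" --record-set-name {zone_record_name(fqdn)}"
        f" --ipv4-address {ip}"
        for fqdn, ip in sorted(records.items())
    ]


def resolution_problems(expected, observed, bypass_subnet):
    """Compare what the process server or provider resolved (observed: {fqdn: ip
    string}) with the endpoint's private IPs. A missing answer, a different
    address, or an address outside the bypass subnet means that microservice
    would not be reached through the private endpoint."""
    subnet = ipaddress.ip_network(bypass_subnet)
    problems = []
    for fqdn, private_ip in expected.items():
        answer = observed.get(fqdn)
        if answer is None:
            problems.append(f"{fqdn}: no answer")
            continue
        answer_ip = ipaddress.ip_address(answer)
        if answer_ip != private_ip:
            problems.append(f"{fqdn}: resolved to {answer_ip}, expected {private_ip}")
        elif answer_ip not in subnet:
            problems.append(f"{fqdn}: {answer_ip} is outside {bypass_subnet}")
    return problems


if __name__ == "__main__":
    expected = parse_private_endpoint_dns(SAMPLE_CUSTOM_DNS_CONFIGS)
    for cmd in a_record_commands(expected, "rg-bypass"):  # resource group name is made up
        print(cmd)
    # Constructed resolver answers: one name still resolves to a public address.
    observed = {fqdn: str(ip) for fqdn, ip in expected.items()}
    observed[next(iter(observed))] = "203.0.113.10"
    for problem in resolution_problems(expected, observed, "10.20.1.0/24"):
        print("PROBLEM:", problem)
```

To use it against a real endpoint, feed it the output of `az network private-endpoint show --query customDnsConfigs` and, for the resolution check, the answers returned by nslookup on the process server or Hyper-V host, which is where resolution actually has to work.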

Next steps

Now that you've enabled private endpoints for your virtual machine replication, see these other articles for additional and related information: