0 Votes
Shashank-Singh asked Shashank-Singh answered

Azure site recovery without proxy.

So I am planning to configure ASR, but my requirements are below:

  1. I do not want data replication to go over the internet, hence I will use ExpressRoute combined with private endpoints on storage and the ASR vault.

  2. I do not want to use a proxy for communication between the Configuration server and the Azure API (storage account *blobs.microsoft.com). Can I use Microsoft Peering? Or what is the other way around?

Is this possible? How does the config server communicate with the public websites of the Storage account for the handshake if there is no proxy?

Thanks


azure-site-recovery

@Shashank-Singh - Site Recovery replicates data to an Azure Storage account or replica Managed Disk on the target Azure region over a public endpoint. To use ExpressRoute for Site Recovery replication traffic, you can utilize Microsoft peering. Doc reference: https://docs.microsoft.com/en-us/azure/site-recovery/concepts-expressroute-with-site-recovery#on-premises-to-azure-replication-with-expressroute

Will get back to you on your query about not using proxy.

0 Votes

Hello Sadiq,
Is Microsoft peering a "necessity" when using ER? Can't we just use ER and private endpoints?
Thanks for the revert

0 Votes
0 Votes
Shashank-Singh answered

I am posting this as an answer because the answer given by Sadiq is not "completely" true.

  1. If you are using ExpressRoute and private endpoints and keeping the PS/CS server on-premises, YOU WILL NEED A PROXY, unless you have a direct internet connection from your machine to Azure, which is highly unlikely.

  2. If you don't want to use a proxy, keep the PS/CS server in Azure. Make sure you have connectivity from on-premises to Azure.

The rest is covered in MS Books Online.



1 Vote
SadiqhAhmed-MSFT answered Shashank-Singh commented

@Shashank-Singh - You can use private endpoints for both storage and for the Recovery Services vault. That way you can use the private peering path in ExpressRoute for everything.

If you enable private endpoints on both the storage and the vault, then all traffic is routed across the private peering path of the ExpressRoute circuit to a private IP address created by the private endpoint. Private endpoints allow you to create a private IP address within an Azure VNet that allows you to connect to Azure PaaS objects across private network IPs.

It is very basic and missing some components (like DNS), but see the graphic below. The left-side box is the on-premises network at 10.0.0.0/16 with an ExpressRoute connection in place and only the private peering path enabled. It is connected to an Azure VNet at 10.2.0.0/16 with a subnet defined as 10.2.1.0/16. Private endpoint connections for each of the vault and a storage account allow each of those services to be assigned an IP address in the 10.2.1.x/24 range. So now the storage account and the Recovery Services vault only need a path from the 10.0.0.0/16 network on-premises to the 10.2.0.0/16 VNet in Azure, which should exist by default in the BGP routes built into ExpressRoute. No proxy is needed because you are connecting to private addresses, not public ones.

(image: 83763-image.png, network diagram described above)


If the response helped, do "Accept Answer" and up-vote it




@SadiqhAhmed-MSFT Many thanks. I had made a similar configuration, but please also clarify two more points.
1. As you said, no proxy is needed, so how would the connection from the configuration server reach the Azure APIs? Or, since we have ER and private link, is that NOT NEEDED AT ALL, and is ER with private link alone enough for both the process and configuration server to reach the storage account?
2. If the above is true, what should I put in the proxy information while installing Unified Setup? Without a proxy it would not move forward. If I select "connect directly" it would again fail and setup would not move forward.

Thanks




0 Votes

@SadiqhAhmed-MSFT Awaiting your response

0 Votes

@Shashank-Singh Sorry for the delayed response!
The access is dependent on the connectivity defined between the on-premises environment and Azure. If the CS has a default gateway that has direct access to ER, no proxy is needed.
If not, you can provide the proxy details in Unified Setup, like IP, port and authentication information (if required).

As to the exact values required, this would be dependent on the proxy server configured in the customer environment. ASR requires either direct connectivity established between the CS and ER, or, failing that, connectivity between the proxy server and ER with the CS redirecting traffic via the proxy.
Please also note that the AAD URL needs public internet access in addition to private link connectivity for ASR service endpoints.



If the response helped, do "Accept Answer" and up-vote it

2 Votes
1 Vote
SadiqhAhmed-MSFT answered Shashank-Singh commented

@Shashank-Singh I believe this statement in bold needs to be taken in the context of the preceding and following statements in the doc.

In essence, the CS needs to have connectivity to ASR endpoints.
In the case of non-PE vaults, this means the CS needs access to ASR public endpoints - https://docs.microsoft.com/en-us/azure/site-recovery/vmware-azure-deploy-configuration-server#network-requirements
In the case of PE vaults, the CS needs access to ASR private endpoints. An exception is required for AAD, where access needs to be provided via the internet: Enable replication for on-premises machines with private endpoints - Azure Site Recovery | Microsoft Docs

In both cases, ExpressRoute is allowed. For non-PE vaults only ExpressRoute with MS Peering or Public peering (deprecated) is allowed. For PE vaults, Private peering is additionally allowed.
In both cases, actual connectivity is subject to the customer topology, and access to ER directly or via proxy needs to be configured on a case-by-case basis.



If the response helped, do "Accept Answer" and up-vote it


That is clear thanks. Also a big thanks for spending time on this thread.

0 Votes
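The two answers above come down to one verifiable condition: from the configuration server, the storage and vault FQDNs must resolve to the private-endpoint addresses (the "DNS" component the diagram leaves out) and be reachable on TCP 443 over the ER private peering path, while the AAD login endpoint must still be reachable over the public internet. The script below is an added check for that condition, written for this thread and not taken from the original posts or from Microsoft's ASR tooling. It assumes the 10.2.1.0/24 private-endpoint range from the diagram, and the storage account and vault host names are placeholders you replace with your own; it runs in Windows PowerShell on the CS using only the built-in Resolve-DnsName and Test-NetConnection cmdlets.

```powershell
# Added connectivity check for an ASR configuration server (CS) behind ExpressRoute + private endpoints.
# Not part of the thread or of the ASR product; assumptions are marked below.

# Assumption: the private-endpoint subnet shown in the diagram (10.2.1.x). Adjust to your VNet.
$PrivatePrefix       = '10.2.1.0'
$PrivatePrefixLength = 24

# Placeholders: replace with your own storage account and vault private-endpoint FQDNs.
$Endpoints = @(
    @{ Name = 'Storage account (private endpoint expected)'; Host = '<storageaccount>.blob.core.windows.net'; ExpectPrivate = $true  }
    @{ Name = 'Recovery Services vault (private endpoint expected)'; Host = '<vault-private-endpoint-fqdn>'; ExpectPrivate = $true  }
    @{ Name = 'Azure AD login (public internet required)';         Host = 'login.microsoftonline.com';       ExpectPrivate = $false }
)

# Returns $true when an IPv4 address falls inside Prefix/Length.
function Test-IPInPrefix {
    param([string]$Address, [string]$Prefix, [int]$Length)
    $a = [System.Net.IPAddress]::Parse($Address).GetAddressBytes()
    $p = [System.Net.IPAddress]::Parse($Prefix).GetAddressBytes()
    if ($a.Length -ne 4 -or $p.Length -ne 4) { return $false }   # IPv6 is out of scope here
    [Array]::Reverse($a); [Array]::Reverse($p)                    # bytes are big-endian on the wire
    $aInt = [BitConverter]::ToUInt32($a, 0)
    $pInt = [BitConverter]::ToUInt32($p, 0)
    $mask = if ($Length -eq 0) { [uint32]0 } else { [uint32]((0xFFFFFFFF -shl (32 - $Length)) -band 0xFFFFFFFF) }
    return (($aInt -band $mask) -eq ($pInt -band $mask))
}

$Results = foreach ($e in $Endpoints) {
    # Step 1: what does the CS's DNS actually return? A public address for a host that should use a
    # private endpoint means the private DNS zone is not being consulted and traffic would take the public path.
    try {
        $addresses = Resolve-DnsName -Name $e.Host -Type A -ErrorAction Stop |
            Where-Object { $_.Type -eq 'A' } | Select-Object -ExpandProperty IPAddress
    } catch {
        Write-Warning "$($e.Name): DNS resolution failed for $($e.Host): $_"
        continue
    }

    foreach ($ip in $addresses) {
        $isPrivate = Test-IPInPrefix -Address $ip -Prefix $PrivatePrefix -Length $PrivatePrefixLength
        # Step 2: can the CS open TCP 443 to that address directly (i.e. without a proxy)?
        $tcp = Test-NetConnection -ComputerName $ip -Port 443 -WarningAction SilentlyContinue
        [pscustomobject]@{
            Endpoint           = $e.Name
            Host               = $e.Host
            Address            = $ip
            ViaPrivateEndpoint = $isPrivate
            AsExpected         = ($isPrivate -eq $e.ExpectPrivate)
            Tcp443Direct       = $tcp.TcpTestSucceeded
        }
    }
}

$Results | Format-Table -AutoSize

# Summary: "NeedsProxyOrPeering" is true when a required public endpoint (AAD) is not directly reachable,
# or when a host that should be private resolved to a public address.
$Problems = $Results | Where-Object { -not $_.AsExpected -or -not $_.Tcp443Direct }
if ($Problems) {
    Write-Warning "CS cannot reach all endpoints directly; fix private DNS resolution or supply proxy details in Unified Setup:"
    $Problems | Format-Table Endpoint, Address, ViaPrivateEndpoint, Tcp443Direct -AutoSize
} else {
    Write-Host "All endpoints resolve as expected and are reachable on 443 without a proxy."
}
```

Read the table the way the thread does: a storage or vault row with ViaPrivateEndpoint = False is the on-premises DNS handing back the public address, so the CS would need MS peering or a proxy for that host regardless of the private endpoint existing; an AAD row with Tcp443Direct = False while the private rows succeed is exactly the case Sadiq describes, where replication has a private path but the AAD registration step still needs an internet route, which is when you enter the proxy details in Unified Setup. Note that Test-NetConnection tests a direct socket, so on a network that only allows egress through a proxy the AAD row will show False even though the proxy route works.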