Tutorial: Set up disaster recovery for Azure VMs

This tutorial shows you how to set up disaster recovery for Azure VMs using Azure Site Recovery. In this article, you learn how to:

  • Verify Azure settings and permissions
  • Prepare VMs you want to replicate
  • Create a Recovery Services vault
  • Enable VM replication

When you enable replication for a VM to set up disaster recovery, the Site Recovery Mobility service extension installs on the VM, and registers it with Azure Site Recovery. During replication, VM disk writes are sent to a cache storage account in the source region. Data is sent from there to the target region, and recovery points are generated from the data. When you fail over a VM during disaster recovery, a recovery point is used to restore the VM in the target region.

Note

Tutorials provide instructions with the simplest default settings. If you want to set up Azure VM disaster recovery with customized settings, review this article.

If you don’t have an Azure subscription, create a free account before you begin.

Prerequisites

Before you start this tutorial:

Check Azure settings

Check permissions, and settings in the target region.

Check permissions

Your Azure account needs permissions to create a Recovery Services vault, and to create VMs in the target region.

  • If you just created a free Azure subscription, you're the account admin, and no further action is needed.
  • If you aren't the admin, work with the admin to get the permissions you need.
    • Create a vault: Admin or owner permissions on the subscription.
    • Manage Site Recovery operations in the vault: The Site Recovery Contributor built-in Azure role.
    • Create Azure VMs in the target region: Either the built-in Virtual Machine Contributor role, or specific permissions to:
      • Create a VM in the selected virtual network.
      • Write to an Azure storage account.
      • Write to an Azure-managed disk.

Verify target settings

During disaster recovery, when you fail over from the source region, VMs are created in the target region.

Check that your subscription has enough resources in the target region. You need to be able to create VMs with sizes that match VMs in the source region. When you set up disaster recovery, Site Recovery picks the same size (or the closest possible size) for the target VM.

Prepare VMs

Make sure VMs have outbound connectivity, and the latest root certificates.

Set up VM connectivity

VMs that you want to replicate need outbound network connectivity.

Note

Site Recovery doesn't support using an authentication proxy to control network connectivity.

Outbound connectivity for URLs

If you're using a URL-based firewall proxy to control outbound connectivity, allow access to these URLs:

| Name | Commercial | Government | Description |
| --- | --- | --- | --- |
| Storage | *.blob.core.windows.net | *.blob.core.usgovcloudapi.net | Allows data to be written from the VM to the cache storage account in the source region. |
| Azure Active Directory | login.microsoftonline.com | login.microsoftonline.us | Provides authorization and authentication to Site Recovery service URLs. |
| Replication | *.hypervrecoverymanager.windowsazure.com | *.hypervrecoverymanager.windowsazure.com | Allows the VM to communicate with the Site Recovery service. |
| Service Bus | *.servicebus.windows.net | *.servicebus.usgovcloudapi.net | Allows the VM to write Site Recovery monitoring and diagnostics data. |

Outbound connectivity for IP address ranges

If you're using network security groups (NSGs) to control connectivity, create service-tag based NSG rules that allow outbound HTTPS (port 443) to these service tags (groups of IP addresses):

| Tag | Allow |
| --- | --- |
| Storage tag | Allows data to be written from the VM to the cache storage account. |
| Azure AD tag | Allows access to all IP addresses that correspond to Azure AD. |
| EventsHub tag | Allows access to Site Recovery monitoring. |
| AzureSiteRecovery tag | Allows access to the Site Recovery service in any region. |
| GuestAndHybridManagement tag | Use if you want to automatically upgrade the Site Recovery Mobility agent that's running on VMs enabled for replication. |

Learn more about required tags and tagging examples.
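
The following audit is an added example, not part of the original tutorial: it evaluates a set of NSG rules in priority order and reports, for each service tag in the table above, which rule decides outbound TCP 443, so that a broader deny rule shadowing or replacing a required allow is caught before replication is enabled. It assumes rule fields named as in the JSON output of `az network nsg rule list`, and assumes the tag identifiers Storage, AzureActiveDirectory, EventHub, AzureSiteRecovery and GuestAndHybridManagement for the table's labels; the sample rules and their names are constructed.

```python
# Added example: audit exported NSG rules for the outbound access Site Recovery needs.
# Tag names are the NSG service-tag identifiers assumed for the table's labels.
REQUIRED_TAGS = ["Storage", "AzureActiveDirectory", "EventHub",
                 "AzureSiteRecovery", "GuestAndHybridManagement"]

def _covers_443(rule):
    ranges = rule.get("destinationPortRanges") or [rule.get("destinationPortRange", "")]
    for r in ranges:
        lo, _, hi = r.partition("-")
        if r == "*" or (lo.isdigit() and int(lo) <= 443 <= int(hi or lo)):
            return True
    return False

def _covers_tag(rule, tag):
    # "*" and "Internet" include every service tag; CIDR and regional
    # destinations (e.g. Storage.<region>) are not evaluated here.
    dests = rule.get("destinationAddressPrefixes") or [rule.get("destinationAddressPrefix", "")]
    return any(d in ("*", "Internet", tag) for d in dests)

def audit_outbound(rules, tags=REQUIRED_TAGS):
    """Map each tag to the first rule (lowest priority number) deciding TCP/443 to it."""
    outbound = sorted((r for r in rules if r["direction"] == "Outbound"),
                      key=lambda r: r["priority"])
    verdicts = {}
    for tag in tags:
        # No custom rule matched: the platform default rule allows internet egress.
        verdicts[tag] = "Allow by default AllowInternetOutBound"
        for r in outbound:
            if (r["protocol"].lower() in ("*", "tcp")
                    and _covers_443(r) and _covers_tag(r, tag)):
                verdicts[tag] = f'{r["access"]} by {r["name"]}'
                break
    return verdicts

def make_rule(name, priority, access, dest, port="443", proto="Tcp"):
    return {"name": name, "priority": priority, "direction": "Outbound",
            "access": access, "protocol": proto,
            "destinationAddressPrefix": dest, "destinationPortRange": port}

# Constructed sample: four tags allowed, then a deny for all other internet traffic.
SAMPLE_RULES = [
    make_rule("allow-storage", 100, "Allow", "Storage"),
    make_rule("allow-aad", 110, "Allow", "AzureActiveDirectory"),
    make_rule("allow-eventhub", 120, "Allow", "EventHub"),
    make_rule("allow-asr", 130, "Allow", "AzureSiteRecovery"),
    make_rule("deny-internet", 4000, "Deny", "Internet", port="*", proto="*"),
]

if __name__ == "__main__":
    for tag, verdict in audit_outbound(SAMPLE_RULES).items():
        print(f"{tag:26} {verdict}")
```

In the sample, GuestAndHybridManagement has no allow rule and is decided by the deny rule, so automatic Mobility agent upgrades would be blocked while replication traffic is still permitted.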

Verify VM certificates

Check that the VMs have the latest root certificates. Otherwise, the VM can't be registered with Site Recovery because of security constraints.

  • Windows VMs: Install all the latest Windows updates on the VM, so that all the trusted root certificates are on the machine. In a disconnected environment, follow your standard processes for Windows Update, and certificate updates.
  • Linux VMs: Follow the guidance provided by your Linux distributor, to get the latest trusted root certificates and certificate revocation list (CRL).

Create a Recovery Services vault

Create a Recovery Services vault in any region, except in the source region from which you want to replicate VMs.

  1. Sign in to the Azure portal.

  2. In the search box, type recovery. Under Services, select Recovery Services vaults.

  3. In Recovery Services vaults, select Add.

  4. In Create Recovery Services vault > Basics, select the subscription in which to create the vault.

  5. In Resource group, select an existing resource group for the vault, or create a new one.

  6. In Vault name, specify a friendly name to identify the vault.

  7. In Region, select the Azure region in which to place the vault. Check supported regions.

  8. Select Review + create.

  9. In Review + create, select Create.

  10. Vault deployment begins. Follow progress in the notifications.

  11. After the vault is deployed, select Pin to dashboard to save it for quick reference. Select Go to resource to open the new vault.

Enable Site Recovery

In the vault settings, select Enable Site Recovery.

Enable replication

Select the source settings, and enable VM replication.

Select source settings

  1. In the vault > Site Recovery page, under Azure virtual machines, select Enable replication.

  2. In Source > Source location, select the source Azure region in which VMs are currently running.

  3. In Azure virtual machine deployment model, leave the default Resource Manager setting.

  4. In Source subscription, select the subscription in which VMs are running. You can select any subscription that's in the same Azure Active Directory (AD) tenant as the vault.

  5. In Source resource group, select the resource group containing the VMs.

  6. In Disaster recovery between availability zones, leave the default No setting.

  7. Select Next.

Select the VMs

Site Recovery retrieves the VMs associated with the selected subscription/resource group.

  1. In Virtual Machines, select the VMs you want to enable for disaster recovery.

  2. Select Next.

Review replication settings

  1. In Replication settings, review the settings. Site Recovery creates default settings/policy for the target region. For the purposes of this tutorial, we use the default settings.

  2. Select Enable replication.

  3. Track replication progress in the notifications.

  4. The VMs you enable appear on the vault > Replicated items page.

Next steps

In this tutorial, you enabled disaster recovery for an Azure VM. Now, run a drill to check that failover works as expected.