Move Azure VMs into Availability Zones
Availability Zones in Azure help protect your applications and data from datacenter failures. Each Availability Zone is made up of one or more datacenters equipped with independent power, cooling, and networking. To ensure resiliency, there’s a minimum of three separate zones in all enabled regions. The physical separation of Availability Zones within a region helps protect applications and data from datacenter failures. With Availability Zones, Azure offers a service-level agreement (SLA) of 99.99% for uptime of virtual machines (VMs). Availability Zones are supported in select regions, as mentioned in What are Availability Zones in Azure?.
In a scenario where your VMs are deployed as single instance into a specific region, and you want to improve your availability by moving these VMs into an Availability Zone, you can do so by using Azure Site Recovery. This action can further be categorized into:
- Move single-instance VMs into Availability Zones in a target region
- Move VMs in an availability set into Availability Zones in a target region
Currently, Azure Site Recovery supports moving VMs from one region to another but doesn't support moving within a region.
Check whether the target region has support for Availability Zones. Check that your choice of source region/target region combination is supported. Make an informed decision on the target region.
Make sure that you understand the scenario architecture and components.
Review the support limitations and requirements.
Check account permissions. If you just created your free Azure account, you're the admin of your subscription. If you aren't the subscription admin, work with the admin to assign the permissions you need. To enable replication for a VM and eventually copy data to the target by using Azure Site Recovery, you must have:
Permission to create a VM in Azure resources. The Virtual Machine Contributor built-in role has these permissions, which include:
- Permission to create a VM in the selected resource group
- Permission to create a VM in the selected virtual network
- Permission to write to the selected storage account
Permission to manage Azure Site Recovery tasks. The Site Recovery Contributor role has all permissions required to manage Site Recovery actions in a Recovery Services vault.
Prepare the source VMs
Your VMs should use managed disks if you want to move them to an Availability Zone by using Site Recovery. You can convert existing Windows VMs that use unmanaged disks to use managed disks. Follow the steps at Convert a Windows virtual machine from unmanaged disks to managed disks. Ensure that the availability set is configured as managed.
Check that all the latest root certificates are present on the Azure VMs you want to move. If the latest root certificates aren't present, the data copy to the target region can't be enabled because of security constraints.
For Windows VMs, install all the latest Windows updates on the VM, so that all the trusted root certificates are on the machine. In a disconnected environment, follow the standard Windows update and certificate update processes for your organization.
For Linux VMs, follow the guidance provided by your Linux distributor to get the latest trusted root certificates and certificate revocation list on the VM.
Make sure you don't use an authentication proxy to control network connectivity for VMs that you want to move.
If the VM you're trying to move doesn't have access to the internet and uses a firewall proxy to control outbound access, check the requirements at Configure outbound network connectivity.
Identify the source networking layout and the resources you currently use for verification, including load balancers, NSGs, and public IP.
Prepare the target region
Check that your Azure subscription lets you create VMs in the target region used for disaster recovery. If necessary, contact support to enable the required quota.
Make sure your subscription has enough resources to support VMs with sizes that match your source VMs. If you use Site Recovery to copy data to the target, it picks the same size or the closest possible size for the target VM.
Create a target resource for every component identified in the source networking layout. This action ensures that after you cut over to the target region, your VMs have all the functionality and features that you had in the source.
Azure Site Recovery automatically discovers and creates a virtual network and storage account when you enable replication for the source VM. You can also pre-create these resources and assign to the VM as part of the enable replication step. But for any other resources, as mentioned later, you need to manually create them in the target region.
The following documents tell how to create the most commonly used network resources that are relevant to you, based on the source VM configuration.
For any other networking components, refer to the networking documentation.
Ensure that you use a zone-redundant load balancer in the target. You can read more at Standard Load Balancer and Availability Zones.
Manually create a non-production network in the target region if you want to test the configuration before you cut over to the target region. We recommend this approach because it causes minimal interference with the production environment.
The following steps will guide you when using Azure Site Recovery to enable replication of data to the target region, before you eventually move them into Availability Zones.
These steps are for a single VM. You can extend the same to multiple VMs. Go to the Recovery Services vault, select + Replicate, and select the relevant VMs together.
In the Azure portal, select Virtual machines, and select the VM you want to move into Availability Zones.
In Operations, select Disaster recovery.
In Configure disaster recovery > Target region, select the target region to which you'll replicate. Ensure this region supports Availability Zones.
Select Next: Advanced settings.
Choose the appropriate values for the target subscription, target VM resource group, and virtual network.
In the Availability section, choose the Availability Zone into which you want to move the VM.
Select Enable Replication. This action starts a job to enable replication for the VM.
After the replication job has finished, you can check the replication status, modify replication settings, and test the deployment.
In the VM menu, select Disaster recovery.
You can check replication health, the recovery points that have been created and the source, and target regions on the map.
Test the configuration
In the virtual machine menu, select Disaster recovery.
Select the Test Failover icon.
In Test Failover, select a recovery point to use for the failover:
- Latest processed: Fails the VM over to the latest recovery point that was processed by the Site Recovery service. The time stamp is shown. With this option, no time is spent processing data, so it provides a low recovery time objective (RTO).
- Latest app-consistent: This option fails over all VMs to the latest app-consistent recovery point. The time stamp is shown.
- Custom: Select any recovery point.
Select the test target Azure virtual network to which you want to move the Azure VMs to test the configuration.
We recommend that you use a separate Azure VM network for the test failure, and not the production network in the target region into which you want to move your VMs.
To start testing the move, select OK. To track progress, select the VM to open its properties. Or, you can select the Test Failover job in the vault name > Settings > Jobs > Site Recovery jobs.
After the failover finishes, the replica Azure VM appears in the Azure portal > Virtual Machines. Make sure that the VM is running, sized appropriately, and connected to the appropriate network.
If you want to delete the VM created as part of testing the move, select Cleanup test failover on the replicated item. In Notes, record and save any observations associated with the test.
Move to the target region and confirm
- In the virtual machine menu, select Disaster recovery.
- Select the Failover icon.
- In Failover, select Latest.
- Select Shut down machine before beginning failover. Site Recovery attempts to shut down the source VM before triggering the failover. Failover continues even if shutdown fails. You can follow the failover progress on the Jobs page.
- After the job is finished, check that the VM appears in the target Azure region as expected.
- In Replicated items, right-click the VM > Commit. This finishes the move process to the target region. Wait until the commit job is finished.
Discard the resource in the source region
Go to the VM. Select Disable Replication. This action stops the process of copying the data for the VM.
Do the preceding step to avoid getting charged for Site Recovery replication after the move. The source replication settings are cleaned up automatically. Note that the Site Recovery extension that is installed as part of the replication isn't removed and needs to be removed manually.
In this tutorial, you increased the availability of an Azure VM by moving into an availability set or Availability Zone. Now you can set disaster recovery for the moved VM.