Getting Started with Azure Site Recovery: On-Premises to Azure Protection
Use Azure Site Recovery to protect virtual machines that run on Hyper-V hosts located in System Center Virtual Machine Manager (VMM) clouds. You can configure:
- On-premises to Azure protection—Replicate on-premises virtual machines located on Hyper-V host servers in VMM clouds to Azure. You configure and enable protection settings in Azure Site Recovery vaults. Virtual machine data is replicated from the on-premises Hyper-V server to Azure storage.
- On-premises to on-premises protection—Replicate virtual machines located on Hyper-V host servers in VMM clouds from one on-premises site to another. You configure and enable protection settings in Azure Site Recovery vaults. Virtual machine data is replicated from one on-premises Hyper-V server to another. Azure Site Recovery simply orchestrates the process. Learn about this scenario in Getting Started with Azure Site Recovery: On-Premises to On-Premises Protection.
About this tutorial
This tutorial is intended to help you deploy Azure Site Recovery for a quick proof-of-concept. It uses the quickest path and default settings where possible. It includes steps to:
- Set up an Azure Site Recovery vault—Get a certificate uploaded to the vault and set up on the source VMM server, and generate a vault key.
- Set up the source VMM server and Hyper-V host servers—Install the Azure Site Recovery Provider on the source VMM server, and install the Azure Recovery Services Agent on Hyper-V host servers.
- Configure the VMM clouds—Configure protection settings for clouds on the source VMM server.
- Enable virtual machines—Enable protection for virtual machines.
- Run a failover—Create a recovery plan and run a test failover.
For information about a full deployment see:
If you run into problems during this tutorial, review the wiki article Azure Site Recovery: Common Error Scenarios and Resolutions, or post your questions on the Azure Recovery Services Forum.
Before you begin
Before you start this tutorial, check the prerequisites.
- Azure account—You'll need an Azure account. If you don't have one, see Azure free trial. Get pricing information at Azure Site Recovery Manager Pricing Details.
- Certificate—You'll need to upload a management certificate (.cer) with a public key to the vault. You'll export this certificate as a .pfx file (with private key) and import it on each VMM server you want to register in the vault. For this tutorial you'll use a self-signed certificate. For a full deployment you can use a valid SSL certificate that complies with the certificate requirements described in the planning guide.
- Azure storage account—You'll need an Azure storage account to store data replicated to Azure. The account needs geo-replication enabled. It should be in the same region as the Azure Site Recovery service, and be associated with the same subscription. To learn more about setting up Azure storage, see Introduction to Microsoft Azure Storage.
- VMM server—A VMM server running on System Center 2012 R2.
- VMM clouds—At least one cloud on the VMM server. The cloud should contain:
- One or more VMM host groups
- One or more Hyper-V host servers or clusters in each host group.
- One or more virtual machines located on the source Hyper-V server in the cloud. The virtual machines should be generation 1.
Virtual machine prerequisites
- Generation—Azure only supports generation 1 virtual machines.
- For a full list of virtual machine support requirements for failover to Azure, read Prerequisites and support in the Planning guide.
After verifying the prerequisites, do the following:
Step 1: Obtain and configure certificates
Obtain and configure certificates as follows:
- Obtain a self-signed certificate for the walkthrough—Obtain a certificate using the MakeCert tool.
- Export the certificate in .pfx format—On the server on which you created the certificate, export the .cer file as a .pfx file (with the private key).
- Import the .pfx certificate to the VMM server—After export, import the .pfx file into the Personal folder of the Local Computer store on the VMM server that you want to register with the vault.
Obtain a self-signed certificate (.cer)
Create a .cer x.509 certificate that complies with all certificate requirements:
- On the computer on which you want to run MakeCert, download the latest version of the Windows SDK. You won't need to install the entire SDK.
- On the Specify Location page, select Install the Windows Software Development Kit for Windows 8.1 to this computer.
- On the Select the Features you Want to Install page, clear all options except Windows Software Development Kit.
- After the installation is complete, verify that makecert.exe appears in the folder C:\Program Files (x86)\Windows Kits\WindowsVersion\bin\x64.
- Open a command prompt (cmd.exe) with Administrator privileges and navigate to the makecert.exe folder.
- Run the following command to create your self-signed certificate. Replace CertificateName with the name you want to use for the certificate, and specify the actual expiration date of your certificate after -e:
makecert.exe -r -pe -n CN=CertificateName -ss my -sr localmachine -eku 1.3.6.1.5.5.7.3.2 -len 2048 -e 01/01/2016 CertificateName.cer
A succeeded status indicates that the certificate has been created. It's stored in the same folder as makecert.exe. You might want to move it to a more accessible location for export.
Export the certificate in .pfx format
Complete the steps in this procedure to export the .cer file in .pfx format.
- In the details pane, click the certificate you want to manage.
- On the Action menu, point to All Tasks, and then click Export. The Certificate Export Wizard appears. Click Next.
- On the Export Private Key page, click Yes to export the private key. Click Next. Note that this is only required if you want to export the private key to other servers after the installation.
- On the Export File Format page, select Personal Information Exchange – PKCS #12 (.PFX). Click Next.
- On the Password page, type and confirm the password that is used to encrypt the private key. Click Next.
- Follow the pages of the wizard to export the certificate in .pfx format.
Import the .pfx certificate to VMM servers
After export, copy the .pfx to the VMM server, and then import it. Note that if you ran MakeCert.exe on the VMM server, you don't need to import the certificate on that server.
After you complete these steps, you'll be able to choose the .cer certificate for upload when you configure the vault, and to select the .pfx certificate when you register a VMM server during Provider installation.
- Copy the private-key (.pfx) certificate files to a location on the local server.
- In the Certificates MMC snap-in select Computer account and then click Next.
- Select Local Computer, and click Finish.
- In the MMC, expand Certificates, right-click Personal, point to All Tasks, and then click Import to start the Certificate Import Wizard.
- On the File to Import page, click Browse and locate the folder that contains the .pfx certificate file that contains the certificate that you want to import. Select the appropriate file, and then click Open.
- On the Password page, in the Password box, type the password for the private key .pfx file and click Next.
- On the Certificate Store page, select Place all certificates in the following store, click Browse, select the Personal store, click OK, and then click Next. Complete the wizard.
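The export, import and verification steps above can also be scripted with the Windows PKI cmdlets. The following is an added example, not part of the original tutorial; the subject CN=CertificateName is the placeholder from the makecert command, and the C:\Temp paths and function names are assumptions.

```powershell
# Added example (not from the original tutorial). Run in an elevated Windows PowerShell session.
# Assumed names: CN=CertificateName (from the makecert command) and the C:\Temp paths.
$ClientAuthOid = '1.3.6.1.5.5.7.3.2'   # Client Authentication EKU passed to makecert via -eku

function Test-VaultCertificate {
    # Reports whether a certificate has the properties the makecert flags request.
    param([Parameter(Mandatory = $true)]
          [System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)
    $ekus = @($Cert.Extensions |
        Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] } |
        ForEach-Object { $_.EnhancedKeyUsages } |
        ForEach-Object { $_.Value })
    [pscustomobject]@{
        Thumbprint    = $Cert.Thumbprint
        HasPrivateKey = $Cert.HasPrivateKey                   # -pe, or a .pfx import
        KeySizeOk     = $Cert.PublicKey.Key.KeySize -ge 2048  # -len 2048
        ClientAuthEku = $ekus -contains $ClientAuthOid        # -eku
        NotExpired    = $Cert.NotAfter -gt (Get-Date)         # -e
    }
}

function Export-VaultPfx {
    # On the machine where makecert ran: check the certificate, then write the .pfx.
    param([string]$Subject = 'CN=CertificateName',
          [string]$PfxPath = 'C:\Temp\CertificateName.pfx',
          [Parameter(Mandatory = $true)][securestring]$Password)
    $cert = @(Get-ChildItem Cert:\LocalMachine\My | Where-Object { $_.Subject -eq $Subject })
    if ($cert.Count -ne 1) {
        throw "Expected one certificate with subject '$Subject', found $($cert.Count)."
    }
    $check = Test-VaultCertificate -Cert $cert[0]
    if (-not ($check.HasPrivateKey -and $check.KeySizeOk -and
              $check.ClientAuthEku -and $check.NotExpired)) {
        throw "Certificate $($check.Thumbprint) does not have the expected properties."
    }
    Export-PfxCertificate -Cert $cert[0] -FilePath $PfxPath -Password $Password | Out-Null
    $check
}

function Import-VaultPfx {
    # On the VMM server: import into Local Computer\Personal and re-check.
    param([string]$PfxPath = 'C:\Temp\CertificateName.pfx',
          [Parameter(Mandatory = $true)][securestring]$Password)
    # Without -Exportable the private key cannot be exported again from this server.
    $cert = Import-PfxCertificate -FilePath $PfxPath -Password $Password `
                -CertStoreLocation Cert:\LocalMachine\My
    Remove-Item -Path $PfxPath      # do not leave the private-key file on disk after import
    Test-VaultCertificate -Cert $cert
}

# Usage: the thumbprints returned on both machines should be identical.
# $pw = Read-Host -AsSecureString -Prompt 'PFX password'
# Export-VaultPfx -Password $pw      # machine where makecert ran
# Import-VaultPfx -Password $pw      # VMM server, after copying the .pfx
```

The thumbprint returned by both functions identifies the certificate whose .cer file is uploaded to the vault in Step 3.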
Step 2: Create a vault
Sign in to the Management Portal.
Expand Data Services, expand Recovery Services, and click Site Recovery Vault.
Click Create New and then click Quick Create.
In Name, enter a friendly name to identify the vault.
In Region, select the geographic region for the vault. Available geographic regions include East Asia, West Europe, West US, East US, North Europe, Southeast Asia.
Click Create vault.
Check the status bar to confirm that the vault was successfully created. The vault will be listed as Active on the main Recovery Services page.
Step 3: Configure the vault
In the Recovery Services page, click the vault to open the Quick Start page. Quick Start can also be opened at any time using the icon.
In the Setup Recovery dropdown list, select Between an on-premises site and Microsoft Azure.
To upload the certificate (.cer) to the vault, click Manage Certificate.
In the Manage Certificate dialog box, click Browse for file and select the .cer file.
To generate a key for the vault, click Get the vault key. The key is generated automatically. If you regenerate a key it overwrites the previous key. Note that you'll need this key later when you install the Azure Site Recovery Provider on the VMM server.
Step 4: Install the Azure Site Recovery Provider
On the Quick Start page, click Download Provider to obtain the latest version of the Provider installation file.
Run this file on the source VMM server.
After the Provider is installed, continue Setup to register the server in the vault.
On the Internet Connection page specify how the Provider running on the VMM server connects to the Internet. Click Next to use the default Internet connection settings configured on the server.
On the Vault Registration page, do the following:
- Select the private key (.pfx) that you imported to the VMM server.
- Select the vault in which you want to register the server.
- Specify the vault key. This is the vault key you generated earlier. Cut and paste the key value from the Quick Start page.
On the Data Encryption page, you specify whether you want to allow the option to encrypt data during replication for a specific cloud. If you select this option, an SSL certificate will be automatically generated. When you run a failover, you’ll need to select this certificate. After you enable this setting, you can enable or disable data encryption for a cloud in the Azure Site Recovery portal. For this tutorial leave the default setting and click Next.
On the VMM Server page, do the following:
- Specify a friendly name for the VMM server. This name is used to identify the server in the Azure Site Recovery console.
- Select Synchronize cloud metadata with the vault to synchronize information about VMM clouds with Azure Site Recovery vault. This action only needs to happen once on each server. If you don't want to synchronize all clouds, you can publish each cloud individually to synchronize it, before you configure cloud protection settings.
Click Register to complete the process.
After a server has been successfully registered its friendly name will be displayed on the Resources tab on the Servers page in the vault.
Step 5: Install the Azure Recovery Services Agent
Install the Azure Recovery Services agent on each Hyper-V host server located in the VMM clouds you want to protect.
On the Quick Start page, click Download Azure Site Recovery Services Agent and install on hosts, to obtain the latest version of the agent installation file.
Run the installation file on each Hyper-V host server that's located in VMM clouds you want to protect.
On the Prerequisites Check page click Next. Any missing prerequisites will be automatically installed.
On the Installation Settings page, specify where you want to install the Agent and select the cache location in which backup metadata will be installed. Then click Install.
On the Internet Connection page specify how the Provider running on the VMM server connects to the Internet. Click Next to use the default Internet connection settings configured on the server.
Step 6: Configure cloud protection settings
After VMM servers are registered, you can configure cloud protection settings. You enabled the option Synchronize cloud data with the vault when you installed the Provider so all clouds on the VMM server will appear in the Protected Items tab in the vault.
Configure protection settings as follows:
- On the Quick Start page, click Set up protection for VMM clouds.
- On the Protected Items tab, click on the cloud you want to configure and go to the Configuration tab.
- In Target, select Microsoft Azure.
- In Storage Account, select the Azure storage you want to use to store Azure virtual machines.
- Set Encrypt stored data to Off. This setting specifies whether data replicated between the on-premises site and Azure is encrypted.
- In Copy frequency leave the default setting. This value specifies how frequently data should be synchronized between source and target locations.
- In Retain recovery points for, leave the default setting. With a default value of zero only the latest recovery point for a primary virtual machine is stored on a replica host server.
- In Frequency of application-consistent snapshots, leave the default setting. This value specifies how often to create snapshots. Snapshots use Volume Shadow Copy Service (VSS) to ensure that applications are in a consistent state when the snapshot is taken. If you do set a value, make sure it's less than the number of additional recovery points you configure.
- In Replication start time, specify when initial replication of data to Azure should start. The timezone on the Hyper-V host server will be used. We recommend that you schedule the initial replication during off-peak hours.
After you save the settings a job will be created and can be monitored on the Jobs tab. All Hyper-V host servers in the VMM source cloud will be configured for replication. After saving, cloud settings can be modified on the Configure tab. To modify the target location or target storage you'll need to remove the cloud configuration, and then reconfigure the cloud. Note that if you change the storage account the change is only applied for virtual machines that are enabled for protection after the storage account has been modified. Existing virtual machines are not migrated to the new storage account.
Step 7: Configure network mapping
You can optionally enable network mapping to map source VM networks to target Azure virtual networks. If you don’t create network mappings, then only virtual machines that fail over in the same recovery plan can connect to each other in Azure. If you create a network mapping, then all virtual machines that fail over on the same network can connect to each other, irrespective of which recovery plan they belong to. In addition, if a network gateway is set up on the target Azure network, then virtual machines can connect to on-premises virtual machines. If you want to configure network mapping as part of this tutorial, see Configure network mapping in the deployment guide.
Step 8: Enable protection for virtual machines
After servers, clouds, and networks are configured correctly, you can enable protection for virtual machines in the cloud.
Before you enable protection for a virtual machine verify and update its settings if required. For example the guest operating system on the virtual machine must be Windows Server 2008 or later, or Linux. The virtual machine must be generation 1 only. For a full list of Azure Site Recovery requirements, see Prerequisites and support in the Planning guide.
In the VMM console check and update settings. You modify operating system settings for the virtual machine in the General page of the virtual machine properties. You update the operating system disk settings in the Hardware Configuration page.
- To enable protection, on the Virtual Machines tab in the cloud in which the virtual machine is located, click Enable protection and then select Add virtual machines.
- From the list of virtual machines in the cloud, select the one you want to protect.
After protection is enabled two jobs are created. The Enable Protection job runs. Then after the initial replication is completed the Finalize Protection job runs. The virtual machine is only ready for failover after these jobs have finished successfully. You can monitor progress on the Jobs tab.
Step 9: Configure and run a recovery plan
A recovery plan gathers virtual machines into groups so that they can fail over as a single unit. To create a recovery plan, do the following:
- On the Recovery Plans tab, click Create.
- On the Specify the Recovery Page Name and Target page, select the source VMM server and Azure as the target.
- On the Select Virtual Machines page, select virtual machines to add to the recovery plan. Only virtual machines with protection enabled are shown. The virtual machines are added to the recovery plan in the default group (Group 1).
- Click the check mark to create the recovery plan.
Test a failover
Recovery plans can run as part of a proactive test or planned failover, or during an unplanned failover. This walkthrough describes how to run a test failover from VMM to Azure to verify that your failover strategy is working as expected. Test failover simulates your failover and recovery mechanism in an isolated network. Note the following:
- If you want to connect to the virtual machine in Azure using Remote Desktop after the failover, enable Remote Desktop Connection on the virtual machine before you run the test failover.
- After failover you'll use a public IP address to connect to the virtual machine in Azure using Remote Desktop. If you want to do this, ensure you don't have any domain policies that prevent you from connecting to a virtual machine using a public address.
Run the failover
Run a test failover for a recovery plan as follows:
- Before you run the recovery plan you can validate the settings of virtual machines in the plan. To do this, on the properties page for the cloud, click the virtual machine. On the Source and Target Properties for Failover page, verify the settings. In particular, verify that the suggested size for the target virtual machine in Azure is correct, and that network settings are accurate. For a full list of virtual machine prerequisites, see Prerequisites and support.
- On the Recovery Plans tab, select the required recovery plan.
- To initiate the failover, click the Test Failover button.
- On the Confirm Test Failover page, select the Azure network to which your virtual machines will be connected after failover. Optionally you can select No Network. With this setting selected the virtual machines won't be connected to a network after failover.
You can follow the progress of test failover jobs on the Jobs tab. After the test failover is complete, do the following:
- Verify that the virtual machines start successfully in Azure.
- Click Notes to record and save any observations associated with the test failover.
- In addition to details on the Jobs tab, when you run a test failover for a recovery plan the process is displayed on the recovery plan details page. You can view failover steps and status, and view or create notes for the test failover.
You can use the Jobs tab and Dashboard to view and monitor the main jobs performed by the Azure Site Recovery vault, including configuring protection for a cloud, enabling and disabling protection for a virtual machine, running a failover (planned, unplanned, or test), and committing an unplanned failover.
From the Jobs tab you can view jobs, drill down into job details and errors, run job queries to retrieve jobs that match specific criteria, export jobs to Excel, and restart failed jobs.
From the Dashboard you can download the latest versions of Provider and Agent installation files, get configuration information for the vault, see the number of virtual machines that have protection managed by the vault, see recent jobs, manage the vault certificate, and resynchronize virtual machines.
For more information about interacting with jobs and the dashboard, see the Operations and Monitoring Guide.