Commit 05c6580

author
Ankita Dutta
committed
acrofix
1 parent e9b65cb commit 05c6580

File tree

2 files changed

+36
-36
lines changed

articles/site-recovery/azure-to-azure-about-networking.md

Lines changed: 15 additions & 15 deletions
@@ -8,21 +8,21 @@ ms.date: 09/11/2024
88
ms.author: ankitadutta
99
ms.custom: engagement-fy23
1010
---
11-
# About networking in Azure VM disaster recovery
11+
# About networking in Azure virtual machine disaster recovery
1212

1313

1414

15-
This article provides networking guidance for platform connectivity when you're replicating Azure VMs from one region to another, using [Azure Site Recovery](site-recovery-overview.md).
15+
This article provides networking guidance for platform connectivity when you're replicating Azure virtual machines from one region to another, using [Azure Site Recovery](site-recovery-overview.md).
1616

1717
## Before you start
1818

1919
Learn how Site Recovery provides disaster recovery for [this scenario](azure-to-azure-architecture.md).
2020

2121
## Typical network infrastructure
2222

23-
The following diagram depicts a typical Azure environment, for applications running on Azure VMs:
23+
The following diagram depicts a typical Azure environment, for applications running on Azure virtual machines:
2424

25-
![Diagram that depicts a typical Azure environment for applications running on Azure VMs.](./media/site-recovery-azure-to-azure-architecture/source-environment.png)
25+
![Diagram that depicts a typical Azure environment for applications running on Azure virtual machines.](./media/site-recovery-azure-to-azure-architecture/source-environment.png)
2626

2727
If you're using Azure ExpressRoute or a VPN connection from your on-premises network to Azure, the environment is as follows:
2828

@@ -43,24 +43,24 @@ If you're using a URL-based firewall proxy to control outbound connectivity, all
4343

4444
**URL** | **Details**
4545
--- | ---
46-
*.blob.core.windows.net | Required so that data can be written to the cache storage account in the source region from the VM. If you know all the cache storage accounts for your VMs, you can allow access to the specific storage account URLs (Ex: cache1.blob.core.windows.net and cache2.blob.core.windows.net) instead of *.blob.core.windows.net
46+
*.blob.core.windows.net | Required so that data can be written to the cache storage account in the source region from the virtual machine. If you know all the cache storage accounts for your virtual machines, you can allow access to the specific storage account URLs (Ex: cache1.blob.core.windows.net and cache2.blob.core.windows.net) instead of *.blob.core.windows.net
4747
login.microsoftonline.com | Required for authorization and authentication to the Site Recovery service URLs.
48-
*.hypervrecoverymanager.windowsazure.com | Required so that the Site Recovery service communication can occur from the VM.
49-
*.servicebus.windows.net | Required so that the Site Recovery monitoring and diagnostics data can be written from the VM.
48+
*.hypervrecoverymanager.windowsazure.com | Required so that the Site Recovery service communication can occur from the virtual machine.
49+
*.servicebus.windows.net | Required so that the Site Recovery monitoring and diagnostics data can be written from the virtual machine.
5050
*.vault.azure.net | Allows access to enable replication for ADE-enabled virtual machines via portal
5151
*.automation.ext.azure.com | Allows enabling autoupgrade of mobility agent for a replicated item via portal
5252

5353
## Outbound connectivity using Service Tags
5454

5555
Apart from controlling URLs, you can also use service tags to control connectivity. To do so, you must first create a [Network Security Group](../virtual-network/network-security-group-how-it-works.md) in Azure. Once created, you need to use our existing service tags and create an NSG rule to allow access to Azure Site Recovery services.
5656

57-
The advantages of using service tags to control connectivity, when compared to controlling connectivity using IP addresses, is that there is no hard dependency on a particular IP address to stay connected to our services. In such a scenario, if the IP address of one of our services changes, then the ongoing replication is not impacted for your machines. Whereas, a dependency on hard coded IP addresses causes the replication status to become critical and put your systems at risk. Moreover, service tags ensure better security, stability and resiliency than hard coded IP addresses.
57+
The advantages of using service tags to control connectivity, when compared to controlling connectivity using IP addresses, is that there's no hard dependency on a particular IP address to stay connected to our services. In such a scenario, if the IP address of one of our services changes, then the ongoing replication isn't impacted for your machines. Whereas, a dependency on hard coded IP addresses causes the replication status to become critical and put your systems at risk. Moreover, service tags ensure better security, stability and resiliency than hard coded IP addresses.
5858

5959
While using NSG to control outbound connectivity, these service tags need to be allowed.
6060

6161
- For the storage accounts in source region:
6262
- Create a [Storage service tag](../virtual-network/network-security-groups-overview.md#service-tags) based NSG rule for the source region.
63-
- Allow these addresses so that data can be written to the cache storage account, from the VM.
63+
- Allow these addresses so that data can be written to the cache storage account, from the virtual machine.
6464
- Create a [Microsoft Entra service tag](../virtual-network/network-security-groups-overview.md#service-tags) based NSG rule for allowing access to all IP addresses corresponding to Microsoft Entra ID
6565
- Create an EventsHub service tag-based NSG rule for the target region, allowing access to Site Recovery monitoring.
6666
- Create an Azure Site Recovery service tag-based NSG rule for allowing access to Site Recovery service in any region.
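Review bot: New line 57 still reads "The advantages of using service tags ... is that there's no hard dependency", so subject and verb disagree in a sentence this change already touches; change it to "The advantage ... is that" and hyphenate "hard-coded" in both places it appears in that paragraph. In the same hunk, context line 65 names an "EventsHub service tag"; the Azure service tag is EventHub, so a reader building the NSG rule from this text will not find a tag under the name given. Line 64 is also the only bullet in the list without a closing period.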
@@ -70,10 +70,10 @@ While using NSG to control outbound connectivity, these service tags need to be
7070

7171
## Example NSG configuration
7272

73-
This example shows how to configure NSG rules for a VM to replicate.
73+
This example shows how to configure NSG rules for a virtual machine to replicate.
7474

7575
- If you're using NSG rules to control outbound connectivity, use "Allow HTTPS outbound" rules to port:443 for all the required IP address ranges.
76-
- The example presumes that the VM source location is "East US" and the target location is "Central US".
76+
- The example presumes that the virtual machine source location is "East US" and the target location is "Central US".
7777

7878
### NSG rules - East US
7979

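Review bot: Context line 75 tells the reader to allow HTTPS outbound "for all the required IP address ranges", which sits badly with line 57 of this same file, where hard coded IP addresses are said to put replication at risk and service tags are recommended instead. Since the list is being edited anyway, consider rewording line 75 to name the required service tags as the rule destinations, and write the port as "port 443" rather than "port:443". The virtual machine substitutions on lines 73 and 76 need no change.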
@@ -103,18 +103,18 @@ These rules are required so that replication can be enabled from the target regi
103103

104104
## Network virtual appliance configuration
105105

106-
If you're using network virtual appliances (NVAs) to control outbound network traffic from VMs, the appliance might get throttled if all the replication traffic passes through the NVA. We recommend creating a network service endpoint in your virtual network for "Storage" so that the replication traffic doesn't go to the NVA.
106+
If you're using network virtual appliances (NVAs) to control outbound network traffic from virtual machines, the appliance might get throttled if all the replication traffic passes through the NVA. We recommend creating a network service endpoint in your virtual network for "Storage" so that the replication traffic doesn't go to the NVA.
107107

108108
### Create network service endpoint for Storage
109109

110110
You can create a network service endpoint in your virtual network for "Storage" so that the replication traffic doesn't leave Azure boundary.
111111

112-
- Select your Azure virtual network and click on 'Service endpoints'
112+
- Select your Azure virtual network and select **Service endpoints**.
113113

114114
![storage-endpoint](./media/azure-to-azure-about-networking/storage-service-endpoint.png)
115115

116-
- Click 'Add' and 'Add service endpoints' tab opens
117-
- Select 'Microsoft.Storage' under 'Service' and the required subnets under 'Subnets' field and click 'Add'
116+
- Select **Add** and **Add service endpoints** tab opens.
117+
- Select *Microsoft.Storage* under **Service** and the required subnets under 'Subnets' field and select **Add**.
118118

119119
>[!NOTE]
120120
>If you're using firewall enabled cache storage account or target storage account, ensure you ['Allow trusted Microsoft services'](../storage/common/storage-network-security.md). Also, ensure that you allow access to at least one subnet of source Vnet.
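Review bot: New line 117 converts most UI labels to bold but leaves 'Subnets' in single quotes and sets Microsoft.Storage in italics, so a single step now mixes three conventions; use **Subnets** to match **Service** and **Add**. New line 116, "Select **Add** and **Add service endpoints** tab opens.", drops the article and reads as if both items are selected; "Select **Add**. The **Add service endpoints** tab opens." is clearer. The NOTE on line 120 still carries 'Allow trusted Microsoft services' in single quotes and "Vnet" where the rest of the page writes "virtual network".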
Lines changed: 21 additions & 21 deletions
@@ -1,6 +1,6 @@
11
---
22
title: Map virtual networks between two regions in Azure Site Recovery
3-
description: Learn about mapping virtual networks between two Azure regions for Azure VM disaster recovery with Azure Site Recovery.
3+
description: Learn about mapping virtual networks between two Azure regions for Azure virtual machine disaster recovery with Azure Site Recovery.
44
author: ankitaduttaMSFT
55
ms.service: azure-site-recovery
66
ms.topic: how-to
@@ -28,74 +28,74 @@ Map networks as follows:
2828

2929
:::image type="content" source="./media/site-recovery-network-mapping-azure-to-azure/network-mapping1.png" alt-text="Screenshot of Create a network mapping." lightbox="./media/site-recovery-network-mapping-azure-to-azure/network-mapping1.png":::
3030

31-
3. In **Add network mapping**, select the source and target locations. In our example, the source VM is running in the East Asia region, and replicates to the Southeast Asia region.
31+
3. In **Add network mapping**, select the source and target locations. In our example, the source virtual machine is running in the East Asia region, and replicates to the Southeast Asia region.
3232

3333
:::image type="content" source="./media/site-recovery-network-mapping-azure-to-azure/network-mapping2.png" alt-text="Screenshot of Select source and target." lightbox="./media/site-recovery-network-mapping-azure-to-azure/network-mapping2.png":::
34-
3. Now create a network mapping in the opposite direction. In our example, the source will now be Southeast Asia, and the target will be East Asia.
34+
3. Now create a network mapping in the opposite direction. In our example, the source is now Southeast Asia, and the target is East Asia.
3535

3636
:::image type="content" source="./media/site-recovery-network-mapping-azure-to-azure/network-mapping3.png" alt-text="Screenshot of Add network mapping pane - Select source and target locations for the target network." lightbox="./media/site-recovery-network-mapping-azure-to-azure/network-mapping3.png":::
3737

3838

3939
## Map networks when you enable replication
4040

41-
If you haven't prepared network mapping before you configure disaster recovery for Azure VMs, you can specify a target network when you [set up and enable replication](azure-to-azure-how-to-enable-replication.md). When you do this the following happens:
41+
If you haven't prepared network mapping before you configure disaster recovery for Azure virtual machines, you can specify a target network when you [set up and enable replication](azure-to-azure-how-to-enable-replication.md). When you do this, the following happens:
4242

4343
- Based on the target you select, Site Recovery automatically creates network mappings from the source to target region, and from the target to source region.
4444
- By default, Site Recovery creates a network in the target region that's identical to the source network. Site Recovery adds **-asr** as a suffix to the name of the target network. You can customize the target network. For example, if the source network name was *contoso-vnet*, then the target network is named *contoso-vnet-asr*.
4545

46-
So, if the source network name was "contoso-vnet", then the target network name will be "contoso-vnet-asr". Source network's name will not be edited by ASR.
47-
- If network mapping has already occurred for a source network, the mapped target network will always be the default at the time of enabling replications for more VMs. You can choose to change the target virtual network by choosing other available options from the dropdown.
46+
So, if the source network name was "contoso-vnet", then the target network name is `contoso-vnet-asr`. Source network's name won't be edited by Azure Site Recovery.
47+
- If network mapping has already occurred for a source network, the mapped target network is always the default at the time of enabling replications for more virtual machines. You can choose to change the target virtual network by choosing other available options from the dropdown.
4848
- To change the default target virtual network for new replications, you need to modify the existing network mapping.
4949
- If you wish to modify a network mapping from region A to region B, ensure that you first delete the network mapping from region B to region A. After reverse mapping deletion, modify the network mapping from region A to region B and then create the relevant reverse mapping.
5050

5151
>[!NOTE]
52-
>* Modifying the network mapping only changes the defaults for new VM replications. It does not impact the target virtual network selections for existing replications.
52+
>* Modifying the network mapping only changes the defaults for new virtual machine replications. It does not impact the target virtual network selections for existing replications.
5353
>* If you wish to modify the target network for an existing replication, go to **Network** Settings of the replicated item.
5454
5555
## Specify a subnet
5656

57-
The subnet of the target VM is selected based on the name of the subnet of the source VM.
57+
The subnet of the target virtual machine is selected based on the name of the subnet of the source virtual machine.
5858

59-
- If a subnet with the same name as the source VM subnet is available in the target network, that subnet is set for the target VM.
59+
- If a subnet with the same name as the source virtual machine subnet is available in the target network, that subnet is set for the target virtual machine.
6060
- If a subnet with the same name doesn't exist in the target network, the first subnet in the alphabetical order is set as the target subnet.
61-
- You can modify the target subnet in the **Network** settings for the VM.
61+
- You can modify the target subnet in the **Network** settings for the virtual machine.
6262

6363
:::image type="content" source="./media/site-recovery-network-mapping-azure-to-azure/modify-subnet.png" alt-text="Screenshot of Network compute properties window." lightbox="./media/site-recovery-network-mapping-azure-to-azure/modify-subnet.png":::
6464

65-
## Set up IP addressing for target VMs
65+
## Set up IP addressing for target virtual machines
6666

6767
The IP address for each NIC on a target virtual machine is configured as follows:
6868

69-
- **DHCP**: If the NIC of the source VM uses DHCP, the NIC of the target VM is also set to use DHCP.
70-
- **Static IP address**: If the NIC of the source VM uses static IP addressing, the target VM NIC will also use a static IP address.
69+
- **DHCP**: If the NIC of the source virtual machine uses DHCP, the NIC of the target virtual machine is also set to use DHCP.
70+
- **Static IP address**: If the NIC of the source virtual machine uses static IP addressing, the target virtual machine NIC is also use a static IP address.
7171

7272
The same holds for the Secondary IP Configurations as well.
7373

7474
## IP address assignment during failover
7575

7676
>[!Note]
77-
>The following approach is used to assign IP address to the target VM, irrespective of the NIC settings.
77+
>The following approach is used to assign IP address to the target virtual machine, irrespective of the NIC settings.
7878
7979
**Source and target subnets** | **Details**
8080
--- | ---
81-
Same address space | IP address of the source VM NIC is set as the target VM NIC IP address.<br/><br/> If the address isn't available, the next available IP address is set as the target.
82-
Different address space | The next available IP address in the target subnet is set as the target VM NIC address.
81+
Same address space | IP address of the source virtual machine NIC is set as the target virtual machine NIC IP address.<br/><br/> If the address isn't available, the next available IP address is set as the target.
82+
Different address space | The next available IP address in the target subnet is set as the target virtual machine NIC address.
8383

8484

8585

8686
## IP address assignment during test failover
8787

8888
**Target network** | **Details**
8989
--- | ---
90-
Target network is the failover VNet | - Target IP address will be static with the same IP address. <br/><br/> - If the same IP address is already assigned, then the IP address is the next one available at the end of the subnet range. For example: If the source IP address is 10.0.0.19 and failover network uses range 10.0.0.0/24, then the next IP address assigned to the target VM is 10.0.0.254.
91-
Target network isn't the failover VNet | - Target IP address will be static with the same IP address, only if it is available in the target virtual network. <br/><br/> - If the same IP address is already assigned, then the IP address is the next one available at the end of the subnet range.<br/><br/> For example: If the source static IP address is 10.0.0.19 and failover is on a network that isn't the failover network, with the range 10.0.0.0/24, then the target static IP address will be 10.0.0.19 if available, and otherwise it will be 10.0.0.254.
90+
Target network is the failover VNet | - Target IP address is static with the same IP address. <br/><br/> - If the same IP address is already assigned, then the IP address is the next one available at the end of the subnet range. For example: If the source IP address is `10.0.0.19` and failover network uses range `10.0.0.0/24`, then the next IP address assigned to the target virtual machine is `10.0.0.254`.
91+
Target network isn't the failover VNet | - Target IP address is static with the same IP address, only if it's available in the target virtual network. <br/><br/> - If the same IP address is already assigned, then the IP address is the next one available at the end of the subnet range.<br/><br/> For example: If the source static IP address is `10.0.0.19` and failover is on a network that isn't the failover network, with the range `10.0.0.0/24`, then the target static IP address is `10.0.0.19` if available. Otherwise it is `10.0.0.254`.
9292

9393
- The failover VNet is the target network that you select when you set up disaster recovery.
94-
- We recommend that you always use a non-production network for test failover.
95-
- You can modify the target IP address in the **Network** settings of the VM.
94+
- We recommend that you always use a nonproduction network for test failover.
95+
- You can modify the target IP address in the **Network** settings of the virtual machine.
9696

9797

9898
## Next steps
9999

100-
- Review [networking guidance](./azure-to-azure-about-networking.md) for Azure VM disaster recovery.
100+
- Review [networking guidance](./azure-to-azure-about-networking.md) for Azure virtual machine disaster recovery.
101101
- [Learn more](site-recovery-retain-ip-azure-vm-failover.md) about retaining IP addresses after failover.
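Review bot: New line 70 introduces a grammar error: "the target virtual machine NIC is also use a static IP address" should be "also uses a static IP address" (the old text was "will also use"). New line 46 repeats the contoso-vnet example that context line 44 already gives, now with the source name in quotation marks and the target in code formatting while line 44 uses italics for both; drop the duplicate sentence or align the formatting. Two smaller points: the steps on lines 31 and 34 are both numbered 3, and line 52 keeps "does not" while lines 46 and 91 were moved to contractions.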
