Merge pull request #100735 from mayurigupta13/master

CMK and TLS 1.2

Author: PRMerger18

articles/site-recovery/azure-to-azure-support-matrix.md

@@ -2,10 +2,10 @@
 title: Support matrix for Azure VM disaster recovery with Azure Site Recovery 
 description: Summarizes support for Azure VMs disaster recovery to a secondary region with Azure Site Recovery.
 ms.topic: article
-ms.date: 12/23/2019
-
-
+ms.date: 01/10/2020
+ms.author: raynew
 ---
+
 # Support matrix for Azure VM disaster recovery between Azure regions
 
 This article summarizes support and prerequisites for disaster recovery of Azure VMs from one Azure region to another, using the [Azure Site Recovery](site-recovery-overview.md) service.
@@ -198,7 +198,7 @@ Redundancy | LRS and GRS are supported.<br/><br/> ZRS isn't supported.
 Cool and hot storage | Not supported | VM disks aren't supported on cool and hot storage
 Storage Spaces | Supported |
 Encryption at rest (SSE) | Supported | SSE is the default setting on storage accounts.	 
-Encryption at rest (CMK) | Not Supported | 	 
+Encryption at rest (CMK) | Supported | Both Software and HSM keys are supported for managed disks	 
 Azure Disk Encryption (ADE) for Windows OS | Supported for VMs with managed disks. VMs using unmanaged disks are not supported |
 Azure Disk Encryption (ADE) for Linux OS | Supported |
 Hot add	| Supported | Enabling replication for a data disk that you add to a replicated Azure VM is supported for VMs that use managed disks.

articles/site-recovery/hyper-v-azure-powershell-resource-manager.md

@@ -5,7 +5,7 @@ author: sujayt
 manager: rochakm
 ms.service: site-recovery
 ms.topic: article
-ms.date: 06/18/2019
+ms.date: 01/10/2020
 ms.author: sutalasi
 
 ---
@@ -185,7 +185,13 @@ Before you start, note that the storage account specified should be in the same
 
         Succeeded
 
-
+> [!NOTE]
+> If you wish to replicate to CMK enabled managed disks in Azure, do the following steps using Az PowerShell 3.3.0 onwards:
+>
+> 1. Enable failover to managed disks by updating VM properties
+> 2. Use the Get-AsrReplicationProtectedItem cmdlet to fetch the disk ID for each disk of the protected item
+> 3. Create a dictionary object using New-Object "System.Collections.Generic.Dictionary``2[System.String,System.String]" cmdlet to contain the mapping of disk ID to disk encryption set. These disk encryption sets are to be pre-created by you in the target region.
+> 4. Update the VM properties using Set-AsrReplicationProtectedItem cmdlet by passing the dictionary object in -DiskIdToDiskEncryptionSetMap parameter.
 
 ## Step 8: Run a test failover
 1. Run a test failover as follows:

articles/site-recovery/hyper-v-azure-support-matrix.md

@@ -5,7 +5,7 @@ author: rayne-wiselman
 manager: carmonm
 ms.service: site-recovery
 ms.topic: conceptual
-ms.date: 11/12/2019
+ms.date: 1/10/2020
 ms.author: raynew
 ---
 
@@ -126,7 +126,7 @@ Cool storage | No | No
 Hot storage| No | No
 Block blobs | No | No
 Encryption at rest (SSE)| Yes | Yes
-Encryption at rest (CMK)| No | No
+Encryption at rest (CMK) <br></br> (Only for failover to managed disks)| Yes (via PowerShell Az 3.3.0 module onwards) | Yes (via PowerShell Az 3.3.0 module onwards)
 Premium storage | Yes | Yes
 Import/export service | No | No
 Azure storage accounts with firewall enabled | Yes. For target storage and cache. | Yes. For target storage and cache.

articles/site-recovery/site-recovery-faq.md

@@ -2,7 +2,8 @@
 title: General questions about the Azure Site Recovery service
 description: This article discusses popular general questions about Azure Site Recovery.
 ms.topic: conceptual
-ms.date: 11/14/2019
+ms.date: 1/10/2020
+ms.author: raynew
 
 ---
 # General questions about Azure Site Recovery
@@ -96,7 +97,8 @@ Yes. When you create a Site Recovery vault in a region, we ensure that all metad
 ### Does Site Recovery encrypt replication?
 For virtual machines and physical servers, replicating between on-premises sites encryption-in-transit is supported. For virtual machines and physical servers replicating to Azure, both encryption-in-transit and [encryption-at-rest (in Azure)](https://docs.microsoft.com/azure/storage/storage-service-encryption) are supported.
 
-
+### How can I enforce TLS 1.2 on all on-premises Azure Site Recovery components?
+Mobility agents installed on the replicated items communicate to Process Server only on TLS 1.2. However, communication from Configuration Server to Azure and from Process Server to Azure could be on TLS 1.1 or 1.0. Please follow the [guidance](https://support.microsoft.com/en-us/help/3140245/update-to-enable-tls-1-1-and-tls-1-2-as-default-secure-protocols-in-wi) to enforce TLS 1.2 on all Configuration Servers and Process Servers set up by you.
 
 
 ## Disaster recovery

articles/site-recovery/vmware-azure-disaster-recovery-powershell.md

@@ -4,7 +4,7 @@ description: Learn how to set up replication and failover to Azure for disaster
 author: sujayt
 manager: rochakm
 ms.service: site-recovery
-ms.date: 06/30/2019
+ms.date: 01/10/2020
 ms.topic: conceptual
 ms.author: sutalasi
 
@@ -368,10 +368,14 @@ $PolicyMap  = Get-AzRecoveryServicesAsrProtectionContainerMapping -ProtectionCon
 #Get the protectable item corresponding to the virtual machine CentOSVM1
 $VM1 = Get-AzRecoveryServicesAsrProtectableItem -ProtectionContainer $ProtectionContainer -FriendlyName "CentOSVM1"
 
-# Enable replication for virtual machine CentOSVM1 using the Az.RecoveryServices module 2.0.0
+# Enable replication for virtual machine CentOSVM1 using the Az.RecoveryServices module 2.0.0 onwards to replicate to managed disks
 # The name specified for the replicated item needs to be unique within the protection container. Using a random GUID to ensure uniqueness
 $Job_EnableReplication1 = New-AzRecoveryServicesAsrReplicationProtectedItem -VMwareToAzure -ProtectableItem $VM1 -Name (New-Guid).Guid -ProtectionContainerMapping $PolicyMap -ProcessServer $ProcessServers[1] -Account $AccountHandles[2] -RecoveryResourceGroupId $ResourceGroup.ResourceId -logStorageAccountId $LogStorageAccount.Id -RecoveryAzureNetworkId $RecoveryVnet.Id -RecoveryAzureSubnetName "Subnet-1"
 
+# Alternatively, if the virtual machine CentOSVM1 has CMK enabled disks, enable replication using Az module 3.3.0 onwards as below
+# $diskID is the Disk Encryption Set ID to be used for all replica managed disks and target managed disks in the target region
+$Job_EnableReplication1 = New-AzRecoveryServicesAsrReplicationProtectedItem -VMwareToAzure -ProtectableItem $VM1 -Name (New-Guid).Guid -ProtectionContainerMapping $PolicyMap -ProcessServer $ProcessServers[1] -Account $AccountHandles[2] -RecoveryResourceGroupId $ResourceGroup.ResourceId -logStorageAccountId -DiskEncryptionSetId $diskId $LogStorageAccount.Id -RecoveryAzureNetworkId $RecoveryVnet.Id -RecoveryAzureSubnetName "Subnet-1"
+
 #Get the protectable item corresponding to the virtual machine Win2K12VM1
 $VM2 = Get-AzRecoveryServicesAsrProtectableItem -ProtectionContainer $ProtectionContainer -FriendlyName "Win2K12VM1"
 

articles/site-recovery/vmware-physical-azure-support-matrix.md

@@ -3,8 +3,8 @@ title: Support matrix for VMware/physical disaster recovery in Azure Site Recove
 description: Summarizes support for disaster recovery of VMware VMs and physical server to Azure using Azure Site Recovery.
 ms.service: site-recovery
 ms.topic: conceptual
-ms.date: 12/23/2019
-
+ms.date: 1/10/2020
+ms.author: raynew
 
 ---
 # Support matrix for disaster recovery  of VMware VMs and physical servers to Azure
@@ -222,7 +222,7 @@ Cool storage | No
 Hot storage| No
 Block blobs | No
 Encryption-at-rest (SSE)| Yes
-Encryption-at-rest (CMK)| No
+Encryption-at-rest (CMK)| Yes (via Powershell Az 3.3.0 module onwards)
 Premium storage | Yes
 Import/export service | No
 Azure Storage firewalls for VNets | Yes.<br/> Configured on target storage/cache storage account (used to store replication data).