|
| 1 | +--- |
| 2 | +title: Enable replication for encrypted Azure VMs in Azure Site Recovery |
| 3 | +description: This article describes how to configure replication for VMs with customer-managed key (CMK) enabled disks from one Azure region to another by using Site Recovery. |
| 4 | +author: mayurigupta13 |
| 5 | +manager: rochakm |
| 6 | +ms.service: site-recovery |
| 7 | +ms.topic: article |
| 8 | +ms.date: 01/10/2020 |
| 9 | +ms.author: mayg |
| 10 | + |
| 11 | +--- |
| 12 | + |
| 13 | +# Replicate machines with Customer-Managed Keys (CMK) enabled disks |
| 14 | + |
| 15 | +This article describes how to replicate Azure VMs with Customer-Managed Keys (CMK) enabled managed disks, from one Azure region to another. |
| 16 | + |
| 17 | +## Prerequisite |
| 18 | +You must create the Disk Encryption set(s) in the target region for the target subscription before enabling replication for your virtual machines that have CMK-enabled managed disks. |
| 19 | + |
| 20 | +## Enable replication |
| 21 | + |
| 22 | +For this example, the primary Azure region is East Asia, and the secondary region is South East Asia. |
| 23 | + |
| 24 | +1. In the vault, select **+Replicate**. |
| 25 | +2. Note the following fields. |
| 26 | + - **Source**: The point of origin of the VMs, which in this case is **Azure**. |
| 27 | + - **Source location**: The Azure region where you want to protect your virtual machines. For this example, the source location is "East Asia." |
| 28 | + - **Deployment model**: The Azure deployment model of the source machines. |
| 29 | + - **Source subscription**: The subscription to which your source virtual machines belong. It can be any subscription that's in the same Azure Active Directory tenant as your recovery services vault. |
| 30 | + - **Resource Group**: The resource group to which your source virtual machines belong. All the VMs in the selected resource group are listed for protection in the next step. |
| 31 | + |
| 32 | +3. In **Virtual Machines** > **Select virtual machines**, select each VM that you want to replicate. You can only select machines for which replication can be enabled. Then, select **OK**. |
| 33 | + |
| 34 | +4. In **Settings**, you can configure the following target-site settings. |
| 35 | + |
| 36 | + - **Target location**: The location where your source virtual machine data will be replicated. Site Recovery provides a list of suitable target regions based on the selected machine's location. We recommend that you use the same location as the Recovery Services vault's location. |
| 37 | + - **Target subscription**: The target subscription that's used for disaster recovery. By default, the target subscription is the same as the source subscription. |
| 38 | + - **Target resource group**: The resource group to which all your replicated virtual machines belong. By default, Site Recovery creates a new resource group in the target region. The name gets the `asr` suffix. If a resource group already exists that was created by Azure Site Recovery, it's reused. You can also choose to customize it, as shown in the following section. The location of the target resource group can be any Azure region except the region where the source virtual machines are hosted. |
| 39 | + - **Target virtual network**: By default, Site Recovery creates a new virtual network in the target region. The name gets the `asr` suffix. It's mapped to your source network and used for any future protection. [Learn more](site-recovery-network-mapping-azure-to-azure.md) about network mapping. |
| 40 | + - **Target storage accounts (if your source VM doesn't use managed disks)**: By default, Site Recovery creates a new target storage account by mimicking your source VM storage configuration. If a storage account already exists, it's reused. |
| 41 | + - **Replica managed disks (if your source VM uses managed disks)**: Site Recovery creates new replica managed disks in the target region to mirror the source VM's managed disks of the same storage type (standard or premium) as the source VM's managed disks. |
| 42 | + - **Cache storage accounts**: Site Recovery needs an extra storage account called *cache storage* in the source region. All the changes on the source VMs are tracked and sent to the cache storage account. They're then replicated to the target location. |
| 43 | + - **Availability set**: By default, Site Recovery creates a new availability set in the target region. The name has the `asr` suffix. If an availability set that was created by Site Recovery already exists, it's reused. |
| 44 | + - **Disk encryption sets (DES)**: Site Recovery needs the disk encryption set(s) to be used for replica and target managed disks. You must pre-create DES in the target subscription and the target region before enabling the replication. By default, a DES is not selected. You must click on ‘Customize’ to choose a DES per source disk. |
| 45 | + - **Replication policy**: Defines the settings for recovery point retention history and app-consistent snapshot frequency. By default, Site Recovery creates a new replication policy with default settings of *24 hours* for recovery point retention and *60 minutes* for app-consistent snapshot frequency. |
| 46 | + |
| 47 | +  |
| 48 | + |
| 49 | +## Customize target resources |
| 50 | + |
| 51 | +Follow these steps to modify the Site Recovery default target settings. |
| 52 | + |
| 53 | +1. Select **Customize** next to "Target subscription" to modify the default target subscription. Select the subscription from the list of subscriptions that are available in the Azure AD tenant. |
| 54 | + |
| 55 | +2. Select **Customize** next to "Resource group, Network, Storage, and Availability sets" to modify the following default settings: |
| 56 | + - For **Target resource group**, select the resource group from the list of resource groups in the target location of the subscription. |
| 57 | + - For **Target virtual network**, select the network from a list of virtual networks in the target location. |
| 58 | + - For **Availability set**, you can add availability set settings to the VM, if they're part of an availability set in the source region. |
| 59 | + - For **Target Storage accounts**, select the account to use. |
| 60 | + |
| 61 | +3. Select **Customize** next to "Storage encryption settings" to select the target DES for every customer-managed key (CMK) enabled source managed disk. At the time of selection, you will also be able to see which target key vault the DES is associated with. |
| 62 | + |
| 63 | +4. Select **Create target resource** > **Enable Replication**. |
| 64 | +5. After the VMs are enabled for replication, you can check the VMs' health status under **Replicated items**. |
| 65 | + |
| 66 | + |
| 67 | + |
| 68 | +>[!NOTE] |
| 69 | +>During initial replication, the status might take some time to refresh, without apparent progress. Click **Refresh** to get the latest status. |
| 70 | +
|
| 71 | +## FAQs |
| 72 | + |
| 73 | +* I have enabled CMK on an existing replicated item, how can I ensure that CMK is applied on the target region as well? |
| 74 | + |
| 75 | + You can find out the name of the replica managed disk (created by Azure Site Recovery in the target region) and attach DES to this replica disk. However, you will not be able to see the DES details in the Disks blade once you attach it. Alternatively, you can choose to disable the replication of the VM and enable it again. It will ensure you see DES and key vault details in the Disks blade for the replicated item. |
| 76 | + |
| 77 | +* I have added a new CMK enabled disk to the replicated item. How can I replicate this disk with Azure Site Recovery? |
| 78 | + |
| 79 | + Addition of a new CMK enabled disk to an existing replicated item is not supported. Disable the replication and enable the replication again for the virtual machine. |
| 80 | + |
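Review bot: The Prerequisite section (line 18) understates what the rest of the page requires: line 44 says the disk encryption set(s) must be pre-created in the target subscription as well as the target region, and line 61 says each DES is associated with a target key vault, so the prerequisite should state both up front (target subscription and target region, with the associated key vault) and link to the instructions for creating a DES, otherwise readers reach the Customize step without the resources it needs. Two smaller points: line 44 uses curly quotes in "You must click on ‘Customize’" where every other step writes **Customize** in bold, so use the bold form for consistency; and the first FAQ answer (line 75) says the DES can be attached to the replica disk but its details will not be visible in the Disks blade, which leaves it unclear whether the replica disk is then actually encrypted with the CMK, so either confirm that it is or point readers to the disable/re-enable path as the recommended option.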