You might be aware of the VMware product Site Recovery Manager (SRM), this has been VMware’s core DR product for many years. With 2 main deployment models using storage replication or the vSphere replication SRM provides an integrated and solid on On-Premise solution.
With more and more workloads moving to the cloud protecting business-critical workloads is as important as ever. VMware Site Recovery is the add on service for VMware Cloud on AWS (VMC) and can be easily deployed into an SDDC.
Site Recovery can be deployed in multiple different typologies, On-Premise to VMC, VMC to VMC as well as one to many or many to one option.
The below will focus on a VMC to VMC deployment with an AWS Direct Connect (DX) from On-Premise into the SDDC’s.
The deployment of Site Recovery is quick and easy and fully automated. Before you activate you should understand the licensing options that are available which are On Demand or a Reserved Instance (1yr or 3Yr). If you plan to use reserved instances you will need to create a subscription in the cloud portal before activating. If On Demand you just need to activate the Service.
Activation will deploy the required components into the VMC MGMT resource pool (Sire Recovery Manager and vSphere Replication Server) this will take around 20 mins ish, this will need to be done on both SDDC’s.
Pricing Details – https://cloud.vmware.com/vmc-aws/pricing
Once the SRM and VR component builds are done the status should change to active in the service add on’s tab, we then need to look at setting up a bunch for firewall rules so admins can access the management interfaces and the SDDC’s can be paired and start replication.
Firewalls rules can commonly be the delay when deploying a solution, they need to be right the first time to ensure project success. The below table is what a typical SDDC to SDDC Site recovery would need as well as the networks to enable the admins to configure and manage the solution. The below is based off 2 Availability Zones in the same region (AZ1 and AZ2)
when you activate Site Recovery this creates a couple of services objects in the FW config that already have SRM standard ports
Networking & Security > Inventory > Services
VMware Site Recovery SRM (TCP 443,9086)
VMware Site Recovery vSphere Replication (TCP 8043,443,31031,44046)
You will also need a few user defined objects:
|AZ2-SRM-VR||Recvoery Site vSphere Repication Applicance|
|AZ2-vCenter||Revocery Site Virtual Centre|
|AZ2-SRM||Recovery Site Site Recovery Manager|
|On-Premise-Networks||Networks you need to access SRM mgmt from|
|vSphere Replication||VMware Site Recovery vSphere Replication||Allow||Disabled|
|Site Recovery Manager||VMware Site Recovery SRM||Allow||Disabled|
|SRM-VR-Access||On-Premise-Networks||vSphere Replication||VMware Site Recovery vSphere Replication||Allow||Disabled|
|SRM-AZ1toAZ2||Site Recovery Manager||AZ2-SRM-VR|
|vCenter Inbound Rule||AZ2-SRM-VR|
The cloudadmin account will not have the new permissions to login to Sire Recovery, these will need t be added to a role that you intend to use for admins. Depending on the version of the SDDC this could looks little different as example the below shots are from 1.8v3 and 1.10
SDDC – 1.8v3
SDDC – 1.10
Direct Connect Traffic Flow
When a AWS DX is connected to the protection SDDC all vmkernel based traffic traverses the DX even if there is a route based VPN between SDDC’s. The below diagram shows the traffic flow for replication. This is import as this could increase your network costs as this is classed as egress traffic.