Site Recovery – VMware Cloud on AWS

You might be aware of the VMware product Site Recovery Manager (SRM); this has been VMware's core DR product for many years. With 2 main deployment models, using storage (array-based) replication or vSphere Replication, SRM provides an integrated and solid On-Premise solution.

With more and more workloads moving to the cloud, protecting business-critical workloads is as important as ever. VMware Site Recovery is the add-on service for VMware Cloud on AWS (VMC) and can be easily deployed into an SDDC.

Site Recovery can be deployed in multiple different topologies: On-Premise to VMC, VMC to VMC, as well as one-to-many or many-to-one options.

The below will focus on a VMC to VMC deployment with an AWS Direct Connect (DX) from On-Premise into the SDDCs.

Deployment steps

The deployment of Site Recovery is quick, easy and fully automated. Before you activate you should understand the licensing options that are available, which are On Demand or a Reserved Instance (1 year or 3 year). If you plan to use reserved instances you will need to create a subscription in the cloud portal before activating. If On Demand, you just need to activate the service.

Activation will deploy the required components (Site Recovery Manager and vSphere Replication Server) into the VMC MGMT resource pool. This will take around 20 minutes and will need to be done on both SDDCs.

Pricing Details – https://cloud.vmware.com/vmc-aws/pricing

Once the SRM and VR component builds are done the status should change to Active in the service add-ons tab. We then need to look at setting up a bunch of firewall rules so admins can access the management interfaces and the SDDCs can be paired and start replication.

Firewall Rules

Firewall rules can commonly be the delay when deploying a solution; they need to be right the first time to ensure project success. The below table is what a typical SDDC to SDDC Site Recovery deployment would need, as well as the networks to enable the admins to configure and manage the solution. The below is based off 2 Availability Zones in the same region (AZ1 and AZ2).

When you activate Site Recovery this creates a couple of service objects in the FW config that already have the SRM standard ports:

Networking & Security > Inventory > Services
VMware Site Recovery SRM (TCP 443,9086)
VMware Site Recovery vSphere Replication (TCP 8043,443,31031,44046)

You will also need a few user defined objects:

AZ2-SRM-VR           Recovery Site vSphere Replication Appliance
AZ2-vCenter          Recovery Site Virtual Centre
AZ2-SRM              Recovery Site Site Recovery Manager
On-Premise-Networks  Networks you need to access SRM mgmt from

The Rules:

Rule Name            | Source                                                   | Destination                          | Services                                 | Action | Logging
---------------------|----------------------------------------------------------|--------------------------------------|------------------------------------------|--------|---------
SRM-ESXi-AZ1toAZ2    | ESXi                                                     | AZ2-SRM-VR                           | Any                                      | Allow  | Disabled
SRM-VR-AZ2toAZ1      | AZ2-SRM-VR, AZ2-vCenter, AZ2-SRM                         | vSphere Replication                  | VMware Site Recovery vSphere Replication | Allow  | Disabled
SRM-AZ2toAZ1         | AZ2-SRM-VR, AZ2-vCenter, AZ2-SRM                         | Site Recovery Manager                | VMware Site Recovery SRM                 | Allow  | Disabled
SRM-VR-Access        | On-Premise-Networks                                      | vSphere Replication                  | VMware Site Recovery vSphere Replication | Allow  | Disabled
SRM-VR-AZ1toAZ2      | vSphere Replication                                      | AZ2-SRM-VR, AZ2-vCenter, AZ2-SRM     | Any                                      | Allow  | Disabled
SRM-AZ1toAZ2         | Site Recovery Manager                                    | AZ2-SRM-VR, AZ2-vCenter, AZ2-SRM     | Any                                      | Allow  | Disabled
vCenter Inbound Rule | AZ2-SRM-VR, On-Premise-Networks, AZ2-vCenter, AZ2-SRM    | vCenter                              | Any                                      | Allow  | Disabled
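The rule table above is easy to mis-transcribe into the NSX UI, and the two things a reviewer normally checks before the change window are which rules use the broad "Any" service and which rules have logging off. The Python below is an added example, not code from the original post or from VMware: it models the table as data using the group and service names exactly as listed, evaluates a flow first-match like a gateway firewall, and lints the set. The first-match semantics and the closing default Deny are assumptions of this model, as is the simplification that a flow is described by the groups its endpoints belong to.

```python
"""Model of the SDDC-to-SDDC Site Recovery firewall rules from the table above.

Added example: rules are transcribed as data, evaluated first-match (assumed,
as on an NSX gateway firewall) with an assumed default Deny at the end, and
linted for "Any" services and disabled logging.
"""
from dataclasses import dataclass

# Service objects created by Site Recovery activation (ports as listed above).
# None means "all ports" (the Any service).
SERVICES = {
    "VMware Site Recovery SRM": {443, 9086},
    "VMware Site Recovery vSphere Replication": {8043, 443, 31031, 44046},
    "Any": None,
}

# User-defined objects for the recovery site, reused by several rules.
AZ2_SRM_OBJECTS = frozenset({"AZ2-SRM-VR", "AZ2-vCenter", "AZ2-SRM"})


@dataclass(frozen=True)
class Rule:
    name: str
    sources: frozenset       # group names that may appear as the flow source
    destinations: frozenset  # group names that may appear as the flow destination
    service: str
    action: str = "Allow"
    logging: bool = False    # every rule in the table is logged "Disabled"

    def matches(self, src_groups, dst_groups, port):
        ports = SERVICES[self.service]
        return (bool(self.sources & src_groups)
                and bool(self.destinations & dst_groups)
                and (ports is None or port in ports))


# Transcription of the table, top to bottom (order matters for first-match).
RULES = [
    Rule("SRM-ESXi-AZ1toAZ2", frozenset({"ESXi"}), frozenset({"AZ2-SRM-VR"}), "Any"),
    Rule("SRM-VR-AZ2toAZ1", AZ2_SRM_OBJECTS, frozenset({"vSphere Replication"}),
         "VMware Site Recovery vSphere Replication"),
    Rule("SRM-AZ2toAZ1", AZ2_SRM_OBJECTS, frozenset({"Site Recovery Manager"}),
         "VMware Site Recovery SRM"),
    Rule("SRM-VR-Access", frozenset({"On-Premise-Networks"}),
         frozenset({"vSphere Replication"}), "VMware Site Recovery vSphere Replication"),
    Rule("SRM-VR-AZ1toAZ2", frozenset({"vSphere Replication"}), AZ2_SRM_OBJECTS, "Any"),
    Rule("SRM-AZ1toAZ2", frozenset({"Site Recovery Manager"}), AZ2_SRM_OBJECTS, "Any"),
    Rule("vCenter Inbound Rule", AZ2_SRM_OBJECTS | {"On-Premise-Networks"},
         frozenset({"vCenter"}), "Any"),
]


def evaluate(src_groups, dst_groups, port, rules=RULES):
    """Return (rule name, action) of the first matching rule, or the assumed default Deny."""
    src, dst = frozenset(src_groups), frozenset(dst_groups)
    for rule in rules:
        if rule.matches(src, dst, port):
            return rule.name, rule.action
    return "default", "Deny"


def lint(rules=RULES):
    """Flag rules that allow any service or that are not logged."""
    findings = []
    for rule in rules:
        if rule.service == "Any":
            findings.append((rule.name, "service is Any"))
        if not rule.logging:
            findings.append((rule.name, "logging disabled"))
    return findings


if __name__ == "__main__":
    # Replication from the AZ2 appliance back to AZ1 on a VR port is allowed by rule 2.
    print(evaluate({"AZ2-SRM-VR"}, {"vSphere Replication"}, 31031))
    # Admin networks only reach the VR appliance on VR ports; anything else is denied.
    print(evaluate({"On-Premise-Networks"}, {"vSphere Replication"}, 22))
    # The vCenter inbound rule uses Any, so admin networks reach vCenter on every port.
    print(evaluate({"On-Premise-Networks"}, {"vCenter"}, 22))
    for name, why in lint():
        print(f"{name}: {why}")
```

The third evaluation is the one worth pausing on: because "vCenter Inbound Rule" and the two AZ1toAZ2 rules use the "Any" service, they permit every port between those groups, so a tighter service object is an easy hardening step once pairing is confirmed working, and turning logging on for at least the On-Premise-Networks rules gives you a record of who touched the management interfaces.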

Permissions

The cloudadmin account will not have the new permissions to log in to Site Recovery; these will need to be added to a role that you intend to use for admins. Depending on the version of the SDDC this could look a little different; as an example, the below shots are from 1.8v3 and 1.10.

SDDC – 1.8v3

SDDC – 1.10

Direct Connect Traffic Flow

When an AWS DX is connected to the protection SDDC, all vmkernel-based traffic traverses the DX even if there is a route-based VPN between the SDDCs. The below diagram shows the traffic flow for replication. This is important as it could increase your network costs, as this is classed as egress traffic.
