Replicate machines with private endpoints

Azure Site Recovery allows you to use Azure Private Link private endpoints for replicating your machines from inside an isolated virtual network. Private endpoint access to a recovery vault is supported in all Azure Commercial & Government regions.

This article provides instructions for you to perform the following steps:

  • Create an Azure Backup Recovery Services vault to protect your machines.
  • Enable a managed identity for the vault and grant the required permissions to access customer storage accounts to replicate traffic from source to target locations. Managed identity access for storage is necessary when you're setting up Private Link access to the vault.
  • Make DNS changes required for private endpoints
  • Create and approve private endpoints for a vault inside a virtual network
  • Create private endpoints for the storage accounts. You can continue to allow public or firewalled access for storage as needed. Creation of a private endpoint for accessing storage isn't mandatory for Azure Site Recovery.

Below is a reference architecture on how the replication workflow changes with private endpoints.

Reference architecture for Site Recovery with private endpoints.

Prerequisites and caveats

  • Private endpoints can be created only for new Recovery Services vaults that don't have any items registered to the vault. As such, private endpoints must be created before any items are added to the vault. Review the pricing structure for private endpoints.
  • When a private endpoint is created for a vault, the vault is locked down and isn't accessible from networks other than those networks that have private endpoints.
  • Microsoft Entra ID currently doesn't support private endpoints. As such, IPs and fully qualified domain names required for Microsoft Entra ID to work in a region need to be allowed outbound access from the secured network. You can also use network security group tag "Azure Active Directory" and Azure Firewall tags for allowing access to Microsoft Entra ID, as applicable.
  • At least seven IP addresses are required in the subnets of both your source machines and your recovery machines. When you create a private endpoint for the vault, Site Recovery creates five private links for access to its microservices. Further, when you enable the replication, it adds two additional private links for the source and target region pairing.
  • One additional IP address is required in both the source and recovery subnets. This IP address is needed only when you need to use private endpoints connecting to cache storage accounts. Private endpoints for storage can only be created on General Purpose v2 type. Review the pricing structure for data transfer on GPv2.

Creating and using private endpoints for Site Recovery

This section talks about the steps involved in creating and using private endpoints for Azure Site Recovery inside your virtual networks.


It's highly recommended that you follow these steps in the same sequence as provided. Failure to do so may lead to the vault being rendered unable to use private endpoints and requiring you to restart the process with a new vault.

Create a Recovery Services vault

A recovery services vault is an entity that contains the replication information of machines and is used to trigger Site Recovery operations. For more information, see Create a Recovery Services vault.

Enable the managed identity for the vault.

A managed identity allow the vault to gain access to the customer's storage accounts. Site Recovery needs to access the source storage, target storage, and cache/log storage accounts depending on the scenario requirement. Managed identity access is essential when you're using private links service for the vault.

  1. Go to your Recovery Services vault. Select Identity under Settings.

    Shows the Azure portal and the Recovery Services page.

  2. Change the Status to On and select Save.

  3. An Object ID is generated indicating that the vault is now registered with Azure Active Directory.

Create private endpoints for the Recovery Services vault

To enable both failover and failback for Azure virtual machines, you'll need two private endpoints for the vault. One private endpoint for the protection of machines in the source network and another for the reprotection of failed over machines in the recovery network.

Ensure that you create a recovery virtual network in your target region as well during this setup process.

Create the first private endpoint for your vault inside your source virtual network using the Private Link Center in the portal or through Azure PowerShell. Create the second private endpoint for the vault inside your recovery network. Following are the steps to create the private endpoint in source network. Repeat the same guidance to create the second private endpoint.

  1. In the Azure portal search bar, search for and select "Private Link". This action takes you to the Private Link Center.

    Shows searching the Azure portal for the Private Link Center.

  2. On the left navigation bar, select Private Endpoints. Once on the Private Endpoints page, select +Add to start creating a private endpoint for your vault.

    Shows creating a private endpoint in the Private Link Center.

  3. Once in the "Create Private Endpoint" experience, you're required to specify details for creating your private endpoint connection.

    1. Basics: Fill in the basic details for your private endpoints. The region should be the same as the source machines.

      Shows the Basic tab, project details, subscription, and other related fields for creating a private endpoint in the Azure portal.

    2. Resource: This tab requires you to mention the platform-as-a-service resource for which you want to create your connection. Select Microsoft.RecoveryServices/vaults from the Resource type for your selected subscription. Then, choose the name of your Recovery Services vault for Resource and set Azure Site Recovery as the Target sub-resource.

      Shows the Resource tab, resource type, resource, and target sub-resource fields for linking to a private endpoint in the Azure portal.

    3. Configuration: In configuration, specify the virtual network and subnet where you want the private endpoint to be created. This virtual network is the network where the virtual machine is present. Enable integration with private DNS zone by selecting Yes. Choose an already created DNS zone or create a new one. Selecting Yes automatically links the zone to the source virtual network and adds the DNS records that are required for DNS resolution of new IPs and fully qualified domain names created for the private endpoint.

      Ensure that you choose to create a new DNS zone for every new private endpoint connecting to the same vault. If you choose an existing private DNS zone, the previous CNAME records are overwritten. Refer to Private endpoint guidance before you continue.

      If your environment has a hub and spoke model, you need only one private endpoint and only one private DNS zone for the entire setup since all your virtual networks already have peering enabled between them. For more information, see Private endpoint DNS integration.

      To manually create the private DNS zone, follow the steps in Create private DNS zones and add DNS records manually.

      Shows the Configuration tab with networking and DNS integration fields for configuration of a private endpoint in the Azure portal.

    4. Tags: Optionally, you can add tags for your private endpoint.

    5. Review + create: When the validation completes, select Create to create the private endpoint.

Once the private endpoint is created, five fully qualified domain names are added to the private endpoint. These links enable the machines in the virtual network to get access to all the required Site Recovery microservices in the context of the vault. Later, when you enable the replication, two additional fully qualified domain names are added to the same private endpoint.

The five domain names are formatted with the following pattern:


Approve private endpoints for Site Recovery

If the user creating the private endpoint is also the owner of the Recovery Services vault, the private endpoint created above is auto approved within a few minutes. Otherwise, the owner of the vault must approve the private endpoint before you to use it. To approve or reject a requested private endpoint connection, go to Private endpoint connections under "Settings" on the recovery vault page.

You can go to the private endpoint resource to review the status of the connection before proceeding.

Shows the private endpoint connections page of the vault and the list of connections in the Azure portal.

(Optional) Create private endpoints for the cache storage account

A private endpoint to Azure Storage may be used. Creating private endpoints for storage access is optional for Azure Site Recovery replication. When creating a private endpoint for storage, the following requirements apply:

  • You need a private endpoint for the cache/log storage account in your source virtual network.
  • You need a second private endpoint at the time of reprotection of the failed-over machines in the recovery network. This private endpoint is for the new storage account created in the target region.


If private endpoints are not enabled on storage account, protection would still be successful. However, replication traffic would transit to Azure Site Recovery public endpoints. To ensure replication traffic flows via private links, storage account must be enabled with private endpoints.


Private endpoint for storage can only be created on a General Purpose v2 storage accounts. For pricing information, see Standard page blob prices.

Follow the guidance for creation of private storage to create a storage account with private endpoint. Ensure to select Yes to integration with private DNS zone. Select an already created DNS zone or create a new one.

Grant required permissions to the vault

If your virtual machines are using managed disks, you need to grant the managed identity permissions only to the cache storage accounts. In case the virtual machines are using unmanaged disks, you need to grant the managed identity permissions for source, cache, and target storage accounts. In this case, you need to create the target storage account in advance.

Before enabling replication of virtual machines, the managed identity of the vault must have the following role permissions depending on the type of storage account:

The following steps describe how to add a role assignment to your storage accounts, one at a time. For detailed steps, see Assign Azure roles using the Azure portal.

  1. In the Azure portal, navigate to the cache storage account you created.

  2. Select Access control (IAM).

  3. Select Add > Add role assignment.

    Screenshot that shows Access control (IAM) page with Add role assignment menu open.

  4. On the Role tab, select one of the roles listed in the beginning of this section.

  5. On the Members tab, select Managed identity, and then select Select members.

  6. Select your Azure subscription.

  7. Select System-assigned managed identity, search for a vault, and then select it.

  8. On the Review + assign tab, select Review + assign to assign the role.

In addition to these permissions, you need to allow access to Microsoft trusted services. To do so, follow these steps:

  1. Go to Firewalls and virtual networks.

  2. In Exceptions, select Allow trusted Microsoft services to access this storage account.

Protect your virtual machines

Once all the above configurations are completed, continue with enabling replication for your virtual machines. All of the Site Recovery operations work without any additional steps if DNS integration was used while creating private endpoints on the vault. However, if the DNS zones are manually created and configured, you need additional steps to add specific DNS records in both source and target DNS zones after enabling the replication. For details and steps, see Create private DNS zones and add DNS records manually.

Create private DNS zones and add DNS records manually

If you didn't select the option to integrate with private DNS zone at the time of creating private endpoint for the vault, follow the steps in this section.

Create one private DNS zone to allow the mobility agent to resolve private link fully qualified domain names to private IPs.

  1. Create a private DNS zone

    1. Search for "Private DNS zone" in the All services search bar and select "Private DNS zones" from the drop-down.

      Shows searching for 'private dns zone' on new resources page in the Azure portal.

    2. Once on the "Private DNS zones" page, select the +Add button to start creating a new zone.

    3. On the "Create private DNS zone" page, fill in the required details. Enter the name of the private DNS zone as You can choose any resource group and any subscription to create it.

      Shows the Basics tab of the Create Private DNS zone page and related project details in the Azure portal.

    4. Continue to the Review + create tab to review and create the DNS zone.

  2. Link private DNS zone to your virtual network

    The private DNS zones created above must now be linked to the virtual network where your servers currently are. You also need to link the private DNS zone to the target virtual network in advance.

    1. Go to the private DNS zone that you created in the previous step and navigate to Virtual network links on the left side of the page. Once there, select the +Add button.

    2. Fill in the required details. The Subscription and Virtual network fields must be filled with the corresponding details of the virtual network where your servers exist. The other fields must be left as is.

      Shows the page to add a virtual network link with the link name, subscription, and related virtual network in the Azure portal.

  3. Add DNS records

    Once you've created the required private DNS zones and the private endpoints, you need to add DNS records to your DNS zones.


    In case you are using a custom private DNS zone, make sure that similar entries are made as discussed below.

    This step requires you to make entries for each fully qualified domain name in your private endpoint into your private DNS zone.

    1. Go to your private DNS zone and navigate to the Overview section on the left side of the page. Once there, select +Record set to start adding records.

    2. In the "Add record set" page that opens, add an entry for each fully qualified domain name and private IP as an A type record. The list of fully qualified domain names and IPs can be obtained from the "Private Endpoint" page in Overview. As shown in the example below, the first fully qualified domain name from the private endpoint is added to the record set in the private DNS zone.

      These fully qualified domain names match the pattern: {Vault-ID}-asr-pod01-{type}-.{target-geo-code}

      Shows the page to add a DNS A type record for the fully qualified domain name to the private endpoint in the Azure portal.


    After you enable replication, two more fully qualified domain names are created on the private endpoints in both regions. Ensure that you add the DNS records for these newly created fully qualified domain names as well.

Next steps

Now that you've enabled private endpoints for your virtual machine replication, see these other pages for additional and related information: