Configure HGS fallback URLs in VMM

This article describes how to define the fallback Host Guardian Service (HGS) URLs in System Center Virtual Machine Manager (VMM) global settings. For information about guarded fabrics, see this article.

Being at the heart of providing attestation and key protection services to run shielded VMs on Hyper-V hosts, the host guardian service (HGS) must operate even in situations of disaster.

With fallback HGS configuration feature in VMM, a guarded host can be configured with a primary and secondary pair of HGS URLS (an attestation and key protection URI). This capability enables scenarios, such as guarded fabric deployments spanning two data centers for disaster recovery purposes, HGS running as shielded VMs, and so on.

The primary HGS URLs will always be used in favor of the secondary. If the primary HGS fails to respond after the appropriate timeout and retry count, the operation will be reattempted against the secondary. Subsequent operations will always favor the primary; the secondary will only be used when the primary fails.

Before you start

Ensure that you've deployed and configured the Host Guardian Service before proceeding. Learn more about configuring HGS.

Configure fallback HGS

Use the following steps:

  1. Navigate to VMM Settings > General Settings > Host Guardian Service Settings. On the Host Guardian Service Settings page, you see a section for Fallback Configurations.

  2. Define the primary and fallback HGS URLs and select Finish.

    Screenshot of fallback HGS.

  3. Enable the fallback URLs on the host by navigating to Host Properties > Host Guardian Service. Select Enable host Guardian Hyper-V support and use the URLs as configured as global settings in VMM and select OK.

    Note

    After this step, the VMM service configures the supported hosts with primary and fallback HGS URLs. Only hosts on and above Windows Server 1709 support fallback HGS URLs.

PowerShell command updates

  1. The following two parameters are added to the existing Set-SCVMHost PowerShell command:

    • AttestationFallbackServerUrl
    • KeyProtectionFallbackServerUrl

    Here's the sample syntax.

    
    Set-SCVMHost [-VMHost] <Host> [-ApplyLatestCodeIntegrityPolicy] [-AttestationServerUrl <String>]        [-AttestationFallbackServerUrl <String>]
    [-AvailableForPlacement <Boolean>] [-BMCAddress <String>]
    [-BMCCustomConfigurationProvider <ConfigurationProvider>] [-BMCPort <UInt32>]
    [-BMCProtocol <OutOfBandManagementType>] [-BMCRunAsAccount <RunAsAccount>] [-BaseDiskPaths <String>]
    [-BypassMaintenanceModeCheck] [-CPUPercentageReserve <UInt16>] [-CodeIntegrityPolicy <CodeIntegrityPolicy>]
    [-Custom1 <String>] [-Custom10 <String>] [-Custom2 <String>] [-Custom3 <String>] [-Custom4 <String>]
    [-Custom5 <String>] [-Custom6 <String>] [-Custom7 <String>] [-Custom8 <String>] [-Custom9 <String>]
    [-Description <String>] [-DiskSpaceReserveMB <UInt64>] [-EnableLiveMigration <Boolean>]
    [-FibreChannelWorldWideNodeName <String>] [-FibreChannelWorldWidePortNameMaximum <String>]
    [-FibreChannelWorldWidePortNameMinimum <String>] [-IsDedicatedToNetworkVirtualizationGateway <Boolean>]
    [-JobGroup <Guid>] [-JobVariable <String>] [-KeyProtectionServerUrl <String>] [-KeyProtectionFallbackServerUrl <String>] [-LiveMigrationMaximum <UInt32>]
    [-LiveStorageMigrationMaximum <UInt32>] [-MaintenanceHost <Boolean>] [-ManagementAdapterMACAddress <String>]
    [-MaxDiskIOReservation <UInt64>] [-MemoryReserveMB <UInt64>]
    [-MigrationAuthProtocol <MigrationAuthProtocolType>]
    [-MigrationPerformanceOption <MigrationPerformanceOptionType>] [-MigrationSubnet <String[]>]
    [-NetworkPercentageReserve <UInt16>] [-NumaSpanningEnabled <Boolean>] [-OverrideHostGroupReserves <Boolean>]
    [-PROTipID <Guid>] [-RemoteConnectCertificatePath <String>] [-RemoteConnectEnabled <Boolean>]
    [-RemoteConnectPort <UInt32>] [-RemoveRemoteConnectCertificate] [-RunAsynchronously] [-SMBiosGuid <Guid>]
    [-SecureRemoteConnectEnabled <Boolean>] [-UseAnyMigrationSubnet <Boolean >]
    [-VMHostManagementCredential <VMMCredential>] [-VMPaths <String>] [<CommonParameters>]
    
  2. The following parameter is added to Get-SCGuardianConfiguration to let the user specify from which HGS the metadata must be fetched.

    [-Guardian {Primary | Fallback}]

    Syntax

    Get-SCGuardianConfiguration [-Guardian {Primary | Fallback}] [-OnBehalfOfUser <String>] [-OnBehalfOfUserRole <UserRole>] [-VMMServer <ServerConnection>] [<CommonParameters>]
    

Next steps