nwipfli avatar image
0 Votes"
nwipfli asked SadiqhAhmed-MSFT commented

Failback while retaining the IP addresses ?


I took over an Azure Site Recovery (ASR) Project with about 13 VMware machines which are replicated in Azure. Currently, the Azure environment includes:

  • 1x Hub vNet with the VPN Gateway.

  • 1x Spoke vNet (Prod) with already running instances, including one Domain Controller. Peering exist with the Hub vNet.

  • 1x Spoke vNet (DRMain) which has the same CIDR range has the on-premises and it will include the VM after the failover. There is no peering with the Hub vNet because the VPN S2S is active.

The idea from the previous colleague was certainly to proceed as below in case of a failover:

  • Cut the VPN S2S connection.

  • Create a peering between the DRMain vNet et the Hub vNet.

  • Run the recovery plan to restart the machine in the DRMain vNet.

  • Update the DNS for the vNet DRMain to point to the Domain Controller already running in the Prod.

In that situation there won't be an overlap with the on-premises network because the VPN will be disconnected.

In regards to the failback from Azure to on-premises, we'll need to activate the VPN for the resynchro. However, when reading through the document, I can read the following:

> For retained IP addresses the configuration server needs two NICs - one for source machine connectivity, and one for Azure failback connectivity. This avoids overlap of subnet address ranges for the source and failed over VMs

This might be a stupid question but if the on-prem network has the same IP range than the vNet, how can I have both NICs in different subnet ?

Can anyone shed some light on this ?

Thanks in advance

· 5
5 |1600 characters needed characters left characters exceeded

Up to 10 attachments (including images) can be used with a maximum of 3.0 MiB each and 30.0 MiB total.

For S2S VPN same subnets cannot be used at multiple locations.
Would be interested to know what exactly you are looking for?

0 Votes 0 ·

Yes, I know the same subnets cannot be used. For that reason, the VPN connection is deleted before starting the protected VM in Azure.

Therefore, this means that later when the customer failback, he will have anyway to use a different on-premises network addressing than he had initially. In other words, Azure Site Recovery allows you to failover machines into Azure while keeping the same IP addresses, but for the failback, you have to use a different network addressing than the original production.

Am I correct

0 Votes 0 ·

As far as I know, you need to have VPN S2S/ExP route connectivity between the failed over VM’s subnet(In Azure) and the Configuration server.
Now since we retained the IP’s in Azure, that means a similar subnet exists in our On-Premise environment as well.
If the subnet address range is same for Azure and Onpremise, we cannot have Connectivity between them.
So we have a configuration Server Failback NIC in a separate Subnet, with a different range and connect it with the Azure subnet(failed over subnet).
This allows communication within Config server and protected items.
The other NIC of the Config server remains in the original subnet in OnPremise Vnet, so that CS can communicate with the original VM’s and push the delta changes using MT.

1 Vote 1 ·
Show more comments

0 Answers