Azure site recovery without proxy.

Question

Azure site recovery without proxy.

Shashank Singh 6,251

So I am planning to Configure ASR but my requirements are below

I do not want data replication to go over internet, hence I will use Expressroute combined with private endpoints on storage and ASR vault.
I do not want to use proxy for communication between Configuration server and Azure API( storage account *blobs.microsoft.com). Can I use Microsoft Peering ?. Or what is other way around

Is this possible ? How do config server communicates with public websites of Storage account for handshake if proxy is not there ?

Thanks

SadiqhAhmed-MSFT 49,326 Reputation points Microsoft Employee Moderator

2021-04-01T10:37:56.773+00:00

@Shashank Singh - Site Recovery replicates data to an Azure Storage account or replica Managed Disk on the target Azure region over a public endpoint. To use ExpressRoute for Site Recovery replication traffic, you can utilize Microsoft peering. Doc reference: https://learn.microsoft.com/en-us/azure/site-recovery/concepts-expressroute-with-site-recovery#on-premises-to-azure-replication-with-expressroute

Will get back to you on your query about not using proxy.
Shashank Singh 6,251 Reputation points

2021-04-01T11:19:50.903+00:00

Hello Sadiq,
Is Microsoft peering a "necessity" when using ER ? Cant we just use ER and private endpoints ?.
Thanks for the revert

Accepted answer

2 additional answers

Your answer

SadiqhAhmed-MSFT 49,326 Reputation points Microsoft Employee Moderator

2021-04-01T10:37:56.773+00:00

@Shashank Singh - Site Recovery replicates data to an Azure Storage account or replica Managed Disk on the target Azure region over a public endpoint. To use ExpressRoute for Site Recovery replication traffic, you can utilize Microsoft peering. Doc reference: https://learn.microsoft.com/en-us/azure/site-recovery/concepts-expressroute-with-site-recovery#on-premises-to-azure-replication-with-expressroute

Will get back to you on your query about not using proxy.
Shashank Singh 6,251 Reputation points

2021-04-01T11:19:50.903+00:00

Hello Sadiq,
Is Microsoft peering a "necessity" when using ER ? Cant we just use ER and private endpoints ?.
Thanks for the revert

Answer 1

Shashank Singh 6,251

I am posting this as answer as the answer given by Sadiq is not "completely" true.

If you are using Express route and private endpoint and keeping PS/CS server on-premises YOU WILL NEED PROXY, unless you have direct internet connection from your machine to Azure which is highly unlikely.
If you dont want to use proxy keep PS/CS server in Azure. Make sure you have connectivity from on-premises to Azure.

Rest all is covered in MS Books online.

Answer 2

SadiqhAhmed-MSFT 49,326 Microsoft Employee Moderator

@Shashank Singh - You can use private endpoints for both storage and for the Recovery Services Vault. That way you can use the private peering path in Express-route for everything.

If you enable private endpoints on both the storage and the vault, then all traffic is routed across the private peering path of the Express-route circuit to a private IP address created by the private endpoint. Private endpoints allow you to create a private IP address within an Azure VNet that allows you to connect to Azure PaaS objects across private network IPs.

It is very basic and missing some components (like DNS) – but in the graphic below. The left side box is the on-premises network at 10.0.0.0/16 with an Express-route connection in place and only the private peering path enabled. It is connected to an Azure VNet and 10.2.0.0/16 with a subnet defined as 10.2.1.0/16. Private endpoint connections for each of the Vault and a storage account allow for each of those services to be assigned an IP address in the 10.2.1.x/24 range. So now the storage account and the recovery services vault only need a path from the 10.0.0.0/16 network on-premises to the 10.2.0.0/16 VNet in Azure, which should exist by default in the BGP routes built in to Express-route. No proxy is needed because you are connecting to private address – not public ones.

----------------------------------------------------------------------------------------------------------------------

If the response helped, do "Accept Answer" and up-vote it

Shashank Singh 6,251 Reputation points

2021-04-02T08:23:36.553+00:00
@SadiqhAhmed-MSFT Many thanks, even I had made similar configuration but please also clarify two more points.

As you said no proxy needed so how would connection from configuration server reach to Azure API's or since we have ER and private link that is NOT NEEDED AT ALL only ER with private link is enough for both process and configuration server to reach storage account ?

If above is true how what should I put in proxy information while installing Unified setup, without proxy it would not move forward. If i select connect directly it would again fail and setup would not move forward

Thanks
Shashank Singh 6,251 Reputation points

2021-04-06T08:14:46.897+00:00

@SadiqhAhmed-MSFT Awaiting for your response
SadiqhAhmed-MSFT 49,326 Reputation points Microsoft Employee Moderator

2021-04-10T19:15:25.433+00:00

@Shashank Singh Sorry for the delayed response!
The access is dependent on connectivity defined between on-prem environment and Azure. If the CS has a default gateway that has direct access to ER, no proxy is needed.
If not, you can provide the proxy details in Unified setup like IP, Port and authentication information(if required).

As to the exact values required, this would be dependent on the proxy server configured in the customer environment. ASR requires either direct connectivity established between CS and ER, or failing that connectivity between proxy server and ER with CS redirecting traffic via the proxy.
Please also note that AAD URL needs public internet access in addition to private link connectivity for ASR service endpoints.

----------------------------------------------------------------------------------------------------------------------

If the response helped, do "Accept Answer" and up-vote it
Shashank Singh 6,251 Reputation points

2021-04-12T13:50:00.817+00:00

Thanks so as per you if CS has default GW that has access to ER then it is possible but as per MS doc

To use ExpressRoute for Site Recovery replication traffic, you can utilize Microsoft peering or an existing public peering (deprecated for new creations). Microsoft peering is the recommended routing domain for replication. Note that replication is supported over private peering only when private ends points are enabled for the vault.

Ensure that the Networking Requirements for Configuration Server are also met. Connectivity to specific URLs is required by Configuration Server for orchestration of Site Recovery replication. ExpressRoute cannot be used for this connectivity.

Now this is confusing and saying ER cannot be used for this connectivity

Answer 3

@Shashank Singh I believe this statement in bold needs to be taken in context of preceding and following statements in the doc.

In essence, CS needs to have connectivity to ASR endpoints.
In case of non-PE vaults, this means CS needs access to ASR public endpoints - https://learn.microsoft.com/en-us/azure/site-recovery/vmware-azure-deploy-configuration-server#network-requirements
In case of PE vaults, CS needs access to ASR private endpoints. An exception is required for AAD where access needs to be provided via internet Enable replication for on-premises machines with private endpoints - Azure Site Recovery | Microsoft Learn

In both cases, ExpressRoute is allowed – for non-PE vaults only ExpressRoute with MS Peering or Public peering(deprecated) is allowed. For PE vaults additionally Private peering is also allowed.
In both cases, actual connectivity is subjective to customer topology and access to ER directly or via proxy needs to be configured on a case basis.

----------------------------------------------------------------------------------------------------------------------

If the response helped, do "Accept Answer" and up-vote it

Shashank Singh 6,251 Reputation points

2021-04-14T11:36:09.933+00:00

That is clear thanks. Also a big thanks for spending time on this thread.

Share via

Azure site recovery without proxy.

2 additional answers

Your answer