Move encrypted Azure VMs across regions
Azure Resource Mover helps you move Azure resources between Azure regions. This article discusses how to move encrypted Azure virtual machines (VMs) to a different Azure region by using Azure Resource Mover.
Encrypted VMs are either:
- VMs that have disks with Azure Disk Encryption enabled. For more information, see Create and encrypt a Windows virtual machine by using the Azure portal.
- VMs that use customer-managed keys (CMKs) for encryption at rest, or server-side encryption. For more information, see Use the Azure portal to enable server-side encryption with customer-managed keys for managed disks.
In this tutorial, you learn how to:
- Move encrypted Azure VMs and their dependent resources to another Azure region.
Note
Tutorials show the quickest path for trying out a scenario, and use default options where possible.
Sign in to Azure
If you don't have an Azure subscription, create a free account before you begin and sign in to the Azure portal.
Prerequisites
Before you begin, verify the following:
Requirement | Details |
---|---|
Subscription permissions | Ensure that you have Owner access on the subscription that contains the resources you want to move. Why do I need Owner access? The first time you add a resource for a specific source and destination pair in an Azure subscription, Resource Mover creates a system-assigned managed identity, formerly known as the Managed Service Identity (MSI). This identity is trusted by the subscription. Before you can create the identity and assign it the required roles (Contributor and User access administrator in the source subscription), the account you use to add resources needs Owner permissions in the subscription. For more information, see Azure roles, Microsoft Entra roles, and classic subscription administrator roles. |
VM support | Ensure that the VMs you want to move are supported by doing the following: |
Key vault requirements (Azure Disk Encryption) | If you have Azure Disk Encryption enabled for VMs, you require a key vault in both the source and destination regions. For more information, see Create a key vault. For the key vaults in the source and destination regions, you require these permissions: |
Disk encryption set (server-side encryption with CMK) | If you're using VMs with server-side encryption that uses a CMK, you require a disk encryption set in both the source and destination regions. For more information, see Create a disk encryption set. Moving between regions isn't supported if you're using a hardware security module (HSM keys) for customer-managed keys. |
Target region quota | The subscription needs enough quota to create the resources you're moving in the target region. If it doesn't have a quota, request additional limits. |
Target region charges | Verify the pricing and charges that are associated with the target region to which you're moving the VMs. Use the pricing calculator. |
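The prerequisites table above can be checked before anything is added to a move collection. The following PowerShell is an added pre-flight script written for this page; it is not part of Azure Resource Mover or of the tutorial. It assumes the Az.Accounts, Az.Resources, Az.KeyVault and Az.Compute modules are installed, that Connect-AzAccount has already been run as the user who will perform the move, and that vaults and disk encryption sets are named as in the placeholder values at the bottom (all constructed). The way the key type is read from the key object (KeyType on newer Az.KeyVault builds, Key.Kty on older ones) is an assumption flagged in the comments.

```powershell
# Added pre-flight check for the prerequisites table (not Resource Mover or tutorial code).
function Test-MovePrerequisites {
    param(
        [string]$SubscriptionId,
        [string]$SourceRegion, [string]$TargetRegion,
        [string]$SourceVault,  [string]$TargetVault,
        [hashtable]$SourceDes, [hashtable]$TargetDes   # @{ ResourceGroup = '...'; Name = '...' }
    )
    $findings = [System.Collections.Generic.List[string]]::new()
    Set-AzContext -SubscriptionId $SubscriptionId | Out-Null

    # 1. Owner at subscription scope, so Resource Mover can create its managed identity and
    #    grant it Contributor + User Access Administrator. Group memberships are expanded.
    $me    = (Get-AzContext).Account.Id
    $owner = Get-AzRoleAssignment -SignInName $me -Scope "/subscriptions/$SubscriptionId" `
                 -RoleDefinitionName 'Owner' -ExpandPrincipalGroups -ErrorAction SilentlyContinue
    if (-not $owner) { $findings.Add("$me has no Owner assignment on subscription $SubscriptionId.") }

    # 2. One key vault per region (Azure Disk Encryption); the destination vault must be
    #    enabled for disk encryption or the moved VM cannot retrieve its keys.
    foreach ($v in @(@{ Name = $SourceVault; Region = $SourceRegion; IsTarget = $false },
                     @{ Name = $TargetVault; Region = $TargetRegion; IsTarget = $true })) {
        $kv = Get-AzKeyVault -VaultName $v.Name -ErrorAction SilentlyContinue
        if (-not $kv) { $findings.Add("Key vault $($v.Name) not found."); continue }
        if ($kv.Location -ne $v.Region) {
            $findings.Add("Key vault $($v.Name) is in $($kv.Location), expected $($v.Region).")
        }
        if ($v.IsTarget -and -not $kv.EnabledForDiskEncryption) {
            $findings.Add("Destination vault $($v.Name) is not enabled for disk encryption.")
        }
    }

    # 3. One disk encryption set per region (server-side encryption with a CMK). HSM keys
    #    are listed by the tutorial as unsupported for a region move, so flag them.
    foreach ($d in @(@{ Set = $SourceDes; Region = $SourceRegion },
                     @{ Set = $TargetDes; Region = $TargetRegion })) {
        $des = Get-AzDiskEncryptionSet -ResourceGroupName $d.Set.ResourceGroup -Name $d.Set.Name `
                   -ErrorAction SilentlyContinue
        if (-not $des) { $findings.Add("Disk encryption set $($d.Set.Name) not found."); continue }
        if ($des.Location -ne $d.Region) {
            $findings.Add("Disk encryption set $($d.Set.Name) is in $($des.Location), expected $($d.Region).")
        }
        # Key URL: https://<vault>.vault.azure.net/keys/<name>/<version>
        # Managed HSM keys use a <name>.managedhsm.azure.net host instead.
        $keyUri = [uri]$des.ActiveKey.KeyUrl
        if ($keyUri.Host -like '*.managedhsm.*') {
            $findings.Add("$($d.Set.Name) uses a Managed HSM key; HSM keys are not supported for the move.")
            continue
        }
        $keyParams = @{ VaultName = $keyUri.Host.Split('.')[0]; Name = $keyUri.Segments[2].Trim('/') }
        if ($keyUri.Segments.Count -gt 3) { $keyParams.Version = $keyUri.Segments[3].Trim('/') }
        $key = Get-AzKeyVaultKey @keyParams -ErrorAction SilentlyContinue
        if (-not $key) {
            $findings.Add("Cannot read key $($keyParams.Name) from $($keyParams.VaultName); check vault permissions.")
        } else {
            # Assumption: key type is exposed as KeyType on newer Az.KeyVault, Key.Kty on older builds.
            $kty = if ($key.PSObject.Properties['KeyType']) { $key.KeyType } else { $key.Key.Kty }
            if ("$kty" -like '*-HSM') {
                $findings.Add("$($d.Set.Name) uses an HSM-backed key ($kty); not supported for the move.")
            }
        }
    }
    return $findings
}

# Constructed placeholder values; replace with your own.
$result = Test-MovePrerequisites -SubscriptionId '00000000-0000-0000-0000-000000000000' `
    -SourceRegion 'eastus' -TargetRegion 'westus2' `
    -SourceVault 'kv-src-placeholder' -TargetVault 'kv-dst-placeholder' `
    -SourceDes @{ ResourceGroup = 'rg-src-placeholder'; Name = 'des-src-placeholder' } `
    -TargetDes @{ ResourceGroup = 'rg-dst-placeholder'; Name = 'des-dst-placeholder' }
if ($result.Count -eq 0) { 'All prerequisite checks passed.' } else { $result }
```

The script only reads; it returns a list of findings so it can be run repeatedly while you fix each one. Quota and pricing are not checked here because the table leaves them to the quota request and pricing calculator pages.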
Verify permissions in the key vault
If you're moving VMs that have Azure Disk Encryption enabled, you must run a script. The users who execute the script should have appropriate permissions to do so. To understand which permissions are required, refer to the following table. You'll find the options for changing the permissions by going to the key vault in the Azure portal. Under Settings, select Access policies.
If the user permissions aren't in place, select Add Access Policy, and specify the permissions. If the user account already has a policy, under User, set the permissions according to the instructions in the following table.
Azure VMs that use Azure Disk Encryption come in the following variations, and you must set permissions for the components that apply. The VMs might have:
- A default option where the disk is encrypted with secrets only.
- Added security that uses a Key Encryption Key (KEK).
Source region key vault
For users who execute the script, set permissions for the following components:
Component | Permissions needed |
---|---|
Secrets | Get. Select Secret permissions > Secret Management Operations, and select Get. |
Keys (only if you're using a KEK; these permissions are required in addition to the permissions for secrets) | Get and Decrypt. Select Key Permissions > Key Management Operations, and select Get. In Cryptographic Operations, select Decrypt. |
Destination region key vault
On the Access policies tab, ensure that Azure Disk Encryption for volume encryption is enabled.
For users who execute the script, set permissions for the following components:
Component | Permissions needed |
---|---|
Secrets | Set. Select Secret permissions > Secret Management Operations, and select Set. |
Keys (only if you're using a KEK; these permissions are required in addition to the permissions for secrets) | Get, Create, and Encrypt. Select Key Permissions > Key Management Operations, and select Get and Create. In Cryptographic Operations, select Encrypt. |
In addition to the preceding permissions, in the destination key vault, you must add permissions for the Managed System Identity that Resource Mover uses to access the Azure resources on your behalf.
Add permissions to Managed System Identity
To add permissions for the Managed System Identity (MSI), follow these steps:
Under Settings, select Add Access policies.
In Select principal, search for the MSI. The MSI name is movecollection-<sourceregion>-<target-region>-<metadata-region>.
For the MSI, add the following permissions:
Component | Permissions needed |
---|---|
Secrets | Get and List. Select Secret permissions > Secret Management Operations, and select Get and List. |
Keys (only if you're using a KEK; these permissions are required in addition to the permissions for secrets) | Get and List. Select Key Permissions > Key Management Operations, and select Get and List. |
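The three permission tables above (source vault, destination vault, and the Resource Mover managed identity) can be applied from PowerShell instead of the portal. The following is an added example written for this page; it is not the tutorial's Copy-keys.ps1 and not part of Resource Mover. It assumes Az.KeyVault and Az.Resources are loaded, that Connect-AzAccount has run as a user allowed to manage access policies, and that both vaults use the access-policy permission model (vaults on the Azure RBAC permission model ignore access policies). The vault names, the operator UPN and the MSI name are constructed placeholders.

```powershell
# Added example applying the tutorial's permission tables (not Copy-keys.ps1 or Resource Mover code).
$sourceVault = 'kv-src-placeholder'
$targetVault = 'kv-dst-placeholder'
$operatorUpn = 'operator@contoso.example'               # user who will run Copy-keys.ps1
$usesKek     = $true                                    # $false if disks are encrypted with secrets only
$msiName     = 'movecollection-eastus-westus2-eastus2'  # movecollection-<sourceregion>-<target-region>-<metadata-region>

# Source vault: the script reads the disk secret, and with a KEK also unwraps it (Get + Decrypt).
# Secret and key permissions are set in one call so neither category is replaced by accident.
$src = @{ VaultName = $sourceVault; UserPrincipalName = $operatorUpn; PermissionsToSecrets = @('get') }
if ($usesKek) { $src.PermissionsToKeys = @('get', 'decrypt') }
Set-AzKeyVaultAccessPolicy @src

# Destination vault: the script writes the secret, and with a KEK creates and wraps (Get + Create + Encrypt).
$dst = @{ VaultName = $targetVault; UserPrincipalName = $operatorUpn; PermissionsToSecrets = @('set') }
if ($usesKek) { $dst.PermissionsToKeys = @('get', 'create', 'encrypt') }
Set-AzKeyVaultAccessPolicy @dst

# The destination vault must allow Azure Disk Encryption for volume encryption.
Set-AzKeyVaultAccessPolicy -VaultName $targetVault -EnabledForDiskEncryption

# Resource Mover's managed identity exists only after you add a resource for this region pair.
$msi = Get-AzADServicePrincipal -DisplayName $msiName | Select-Object -First 1
if (-not $msi) { throw "Managed identity '$msiName' not found; add a resource for this source/target pair first." }
$msiPolicy = @{ VaultName = $targetVault; ObjectId = $msi.Id; PermissionsToSecrets = @('get', 'list') }
if ($usesKek) { $msiPolicy.PermissionsToKeys = @('get', 'list') }
Set-AzKeyVaultAccessPolicy @msiPolicy

# Read back what was granted so a mistyped permission is caught before the script runs.
function Get-VaultAccessPolicy([string]$VaultName, [string]$ObjectId) {
    (Get-AzKeyVault -VaultName $VaultName).AccessPolicies |
        Where-Object ObjectId -eq $ObjectId |
        Select-Object ObjectId, PermissionsToSecrets, PermissionsToKeys
}
$operator = Get-AzADUser -UserPrincipalName $operatorUpn
Get-VaultAccessPolicy -VaultName $sourceVault -ObjectId $operator.Id
Get-VaultAccessPolicy -VaultName $targetVault -ObjectId $operator.Id
Get-VaultAccessPolicy -VaultName $targetVault -ObjectId $msi.Id
```

The operator's permissions are needed only while Copy-keys.ps1 runs; once the move is committed they can be removed with Remove-AzKeyVaultAccessPolicy for the same vault and UPN, leaving only the MSI policy the service itself relies on.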
Copy the keys to the destination key vault
Copy the encryption secrets and keys from the source key vault to the destination key vault by using the provided script.
To copy the keys from the source key vault to the destination key vault, follow these steps:
- Run the script in PowerShell. We recommend that you use the latest PowerShell version.
- Specifically, the script requires these modules:
- Az.Compute
- Az.KeyVault (version 3.0.0)
- Az.Accounts (version 2.2.3)
To run the script, do the following:
Open the script in GitHub.
Copy the contents of the script to a local file, and name it Copy-keys.ps1.
Run the script.
Sign in to the Azure portal.
In the User Inputs window, select the source subscription, resource group, the source VM, the target location, and the target vaults for disk and key encryption.
Use the Select button to run the script.
When the script has finished running, a message notifies you that CopyKeys has succeeded.
Prepare VMs
To prepare VMs for the move, follow these steps:
- After you've verified that the VMs satisfy the prerequisites, ensure that the VMs you want to move are turned on. All VM disks that you want to be available in the destination region must be attached and initialized in the VM.
- To ensure that the VMs have the latest trusted root certificates and an updated certificate revocation list (CRL), do the following:
- On Windows VMs, install the latest Windows updates.
- On Linux VMs, follow distributor guidance so that the machines have the latest certificates and CRL.
- To allow outbound connectivity from the VMs, do either of the following:
- If you're using a URL-based firewall proxy to control outbound connectivity, allow access to the URLs.
- If you're using network security group (NSG) rules to control outbound connectivity, create these service tag rules.
Select the resources to move
You can select any supported resource type in any of the resource groups in the source region you select. You can move resources to a target region that's in the same subscription as the source region. If you want to change the subscription, you can do so after the resources are moved.
To select the resources, do the following:
On the Azure portal, search for resource mover. Under Services, select Azure Resource Mover.
On the Azure Resource Mover Overview pane, select Move across regions.
On the Move resources > Source + destination tab, do the following:
- Select the source subscription and region.
- Under Destination, select the region where you want to move the VMs, select Next.
On the Resources to move tab, select the Select resources option to open a new tab with available VMs list.
On the Select resources tab, select the VMs you want to move. As mentioned in the Select the resources to move section, you can add only resources that are supported for a move.
Note
In this tutorial, you're selecting a VM that uses server-side encryption (rayne-vm) with a customer-managed key, and a VM with disk encryption enabled (rayne-vm-ade).
Select Done.
Select the Resources to move tab and select Next.
Select the Review tab, and check the source and destination settings.
Select Proceed to begin adding the resources.
Select the notifications icon to track the progress. After the process finishes successfully, on the Notifications pane, select Added resources for move.
After you select the notification, review the resources on the Across regions page.
Note
- The resources you add are placed into a Prepare pending state.
- The resource group for the VMs is added automatically.
- If you modify the Destination configuration entries to use a resource that already exists in the destination region, the resource state is set to Commit pending, because you don't need to initiate a move for it.
- If you want to remove a resource that's been added, the method you'll use depends on where you are in the move process. For more information, see Manage move collections and resource groups.
Resolve dependencies
To resolve dependencies before the move, follow these steps:
Dependencies are validated in the background after you add resources. If you see a Validate dependencies button, select it to trigger the manual validation.
The validation process begins.
If dependencies are found, select Add dependencies.
On the Add dependencies pane, retain the default Show all dependencies option.
- Show all dependencies iterates through all the direct and indirect dependencies for a resource. For example, for a VM, it shows the NIC, virtual network, network security groups (NSGs), and so on.
- Show first-level dependencies only shows only direct dependencies. For example, for a VM it shows the NIC but not the virtual network.
Select the dependent resources you want to add and select Add dependencies.
Dependencies are automatically validated in the background after you add them. If you see a Validate dependencies option, select it to trigger the manual validation.
Assign destination resources
You must manually assign destination resources that are associated with encryption.
If you're moving a VM that has Azure Disk Encryption enabled, the key vault in your destination region appears as a dependency. If you're moving a VM with server-side encryption that uses CMKs, the disk encryption set in the destination region appears as a dependency.
Because this tutorial demonstrates moving a VM that has Azure Disk Encryption enabled and that uses a CMK, both the destination key vault and the disk encryption set show up as dependencies.
To assign the destination resources manually, do the following:
In the disk encryption set entry, select Resource not assigned in the Destination configuration column.
In Configuration settings, select the destination disk encryption set, and select Save changes.
You can save and validate dependencies for the resource you're modifying, or you can save only the changes, and validate everything you modify at the same time.
After you've added the destination resource, the status of the disk encryption set is changed to Commit move pending.
In the key vault entry, select Resource not assigned in the Destination configuration column. Under Configuration settings, select the destination key vault, and save your changes.
At this stage, the disk encryption set and key vault statuses are changed to Commit move pending.
To commit and finish the move process for encryption resources, do the following:
- In Across regions, select the resource (disk encryption set or key vault), and select Commit move.
- In Move Resources, select Commit.
Note
After you've committed the move, the resource status changes to Delete source pending.
Prepare resources to move
Now that the encryption resources and the source resource group are moved, you can prepare to move other resources whose current status is Prepare pending.
On the Across regions pane, validate the move again and resolve any issues.
If you want to edit the target settings before you begin the move, select the link in the Destination configuration column for the resource, and edit the settings. If you edit the target VM settings, the target VM size shouldn't be smaller than the source VM size.
For resources with a Prepare pending status that you want to move, select Prepare.
On the Prepare resources pane, select Prepare.
- During the preparation, the Azure Site Recovery mobility agent is installed on the VMs to replicate them.
- The VM data is replicated periodically to the target region. This doesn't affect the source VM.
- Resource Mover generates ARM templates for the other source resources.
Initiate the move
Now that you've prepared the resources, you can initiate the move.
On the Across regions pane, select the resources whose status is Initiate move pending, and select Initiate move.
On the Move resources pane, select Initiate move.
Track the progress of the move in the notifications bar.
- For VMs, replica VMs are created in the target region. The source VM is shut down, and some downtime occurs (usually minutes).
- Resource Mover re-creates other resources by using the prepared ARM templates. There's usually no downtime.
- After you've moved the resources, their status changes to Commit move pending.
Discard or commit the move
After the initial move, you can decide whether to commit the move or discard it.
- Discard: You might discard a move if you're testing it and don't want to actually move the source resource. Discarding the move returns the resource to Initiate move pending status.
- Commit: Commit completes the move to the target region. After you've committed a source resource, its status changes to Delete source pending, and you can decide whether you want to delete it.
Discard the move
To discard the move, do the following:
- On the Across regions pane, select resources whose status is Commit move pending, and select Discard move.
- On the Discard move pane, select Discard.
- Track the progress of the move in the notifications bar.
Note
After you've discarded the resources, the VM statuses change to Initiate move pending.
Commit the move
To complete the move process, you commit the move by doing the following:
On the Across regions pane, select resources whose status is Commit move pending, and select Commit move.
On the Commit resources pane, select Commit.
Track the commit progress in the notifications bar.
Note
- After you've committed the move, the VMs stop replicating. The source VM is unaffected by the commit.
- The commit process doesn't affect the source networking resources.
- After you've committed the move, the resource statuses change to Delete source pending.
Configure settings after the move
You can configure the following settings after the move process:
- The mobility service isn't uninstalled automatically from VMs. Uninstall it manually, or leave it if you plan to move the server again.
- Modify Azure role-based access control (RBAC) rules after the move.
Delete source resources after commit
After the move, you can optionally delete resources in the source region.
- On the Across regions pane, select each source resource that you want to delete, and select Delete source.
- In Delete source, review what you intend to delete and, in Confirm delete, type yes.
Caution
The action is irreversible, so check carefully!
- After you type yes, select Delete source.
Note
In the Resource Mover portal, you can't delete resource groups, key vaults, or SQL Server instances. You must delete each individually from the properties page for each resource.
Delete resources that you created for the move
After the move, you can manually delete the move collection and Site Recovery resources that you created during this process.
- The move collection is hidden by default. To see it you must turn on hidden resources.
- The cache storage has a lock that must be deleted before it can be deleted.
To delete your resources, do the following:
Locate the resources in the resource group RegionMoveRG-<sourceregion>-<target-region>.
Check to ensure that all the VMs and other source resources in the source region have been moved or deleted. This step ensures that no pending resources are using them.
Delete the resources:
- Move collection name: movecollection-<sourceregion>-<target-region>
- Cache storage account name: resmovecache<guid>
- Vault name: ResourceMove-<sourceregion>-<target-region>-GUID
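The cleanup above (lock on the cache storage account, hidden move collection, Site Recovery vault) can be scripted so that it runs as a dry run first. The following is an added example written for this page, not part of Azure Resource Mover. It assumes Az.Resources and Az.RecoveryServices are loaded and Connect-AzAccount has run; the region values are constructed placeholders, while the resource-group and resource naming patterns are the ones listed above. The order matters: the move collection must hold no resources that are still pending, and the vault must hold no replicated items, which is the case once every VM has been committed.

```powershell
# Added cleanup example for the resources Resource Mover creates (not product or tutorial code).
function Remove-ResourceMoverLeftovers {
    [CmdletBinding(SupportsShouldProcess)]
    param([string]$SourceRegion, [string]$TargetRegion)

    $rg = "RegionMoveRG-$SourceRegion-$TargetRegion"

    # 1. Cache storage account: the lock has to go before the account can be deleted.
    $caches = Get-AzResource -ResourceGroupName $rg -ResourceType 'Microsoft.Storage/storageAccounts' |
        Where-Object Name -like 'resmovecache*'
    foreach ($sa in $caches) {
        Get-AzResourceLock -ResourceGroupName $rg -ResourceName $sa.Name -ResourceType $sa.ResourceType |
            ForEach-Object {
                if ($PSCmdlet.ShouldProcess($_.Name, "Remove lock on $($sa.Name)")) {
                    Remove-AzResourceLock -LockId $_.LockId -Force | Out-Null
                }
            }
        if ($PSCmdlet.ShouldProcess($sa.Name, 'Remove cache storage account')) {
            Remove-AzResource -ResourceId $sa.ResourceId -Force | Out-Null
        }
    }

    # 2. Recovery Services vault used for replication. Removal fails while replicated items
    #    remain, so every VM must already be committed (replication stopped).
    Get-AzRecoveryServicesVault -ResourceGroupName $rg |
        Where-Object Name -like "ResourceMove-$SourceRegion-$TargetRegion-*" |
        ForEach-Object {
            if ($PSCmdlet.ShouldProcess($_.Name, 'Remove Recovery Services vault')) {
                Remove-AzRecoveryServicesVault -Vault $_
            }
        }

    # 3. Move collection: hidden in the portal, but addressable by resource type.
    #    Deleting it fails if move resources are still attached, so commit or remove them first.
    Get-AzResource -ResourceGroupName $rg -ResourceType 'Microsoft.Migrate/moveCollections' |
        Where-Object Name -like "movecollection-$SourceRegion-$TargetRegion*" |
        ForEach-Object {
            if ($PSCmdlet.ShouldProcess($_.Name, 'Remove move collection')) {
                Remove-AzResource -ResourceId $_.ResourceId -Force | Out-Null
            }
        }
}

# Dry run first (constructed placeholder regions); drop -WhatIf to actually delete.
Remove-ResourceMoverLeftovers -SourceRegion 'eastus' -TargetRegion 'westus2' -WhatIf
```

Because the function supports ShouldProcess, `-WhatIf` prints each intended deletion without performing it, and `-Confirm` prompts per resource; run with `-WhatIf` until the list matches exactly the three items named above.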
Next steps
Learn more about moving Azure SQL databases and elastic pools to another region.