• Home
  • Blog
  • Technical
  • Three ways to protect your customer’s on-premises data with Azure: Part 3 – Azure Site Recovery

Three ways to protect your customer’s on-premises data with Azure: Part 3 – Azure Site Recovery

Back to Blog
29Nov2017

Three ways to protect your customer’s on-premises data with Azure: Part 3 – Azure Site Recovery

In the previous two posts we looked at:

  • Azure Backup (using the MARS agent)
  • Azure Backup Server (free DPM server)

Those two solutions are markedly different from one another, but they both basically provide some kind of backup. The former does only file, folder & system state information–no application data is possible.The latter will do application data, including SQL, Exchange and virtual machines from Hyper-V or VMware, as well as bare metal restores of physical servers.

But the last solution we will talk about is really just targeted at true DR: replication of full servers into Azure (so you can run them as virtual machines in the cloud). This is typically only necessary when you have or expect a complete loss of the primary datacenter, with no local hardware to which you would restore for an extended period of outage.

For today, I want to review the basics of ASR architecture, and certain other considerations.

A closer look at ASR architecture

The other important thing to realize is that ASR is an incomplete solution if all you do is setup the vault and turn on replication. That is not a DR strategy. When sh*# hits the fan, what good do those servers in the cloud do you? In short, you need an infrastructure in place up there, so that you can actually use the failover feature and get users connected to the environment (usually via Remote Desktop Services and/or VPN).

Image credit: Alex Fields, ITProMentor.com

As you can see from the image above, an Azure provider / agent is still at work here, only this time it is configured on the Hyper-V host. Note: it is also possible to configure this solution with VMware, but you will need to elect another Windows system on the network for the task of pairing with your Azure Backup & Recovery vault.

What I would recommend to complete this solution is:

  1. Azure Virtual Network – have one ready to go with subnets and everything you will need (this network is where VM’s would be restored into, in Azure)
  2. Site-to-Site VPN – Even if it isn’t always on, know how you can get the tunnels up in advance, and test it
  3. Domain Services – Maybe a small VM stays online up there to run AD/DNS services, replicating information from your on-premises environment (requires the always on S2S VPN)–this can make recovery a bit quicker and provides fault-tolerance for your core domain services
  4. Remote Desktop – Have a server ready to go with this service, even if it is offline most of the time. Or, if you have this service on-premises and you are replicating it, know that you may have some DNS reconfiguration to do, in order to get clients reconnected to it after failover (do you have a static IP provisioned in Azure that you can use for this?)

That’s what I’d call out, as a minimum. If you are providing a different connectivity option, then just be sure it is actually tested/validated so that you can ensure a smooth recovery. And of course: plan for failback. You want to be able to failback to your on-prem servers eventually, unless you are using ASR as a one-way migration tool. Therefore, part of your DR plan should include a failover and failback test, so you know what your full recovery strategy looks like.

Pricing considerations

There will be a small per-instance fee to replicate a full virtual machine to Azure. In addition, you will also pay for storage space and other related costs, just like always with these vaults. Check out Azure pricing for more details.

Obviously the additional infrastructure we just discussed will come with a cost as well, so don’t forget to account for it. For most small businesses, the infrastructure solution I most often describe with a single small domain controller in the cloud, on a S2S Basic VPN-connected Virtual Network will clock in under USD $100.00/month pretty easily. And this just means your DR site is always-on and ready to go. It is optional of course, but recommended if your downtime tolerance is very low, and you need to support quicker Recovery Time Objectives.

Retention considerations

You can only retain recovery points for up to 72 hours on standard storage (and only 24 hours on premium storage). Therefore, the use case for this service is limited in scope to true immediate DR-type scenarios, and not backup.

Azure Site Recovery is only providing a current image of an entire system, and you would not refer to this image in order to say, restore a file or folder that someone accidentally deleted, or something like that. You would restore the entire VM, usually in an Azure network.

So implement this solution as part of a DR strategy–e.g. How can I get my systems back online quickly if everything is down in my datacenter? But I would still recommend a backup be used in conjunction with this solution.

Key takeaway: ASR is not meant to replace your backup. If you want to use ASR as one of your three “backups” in a 3-2-1 solution, then great! But don’t neglect the other two. (3-2-1 = Three backups, two of which are on different media, and one of which is offline).

Conclusions

This is still a pretty great DRaaS product: affordable and easy to setup. However, in most cases where I’ve run into this being implemented, the whole picture wasn’t really developed, meaning the recovery strategy and infrastructure, and testing the failover/failback process.

My old articles are a bit dated now, and there have been some changes since that time, but for the most part it is still good for the classic deployment model. You can see that series here:

  1. Extend your on-premises network with Azure Virtual Network
  2. Replicate Hyper-V VM’s to Azure Site Recovery
  3. Initiate a test failover to Azure Virtual Network

Another way to deploy this solution is by using the Azure integrations for Windows Server Essentials. This will deploy into Azure Resource Manager (ARM). That series is located here:

  1. Pre-requisites for enabling Azure Site Recovery using Windows Server Essentials role
  2. Configure Azure Virtual Network and Azure Site Recovery using Windows Server Essentials role
  3. Prepare for and test a planned failover event using Windows Server Essentials role
Technical , , , , 0 Comments
Share:

Leave a Reply

Back to Blog

Related Posts

27Sep

Security Reports and Identity Protection features available in Azure AD, Azure AD Premium P1 and P2

Azure AD Premium P1 is included with Enterprise Mobility and Security (EMS) E3. I have been experimenting with numerous aspects of this subscription, since security is such a high priority these days, especially for the SMB (small businesses are statistically far more more likely to... read more
21Jan

How-to Complete your Office 365 Setup and Exchange E-Mail Migration

When setting up a new Office 365 tenancy or migrating from an on-premises or hosted Email system to Office 365, one last step will be to add all the necessary DNS records to your DNS zone file, and then make the appropriate changes to your... read more
Adopting the Traffic Light Protocol with Sensitivity Labels
07Sep

Adopting the Traffic Light Protocol (TLP) with Microsoft 365’s Sensitivity Labels

I have previously written about Sensitivity labels, along with a template of the core labels that I like to use when introducing Small Businesses to the concept of data classification. Recently, I decided to update this standard to align more closely with the Traffic Light... read more
10Sep

How to quickly provision Microsoft 365 Business subscriptions for Exchange Online and ATP using PowerShell

Hey folks, Microsoft 365 Business is a really cool subscription for small businesses, and if you are doing these configurations for a lot of tenants, then you're probably going to want to automate some of the setup.  Today I'm going to share a script I... read more
Unboxing MDB, part 3: ASR rules
12Feb

Unboxing Defender for Business, Part 3: Attack Surface Reduction rules

If you haven't been following this series, let me catch you up. First, understand that Microsoft recently made a huge announcement: their enterprise-class endpoint security solution, known as Microsoft Defender for Endpoint, has been re-packaged and released for the SMB (and included in the popular... read more
04Oct

Introducing the Windows 10 Business Secure Configuration Framework

Update March 2023: This publication has been updated significantly and renamed as well. It is now called The SMB Guide to Threat Defense and Microsoft Defender in Microsoft 365 Business Premium Plans. This guide describes implementation of Microsoft Defender for Office 365 as well as... read more
11Aug

Multifactor Authentication Server is not compatible with password sync?

I was recently asked for help implementing Microsoft's Multifactor Authentication Server for an on-premises Remote Desktop farm.  There is a great resource on the web at RDS Gurus that steps you through this process.  Just for the sake of doing my homework, I decided to read... read more
11Oct

Removing local admin: a game of compromise (and some tips and tricks)

Look, I am a realist. Yes: from a security perspective it would be ideal if we could take away local admin privileges on every corporate owned Windows 10 workstation. But that still isn't very easy to do for many organizations. Some orgs do need to maintain... read more
07Jan

How-to Verify Your Domain with Office 365

So this is a very common task when provisioning new Office 365 accounts.  You can obtain a free trial here. I recommend the E3 trial, even if you only plan to buy the Exchange Online plan ultimately.  The licensing can be changed out seamlessly, and in... read more
15Aug

Teams, SharePoint and OneDrive best practices? Part 3: Data governance

In part 1 of this series, we discussed external sharing and chat. In part 2, we dealt with access controls and notifications. Now, we turn our focus to Data governance, a very important conversation indeed when it comes to compliance. And when it comes to compliance,... read more

Helping IT Consultants Succeed in the Microsoft Cloud

Have a Question? Contact me today.

Contact Me