Azure services

How to replicate encrypted Azure VM to a secondary Azure Region?

In my previous post, I have explained how we can replicate Azure VM to a secondary Azure region, But what if we need to replicate an encrypted Azure VM? Azure VM encryption uses the Azure Key Vault to store encryption keys and secrets. If we are replicating encrypted Azure VM, we also need to copy encryption keys to the target region. In this demo, I am going to demonstrate how we can replicate encrypted Azure VM (Windows) to a secondary Azure Region

For the configuration process, I will be using PowerShell as well as GUI. Therefore, please make sure you have an Azure PowerShell module installed. More info about it available on this link.

As the first part of the configuration, I am going to create a new Azure VM and encrypt it using BitLocker.

Setup Azure Resource Group

The first step of the configuration is to create a new resource group.
To do that,

1. Launch PowerShell console and connect to Azure using Connect-AzAccount
2. Then create a new resource group using,

New-AzResourceGroup -Name REBELRG1 -Location “East US”

Create new Azure Resource Group

In the above, REBELRG1 is the resource group name and East US is the resource group location.

Configure Azure Key Vault

Next, we need to create a new key vault and encryption key.

1. As the first step, let’s go ahead and enable Azure Key Vault provider within the subscription by using,

Register-AzResourceProvider -ProviderNamespace “Microsoft.KeyVault”

Register Azure Key Vault Service

2. Then, let’s go ahead with Azure Vault setup,

New-AzKeyVault -Location “East US” -ResourceGroupName REBELRG1 -VaultName REBELVMKV2 -EnabledForDiskEncryption

Setup Azure Key Vault

In the above, REBELVMKV2 is the key vault name and it is created under REBELRG1 resource group. -EnabledForDiskEncryption parameter is used to prepare the key vault to use with disk encryption.

3. As the next step, we need to create an access policy so currently logged in user can create encryption keys.

Set-AzKeyVaultAccessPolicy -VaultName REBELVMKV2 -ObjectId xxxxxxxxxxxxxxxx -PermissionsToKeys create,import,delete,list -PermissionsToSecrets set,delete -PassThru

Create Access Policy under Azure Key Vault

In above -Objectid value should replace with the actual objectid value of the currently logged in global admin account. In here -PermissionsToKeys define the permissions allocated for keys and -PermissionsToSecrets defines the permissions allocated for secrets.

4. Next, we need a new encryption key to use with disk encryption.

Add-AzKeyVaultKey -VaultName REBELVMKV2 -Name “REBELVMKey” -Destination “Software”

Create new encryption key

In the above, REBELVMKey is the key name. -Destination is defined as Software as we creating the standard encryption key. If required it can be set to Hardware Security Model (HSM) but it comes with additional cost.

Create Azure VM

In this demo, I am going to create a new VM for testing. If required we also can encrypt any existing VM.

To create new VM,

$mylogin = Get-Credential

New-AzVm -ResourceGroupName REBELRG1 -Name “REBELVM01” -Location “East US” -VirtualNetworkName “REBELVNET1” -SubnetName “REBELVMSubnet1” -PublicIpAddressName “REBELVM01IP1” -OpenPorts 80,3389 -Image win2019datacenter -Size Standard_D2s_v3 -Credential $mylogin

Setup new Azure VM

In the above, REBELVM01 is the VM name. It is running windows server 2019 data center edition. I have specified it using -Image parameter. It also using Standard_D2s_v3 vm size.

Encrypt Azure VM

The next step of the configuration is to encrypt the VM. To do that we need the following values,

1. Azure Key Vault Resource ID

2. Azure Key Vault URI

3. Azure Key vault key ID

We can find the above values using,

Get-AzKeyVault -VaultName REBELVMKV2 -ResourceGroupName REBELRG1 | fl

Azure Key Vault Resource ID and Azure Key Vault URI

Get-AzKeyVaultKey -VaultName REBELVMKV2 -Name REBELVMKey

Azure Key vault key ID

You will require GET permissions to retrieve this key value. you have to update it under access policy properties. Or else you also can find this info from the output of the key creation command we used in the previous step.

Finally, we can encrypt the VM using,

Set-AzVMDiskEncryptionExtension -ResourceGroupName REBELRG1 -VMName “REBELVM01” -DiskEncryptionKeyVaultUrl (value of Azure Key Vault URI) -DiskEncryptionKeyVaultId (value of Azure Key Vault Resource ID) -KeyEncryptionKeyUrl (value of Azure Key vault key ID) -KeyEncryptionKeyVaultId (value of Azure Key Vault Resource ID)

In above, replace the parameter values according to your setup.

encrypt Azure VM

Once encryption is completed, VM will be rebooted.

After reboot, we have a VM with encrypted disks.

verify status of encrypted Azure VM

Create Azure Resource Group and Azure Virtual Network for Target

In this demo, I am going to replicate Azure VM to “Canada Central” Azure region. Before I start replication, I like to create a new resource group and virtual network for it.

1. Create a new resource group using,

New-AzResourceGroup -Name RECOVERRG1 -Location “Canada Central”

create new Azure resource group for target

In the above, RECOVERRG1 is the resource group name, and its created in “Canada Central” Azure region.

2. The next step is to create a new virtual network under RECOVERRG1 resource group.

$vmsubnet2 = New-AzVirtualNetworkSubnetConfig -Name vmsubnet2 -AddressPrefix “10.1.3.0/24”
New-AzVirtualNetwork -Name REBELVN2 -ResourceGroupName RECOVERRG1 -Location “Canada Central” -AddressPrefix “10.1.0.0/16” -Subnet $vmsubnet2

create new Azure virtual network for target

In the above, REBELVN2 is the new virtual network name. It has 10.1.0.0/16 address space. It also has a new subnet 10.1.3.0/24 (vmsubnet2) for virtual machines.

Add additional permissions to Azure Key vault user

To copy keys to the target region, the user required permission for Cryptographic Operations. To update the permissions for the user we can use,

Set-AzKeyVaultAccessPolicy -VaultName REBELVMKV2 -ObjectId xxxxxxxxxx -PermissionsToKeys get,create,import,delete,list,encrypt,decrypt -PermissionsToSecrets get,list,set,delete -PassThru

In above objectid should replace with the actual objectid value of the currently logged in global admin account.

Enable Azure VM Replication

Now we have the test VM and resource group ready. Let’s go ahead and enable the replication.
To do that,

1. Log in to Azure portal (https://portal.azure.com/) as a global administrator

2. Then go to the properties page of REBELTVM01 Virtual Machine.

3. Then click on Disaster recovery

encrypted Azure VM Disaster Recovery Settings

4. This will open the Azure Site Recovery configuration page. In the Target region option select Canada Central

Select secondary Azure region for replication

5. Then click on the Advanced settings tab.

Azure Disaster Recover Advanced Settings

6. Under VM resource group option select RECOVERRG1. This is the resource group we created for target resources. For the Virtual network option select REBELVN2, the virtual network which we created in the previous section. Under the Disk encryption key vault, we can see a new key is defined for the target with “asr” suffix. We also can see a similar entry for Key encryption key vault value. Once settings are in place click on Review + Start replication

encrypted Azure VM replication settings

7. Review the configuration settings on the next page and click on Start replication to complete the process.

start replication for encrypted Azure VM

Testing

Once replication is enabled, we can verify replication health by going into the virtual machine properties page | Disaster Recovery

verify replication status of encrypted Azure VM

We can test the failover process by doing a test failover. To do that, click on the Test Failover option

Initiate Test failover

Then select recovery point, virtual network, and then click on OK.

select recovery point and Azure virtual network for the test failover

After few minutes I can see Azure spin-up test VM.

Azure VM from test failover

Properties page of the Azure VM

With failover, VM will not have a public IP address. We need to assign public IP manually or using a runbook after the failover (unless you have a jump box in the target network).

To assign public ip to VM, search for a network interface in the portal search box.

Azure network interfaces

From the list, click on the interface belong to failover VM.

Select network interface for the failover Azure VM

Then go to IP configuration and click on the already existing IP address.

View existing Azure IP configuration

In the properties page associate new public IP to it.

Assign new Azure public IP address

Once the allocation is completed, log in to VM using new public IP.

Verifying Failover Process

As expected, the encrypted Azure VM is a failover to the secondary Azure region successfully.

I hope now you have a better understanding of how we can replicate Encrypted Azure VM to a secondary Azure region using Azure Site Recovery Service. If you have any further questions about this feel free to contact me at rebeladm@live.com also follow me on twitter @rebeladm to get updates about new blog posts.

Related posts
Azure servicesMicrosoft Entra IDMicrosoft Technologies

Step-by-Step Guide: Configure Entra ID lifecycle workflow to trigger mover task on user profile changes

The Entra ID lifecycle workflow is a feature of Microsoft Entra ID identity governance and Microsoft…
Read more
Azure servicesCyber SecurityMicrosoft Entra IDMicrosoft Technologies

Microsoft Entra Permissions Management – Part 01 – How to onboard Azure Subscription ?

Today’s rapidly changing digital landscape creates new identity and access challenges. Microsoft…
Read more
Azure servicesMicrosoft Entra IDMicrosoft Technologies

Step-by-Step Guide : How to Automate JML process with Microsoft Entra lifecycle workflows ?

JML (Joiners/Movers/Leavers) process of an organization has a major impact on its security and…
Read more
Newsletter
Become a Trendsetter

Sign up and get the best of RebelAdmin, tailored for you.

Leave a Reply

Your email address will not be published. Required fields are marked *