This use case provides instructions for connecting a Site Recovery Manager instance on an Azure VMware Solution SDDC site to a VMware Site Recovery instance on a VMware Cloud on AWS SDDC. You must use a VPN connection to access VMware Site Recovery on VMware Cloud on AWS and the Site Recovery Manager instance on Azure VMware Solution.

Figure 1. Network connectivity between VMware Site Recovery on VMware Cloud on AWS and VMware Site Recovery Manager on Azure VMware Solution

Diagram showing the network connectivity between VMware Site Recovery on VMware Cloud on AWS and Site Recovery Manager on Azure VMware Solution.

Prerequisites

Verify that you have deployed Site Recovery Manager and vSphere Replication on Azure VMware Solution. See Deploy Site Recovery Manager on Azure VMware Solution.

Activate VMware Site Recovery

To use your Site Recovery Manager instance on an Azure VMware Solution SDDC with a VMware Site Recovery service, you must activate the VMware Site Recovery service on a VMware Cloud™ on AWS SDDC.

Prerequisites

  • Verify that you have deployed a Software-Defined Data Center (SDDC) on VMware Cloud™ on AWS.

Procedure

  1. Log in to the VMware Cloud on AWS Console at https://vmc.vmware.com.
  2. Click your SDDC, and then click Add-Ons.
  3. Select Site Recovery and click Activate.
  4. Read the information on the Activate Site Recovery page and click Activate.

Set the NSX-T Edge Management Gateway Firewall Rules for VMware Site Recovery

To enable VMware Site Recovery on your SDDC environment that uses VMware NSX-T®, you must create firewall rules between your VMware Cloud on AWS SDDC and the Management Gateway. After the initial firewall rules configuration, you can add, edit or delete any rules as needed.

Procedure

  1. Log in to the VMware Cloud on AWS Console at https://vmc.vmware.com.
  2. Select Networking & Security > Edge Firewall > Management Gateway.
  3. Click Add New Rule.
  4. Enter the management gateway rule parameters.
    Management gateway controls management traffic that flows in and out of the SDDC.
    Option Description
    Name Enter a descriptive name for the rule.
    Source
    Click Set Source and enter or select one of the following options:
    • Select Any to allow traffic from any source address or address range.
      Important: Although you can select Any as the source address in a firewall rule, using Any as the source address in this firewall rule can enable attacks on your SDDC and might lead to compromise of your SDDC. As a best practice, configure this firewall rule to allow access only from trusted source addresses. See VMware Knowledge Base article 84154.
    • Select System Defined Groups and select one of the following source options.
      • vCenter to allow traffic from your SDDC's vCenter Server
      • Site Recovery Manager to allow traffic from your SDDC's Site Recovery Manager.
      • vSphere Replication to allow traffic from your SDDC's vSphere Replication.
    • Select User Defined Groups to enter the name and CIDR IP range of a remote network.
    Destination
    Click Set Destination and enter or select one of the following options:
    • Select Any to allow traffic to any destination address or address range.
    • Select System Defined Groups and select one of the following destination options.
      • vCenter to allow traffic to your SDDC's vCenter Server.
      • Site Recovery Manager to allow traffic to your SDDC's Site Recovery Manager.
      • vSphere Replication to allow traffic to your SDDC's vSphere Replication.
    • Select User Defined Groups to enter the name and CIDR IP range of a remote network.
    Service

    Select one of the services to apply the rule to.

    • HTTPS (TCP 443) applies to vCenter Server and vSphere Replication as destinations.
    • VMware Site Recovery SRM applies only to Site Recovery Manager as a destination.
    • VMware Site Recovery vSphere Replication applies only to vSphere Replication as a destination.
    Action The only action available for management gateway firewall rules is Allow.
  5. Repeat the previous step to apply the following firewall rules for VMware Site Recovery.
    Name Source Destination Service Action
    Remote SRM to vCenter Server User-Defined Group that includes the remote Site Recovery Manager IP address. vCenter HTTPS (TCP 443) Allow
    Remote VR to vCenter Server User-Defined Group that includes the remote vSphere Replication IP address. vCenter HTTPS (TCP 443) Allow
    Remote network to SRM (SRM Server Management) User-Defined Group that includes the remote Site Recovery Manager and vSphere Replication IP addresses. Site Recovery Manager VMware Site Recovery SRM Allow
    Remote network to VR (VM Replication) User-Defined Group that includes the remote ESXi hosts IP addresses. vSphere Replication VMware Site Recovery vSphere Replication Allow
    Remote network to VR (VR Server Management) or User-Defined Group that includes the remote Site Recovery Manager and vSphere Replication IP addresses. vSphere Replication VMware Site Recovery vSphere Replication Allow
    Remote network to VR (UI and API) User-Defined Group that includes the remote browser IP address. vSphere Replication VMware Site Recovery vSphere Replication Allow
    SRM (HTTPS) to remote network Site Recovery Manager Any or User-Defined Group that includes the remote Platform Services Controller and vCenter Server IP addresses. HTTPS (TCP 443) Allow
    VR (HTTPS) to remote network vSphere Replication Any or User-Defined Group that includes the remote Platform Services Controller and vCenter Server IP addresses. HTTPS (TCP 443) Allow
    SRM (SRM Server Management) to remote network Site Recovery Manager Any or User-Defined Group that includes the remote Site Recovery Manager IP address. VMware Site Recovery SRM Allow
    VR (SRM Server Management) to remote network vSphere Replication Any or User-Defined Group that includes the remote Site Recovery Manager IP address. VMware Site Recovery SRM Allow
    ESXi (VM Replication) to remote network ESXi Any or User-Defined Group that includes the remote vSphere Replication IP addresses (combined vSphere Replication appliance and any add-on vSphere Replication appliances). VMware Site Recovery vSphere Replication Allow
    SRM (VR Server Management) to remote network Site Recovery Manager Any or User-Defined Group that includes the remote vSphere Replication IP address. VMware Site Recovery vSphere Replication Allow
    VR (VR Server Management) to remote network vSphere Replication Any or User-Defined Group that includes the remote vSphere Replication IP address. VMware Site Recovery vSphere Replication Allow
  6. Click Publish.

Results

After the firewall rules are created, they are shown in the Management Gateway Edge Firewall list.

Connect the Site Recovery Manager Server Instances on the Azure VMware Solution SDDC and the VMware Cloud on AWS SDDC

Before you can protect your virtual machines between an Azure VMware Solution SDDC and a VMware Cloud on AWS SDDC and the reverse, you must connect the Site Recovery Manager Server and vSphere Replication instances on the protected and the recovery sites. This procedure is known as site pairing.

Procedure

  1. In the vSphere Client, click Site Recovery > Open Site Recovery.
  2. Click the New Site Pair button.
  3. Select the first site from the list. Enter the address of the Platform Services Controller for the Site Recovery Manager Server on the VMware Cloud on AWS site, provide the user name and password, and click Next.
  4. Select the vCenter Server and the services you want to pair, and click Next.
  5. On the Ready to complete page, review the pairing settings, and click Finish.

Results

The protected and the recovery sites are connected. The pair appears under Site Pairs on the Site Recovery Home tab.