You can use Site Recovery Manager (SRM) with NSX Federation for disaster recovery use cases.

SRM supports the following workflows with NSX Federation:

  • NSX Federation Global Manager (GM) VMs: full and test recovery of GM VMs is supported (with or without the NSX Federation management cluster VIP).
  • Compute VMs: full and test recovery of compute VMs is supported. Recovered VMs in the disaster recovery site have their NSX tags and their firewall rules, whether those rules are based on these NSX tags or on other criteria such as IP addresses and VM names.

To ensure that groups and firewall rules replicate at the disaster recovery location during recovery, the NSX Local Manager managing the disaster recovery location must have the NSX tags present at recovery time.

SRM does not replicate the NSX VM tags to the Local Managers managing the disaster recovery location.

Prior to NSX Federation 3.2, NSX had no support for replication of VM tags between Local Managers. As a result, NSX did not replicate any security based on VM tags to recovered VMs. Security not based on VM tags, for instance security based on IP addresses or VM names, is applied to recovered VMs.

To configure VM tag replication across Local Managers, run the following Global Manager API:
PUT https://{{gm}}/global-manager/api/v1/global-infra/vm-tag-replication-policies/policy1
{
    "display_name":"vm tag replication policy Paris to London",
    "description":"vm tag replication policy1",
    "protected_site": "/global-infra/sites/LM_Paris",
    "recovery_sites": [
        "/global-infra/sites/LM_London"
    ],
    "groups":[
        "/global-infra/domains/default/groups/Web-VM-Group",
        "/global-infra/domains/default/groups/DB-VM-Group"
    ],
    "vm_match_criteria": "MATCH_BIOS_UUID_NAME"
}
In the previous Global Manager configuration, LM_Paris sends LM_London the tag information for the BIOS UUIDs of the VMs in the groups Web-VM-Group and DB-VM-Group. Before SRM recovers the VMs in London, LM_London does not have any VMs with those BIOS UUIDs, and the VMs are not yet visible in LM_London. However, when SRM recovers the VMs in London, LM_London sees those VMs with the BIOS UUIDs and applies their NSX tags to them. The VMs get their security based on NSX tags.
Note: vm_match_criteria has two possible values: MATCH_BIOS_UUID_NAME and MATCH_NSX_ATTACHMENT_ID. At recovery, SRM copies both, so either configuration is valid with SRM. However, if another product performs the VM replication and copies one value but not the other, configure GM with the appropriate vm_match_criteria value.
To get details on VM tag replication across Local Managers, run the following Global Manager API:
GET https://{{gm}}/global-manager/api/v1/global-infra/vm-tag-replication-policies
The output returns something similar to:
{
  "protected_site": "/global-infra/sites/LM_Paris",
  "recovery_sites": [
    "/global-infra/sites/LM_London"
  ],
  "vm_match_criteria": "MATCH_BIOS_UUID_NAME",
  "groups": [
    "/global-infra/domains/default/groups/Web-VM-Group",
    "/global-infra/domains/default/groups/DB-VM-Group"
  ],
  "resource_type": "VMTagReplicationPolicy",
  "id": "policy1",
  "display_name": "vm tag replication policy Paris to London",
  "description": "vm tag replication policy1",
  "path": "/global-infra/vm-tag-replication-policies/policy1",
  "relative_path": "policy1",
  "parent_path": "/global-infra",
  "unique_id": "9ee18586-5480-41d9-8223-690c9226d763",
  "marked_for_delete": false,
  "overridden": false,
  "_create_time": 1638413861377,
  "_create_user": "admin",
  "_last_modified_time": 1638413861377,
  "_last_modified_user": "admin",
  "_system_owned": false,
  "_protection": "NOT_PROTECTED",
  "_revision": 0
}

NSX supports only one entry in the recovery_sites list. For details, see the vm-tag-replication-policies/policy-name API in the NSX-T Data Center Global Manager REST API Guide.
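An offline pre-flight check for policy bodies shaped like the ones above, as an added example that is not VMware's code: it validates the single recovery site and the vm_match_criteria value, and lists groups used by tag-based firewall rules that no policy replicates for a given site pair. The function names and App-VM-Group are hypothetical, and the list of tag-based groups is assumed to be supplied by the operator.

```python
# Added example (not from the NSX documentation): offline checks on
# vm-tag-replication-policies bodies shaped like the ones shown on this page.
VALID_MATCH = {"MATCH_BIOS_UUID_NAME", "MATCH_NSX_ATTACHMENT_ID"}

def check_policy(policy):
    """Return a list of problems in one policy body; an empty list means OK."""
    problems = []
    if not policy.get("protected_site"):
        problems.append("protected_site is missing")
    recovery = policy.get("recovery_sites") or []
    # The page states only one recovery_sites entry is supported; treating an
    # empty list as an error too is this example's assumption.
    if len(recovery) != 1:
        problems.append(f"recovery_sites needs exactly 1 entry, found {len(recovery)}")
    if policy.get("vm_match_criteria") not in VALID_MATCH:
        problems.append(f"vm_match_criteria invalid: {policy.get('vm_match_criteria')!r}")
    if not policy.get("groups"):
        problems.append("groups is empty")
    return problems

def uncovered_groups(policies, protected_site, recovery_site, tag_groups):
    """Groups used by tag-based rules that no policy replicates for the site pair."""
    covered = set()
    for p in policies:
        if (p.get("protected_site") == protected_site
                and recovery_site in (p.get("recovery_sites") or [])):
            covered.update(p.get("groups") or [])
    return sorted(set(tag_groups) - covered)

# Constructed sample data: the policy from this page, plus a hypothetical
# App-VM-Group that a tag-based firewall rule is assumed to reference.
GROUPS = "/global-infra/domains/default/groups/"
POLICY = {
    "protected_site": "/global-infra/sites/LM_Paris",
    "recovery_sites": ["/global-infra/sites/LM_London"],
    "groups": [GROUPS + "Web-VM-Group", GROUPS + "DB-VM-Group"],
    "vm_match_criteria": "MATCH_BIOS_UUID_NAME",
}
TAG_GROUPS = [GROUPS + "Web-VM-Group", GROUPS + "DB-VM-Group", GROUPS + "App-VM-Group"]

if __name__ == "__main__":
    print(check_policy(POLICY))
    print(uncovered_groups([POLICY], POLICY["protected_site"],
                           "/global-infra/sites/LM_London", TAG_GROUPS))
```

Any group this reports is one whose tag-based rules would not follow the VMs to the recovery site until the group is added to a replication policy.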