Working with Site Recovery Manager and NSX Federation

You can use VMware Site Recovery Manager™ (SRM) with NSX Federation for disaster recovery use cases.

Site Recovery Manager supports the following workflows with NSX Federation:

NSX Federation Global Manager (GM) VMs support full and test recovery of GM VMs (supported with or without NSX Federation management cluster VIP).
Compute VMs support full and test recovery of compute VMs. Recovered VMs in the disaster recovery site have their NSX tags and firewall rules based on these NSX tags or not such as IP addresses and VM names.

To ensure that groups and firewall rules replicate at the disaster recovery location during recovery, the NSX Local Manager managing the disaster recovery location must have the NSX tags present at recovery time.

How to configure VM tag replication across LMs using GM API

In NSX Federation release 4.0, to configure VM tag replication across Local Managers, run the following Global Manager API:

PUT https://{{gm}}/global-manager/api/v1/global-infra/vm-tag-replication-policies/policy1
{
    "display_name":"vm tag replication policy Paris to London",
    "description":"vm tag replication policy1",
    "protected_site": "/global-infra/sites/LM_Paris",
    "recovery_sites": [
        "/global-infra/sites/LM_London"
    ],
    "groups":[
        "/global-infra/domains/default/groups/Web-VM-Group",
        "/global-infra/domains/default/groups/DB-VM-Group"
    ],
    "vm_match_criteria": "MATCH_BIOS_UUID_NAME"

LM_Paris sends the tag information of the VMs for the BIOS UUID of the VMs in the groups Web-VM-Group + DB-VM-Group to LM_London. Before the recovery of the London VMs by Site Recovery Manager, LM_London does not have the VMs with the BIOS UUID and the VMs are not visible in LM_London yet. However, when Site Recovery Manager recovers the VMs in London, LM_London sees those VMs with the BIOS UUID and applies their NSX tags on them. The VMs get their security based on NSX tags.

Note: vm_match_criteria has two possible values MATCH_BIOS_UUID_NAME or MATCH_NSX_ATTACHMENT_ID. At the recovery, Site Recovery Manager copies both so any configuration is valid with Site Recovery Manager. However, if another product completes VM replication and copies one, but not the other value, then configure GM with the appropriate vm_match_criteria value.

How to check VM tag replication across LMs using GM API

To get details on VM tag replication across Local Managers run the following Global Manager API :

GET https://{{gm}}/global-manager/api/v1/global-infra/vm-tag-replication-policies

The output returns something similar to:

{
  "protected_site": "/global-infra/sites/LM_Paris",
  "recovery_sites": [
    "/global-infra/sites/LM_London"
  ],
  "vm_match_criteria": "MATCH_BIOS_UUID_NAME",
  "groups": [
    "/global-infra/domains/default/groups/Web-VM-Group",
    "/global-infra/domains/default/groups/DB-VM-Group"
  ],
  "resource_type": "VMTagReplicationPolicy",
  "id": "policy1",
  "display_name": "vm tag replication policy Paris to London",
  "description": "vm tag replication policy1",
  "path": "/global-infra/vm-tag-replication-policies/policy1",
  "relative_path": "policy1",
  "parent_path": "/global-infra",
  "unique_id": "9ee18586-5480-41d9-8223-690c9226d763",
  "marked_for_delete": false,
  "overridden": false,
  "_create_time": 1638413861377,
  "_create_user": "admin",
  "_last_modified_time": 1638413861377,
  "_last_modified_user": "admin",
  "_system_owned": false,
  "_protection": "NOT_PROTECTED",
  "_revision": 0
}

NSX supports only one entry from recovery sites. For details, see the vm-tag-replication-policies/policy-name API in the NSX Global Manager REST API Guide.