Information and announcements from Program Managers, Product Managers, Developers and Testers in the Microsoft Virtualization team.
For better control and security, it is recommended to specify the list of authenticated servers that can replicate rather than allowing replication traffic from any authenticated server. While enabling a Replica server, there are two sets of inputs which are required - Authentication and Authorization.
When allowing replication from specific servers, each entry in the list is called an "authorization entry". An authorization entry contains:
· Server(s) that are allowed to replicate (Primary Server)
· Default location where the Replica virtual hard disk files is to be created (Storage Location)
· Tag to group a set of such allowed primary servers into a trust zone (Security Tag).
The primary server can be one of the following:
· A single server identified by the Fully Qualified Domain Name (FQDN) (e.g., R2.constoso.com)
· FQDN using wild-card (*.advertisement.contoso.com). Wild-card is supported only in the first octet, e.g., "*.advertisement.*", but not "advertisement*"
· If the primary server is part of a cluster, you should specify the FQDN of the CAP (Client Access Point) of the Hyper-V Replica Broker of the primary side cluster. This allows you to add or remove nodes from the primary cluster without having to change the authorization entry in the Replica server.
The storage location specifies the folder where the virtual hard disk files for the Replica virtual machines will be created. If the Replica server is part of a cluster, then only a CSV or SMB file path can be provided.
If the storage location for an authorization entry is changed after a replica VM has been created, only subsequent replica VMs will be created in the new location.
A security tag needs to be specified for each authorization entry. A group of primary servers, with the same security tag can be considered to be part of a “trust zone”.
How is this useful? Hyper-V Replica allows replication to continue seamlessly when virtual machines are migrated either on the primary server/cluster or Replica server/cluster. Hence the replication traffic for a given Replica virtual machine cannot be tied only to the server that enabled replication of the virtual machine.
For the Replica server to allow replication traffic for a Replica virtual machine from a set of primary servers (the servers amongst which the primary virtual machine can move), those set of primary servers should be grouped into the same trust zone i,e the same security tag.
The security tag can be used for another scenario - in the above picture, servers in “Trust Zone 2” (say, security tag "TZ-2") will be able to send replication traffic for Replica virtual machines that were created by any of the servers in that trust zone. A server in “Trust Zone 2” will not be able to send replication traffic for a Replica virtual machine that was created by a server in “Trust Zone 1” (say, security tag "TZ-1"). This will ensure that in case a server from trust zone 2 gets compromised, the attacker cannot use replication to tamper the Replica virtual machine belonging to “Trust Zone 1”.
Security tag is a plain text, and can be created on the fly. No meta-data needs to be created for the same.
Using Powershell
New-VMReplicationAuthorizationEntry -AllowedPrimaryServer <Server to be authorized> -ReplicaStorageLocation <Location where Replica files should be created> -SecurityTag <Tag>
Example:
New-VMReplicationAuthorizationEntry -AllowedPrimaryServer *.constoso.com -ReplicaStorageLocation E:\Replica -SecurityTag Finance
Remove-VMReplicationAuthorizationEntry -AllowedPrimaryServer <authorized primary server>
Remove-VMReplicationAuthorizationEntry -AllowedPrimaryServer *.constoso.com
Set-VMReplicationServer -AllowAnyServer $FALSE
Get-VMReplicationAuthorizationEntry
Hello,
Thanks for your excellent blogs.
I want to test Hyper-V replication over WAN link.
What type of WAN link I have to deploy ? VPN, DirectAccess or something else ?
Thanks,
Emmanuel
Hi Emmanuel,
From a product perspective, we don't have a dependency on the type of WAN link. Till a network connection exists between the primary server and the replica server, you can replicate the virtual machine.
Praveen
Hello Praveen,
Thanks for your answer.
But I don't know if Hyper-V 3.0 replication between VM's is handled as a Web-application over HTTP and/or HTTPS ?
Or do I need a real VPN-tunnel between the 2 replication partners ?
Thanks in advance,
Hi,
Hyper-V Replica is implemented on top of http/s. You don't need to enable any role other than Hyper-V to get the replica functionality.
Whatever be the network infrastructure (VPN or otherwise), till the primary server is able to reach the replica server, replication should happen. If you use cert based authentication - you get encryption as well.