Convert Azure VM Security Type from Trusted Launch to Standard to Enable ASR on Existing Workloads

This document outlines the process for changing the Azure VM Security Type from Trusted Launch to Standard to enable Azure Site Recovery (ASR) on existing workloads.

Trusted Launch is a way to enable foundational compute security on Azure Generation 2 VMs. It protects your virtual machines against advanced and persistent attack techniques such as bootkits and rootkits by combining infrastructure technologies such as Secure Boot, vTPM, and Boot Integrity Monitoring.

Currently, Azure Site Recovery does not support Trusted Launch VMs, despite the Azure Portal defaulting to Trusted Launch when deploying virtual machines. This limitation has caused issues for customers who build environments with the default Trusted Launch setting, only to discover that ASR cannot be enabled. As a result, the entire environment often needs to be rebuilt.

When creating a VM, Trusted Launch is set as the default option, which prevents the use of services like ASR for disaster recovery. I would argue that Standard Launch should be the default setting, as it allows for later conversion to Trusted Launch if needed.

If you are setting up disaster recovery (DR) replication with Trusted Launch VMs, you may encounter the following error during the replication stage.

How to Change an Azure VM from Trusted Launch to Standard Launch without losing existing data

Follow the steps below to change your Azure VM from Trusted Launch to Standard Launch with minimal downtime and without losing data, thereby avoiding the need to rebuild VMs from scratch.

1. Create a snapshot of the existing VM

2. Create a managed disk from the snapshot

3. Copy/export the managed disk to a Storage Account blob container

To export the managed disk to storage, use the following Azure PowerShell script:

===========================================================
# Provide the subscription Id of the subscription where the managed disk is created
$subscriptionId = "xxxxxx-xxxx-xxxxxxxx"

# Provide the name of the resource group where the managed disk is created
$resourceGroupName = "xxxxxxxxxxxxxxx"

# Provide the managed disk name
$diskName = "xxxxxxxxxxxxxx"

# Provide the Shared Access Signature (SAS) expiry duration in seconds, e.g. 3600.
# The SAS must outlive the copy; increase this for large disks.
# Know more about SAS here: https://docs.microsoft.com/en-us/Az.Storage/storage-dotnet-shared-access-signature-part-1
$sasExpiryDuration = "3600"

# Provide the storage account name where you want to copy the underlying VHD of the managed disk.
$storageAccountName = "xxxxxxxxxxx"

# Name of the storage container where the downloaded VHD will be stored
$storageContainerName = "xxxxxxxxxxx"

# Provide the key of the storage account where you want to copy the VHD of the managed disk.
$storageAccountKey = '<storage key>'

# Provide the name of the destination VHD file to which the VHD of the managed disk will be copied.
$destinationVHDFileName = "xxxxxxxxxxxx.vhd"

# Set the value to 1 to use the AzCopy tool to download the data. This is the recommended option for faster copy.
# Download AzCopy v10 from the link here: https://docs.microsoft.com/en-us/azure/storage/common/storage-use-azcopy-v10
# Ensure that AzCopy is downloaded in the same folder as this file.
# If you set the value to 0 then Start-AzStorageBlobCopy will be used. Azure storage will asynchronously copy the data.
$useAzCopy = 0

# Set the context to the subscription Id where the managed disk is created
Select-AzSubscription -SubscriptionId $subscriptionId

# Generate the read-only SAS for the managed disk
$sas = Grant-AzDiskAccess -ResourceGroupName $resourceGroupName -DiskName $diskName -DurationInSecond $sasExpiryDuration -Access Read

# Create the context of the storage account where the underlying VHD of the managed disk will be copied
$destinationContext = New-AzStorageContext -StorageAccountName $storageAccountName -StorageAccountKey $storageAccountKey

# Copy the VHD of the managed disk to the storage account, honouring the $useAzCopy switch above
if ($useAzCopy -eq 1) {
    # AzCopy needs a write-capable SAS on the destination container
    $containerSASURI = New-AzStorageContainerSASToken -Context $destinationContext -ExpiryTime (Get-Date).AddSeconds($sasExpiryDuration) -FullUri -Name $storageContainerName -Permission rw
    azcopy copy $sas.AccessSAS $containerSASURI
} else {
    $copyjob = Start-AzStorageBlobCopy -AbsoluteUri $sas.AccessSAS -DestContainer $storageContainerName -DestContext $destinationContext -DestBlob $destinationVHDFileName

    # Check the status of the copy; -WaitForComplete blocks until Azure finishes the server-side copy
    $copyjob | Get-AzStorageBlobCopyState -WaitForComplete
}

# Revoke the disk SAS once the copy has finished so the export URL stops working before it expires
Revoke-AzDiskAccess -ResourceGroupName $resourceGroupName -DiskName $diskName
==========================================================================

4. Verify that the newly exported .VHD disk files appear in the Storage Account blob container.

5. Create a managed disk from the .VHD file in the storage blob container:

          Storage type – Storage Blob
          Storage path – Storage Account -- Blob -- .VHD file
          Security type – Standard

 


6. Take screenshots of the existing VM configuration (network, SKU, disk layout, NIC, IP address)
7. Shut down the existing original VM
8. Delete the VM, keeping the OS disk and NIC so they remain available for reference if needed
9. Create a new VM with the existing VM name from the newly created managed disk (the one created from the storage blob)

10. Make sure the newly created VM is up and log in with the existing local credentials
11. Shut down the VM
12. Swap the NICs

 Attach the old network interface card.

 Once the old NIC is attached and the existing IP address is confirmed, detach the present NIC.

 

13. Power on the VM and make sure it boots with the existing IP address and that the security type is Standard.
14. Log in with domain credentials and validate that the VM is working as expected with no data loss.
15. Clean up the resources created for this activity.

Result:

The VM is now ready for ASR to be configured for disaster recovery.
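As an added example (not part of the original post), the following Azure PowerShell snippet inventories a subscription for Trusted Launch VMs that would hit the ASR limitation described above, then performs the security-type check from step 13 on the rebuilt VM. The subscription Id, resource group and VM name are placeholders to be filled in.

```powershell
# Added example: find VMs that will fail ASR enablement because they are Trusted Launch,
# and confirm that a rebuilt VM now reports the Standard security type.
param(
    [string]$SubscriptionId    = "<subscription id>",   # placeholder
    [string]$ResourceGroupName = "<resource group>",    # placeholder
    [string]$VmName            = "<vm name>"            # placeholder
)

Select-AzSubscription -SubscriptionId $SubscriptionId | Out-Null

# Inventory: every VM whose SecurityProfile.SecurityType is TrustedLaunch.
# Standard VMs normally have no SecurityProfile at all, so guard against $null.
$trustedLaunchVms = Get-AzVM | Where-Object {
    $_.SecurityProfile -and $_.SecurityProfile.SecurityType -eq 'TrustedLaunch'
} | Select-Object Name, ResourceGroupName,
    @{ n = 'SecureBoot'; e = { $_.SecurityProfile.UefiSettings.SecureBootEnabled } },
    @{ n = 'vTPM';       e = { $_.SecurityProfile.UefiSettings.VTpmEnabled } }

Write-Output "Trusted Launch VMs (ASR replication will not enable on these):"
$trustedLaunchVms | Format-Table -AutoSize

# Post-conversion check (step 13): the rebuilt VM must not report TrustedLaunch.
$vm = Get-AzVM -ResourceGroupName $ResourceGroupName -Name $VmName
$securityType = if ($vm.SecurityProfile -and $vm.SecurityProfile.SecurityType) {
    $vm.SecurityProfile.SecurityType
} else {
    'Standard'
}

if ($securityType -eq 'TrustedLaunch') {
    Write-Error "$VmName is still Trusted Launch; ASR replication will fail."
} else {
    Write-Output "$VmName security type: $securityType - ASR can be enabled."
}
```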
