In today’s ever-changing business landscape, disasters such as natural calamities and cyberattacks can disrupt operations without warning. VMware Cloud Disaster Recovery (DR) offers a powerful solution for ensuring business continuity by seamlessly recovering workloads in a cloud-based environment. This field guide provides insights into best practices for configuring and managing networking for disaster recovery (DR) using VMware Cloud on AWS.
Introduction to VMware Cloud DR
The VMware Cloud Disaster Recovery solution is designed to protect critical business applications from outages. This involves replicating workloads from a Protected Site to a Recovery Site hosted in VMware Cloud on AWS. The solution addresses various disaster scenarios, including complete site failures and targeted ransomware attacks. Effective network configuration is crucial to ensure that DR operations run smoothly, both during routine protection and emergency recovery.
Key Networking Considerations
1. Basic Networking Topology
The Protected Site (e.g., on-premises or another cloud) connects to the Recovery Site through VMware’s DRaaS Connector. This connection facilitates data replication to the Scale-out Cloud File System (SCFS), where recovery snapshots are stored. Components such as vCenter, vSphere hosts, and virtual machines rely on a robust network configuration to ensure connectivity.
2. Networking Setup for VMware Cloud on AWS
VMware Cloud DR leverages Software-Defined Data Centers (SDDCs) in AWS to manage cloud-based resources. Organizations can establish secure connectivity using one of the following methods:
- Public Internet Access with SDDC firewall rules (simpler but less secure)
- VPN Connection for encrypted data transfer
- AWS Direct Connect for a dedicated, high-performance connection
Review these options with your network team to determine the best fit for your environment.
3. Segmenting Networks for Disaster Recovery
Each network segment at the Protected Site requires a corresponding segment at the Recovery Site. This allows for seamless failover of virtual machines without disrupting production workloads. Additional segments can be created specifically for testing DR plans without impacting operational services.
Managing Connectivity and Security
Outbound and Inbound Access
To enable secure communication, network administrators configure gateway firewalls using NSX capabilities. Outbound access allows VMs at the Recovery Site to connect to the internet, while inbound access is managed through published VPNs or public IPs for critical workloads.
Inter-Site Connectivity
During partial failovers, applications may require communication between Protected and Recovery sites. VMware recommends using layer 2 VPNs or Direct Connect to facilitate secure inter-site application connectivity.
Ransomware Recovery Isolation
VMware Cloud DR includes features to isolate compromised networks in a Ransomware Recovery Isolated Recovery Environment (IRE). Using NSX Distributed Firewall rules, organizations can ensure that affected VMs remain isolated during recovery operations, preventing further spread of malware.
Testing and IP Remapping
Non-Disruptive Testing
VMware Cloud DR allows for comprehensive testing of recovery plans by using isolated network segments. This ensures that network configurations and failover procedures can be validated without affecting live applications.
IP Address Mapping
For scenarios where static IPs need to change during failover, VMware Cloud DR provides IP remapping capabilities. Administrators can define IP address rules in the recovery plan to ensure consistency across sites.
Conclusion
VMware Cloud Disaster Recovery is a robust solution for safeguarding business operations in the face of unexpected disruptions. Properly configuring and testing the networking components—ranging from connectivity and firewall rules to network segmentation and isolation—is critical to the success of any DR strategy. VMware offers extensive resources to guide organizations through setup and optimization, ensuring maximum uptime and data protection.
