Restore Azure cross-region snapshot copy
Cloud Snapshot Manager enables you to create copies of Azure snapshots in remote or cross-regions so that you can quickly recover VMs in other regions.
About this task
The snapshot is created in the same region as the resource, and then copied to one or more regions as configured in the policy. The simple one-click restore is not available when restoring an Azure VM to a different region. In the Restore Snapshot page of Cloud Snapshot Manager, the parameters to configure vary depending on whether the source snapshot is encrypted or not.
To restore a snapshot to a new region, first Search snapshots for snapshots with the region criteria set to the region in which you want to restore. Then find the required snapshot and select Restore.
In the Restore Snapshot page displayed, click Advanced Recovery, select a new network, and provide security information (the Security Group field is mandatory) . Some of the fields are optional. Select the storage account if you require diagnostic reports. The availability set, if required, has to be configured before the VM is restored. Click Restore to complete the restore process.
 | NOTE: While restoring Azure VMs,
Cloud Snapshot Manager preserves the VM settings, Proximity Placement Group, Advanced VM Extensions, System Assigned Managed Identity, and Ultra Disk Compatibility on Disks if specified in the Azure portal. The settings are preserved only for Azure snapshots that are taken after the April 2021 release.
|
- Disk level encryption (Managed Disk Server Side Encryption (SSE) with Customer Managed Keys)
- Operating System (OS) level encryption (Azure Disk Encryption (ADE)).
- Let the disk remain decrypted
- Encrypt the disk by setting the disk encryption set. A disk encryption set stores key vaults and secrets. The disk encryption set must be created or available in the target region. In the Restore Snapshot page of Cloud Snapshot Manager, select this disk encryption set as shown in the following figure to encrypt the restored VM:
For more information about Azure disk level encryption (SSE), see Azure documentation.
If the source VM snapshot has been encrypted using OS level encryption (ADE), before you restore the snapshot, copy the key and the secret that is used for VM encryption in the source region to a key vault in the target region. Use any existing key vault or create a one to copy to.
At the time of VM restore, in the Restore Snapshot page of Cloud Snapshot Manager, provide the target region key vault, key(optional), and secret as shown in the following figure so that the restored VM can start successfully:
| NOTE: Include
Cloud Snapshot Manager's public IP address range, within the key vault's network firewall IP address range. Raise a ticket with
Cloud Snapshot Manager support to get this public IP address range.
|
As per ADE settings, the key is optional. If the key is provided on the source VM ADE settings, it must be provided at the time of restore too. To copy the keys and the secret to the target region, from the Azure portal, take the backup of the configured key or secret and restore it to the target region key vault. The tags of the secret version help to identify which secret version is used in the ADE encryption.
After you copy the key vault key and secrets to the target region key vault, ensure that you give get and list access permissions to the Cloud Snapshot Manager cloud account through the Access policies tab (Azure portal) of the target key vault. For more information about the permissions that are required to list key vaults, keys, and secrets, see Restore from a snapshot.
For more information about ADE, see Azure documentation.
| NOTE: There is a cost that is involved for Azure data transfers cloud service, that is, if you transfer data from one region to another region or over the internet. For more information, see
https://azure.microsoft.com/en-us/pricing/details/bandwidth/.
|