Azure Site Recovery Zone-to-Zone Setup
Azure Site Recovery (ASR) Zone-to-Zone Setup Guide
Overview
This guide documents the complete setup process for Azure Site Recovery zone-to-zone replication within the same region (e.g., Canada Central Zone 1 → Zone 2). It includes all prerequisites, common errors, and fixes encountered during implementation.
Prerequisites Checklist
Before enabling replication, ensure the following are configured:
1. Recovery Services Vault Configuration
Enable Managed Identity (Required for Private Endpoints)
- Go to Recovery Services vault → Settings → Identity
- Under the System assigned tab:
  - Set Status to On
  - Click Save
  - Note the Object ID; you'll need it for role assignments
Error if not configured: error 689, "Private endpoint requires managed identity" (see Table 6).
2. Cache Storage Account Configuration
ASR creates or uses a cache storage account (e.g., lale80asrm26vaasrcache) in the source region/zone.
Required IAM Role Assignments
Assign these roles to the Recovery Services Vault's Managed Identity on the cache storage account:
| Role | Purpose |
| --- | --- |
| Contributor | Manage storage account resources |
| Storage Blob Data Contributor | Read/write blob data for replication cache |

Table 1: Cache Storage Account Role Assignments
For Premium storage, use Storage Blob Data Owner instead of Storage Blob Data Contributor.
Steps to Assign Roles:
- Go to Storage account → Access Control (IAM)
- Click + Add → Add role assignment
- Select role: Contributor
- Assign access to: Managed identity
- Select members: Recovery Services vault → select your vault
- Click Review + assign
- Repeat for Storage Blob Data Contributor (or Storage Blob Data Owner for Premium storage)
Error if not configured: error 28143, "Vault doesn't have storage account permission" (see Table 6).
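The role assignments from Table 1 as an az CLI script, added here as an example and not part of the original guide. It assumes an authenticated az CLI; the cache storage account name is the guide's example, the vault and resource-group names are placeholders, and the blob role is chosen from the account SKU (Premium needs Storage Blob Data Owner). The `az backup vault identity assign` command is assumed to be available in your CLI version.

```bash
#!/usr/bin/env bash
# Added example, not from the original guide: enable the vault's system-assigned
# identity and grant it the Table 1 roles on the ASR cache storage account.
set -eu

VAULT_NAME="${VAULT_NAME:-rsv-cc-m26}"            # placeholder vault name
VAULT_RG="${VAULT_RG:-rg-cc-m26}"
CACHE_SA="${CACHE_SA:-lale80asrm26vaasrcache}"    # cache account name from the guide
CACHE_RG="${CACHE_RG:-rg-cc-m26}"
DRY_RUN="${DRY_RUN:-1}"   # 1 = print the az commands instead of running them

# Premium cache accounts need Storage Blob Data Owner; standard ones need
# Storage Blob Data Contributor (as the guide states).
blob_role_for_sku() {
  case "$1" in
    Premium_*) echo "Storage Blob Data Owner" ;;
    *)         echo "Storage Blob Data Contributor" ;;
  esac
}

# Both roles the vault identity needs on the cache account, one per line.
required_roles() {
  printf '%s\n' "Contributor" "$(blob_role_for_sku "$1")"
}

run() { if [ "$DRY_RUN" = 1 ]; then echo "DRY-RUN: $*"; else "$@"; fi; }

assign_cache_roles() {
  # Turn on the system-assigned identity (assumed az command, idempotent),
  # then read its object ID. The lookups below run even in dry-run mode.
  run az backup vault identity assign --system-assigned -n "$VAULT_NAME" -g "$VAULT_RG"
  principal_id=$(az backup vault show -n "$VAULT_NAME" -g "$VAULT_RG" \
                   --query identity.principalId -o tsv)
  sku=$(az storage account show -n "$CACHE_SA" -g "$CACHE_RG" --query sku.name -o tsv)
  scope=$(az storage account show -n "$CACHE_SA" -g "$CACHE_RG" --query id -o tsv)
  # Scope the assignment to the cache account only (least privilege).
  required_roles "$sku" | while IFS= read -r role; do
    run az role assignment create --assignee-object-id "$principal_id" \
      --assignee-principal-type ServicePrincipal --role "$role" --scope "$scope"
  done
}

# Run only when explicitly requested so the file can be sourced for its helpers.
if [ "${RUN_ASR_ROLES:-0}" = 1 ]; then assign_cache_roles; fi
```

Set `DRY_RUN=0 RUN_ASR_ROLES=1` to apply the assignments for real.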
3. Target Resource Group Planning
For zone-to-zone replication in the same region, avoid using the same resource group for source and target.
Recommended Approach:
- Source RG: rg-cc-m26 (contains production VM)
- Target RG: rg-cc-m26-dr (separate RG for DR resources)
Error if the same RG is used: error 150138, "VM already exists in target resource group" (see Table 6).
4. Private Endpoint Configuration (If Using Private Connectivity)
Required Private Endpoints:
- Recovery Services Vault private endpoint
- Automation Account private endpoint (for Mobility Service updates)
- Cache Storage Account private endpoint
Private DNS Zones Required:
| Service | Private DNS Zone Name |
| --- | --- |
| Recovery Services Vault | privatelink.siterecovery.windowsazure.com |
| Automation Account | privatelink.azure-automation.net |
| Blob Storage | privatelink.blob.core.windows.net |

Table 2: Private DNS Zones for Required Services
Important: Use exact zone names—do not add custom prefixes.
DNS Zone Configuration for Hub-Spoke Networks:
- Link Private DNS Zones to Hub VNet (where DNS resolver resides)
- Do NOT link to Spoke VNet if using centralized DNS
- Ensure Spoke VNet DNS settings point to Hub DNS resolver
Automation Account DNS Records:
Two A records are required in privatelink.azure-automation.net:
| Record name | Value |
| --- | --- |
| <guid>.agentsvc.<region> | Private endpoint IP |
| <guid>.jrds.<region> | Private endpoint IP |

Example for Canada Central:

| Record name | Value |
| --- | --- |
| 136e33e2-0a0d-4bec-bae4-57a8cdba37f5.agentsvc.cc | 10.120.10.4 |
| 136e33e2-0a0d-4bec-bae4-57a8cdba37f5.jrds.cc | 10.120.10.5 |
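The private DNS steps for the hub-spoke layout and the two Automation Account A records as an az CLI script, added here as an example and not part of the original guide. It checks a zone name against the exact names in Table 2 before touching anything, links the zone to the hub VNet only, and adds the records from the Canada Central example; it assumes an authenticated az CLI, and the DNS resource group and hub VNet ID are placeholders.

```bash
#!/usr/bin/env bash
# Added example, not from the original guide: validate private DNS zone names,
# link the Automation zone to the hub VNet, and add the two required A records.
set -eu

DNS_RG="${DNS_RG:-rg-cc-dns}"                           # placeholder RG holding the zones
HUB_VNET_ID="${HUB_VNET_ID:-<hub-vnet-resource-id>}"    # placeholder hub VNet resource ID
AUTOMATION_GUID="${AUTOMATION_GUID:-136e33e2-0a0d-4bec-bae4-57a8cdba37f5}"  # from the guide
REGION_CODE="${REGION_CODE:-cc}"
AGENTSVC_IP="${AGENTSVC_IP:-10.120.10.4}"               # from the guide
JRDS_IP="${JRDS_IP:-10.120.10.5}"                       # from the guide
DRY_RUN="${DRY_RUN:-1}"   # 1 = print the az commands instead of running them

# Exact zone name each service needs (Table 2); returns 1 for unknown services.
required_zone_for() {
  case "$1" in
    vault)      echo "privatelink.siterecovery.windowsazure.com" ;;
    automation) echo "privatelink.azure-automation.net" ;;
    blob)       echo "privatelink.blob.core.windows.net" ;;
    *)          return 1 ;;
  esac
}

# Reject prefixed or otherwise altered zone names before any az call is made.
check_zone_name() {
  for svc in vault automation blob; do
    [ "$1" = "$(required_zone_for "$svc")" ] && return 0
  done
  return 1
}

run() { if [ "$DRY_RUN" = 1 ]; then echo "DRY-RUN: $*"; else "$@"; fi; }

configure_automation_dns() {
  zone=$(required_zone_for automation)
  check_zone_name "$zone" || { echo "unexpected zone name: $zone" >&2; return 1; }
  # Link to the hub VNet only; spokes resolve through the hub DNS resolver.
  # -e false: no auto-registration on a privatelink zone.
  run az network private-dns link vnet create -g "$DNS_RG" -z "$zone" \
    -n link-hub -v "$HUB_VNET_ID" -e false
  run az network private-dns record-set a add-record -g "$DNS_RG" -z "$zone" \
    -n "$AUTOMATION_GUID.agentsvc.$REGION_CODE" -a "$AGENTSVC_IP"
  run az network private-dns record-set a add-record -g "$DNS_RG" -z "$zone" \
    -n "$AUTOMATION_GUID.jrds.$REGION_CODE" -a "$JRDS_IP"
}

# Run only when explicitly requested so the file can be sourced for its helpers.
if [ "${RUN_ASR_DNS:-0}" = 1 ]; then configure_automation_dns; fi
```

After applying, resolve one of the record names from a spoke VM to confirm the answer is the private endpoint IP rather than a public address.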
Enable Replication Settings
Replication Settings Tab
| Setting | Recommended Value | Notes |
| --- | --- | --- |
| Target location | Same region, different zone | e.g., Canada Central |
| Target subscription | Same or different | Cross-subscription supported |
| Target resource group | Separate DR resource group | Avoid naming conflicts |
| Failover virtual network | Existing VNet | Same VNet supported for zone-to-zone |
| Failover subnet | Same subnet allowed | For zone-to-zone in same region |

Table 3: Replication Settings Tab
Storage Configuration
| Setting | Recommended Value | Notes |
| --- | --- | --- |
| Replica managed disk | Premium SSD or same as source | Match source for consistency |
| Churn for the VM | Normal Churn (54 MB/s) | Use High Churn for write-intensive (100 MB/s) |
| Cache storage | Auto-created or existing | Must be in source region |

Table 4: Storage Configuration Settings
Manage Tab
| Setting | Recommended Value | Notes |
| --- | --- | --- |
| Replication policy | 24-hour-retention-policy | Increase to 72hr+ for ransomware protection |
| Replication group | Skip for different workloads | Only use for multi-VM app consistency |
| Update settings | Allow ASR to manage | Automatic Mobility Service updates |
| Automation account | Auto-created or existing | Required for agent updates |

Table 5: Manage Settings Tab
Architecture Overview

Figure 1: Zone-to-Zone Replication Architecture
Post-Configuration Validation
Verify Replication Health
- Go to Recovery Services vault → Replicated items
- Check:
  - Replication health: Healthy
  - Status: Protected
  - RPO: should be within 5–15 minutes
Test Failover (DR Drill)
- Create an isolated test VNet before testing
- Go to Replicated items → select VM → Test Failover
- Select recovery point and test VNet
- Validate test VM functionality
- Clean up the test failover when complete (required)
Quick Reference: Common Errors and Fixes
| Error ID | Error Message | Fix |
| --- | --- | --- |
| 689 | Private endpoint requires managed identity | Enable System Assigned Identity on vault |
| 28143 | Vault doesn't have storage account permission | Add Contributor + Storage Blob Data Contributor roles |
| 150138 | VM already exists in target resource group | Use separate target RG for DR |
| DNS errors | Private endpoint not reachable | Verify Private DNS Zone linked to correct VNet |

Table 6: Common ASR Errors and Fixes
Failover/Failback Quick Steps
Test Failover
- Replicated items → VM → Test Failover
- Select recovery point + test VNet
- Validate → Cleanup test failover
Production Failover
- Replicated items → VM → Failover
- Select recovery point, enable source shutdown
- After success → Commit
Reprotect (After Failover)
- Replicated items → VM → Re-protect
- Wait for synchronization to complete
Failback
- Replicated items → VM → Failover (Zone 2 → Zone 1)
- Commit → Re-protect to restore original DR setup
Additional Notes
- Cache storage location: always in source region/zone (by design)
- VM operations during sync: fully supported, no downtime
- Backup + ASR together: both can run simultaneously without conflict
- Retention policy: 24 hours is cost-effective; increase for ransomware protection
- Replication group: only needed for multi-VM application consistency
Document created: November 26, 2025
Based on implementation for: m26-test VM, Canada Central Zone 1 → Zone 2