Azure Site Recovery support for Azure trusted launch virtual machines

Trusted launch protects against advanced and persistent attack techniques. It is composed of several coordinated infrastructure technologies that can be enabled independently. Each technology provides another layer of defense against sophisticated threats. To deploy an Azure trusted launch VM, follow these steps.

Support matrix

Find the support matrix for Azure trusted launch virtual machines with Azure Site Recovery:

• Operating system: Support for Windows OS is generally available. Linux OS is currently in Public preview. Learn more on supported Linux distributions and kernels.

• Region: Available in all Azure Site Recovery supported regions.

  Important

  Linux OS isn't supported yet for recovery services vault in UAE North region.

  Note

  For Azure Government regions, both source and target location should either be in US Gov regions or both should be in US DoD regions. Setting source location of US Gov regions and target location of US DoD regions or vice versa isn't supported.

• Private endpoints: Azure trusted virtual machines can be protected using private endpoint configured recovery services vault

• Migration: Migration of Azure Site Recovery protected existing Generation 1 Azure VMs to trusted VMs and Generation 2 Azure virtual machines to trusted VMs isn't supported. Learn more about migration of Generation 2 Azure VMs.

• Disk Network Access: Azure Site Recovery creates disks (replica and target disks) with public access enabled by default. To disable public access for these disks follow these steps.

• Boot integrity monitoring: Replication of Boot integrity monitoring state isn't supported. If you want to use it, enable it explicitly on the failed over virtual machine.

• Shared disks: Trusted virtual machines with attached shared disks are currently supported only for Windows OS.

• Scenario: Available only for Azure-to-Azure scenario.

• Create a new VM flow: Enabling Management > Site Recovery option in Create a new Virtual machine flow is currently supported for Windows OS only. Linux OS is not yet supported.

• VM creation time: Only Linux Trusted VMs created after 1-Apr-2024 are supported. Linux Trusted VMs created prior to this date are not supported.

Supported Linux distributions and kernels

Note

Support for Linux OS is currently in Public preview.

The following Linux distributions and kernels are supported for trusted launch virtual machines:

Following are the distros supported in Public preview:

• Ubuntu: 18.04, 20.04, 22.04, 24.04
• RHEL: 8.3, 8.4, 8.5, 8.6, 8.7, 8.8, 8.9, 8.10, 9.0, 9.1, 9.2, 9.3, 9.4
• SUSE 15: SP3, SP4, SP5, SP6
• Alma Linux: 8.10, 9.4
• Debian: 12

Azure Site Recovery supports the same kernels for Azure Trusted VMs as for Azure Standard VMs across the listed Linux distributions. For SUSE, however, Azure Site Recovery support only the following kernels for Azure Trusted launch VMs, provided these kernels are also supported for Azure Standard VMs by Azure Site Recovery:

• SUSE 15 SP3: 5.3.18-150300.59.179.1 and later
• SUSE 15 SP4: 5.14.21-150400.24.141.1 and later
• SUSE 15 SP5: 5.14.21-150500.55.83.1 and later
• SUSE 15 SP6: 6.4.0-150600.23.25.1 and later

Azure Site Recovery for trusted VMs

You can follow the same steps for Azure Site Recovery with trusted virtual machines as for Azure Site Recovery with standard Azure virtual machines.

• To configure Azure Site Recovery on trusted virtual machines to another region, follow these steps. To enable replication to another zone within the same region, follow these steps.
• To failover and failback trusted virtual machines, follow these steps.

Migrate Azure Site Recovery protected Azure Generation 2 VM to trusted VM

Azure Generation 2 VMs protected by Azure Site Recovery cannot be migrated to trusted launch. While the portal blocks this migration, other channels like PowerShell and CLI do not. Before proceeding, review the migration prerequisites and plan accordingly. If you still wish to migrate your Generation 2 Azure VM protected by Azure Site Recovery to Trusted Launch, follow these steps:

1. Disable Azure Site Recovery replication.
2. Uninstall Azure Site Recovery agent from the VM. To do this, follow these steps:
   1. On the Azure portal, go to the virtual machine.
   2. Select Settings > Extensions.
   3. Select Site Recovery extension.
   4. Select Uninstall.
   5. Uninstall Azure Site Recovery mobility service using these commands.
3. Trigger the migration of Generation 2 VM to trusted launch VM.

Note

After migrating the virtual machine, the existing protection is disabled, deleting the existing recovery points. The migrated virtual machine is no longer protected by Azure Site Recovery. You must re-enable Azure Site Recovery protection on the trusted virtual machine, if needed.

Next steps

To learn more about trusted virtual machines, see trusted launch for Azure virtual machines.