Enabling Replication for OnPremises Virtual Machines (VMWare) using ASR with Private Endpoints

Hi,

We are trying to replicate On-Premises VMWare VMs using Azure Site Recovery with Private Endpoints.

As per this document, https://learn.microsoft.com/en-us/azure/site-recovery/hybrid-how-to-enable-replication-private-endpoints, it has been mentioned that MySQL has to be installed on the configuration server but my question is whether this is applicable for ASR deployment modernised approach?

The next question is, whether ASR appliance has to be joined with Windows AD Domain. Because how does DNS resolution work for Private Endpoints. ?

We have setup conditional forwarders for private links in the Onprem DNS servers to .blob.core.windows.net, siterecovery.windowsazure.com, prod.migration.windowsazure.com ?

Should it be enabled for privatelink.blob.core.windows.net as well ?

Please help.

Thanks

  1. Anandha Chandrasekaran 40 Reputation points

    Hi @Bharath Y P , Thanks for the answer.

    We have setup Custom DNS server in Azure (by deploying secondary DCs in azure - Active-Active between Onprem and Azure) with Conditional Forwarders enabled for

    1. privatelink.blob.core.windows.net
    2. privatelink.siterecovery.windowsazure.com
    3. privatelink.prod.migration.windowsazure.com
    4. blob.core.windows.net
    5. siterecovery.windowsazure.com
    6. prod.migration.windowsazure.com to 168.63.129.16.

    And in on-prem DNS server (DC), we have enabled forwarders just for

    1. blob.core.windows.net
    2. siterecovery.windowsazure.com
    3. prod.migration.windowsazure.com to <the-private-ip-of-custom-dns-server-hosted-in-azure>

    Do we have to enable Custom DNS forwarders for the subdomain

    privatelink.blob.core.windows.net

    privatelink.siterecovery.windowsazure.com

    privatelink.prod.migration.windowsazure.com

    in the on prem DNS servers ?

  2. Bharath Y P 9,730 Reputation points β€’ Microsoft External Staff β€’ Moderator

    Yes, in your design, you should ideally configure the on-prem DNS servers to forward the privatelink.* zones as well. Your current setup is close, but there is an important DNS behavior detail with Azure Private Endpoints.

    When a client resolves: <mystorage>.blob.core.windows.net

    Azure DNS responds with:

    mystorage>.blob.core.windows.net
    CNAME
<mystorage>.privatelink.blob.core.windows.net

    Then the DNS client must resolve: privatelink.blob.core.windows.net to the private endpoint IP.

    Current On-Prem Forwarders

    You currently forward only:

    blob.core.windows.net

    siterecovery.windowsazure.com

    prod.migration.windowsazure.com

    to Azure DNS servers. This works partially because:

    • The initial lookup gets forwarded
    • Azure returns the CNAME chain

    But the second lookup for:  privatelink.blob.core.windows.net may not always resolve correctly unless:

    • Recursion works perfectly,
    • Split-brain DNS behavior is clean,
    • And forwarding chain remains intact.

    In many enterprise environments this becomes inconsistent.

    Microsoft Recommended Practice: On-Prem DNS Conditional Forwarders

    Forward both:

    blob.core.windows.net

    privatelink.blob.core.windows.net

    Similarly:

    siterecovery.windowsazure.com
privatelink.siterecovery.windowsazure.com
 
prod.migration.windowsazure.com
privatelink.prod.migration.windowsazure.com

    toward:

    • Azure DNS Private Resolver OR
    • Azure custom DNS servers OR
    • Azure DCs using 168.63.129.16 upstream

     So in your environment

    You should add these additional conditional forwarders on-prem:

    privatelink.blob.core.windows.net

    privatelink.siterecovery.windowsazure.com

    privatelink.prod.migration.windowsazure.com

    pointing to: <Private IP of Azure DNS/DC servers>

    Your Azure custom DNS design is actually good: Azure DC/DNS > Conditional forwarders > 168.63.129.16 This is a standard Microsoft-supported hybrid pattern.

    Hope this helps, thanks

  3. Bharath Y P 9,730 Reputation points β€’ Microsoft External Staff β€’ Moderator

    Just checking if the information shared was helpful. If so, please consider accepting the answer and giving it an upvote.

    If you have any further questions or need additional clarification, feel free to reach out. Thanks!

  4. Bharath Y P 9,730 Reputation points β€’ Microsoft External Staff β€’ Moderator

    Just checking if the information shared was helpful. If so, please consider accepting the answer and giving it an upvote.

    If you have any further questions or need additional clarification, feel free to reach out. Thanks!

Sign in to comment

2 answers

  1. Bharath Y P 9,730 Reputation points β€’ Microsoft External Staff β€’ Moderator

    Hello Anandha Chandrasekaran, You are trying to configure Azure Site Recovery (ASR) for replicating On-Premises VMware virtual machines to Azure using the modernized ASR deployment approach along with Private Endpoints.

    You have the following concerns:

    • Whether manual MySQL installation is still required for the modernized ASR appliance.
    • Whether the ASR appliance must be joined to Active Directory (AD) for Private Endpoint DNS resolution.
    • Whether your current DNS conditional forwarders are sufficient.
    • Specifically, whether forwarding for: privatelink.blob.core.windows.net

    must also be configured.

    MySQL is NOT required for the Modernized architecture.

    The MySQL installation requirement applies only to the Classic (configuration server) architecture. The note in the Microsoft docs that mentions MySQL is scoped specifically to the classic experience: "While setting up private endpoints to protect VMware and physical machines, you will need to install MySQL on the configuration server manually - this refers to the Classic configuration server setup only."

    https://learn.microsoft.com/en-us/azure/site-recovery/hybrid-how-to-enable-replication-private-endpoints

    The modernized architecture uses an Azure Site Recovery replication appliance, which is a completely different deployment model from the classic configuration server. There is no MySQL component in the modernized appliance β€” it uses Azure-managed backend services instead. The classic experience has also now been retired, so if you are doing a fresh deployment, you should be on the modernized path exclusively, and MySQL is irrelevant. https://learn.microsoft.com/en-us/azure/site-recovery/replication-appliance-support-matrix

    Domain join is NOT required.

    The modernized ASR replication appliance is deployed via an OVF template and registered to the Recovery Services vault using device code flow authentication with Microsoft Entra ID (Azure AD) credentials. It authenticates to Azure using Entra ID, not Windows AD domain credentials. There is no documented requirement to join the appliance to your on-premises AD domain.

    https://learn.microsoft.com/en-us/azure/site-recovery/deploy-vmware-azure-replication-appliance-modernized

    However, DNS resolution from the appliance is critical and this is where your AD DNS infrastructure plays an indirect but important role (see Q3 below).

    DNS Resolution for Private Endpoints- Are Your Conditional Forwarders Correct?

    This is the most important part. Let's break it down.

    How DNS for Private Endpoints Works (On-Premises to Azure)

    When the ASR appliance (on-premises) tries to reach an Azure service via a private endpoint, it needs to resolve the service FQDN to the private IP of the endpoint (not the public IP). The flow is:

    1. ASR appliance queries its configured DNS server (your on-prem AD DNS)
    2. On-prem AD DNS has a conditional forwarder for the relevant zone β†’ forwards to Azure DNS (via Azure DNS Private Resolver inbound endpoint, or via a DNS server in Azure that forwards to 168.63.129.16)
    3. Azure DNS resolves the name from the Private DNS Zone and returns the private IP

    Your Current Conditional Forwarders - What Needs to Change

    You have forwarders set for:

    • blob.core.windows.net
    • siterecovery.windowsazure.com
    • prod.migration.windowsazure.com

    These are incorrect zone names for private endpoint DNS resolution.

    For private endpoints, Azure creates privatelink.* subzones, and the DNS records live in those. The public zone names will return public IPs. You need to configure conditional forwarders for the privatelink.* versions:

    Purpose Correct Conditional Forwarder Zone
    Blob storage (cache/replication) privatelink.blob.core.windows.net
    Blob storage (cache/replication) privatelink.blob.core.windows.net
    ASR service endpoint privatelink.siterecovery.windowsazure.com
    Migration/discovery (modernized) privatelink.prod.migration.windowsazure.com

    For the modernized architecture specifically, you also need a private DNS zone (and corresponding forwarder) for privatelink.prod.migration.windowsazure.com, which is used by Site Recovery to perform discovery of the on-premises environment.

    https://learn.microsoft.com/en-us/azure/site-recovery/hybrid-how-to-enable-replication-private-endpoints

    Should Forwarders Point to privatelink.* Zones? YES.

    To directly answer your question: yes, you need forwarders for privatelink.blob.core.windows.net (and the other privatelink.* zones listed above), not the bare zones. Here is why:

    • When the ASR appliance resolves <storageaccount>.blob.core.windows.net, Azure returns a CNAME β†’ <storageaccount>.privatelink.blob.core.windows.net
    • Your on-prem DNS must then resolve that CNAME, which requires a forwarder for privatelink.blob.core.windows.net
    • Without it, the query falls through to public DNS and returns the public IP β€” which won't be reachable over your VPN/ExpressRoute

    All the public DNS zone names used by Azure services need to be configured as conditional forwarders on your on-premises domain controllers, pointing toward Azure DNS.

    What to Point the Forwarders At

    The forwarders should point to either:

    • The inbound endpoint IP of an Azure DNS Private Resolver (recommended, modern approach), or
    • The IP of a DNS server in Azure (e.g., a DC in Azure VNet) that itself forwards to 168.63.129.16

    Replicating traffic over a site-to-site VPN from an on-premises site to Azure is only supported when using private endpoints, so getting DNS right is essential without proper private IP resolution, the appliance traffic will attempt to go to public endpoints and be blocked.

    Hope this helps. If the information was useful, please consider accepting the answer and upvoting. Feel free to reach out if you need any further assistance. Thank you.

    0 comments No comments
    Sign in to comment

  2. AI answer

    For VMware/physical machines with Azure Site Recovery using private endpoints, the behavior depends on whether the classic (configuration server) or modernized architecture is used.

    1. MySQL requirement and modernized architecture
    • The referenced article describes the classic model that uses a Configuration Server/Process Server on-premises.
    • In that classic model, MySQL is required on the configuration server (as per the document referenced in the context).
    • For the modernized architecture for VMware/physical machines, the document explicitly calls out a separate private DNS zone for:
      • privatelink.prod.migration.windowsazure.com, used by Site Recovery to perform discovery of the on-premises environment.
    • The context provided does not state that MySQL is required for the modernized ASR appliance; it only mentions MySQL in the classic configuration-server scenario. No additional MySQL requirement for the modernized appliance is documented in the provided context.
    1. Domain join requirement for the ASR appliance
    • The context does not state that the ASR appliance (or configuration server) must be joined to an Active Directory domain.
    • DNS integration for private endpoints is handled via Azure Private DNS zones and virtual network links, not by requiring domain join. The key requirement is that the appliance/Process Server/Hyper-V provider can resolve the private endpoint FQDNs to the private IPs.
    1. DNS resolution for private endpoints

    a. Private DNS zones for Site Recovery

    • For on-premises machines using private endpoints, the guidance is:
      • Create a private DNS zone named:
        • privatelink.siterecovery.windowsazure.com
      • If using modernized architecture for VMware/physical machines, also create:
        • privatelink.prod.migration.windowsazure.com
      • Link these private DNS zones to the bypass VNet.
      • Ensure A records are created for each FQDN that appears on the Site Recovery private endpoint:
        • Pattern: {Vault-ID}-asr-pod01-{type}.{target-geo-code}.privatelink.siterecovery.windowsazure.com
      • For modernized VMware/physical protection, also ensure DNS records for privatelink.prod.migration.windowsazure.com as indicated.

    b. Automatic vs manual DNS integration

    • When creating the private endpoint for the vault:
      • If Integrate with private DNS zone is set to Yes, Azure automatically:
        • Creates/links the private DNS zone to the bypass VNet.
        • Adds the required A records for the private endpoint FQDNs.
    • If DNS zones are created manually:
      • Must manually add A records for each FQDN and private IP from the private endpoint.
      • After enabling replication, two additional FQDNs are added to the private endpoint; corresponding A records must also be added.
    1. On-premises DNS configuration and conditional forwarders
    • The document’s pattern for Site Recovery private endpoints is:
      • {Vault-ID}-asr-pod01-{type}.{target-geo-code}.privatelink.siterecovery.windowsazure.com
    • For modernized VMware/physical protection, an additional zone is required:
      • privatelink.prod.migration.windowsazure.com
    • The context does not mention .blob.core.windows.net or privatelink.blob.core.windows.net as required for Site Recovery private endpoints in this scenario.
    • For ASR with private endpoints, the relevant private-link DNS zones in the provided context are:
      • privatelink.siterecovery.windowsazure.com
      • privatelink.prod.migration.windowsazure.com (modernized VMware/physical)
    • Conditional forwarders on on-premises DNS should therefore be configured to forward queries for these private-link zones to the DNS that can resolve the Azure Private DNS zones (typically the DNS in the bypass VNet or a custom DNS server that can reach them).
    1. Summary for the specific questions
    • MySQL on configuration server:
      • Required in the classic configuration-server model as per the referenced article.
      • No MySQL requirement for the modernized VMware/physical ASR appliance is documented in the provided context.
    • Domain join for ASR appliance:
      • Not documented as a requirement in the provided context. DNS resolution is handled via private DNS zones and network links, not by domain membership.
    • DNS/conditional forwarders:
      • For private endpoints, ensure DNS resolution for:
        • privatelink.siterecovery.windowsazure.com
        • privatelink.prod.migration.windowsazure.com (modernized VMware/physical)
      • The context does not state a requirement to forward or configure privatelink.blob.core.windows.net for ASR private endpoints.

    References:

    AI-generated content may be incorrect. Read our transparency notes for more information.
Sign in to answer

Your answer