How to perform Disaster Recovery in Storage with Private Endpoints?

By: Microtek Learning


Perform DR in Storage with Private Endpoints

As deployments move from on-premises data centers into Azure and spread across regions, redundancy becomes a design question rather than an afterthought. Redundancy can be as local as placing instances in different fault domains and update domains inside one data center, or as wide as running the same service in a second region.

When the same service runs in two regions, how do you fail over from one to the other? And when a dependency such as a Private Endpoint is attached to that service, how does the dependency follow the failover?

In this blog we walk through Disaster Recovery for an Azure Storage account that is reached through Private Endpoints, and check what happens to name resolution on each side of the failover.

Setup:

Setup Details:

  1. Create a storage account in West Europe with RA-GRS (read-access geo-redundant storage) as the redundancy option. RA-GRS gives the account a read-only secondary endpoint in the paired region, North Europe, which is what the second Private Endpoint below will target.

  2. Create a Private Endpoint in West Europe. A VNET must exist before the Private Endpoint can be deployed. During creation of the Private Endpoint choose blob as the target sub-resource.

  3. Create another VNET in North Europe and deploy a second Private Endpoint into it. This time choose blob_secondary as the target sub-resource, so that the endpoint connects to the account's secondary (read-only) endpoint.

  4. A Private DNS Zone (privatelink.blob.core.windows.net) is created as part of the Private Endpoint deployment. It should contain two A records, one per Private Endpoint, each pointing to the private IP of that endpoint: one for storagedemodr and one for storagedemodr-secondary.

  5. To test the failover you need a VM in West Europe, placed in the VNET that is linked to the Private DNS Zone so that it resolves names through the zone. Deploy the VM and connect to it over RDP.
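The same five steps, scripted with the Azure CLI, as an added example that is not part of the original post. The resource group, VNET names and address ranges are assumptions; "storagedemodr" is the account name used in the post. The Azure calls run only when DEPLOY=1 is set and a logged-in az session exists; sourcing the file otherwise just defines the helper functions (which is what makes the naming helpers testable offline). It also adds the one check you want before the failover button: the account's Last Sync Time.

```shell
#!/usr/bin/env bash
# Added example (not from the original post): reproduces the setup steps
# with the Azure CLI. RG, VNET names and CIDRs are assumptions.
set -euo pipefail

RG="${RG:-rg-storage-dr}"
SA="${SA:-storagedemodr}"
ZONE="privatelink.blob.core.windows.net"

# Maps the role of a private endpoint to the Private Link sub-resource
# (group ID) it must target. The secondary endpoint of an RA-GRS account
# is only reachable through the *_secondary group ID.
subresource_for() {
  case "$1" in
    primary)   echo "blob" ;;
    secondary) echo "blob_secondary" ;;
    *) echo "unknown role: $1" >&2; return 1 ;;
  esac
}

# Public FQDN that a role resolves to; used when checking DNS later.
fqdn_for() {
  case "$1" in
    primary)   echo "${SA}.blob.core.windows.net" ;;
    secondary) echo "${SA}-secondary.blob.core.windows.net" ;;
    *) echo "unknown role: $1" >&2; return 1 ;;
  esac
}

# Creates a VNET plus one private endpoint for the given role, links the
# VNET to the shared Private DNS Zone, and registers the endpoint in the
# zone so its A record (storagedemodr / storagedemodr-secondary) is managed
# by Azure.
deploy_region() {  # args: role region vnet vnet_cidr subnet_cidr
  local role=$1 region=$2 vnet=$3 cidr=$4 subnet_cidr=$5
  local sa_id group pe="pe-${SA}-${role}"
  group=$(subresource_for "$role")
  sa_id=$(az storage account show -g "$RG" -n "$SA" --query id -o tsv)

  az network vnet create -g "$RG" -n "$vnet" -l "$region" \
    --address-prefix "$cidr" --subnet-name pe --subnet-prefixes "$subnet_cidr"
  # A private endpoint needs network policies disabled on its subnet
  # (older CLI versions: --disable-private-endpoint-network-policies true).
  az network vnet subnet update -g "$RG" --vnet-name "$vnet" -n pe \
    --private-endpoint-network-policies Disabled
  az network private-endpoint create -g "$RG" -n "$pe" -l "$region" \
    --vnet-name "$vnet" --subnet pe --private-connection-resource-id "$sa_id" \
    --group-id "$group" --connection-name "${pe}-conn"
  az network private-dns link vnet create -g "$RG" -z "$ZONE" \
    -n "link-${vnet}" -v "$vnet" -e false
  az network private-endpoint dns-zone-group create -g "$RG" \
    --endpoint-name "$pe" -n default --private-dns-zone "$ZONE" --zone-name blob
}

main() {
  az group create -n "$RG" -l westeurope
  az storage account create -g "$RG" -n "$SA" -l westeurope \
    --kind StorageV2 --sku Standard_RAGRS
  az network private-dns zone create -g "$RG" -n "$ZONE"
  deploy_region primary   westeurope  vnet-we 10.1.0.0/16 10.1.0.0/24
  deploy_region secondary northeurope vnet-ne 10.2.0.0/16 10.2.0.0/24

  # Before failing over: anything written after lastSyncTime is lost in an
  # unplanned failover, so record it and decide whether that is acceptable.
  az storage account show -g "$RG" -n "$SA" --expand geoReplicationStats \
    --query "geoReplicationStats.{status:status,lastSyncTime:lastSyncTime}" -o table
  # The failover itself (commented out on purpose); afterwards the account
  # is LRS in North Europe and the -secondary endpoint disappears:
  # az storage account failover -g "$RG" -n "$SA" --yes
}

# Azure calls run only on request; sourcing the file just defines helpers.
if [ "${DEPLOY:-0}" = "1" ]; then main; fi
```

Run it with DEPLOY=1 RG=my-rg bash deploy.sh after az login. The blob_secondary endpoint only makes sense while the account is geo-redundant, which is why the script records Last Sync Time before you trigger the failover.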

 

Below are the DNS answers before failover, first from a public resolver (dig-style output showing the full CNAME chain down to the storage stamp), then from inside the VM:

Primary: 

storagedemodr.blob.core.windows.net. 59 IN CNAME storagedemodr.privatelink.blob.core.windows.net. 

storagedemodr.privatelink.blob.core.windows.net. 59 IN CNAME blob.dub07prdstr13b.store.core.windows.net. 

blob.dub07prdstr13b.store.core.windows.net. 59 IN A 20.38.102.51 

 

Secondary: 

storagedemodr-secondary.blob.core.windows.net. 59 IN CNAME storagedemodr-secondary.privatelink.blob.core.windows.net. 

storagedemodr-secondary.privatelink.blob.core.windows.net. 59 IN CNAME blob.ams20prdstr11a.store.core.windows.net. 

blob.ams20prdstr11a.store.core.windows.net. 59 IN A 20.38.109.4 

 

In the Azure VM (Azure-provided DNS at 168.63.129.16, which answers the privatelink name from the linked Private DNS Zone):

C:\Users\AzureAdmin>nslookup storagedemodr.blob.core.windows.net 

Server:  UnKnown 

Address:  168.63.129.16 

Non-authoritative answer: 

Name:    storagedemodr.privatelink.blob.core.windows.net 

Address:  10.1.0.4 

Aliases:  storagedemodr.blob.core.windows.net 

 

To perform the failover, navigate to the Storage Account and choose Geo-redundancy under Settings, where you find the "Prepare for failover" option. Before clicking it, note the Last Sync Time shown on the same blade: an unplanned failover promotes the secondary as it was last replicated, so data written to the primary after that time is lost. After the failover completes the account is LRS in the new primary region; to get geo-redundancy back you have to set the redundancy option to GRS or RA-GRS again. Click the option to start the failover:

 


 

DNS answers after failover:

Public resolver, when you query storagedemodr.blob.core.windows.net (note that the privatelink name is now a CNAME to the ams20 stamp instead of the dub07 stamp):

storagedemodr.blob.core.windows.net. 59 IN CNAME storagedemodr.privatelink.blob.core.windows.net. 

storagedemodr.privatelink.blob.core.windows.net. 59 IN CNAME blob.ams20prdstr11a.store.core.windows.net. 

blob.ams20prdstr11a.store.core.windows.net. 42 IN A 20.38.109.4 

 

Public resolver, when you query storagedemodr-secondary.blob.core.windows.net: the answer is only the zone's SOA record, i.e. the name no longer exists, because the account is no longer geo-redundant:

blob.core.windows.net. 59 IN SOA prd1.azuredns-cloud.net. msnhst.microsoft.com. 2093536361 900 300 604800 60 

 

Inside the VM:

C:\Users\AzureAdmin\Downloads\PSTools>nslookup storagedemodr.blob.core.windows.net 

Server:  UnKnown 

Address:  168.63.129.16 

Non-authoritative answer: 

Name:    storagedemodr.privatelink.blob.core.windows.net 

Address:  10.1.0.4 

Aliases:  storagedemodr.blob.core.windows.net 

 

As you can see, inside the VM the name always resolves to 10.1.0.4, which is the private IP of the Private Endpoint in West Europe. After the failover that Private Endpoint reaches the storage account now served from North Europe: Azure updates the Private Link data path so the endpoint connects to the failed-over account, and the public CNAME chain shows the same move (storagedemodr.privatelink.blob.core.windows.net now points at the ams20 stamp instead of dub07). The failover also converts the account to LRS, so the secondary endpoint is gone: the -secondary name no longer resolves, and the blob_secondary Private Endpoint in North Europe has nothing behind it until geo-redundancy is re-enabled.

So you do not need to change anything on the DNS side of the Private Endpoint. The Private DNS Zone record keeps pointing at the endpoint's private IP, and the endpoint itself follows the active storage region.
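The three checks above (the public chain moved to another stamp, the secondary name stopped resolving, the in-VNET answer is still the private endpoint IP) can be scripted, so that a failover drill ends with a pass/fail instead of eyeballing nslookup. The following is an added example, not code from the original post: it parses dig-style answer lines and runs the checks over the post's own captured answers, plus a dig-format version of the post's in-VM nslookup result that was constructed for this example (its TTL is assumed). For a live run, pipe dig +noall +answer <name> into the same functions.

```shell
#!/usr/bin/env bash
# Added example (not from the original post): verifies DNS evidence of a
# storage failover. Sample answers below are the post's dig output; the
# VNET sample is constructed from the post's nslookup result.
set -euo pipefail

# Last A record in a dig answer section, i.e. where the CNAME chain ends.
# Prints nothing when the chain does not end in an A record (the SOA-only
# answer the -secondary name returns after failover).
final_address() {
  awk '$4 == "A" { addr = $5 } END { if (addr != "") print addr }'
}

# Storage stamp the privatelink name is CNAMEd to (e.g. dub07prdstr13b).
stamp() {
  awk '$4 == "CNAME" && $5 ~ /\.store\.core\.windows\.net\.$/ {
         split($5, p, "."); print p[2] }'
}

# True for RFC 1918 addresses: the answer came from the Private DNS Zone,
# so traffic will go through the private endpoint, not the public stamp.
is_private_ip() {
  case "$1" in
    10.*|192.168.*) return 0 ;;
    172.1[6-9].*|172.2[0-9].*|172.3[01].*) return 0 ;;
    *) return 1 ;;
  esac
}

# Returns 0 only when all three signs of a completed failover are present:
#   1. the public chain for the primary name now ends on a different stamp,
#   2. the secondary name no longer resolves to an address (account is LRS),
#   3. inside the VNET the name still resolves to the private endpoint IP.
verify_failover() {  # args: pre_public post_public post_secondary vnet_answer
  local before after sec vnet
  before=$(printf '%s\n' "$1" | stamp)
  after=$(printf '%s\n' "$2" | stamp)
  sec=$(printf '%s\n' "$3" | final_address)
  vnet=$(printf '%s\n' "$4" | final_address)
  [ -n "$before" ] && [ -n "$after" ] && [ "$before" != "$after" ] \
    || { echo "FAIL: stamp unchanged (${before:-none})" >&2; return 1; }
  [ -z "$sec" ] \
    || { echo "FAIL: secondary still resolves to $sec" >&2; return 1; }
  [ -n "$vnet" ] && is_private_ip "$vnet" \
    || { echo "FAIL: VNET answer is not a private IP (${vnet:-none})" >&2; return 1; }
  echo "OK: failover verified, $before -> $after, VNET path via $vnet"
}

# Sample input: the post's public answers before and after failover.
PRE_PRIMARY='storagedemodr.blob.core.windows.net. 59 IN CNAME storagedemodr.privatelink.blob.core.windows.net.
storagedemodr.privatelink.blob.core.windows.net. 59 IN CNAME blob.dub07prdstr13b.store.core.windows.net.
blob.dub07prdstr13b.store.core.windows.net. 59 IN A 20.38.102.51'
POST_PRIMARY='storagedemodr.blob.core.windows.net. 59 IN CNAME storagedemodr.privatelink.blob.core.windows.net.
storagedemodr.privatelink.blob.core.windows.net. 59 IN CNAME blob.ams20prdstr11a.store.core.windows.net.
blob.ams20prdstr11a.store.core.windows.net. 42 IN A 20.38.109.4'
POST_SECONDARY='blob.core.windows.net. 59 IN SOA prd1.azuredns-cloud.net. msnhst.microsoft.com. 2093536361 900 300 604800 60'
# Constructed from the post's in-VM nslookup: the Private DNS Zone overrides
# the privatelink label with the endpoint's A record (TTL assumed).
VNET_PRIMARY='storagedemodr.blob.core.windows.net. 59 IN CNAME storagedemodr.privatelink.blob.core.windows.net.
storagedemodr.privatelink.blob.core.windows.net. 10 IN A 10.1.0.4'

verify_failover "$PRE_PRIMARY" "$POST_PRIMARY" "$POST_SECONDARY" "$VNET_PRIMARY"
```

The check that matters for security is the third one: if the in-VNET answer ever comes back as a public address, the Private DNS Zone link is broken and traffic is leaving the VNET over the public endpoint, regardless of whether the failover itself succeeded.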

Hope this blog is useful!! 


If you still have any doubt, watch How to perform DR in Storage with Private Endpoints video on our YouTube channel.
