For better control and security, it is recommended to specify the list of authenticated servers that can replicate rather than allowing replication traffic from any authenticated server. While enabling a Replica server, there are two sets of inputs which are required – Authentication and Authorization.
When allowing replication from specific servers, each entry in the list is called an “authorization entry”. An authorization entry contains:
· Server(s) that are allowed to replicate (Primary Server)
· Default location where the Replica virtual hard disk files is to be created (Storage Location)
· Tag to group a set of such allowed primary servers into a trust zone (Security Tag).
The primary server can be one of the following:
· A single server identified by the Fully Qualified Domain Name (FQDN) (e.g., R2.constoso.com)
· FQDN using wild-card (*.advertisement.contoso.com). Wild-card is supported only in the first octet, e.g., “*.advertisement.*”, but not “advertisement*”
· If the primary server is part of a cluster, you should specify the FQDN of the CAP (Client Access Point) of the Hyper-V Replica Broker of the primary side cluster. This allows you to add or remove nodes from the primary cluster without having to change the authorization entry in the Replica server.
The storage location specifies the folder where the virtual hard disk files for the Replica virtual machines will be created. If the Replica server is part of a cluster, then only a CSV or SMB file path can be provided.
If the storage location for an authorization entry is changed after a replica VM has been created, only subsequent replica VMs will be created in the new location.
A security tag needs to be specified for each authorization entry. A group of primary servers, with the same security tag can be considered to be part of a “trust zone”.
How is this useful? Hyper-V Replica allows replication to continue seamlessly when virtual machines are migrated either on the primary server/cluster or Replica server/cluster. Hence the replication traffic for a given Replica virtual machine cannot be tied only to the server that enabled replication of the virtual machine.
For the Replica server to allow replication traffic for a Replica virtual machine from a set of primary servers (the servers amongst which the primary virtual machine can move), those set of primary servers should be grouped into the same trust zone i,e the same security tag.
The security tag can be used for another scenario – in the above picture, servers in “Trust Zone 2” (say, security tag “TZ-2”) will be able to send replication traffic for Replica virtual machines that were created by any of the servers in that trust zone. A server in “Trust Zone 2” will not be able to send replication traffic for a Replica virtual machine that was created by a server in “Trust Zone 1” (say, security tag “TZ-1”). This will ensure that in case a server from trust zone 2 gets compromised, the attacker cannot use replication to tamper the Replica virtual machine belonging to “Trust Zone 1”.
Security tag is a plain text, and can be created on the fly. No meta-data needs to be created for the same.
To add a new authorization entry
New-VMReplicationAuthorizationEntry -AllowedPrimaryServer <Server to be authorized> -ReplicaStorageLocation <Location where Replica files should be created> -SecurityTag <Tag>
New-VMReplicationAuthorizationEntry -AllowedPrimaryServer *.constoso.com -ReplicaStorageLocation E:\Replica -SecurityTag Finance
To remove an existing authorization entry
Remove-VMReplicationAuthorizationEntry -AllowedPrimaryServer <authorized primary server>
Remove-VMReplicationAuthorizationEntry -AllowedPrimaryServer *.constoso.com
To add authorization entries, the “AllowAnyServer” property on the server should be set to FALSE.
Set-VMReplicationServer -AllowAnyServer $FALSE
To query the current authorization entries, use the following cmdlet: