With the new Dv3 and Ev3 VM sizes, Microsoft has released Nested Virtualization, meaning you can simply run a Hyper-V VM inside an Azure VM. I have created a set of posts to explore the Nested Virtualization functionality. Of course, nested virtualization is only supported in Windows Server 2016.

In this article, we will see how to have Hyper-V replica between two Azure VMs on Azure using Nested Virtualization.

Create Azure VM

Let's get started. First of all, we will need a Dv3 or Ev3 VM and for best Nested Virtualization performance make use of SSD Managed Disks. I created a D4s_v3 Standard (4Cores, 16GB Ram, SSD managed disks) and I attached a 1023GB SSD Data Disk for performance. 


Enable Hyper-V

Now remote desktop to the VM to add the Hyper-V role. From Server Manager, choose Add Roles and Features and add the Hyper-V role.

Since this VM has a single NIC, select that NIC to create the Virtual Switch.



Change the default Store location to the SSD Data Disk, in this case, the E: drive.



Finally, wait for the installation to complete and reboot the VM. After the VM reboots, Remote Desktop and open the Hyper-V manager. Now we have Hyper-V inside an Azure VM.


Create Nested VM on Hyper-V

You can download a Trial Windows Server 2016 from https://www.microsoft.com/en-us/evalcenter/evaluate-windows-server-2016 or use your Subscription (MSDN, EA, etc).

I created a VM called NestedVM01, with 4GB RAM, using the Trial Windows Server 2016 ISO.


After the VM is created, set up Windows Server 2016 with all defaults and log in.



The first thing to notice is that the Network Interface does not have a valid IP address, since Microsoft Azure will not provide one to a nested VM. In order to give the Nested VM network connectivity, we need to use NAT.

First, change the Virtual Switch to “Internal network”



At the Host's Network interfaces, open the vEthernet NIC and set a static IP address and subnet mask only (no gateway or DNS). This address will later serve as the default gateway for the Nested VMs.

Now we will need PowerShell, since we cannot configure NAT from the GUI.

Open the PowerShell (still at the Host Azure VM) and run

New-NetNat -Name NVMNat -InternalIPInterfaceAddressPrefix 192.168.168.0/24

The result:

After that, we can provide the Nested VMs with IPs from the 192.168.168.0/24 range. So log in to the Nested VM, assign it an IP address from that range, and set the Host's vEthernet IP as the Default Gateway.
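The whole NAT setup from this section as a script (added here as an example; it is not code from the original post). It assumes the internal switch is named NATSwitch, the host-side vEthernet address is 192.168.168.1, the nested VM gets 192.168.168.10, and the guest is configured over PowerShell Direct rather than by logging in to it; the DNS address 168.63.129.16 is Azure's platform resolver and is reachable through the NAT.

```powershell
# --- On the Azure VM (Hyper-V host) ---
$switchName = 'NATSwitch'                # assumption: name of the internal switch
$hostIp     = '192.168.168.1'            # assumption: host side of the NAT, used as guest gateway
$natPrefix  = '192.168.168.0/24'         # range from the post

# Internal switch: no uplink, so the Azure fabric never sees the nested VM's MAC
if (-not (Get-VMSwitch -Name $switchName -ErrorAction SilentlyContinue)) {
    New-VMSwitch -Name $switchName -SwitchType Internal | Out-Null
}

# Static IP and mask only on the host's vEthernet adapter (no gateway, no DNS)
$alias = "vEthernet ($switchName)"
if (-not (Get-NetIPAddress -InterfaceAlias $alias -IPAddress $hostIp -ErrorAction SilentlyContinue)) {
    New-NetIPAddress -InterfaceAlias $alias -IPAddress $hostIp -PrefixLength 24 | Out-Null
}

# The NAT object itself; only one NAT per prefix is allowed, so check first
if (-not (Get-NetNat -Name 'NVMNat' -ErrorAction SilentlyContinue)) {
    New-NetNat -Name 'NVMNat' -InternalIPInterfaceAddressPrefix $natPrefix | Out-Null
}

# Attach the nested VM to the switch
Connect-VMNetworkAdapter -VMName 'NestedVM01' -SwitchName $switchName

# --- Guest configuration via PowerShell Direct (assumption: local admin credential) ---
$cred = Get-Credential -Message 'Local administrator of NestedVM01'
Invoke-Command -VMName 'NestedVM01' -Credential $cred -ScriptBlock {
    param($ip, $gw, $dns)
    $nic = Get-NetAdapter | Where-Object Status -eq 'Up' | Select-Object -First 1
    Remove-NetIPAddress -InterfaceAlias $nic.Name -Confirm:$false -ErrorAction SilentlyContinue
    Remove-NetRoute -InterfaceAlias $nic.Name -DestinationPrefix '0.0.0.0/0' -Confirm:$false -ErrorAction SilentlyContinue
    # Address from the NAT range, host's vEthernet IP as the default gateway
    New-NetIPAddress -InterfaceAlias $nic.Name -IPAddress $ip -PrefixLength 24 -DefaultGateway $gw | Out-Null
    Set-DnsClientServerAddress -InterfaceAlias $nic.Name -ServerAddresses $dns
    # Quick reachability check through the NAT
    Test-NetConnection -ComputerName $gw -InformationLevel Quiet
} -ArgumentList '192.168.168.10', $hostIp, '168.63.129.16'
```

The last Test-NetConnection returns True when the guest can reach the host side of the NAT; run it again against an external name once the NSG allows outbound traffic.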


Create Replica Server

The next step is to create an identical pair of an Azure VM and a Nested VM to use as the replica server. The only requirement is that the two Azure VMs must have network connectivity between them, so we can also have Hyper-V Replica between two Azure VMs in different Azure Regions connected by VPN.

Next, on both Azure VMs open port 443 in both the NSG and the Windows Firewall. For tighter security, restrict the rule's Source to the Public IPs of the two VMs rather than any address. Since the VMs are not part of a domain, we need to use certificate-based authentication for Hyper-V Replica. We will use the New-SelfSignedCertificate command to create the certificates.

The certificate process

First, we need to create a root CA certificate, so log in at the first host and run

New-SelfSignedCertificate -Type "Custom" -KeyExportPolicy "Exportable" -Subject "CN=myazurerootca" -CertStoreLocation "Cert:\LocalMachine\My" -KeySpec "Signature" -KeyUsage "CertSign"



Next, using the certificate Thumbprint of the root CA certificate, create two server certificates, one for each Azure VM. To accomplish this run:

New-SelfSignedCertificate -Type "Custom" -KeyExportPolicy "Exportable" -Subject "CN=anothertestvm" -CertStoreLocation "Cert:\LocalMachine\My" -KeySpec "KeyExchange" -TextExtension @("2.5.29.37={text}1.3.6.1.5.5.7.3.1,1.3.6.1.5.5.7.3.2") -Signer "Cert:\LocalMachine\My\6A7196D9759FC2F7C49D62E08FA7195310DE5EB7" -Provider "Microsoft Enhanced RSA and AES Cryptographic Provider"

New-SelfSignedCertificate -Type "Custom" -KeyExportPolicy "Exportable" -Subject "CN=anothertestvm2" -CertStoreLocation "Cert:\LocalMachine\My" -KeySpec "KeyExchange" -TextExtension @("2.5.29.37={text}1.3.6.1.5.5.7.3.1,1.3.6.1.5.5.7.3.2") -Signer "Cert:\LocalMachine\My\6A7196D9759FC2F7C49D62E08FA7195310DE5EB7" -Provider "Microsoft Enhanced RSA and AES Cryptographic Provider"

(The -Signer path is "Cert:\LocalMachine\My\<thumbprint>"; replace the thumbprint with the one printed when your root CA certificate was created. The TextExtension sets Extended Key Usage to Server Authentication and Client Authentication, which Hyper-V Replica requires on both sides.)



The next step is to open the Certificates MMC (Local Computer) and at the Personal container, you will find the three certificates created above.


Right-click each certificate and export it, including the private key, to a folder.


 

Copy the certificates to the second Azure VM and import them. The root CA certificate needs to be imported into Trusted Root Certification Authorities and the other two into Personal (or just use automatic placement).


Finally, we need to disable the Certificate revocation check for Replication on both Azure VMs. To do this run the following command on both Azure VMs:

REG ADD "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Virtualization\Replication" /v DisableCertRevocationCheck /d 1 /t REG_DWORD /f
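The certificate steps from the root CA through the revocation-check setting, scripted end to end (an added example, not the post's own commands). It reuses the post's subject names, captures the root thumbprint in a variable instead of pasting it, writes the PFX files to E:\certs (an assumed folder), and adds a chain check so a broken trust path is caught before replication is configured. The revocation check must be disabled because a self-signed root publishes no CRL, so every chain validation would otherwise fail with a revocation-status error.

```powershell
$exportDir = 'E:\certs'                              # assumption: export folder on the SSD data disk
$hosts     = 'anothertestvm', 'anothertestvm2'       # subjects from the post; assumed to equal the computer names
New-Item -Path $exportDir -ItemType Directory -Force | Out-Null

# Root CA: signing key only, CertSign key usage, kept in the machine store
$rootCa = New-SelfSignedCertificate -Type Custom -KeyExportPolicy Exportable -Subject 'CN=myazurerootca' `
    -CertStoreLocation 'Cert:\LocalMachine\My' -KeySpec Signature -KeyUsage CertSign

# One server certificate per host, signed by the root object (no thumbprint to retype).
# EKU 1.3.6.1.5.5.7.3.1 = Server Authentication, 1.3.6.1.5.5.7.3.2 = Client Authentication.
$serverCerts = foreach ($h in $hosts) {
    New-SelfSignedCertificate -Type Custom -KeyExportPolicy Exportable -Subject "CN=$h" `
        -CertStoreLocation 'Cert:\LocalMachine\My' -KeySpec KeyExchange `
        -TextExtension @('2.5.29.37={text}1.3.6.1.5.5.7.3.1,1.3.6.1.5.5.7.3.2') `
        -Signer $rootCa -Provider 'Microsoft Enhanced RSA and AES Cryptographic Provider'
}

# Trust the root locally too; the replica handshake validates the chain on both ends
Export-Certificate -Cert $rootCa -FilePath "$exportDir\myazurerootca.cer" | Out-Null
Import-Certificate -FilePath "$exportDir\myazurerootca.cer" -CertStoreLocation 'Cert:\LocalMachine\Root' | Out-Null

# Export the server certificates with their private keys, PFX protected by a prompted password
$pfxPwd = Read-Host -AsSecureString -Prompt 'PFX password'
foreach ($c in $serverCerts) {
    $name = $c.Subject -replace '^CN=', ''
    Export-PfxCertificate -Cert $c -FilePath "$exportDir\$name.pfx" -Password $pfxPwd | Out-Null
}

# Chain check: with the root trusted this passes even though no CRL exists, because we skip revocation
foreach ($c in $serverCerts) {
    $ok = Test-Certificate -Cert $c -Policy SSL -AllowUntrustedRoot:$false -ErrorAction SilentlyContinue
    "{0}: chain {1}" -f $c.Subject, $(if ($ok) { 'OK' } else { 'FAILED' })
}

# Same effect as the REG ADD in the post: Hyper-V Replica stops trying to fetch a CRL
$regPath = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Virtualization\Replication'
New-Item -Path $regPath -Force | Out-Null
New-ItemProperty -Path $regPath -Name DisableCertRevocationCheck -PropertyType DWord -Value 1 -Force | Out-Null

# --- On the second Azure VM, after copying E:\certs across ---
# Import-Certificate    -FilePath E:\certs\myazurerootca.cer  -CertStoreLocation Cert:\LocalMachine\Root
# Import-PfxCertificate -FilePath E:\certs\anothertestvm2.pfx -CertStoreLocation Cert:\LocalMachine\My -Password $pfxPwd
# (then repeat the New-Item / New-ItemProperty lines above on that VM as well)
```

Only the public root (.cer) has to travel to the second host's Trusted Root store; the root's private key can stay on the first host, which keeps the signing key off the replica server.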



The Hyper-V Replica process

Let's start creating the Hyper-V Replica. Since Hyper-V Replica uses computer names, we need to use the hosts file to bind the Public IPs to the computer names. So, at the first Azure VM, open an elevated Notepad, browse to the path “C:\Windows\System32\drivers\etc”, and open the “hosts” file. Enter the Public IP of the second Azure VM followed by its computer name. Do the same at the second Azure VM.


After saving the host file, go to the Hyper-V Settings, go to the “Replication Configuration” and check the “Enable this computer as a Replica Server”. Then check the “Use certificate-based Authentication (HTTPS)” and select the certificate created before. Finally, check the “Allow replication from any authenticated servers” and press OK. Do this at both Azure VM Hyper-V Servers.



Next, go to the Hyper-V manager, right-click the Nested VM and choose “Enable Replica”. Enter the name of the second Azure VM and select the certificate.



I just used the defaults on all the following screens and finally pressed Finish to enable the replication.



Once the replication is enabled you will see the "Replication enabled successfully" message and the Status will change to "Sending Initial Replica".

After a very short period of time, the VM will complete the initial sync.
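The same replica configuration done with the Hyper-V PowerShell module instead of the GUI, plus a status check (an added example, not part of the original post). It assumes each host's server certificate subject equals its computer name, that the firewall rule name is the built-in "Hyper-V Replica HTTPS Listener (TCP-In)", that replicas are stored under E:\Replica, and that the peer's public IP is filled in per host; the NSG rule still has to be opened in the Azure portal or with Azure PowerShell.

```powershell
# Run on BOTH Azure VM hosts, setting $peerName / $peerIp to the other host each time
$peerName = 'anothertestvm2'                     # assumption: computer name of the other host
$peerIp   = '<PUBLIC-IP-OF-PEER>'                # placeholder: fill in from the portal
$vmName   = 'NestedVM01'

# Name resolution without a domain: append a hosts entry only if it is not already present
$hostsFile = "$env:SystemRoot\System32\drivers\etc\hosts"
if (-not (Select-String -Path $hostsFile -Pattern "\b$peerName\b" -Quiet)) {
    Add-Content -Path $hostsFile -Value "$peerIp`t$peerName"
}

# Windows Firewall: the inbound 443 rule ships with the role, disabled by default.
# Scope it to the peer's public IP so only the other replica host can reach the listener.
Enable-NetFirewallRule -DisplayName 'Hyper-V Replica HTTPS Listener (TCP-In)'
Set-NetFirewallRule -DisplayName 'Hyper-V Replica HTTPS Listener (TCP-In)' -RemoteAddress $peerIp

# Pick this host's server certificate by subject (assumption: subject == computer name)
$cert = Get-ChildItem Cert:\LocalMachine\My | Where-Object Subject -eq "CN=$env:COMPUTERNAME"
if (-not $cert) { throw "No server certificate for CN=$env:COMPUTERNAME in LocalMachine\My" }

# Equivalent of the Hyper-V Settings > Replication Configuration page in the post
Set-VMReplicationServer -ReplicationEnabled $true `
    -AllowedAuthenticationType Certificate `
    -CertificateThumbprint $cert.Thumbprint `
    -CertificateAuthenticationPort 443 `
    -ReplicationAllowedFromAnyServer $true `
    -DefaultStorageLocation 'E:\Replica'

# --- Primary host only: equivalent of right-click > Enable Replication ---
Enable-VMReplication -VMName $vmName -ReplicaServerName $peerName -ReplicaServerPort 443 `
    -AuthenticationType Certificate -CertificateThumbprint $cert.Thumbprint
Start-VMInitialReplication -VMName $vmName

# Status should move from InitialReplicationInProgress to Replicating once the initial sync finishes
Get-VMReplication -VMName $vmName |
    Select-Object VMName, Mode, State, Health, PrimaryServer, ReplicaServer, AuthenticationType
```

Run Get-VMReplicationServer on the replica side to confirm the listener is bound to the expected certificate before enabling replication from the primary.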