Eric Sloof - NTPRO.NL, June 11, 22:50
VMware Cloud Disaster Recovery - Networking Essentials for Business Continuity

VMware Cloud Disaster Recovery (DR) is designed to keep the business running by recovering workloads in a cloud environment after events such as natural disasters or cyberattacks. This article covers best practices for configuring and managing DR networking with VMware Cloud on AWS, including network topology, secure connectivity, network segmentation, testing and IP remapping, so that critical business applications can be recovered quickly when a disaster strikes.

🌐 Basic network topology: VMware Cloud DR connects the Protected Site (for example, on-premises or another cloud) to the Recovery Site through the DRaaS Connector, which replicates data to the Scale-out Cloud File System (SCFS). This connection is essential for components such as vCenter, vSphere hosts and virtual machines, and needs a sound network configuration to stay stable.

☁️ Networking setup for VMware Cloud on AWS: VMware Cloud DR uses a Software-Defined Data Center (SDDC) in AWS to manage cloud resources. Organizations can establish secure connectivity in several ways: public internet access controlled by SDDC firewall rules, VPN connections for encrypted data transfer, and AWS Direct Connect for private, high-performance connectivity. Choosing the right option means working with the network team to meet the needs of the specific environment.

🛡️ Network segmentation and security: for seamless failover, every network segment at the Protected Site needs a corresponding segment at the Recovery Site. Administrators configure the gateway firewall with NSX capabilities to secure communication. For partial failovers, a layer 2 VPN or Direct Connect is recommended for secure inter-site application connectivity, and infected networks are isolated in the Ransomware Recovery Isolated Recovery Environment (IRE).

✅ Testing and IP remapping: VMware Cloud DR allows recovery plans to be tested end to end on isolated network segments, validating the network configuration and failover procedures without affecting production applications. Where static IPs must change during failover, VMware Cloud DR provides IP remapping: administrators define IP address rules in the recovery plan to keep addressing consistent across sites.

In today’s ever-changing business landscape, disasters such as natural calamities and cyberattacks can disrupt operations without warning. VMware Cloud Disaster Recovery (DR) offers a powerful solution for ensuring business continuity by seamlessly recovering workloads in a cloud-based environment. This field guide provides insights into best practices for configuring and managing networking for disaster recovery (DR) using VMware Cloud on AWS.

Introduction to VMware Cloud DR

The VMware Cloud Disaster Recovery solution is designed to protect critical business applications from outages. This involves replicating workloads from a Protected Site to a Recovery Site hosted in VMware Cloud on AWS. The solution addresses various disaster scenarios, including complete site failures and targeted ransomware attacks. Effective network configuration is crucial to ensure that DR operations run smoothly, both during routine protection and emergency recovery.

Key Networking Considerations

1. Basic Networking Topology

The Protected Site (e.g., on-premises or another cloud) connects to the Recovery Site through VMware's DRaaS Connector, a virtual appliance deployed at the Protected Site. This connection carries the replication traffic to the Scale-out Cloud File System (SCFS), where recovery snapshots are stored. Components such as vCenter, vSphere hosts and the protected virtual machines all depend on this path, so the underlying network configuration must be reliable and permit the required traffic end to end.

2. Networking Setup for VMware Cloud on AWS

VMware Cloud DR uses a Software-Defined Data Center (SDDC) in VMware Cloud on AWS to host the cloud-based resources and the recovered workloads. Connectivity between the Protected Site and the SDDC can be established with one of the following methods:

- Public internet access, with exposure controlled by the SDDC gateway firewall rules.
- A VPN connection to the SDDC, which encrypts replication and management traffic in transit.
- AWS Direct Connect, for a private, high-bandwidth, low-latency link. Direct Connect provides a private path but not encryption on its own; pair it with a VPN if traffic must be encrypted in transit.

Each option trades cost against bandwidth, latency and exposure. Review them with your network team to determine the best fit for your environment.

3. Segmenting Networks for Disaster Recovery

Each network segment at the Protected Site requires a corresponding segment at the Recovery Site. This allows for seamless failover of virtual machines without disrupting production workloads. Additional segments can be created specifically for testing DR plans without impacting operational services.

Managing Connectivity and Security

Outbound and Inbound Access

Network administrators control traffic into and out of the SDDC with the NSX gateway firewall. Outbound rules allow VMs at the Recovery Site to reach the internet or external services they depend on; inbound access to critical workloads is provided either over a VPN or by publishing public IPs with NAT and matching firewall rules. Start from a deny-by-default posture and open only the ports the recovered applications actually need.

Inter-Site Connectivity

During partial failovers, some application tiers may be running at the Recovery Site while others still run at the Protected Site, so the two sites must be able to communicate. VMware recommends a layer 2 VPN, which stretches a segment between the sites so recovered VMs keep their IP addresses, or Direct Connect for routed private connectivity between the sites.

Ransomware Recovery Isolation

VMware Cloud DR includes a Ransomware Recovery Isolated Recovery Environment (IRE) in which potentially compromised VMs are restored. NSX Distributed Firewall rules keep the recovered VMs isolated while they are inspected and cleaned, so malware cannot spread back into production or laterally within the recovery environment; only the traffic needed for analysis tooling should be allowed.

Testing and IP Remapping

Non-Disruptive Testing

VMware Cloud DR allows for comprehensive testing of recovery plans by using isolated network segments. This ensures that network configurations and failover procedures can be validated without affecting live applications.

IP Address Mapping

Where static IPs must change during failover, because the Recovery Site segment uses a different subnet than the Protected Site, VMware Cloud DR provides IP remapping. Administrators define IP address mapping rules in the recovery plan, and the guest network settings of each VM are updated during failover so addressing stays consistent across sites.
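The two checks above, that every Protected Site segment has a Recovery Site counterpart (section 3) and that static IPs are rewritten consistently at failover, can be modelled as a small script. The following is an added example, not VMware's code: the rule format (protected CIDR mapped to recovery CIDR), the VM inventory format and the names `parse_rules`, `remap_ip`, `missing_recovery_segments` and `plan_failover` are assumptions made for this illustration. VMware Cloud DR stores its mapping rules inside the recovery plan and performs the guest customization itself; the point here is the validation a practitioner would want before trusting a plan.

```python
"""Recovery-plan network mapping checks in the style of VMware Cloud DR.

Added example, not VMware's code. The rule format (protected CIDR ->
recovery CIDR) and the VM inventory format are assumptions for this
illustration.
"""
import ipaddress
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional, Tuple


@dataclass(frozen=True)
class SegmentRule:
    """One Protected Site segment and the Recovery Site segment it maps to."""
    protected: ipaddress.IPv4Network
    recovery: ipaddress.IPv4Network


def parse_rules(pairs: Iterable[Tuple[str, str]]) -> List[SegmentRule]:
    """Validate (protected_cidr, recovery_cidr) pairs.

    Host bits are preserved on remap, so both sides of a rule must have the
    same prefix length. Overlapping protected segments would make a remap
    ambiguous and are rejected too.
    """
    rules: List[SegmentRule] = []
    for protected_cidr, recovery_cidr in pairs:
        protected = ipaddress.IPv4Network(protected_cidr, strict=True)
        recovery = ipaddress.IPv4Network(recovery_cidr, strict=True)
        if protected.prefixlen != recovery.prefixlen:
            raise ValueError(f"prefix length mismatch: {protected} -> {recovery}")
        for existing in rules:
            if existing.protected.overlaps(protected):
                raise ValueError(
                    f"overlapping protected segments: {existing.protected}, {protected}")
        rules.append(SegmentRule(protected, recovery))
    return rules


def remap_ip(ip: str, rules: List[SegmentRule]) -> Optional[str]:
    """Rewrite the network part of a static IP, keeping the host part.

    Returns None when no rule covers the address; the caller must treat that
    as a gap in the plan rather than silently keep the old address.
    """
    addr = ipaddress.IPv4Address(ip)
    for rule in rules:
        if addr in rule.protected:
            host_offset = int(addr) - int(rule.protected.network_address)
            return str(rule.recovery.network_address + host_offset)
    return None


def missing_recovery_segments(protected_segments: Iterable[str],
                              rules: List[SegmentRule]) -> List[str]:
    """Protected Site segments that have no Recovery Site counterpart."""
    covered = {rule.protected for rule in rules}
    return [seg for seg in protected_segments
            if ipaddress.IPv4Network(seg, strict=True) not in covered]


def plan_failover(vms: Dict[str, Dict[str, str]], rules: List[SegmentRule]
                  ) -> Tuple[Dict[str, Dict[str, str]], List[str]]:
    """Compute Recovery Site addressing for each VM.

    Each VM record carries a static 'ip' and 'gateway'. Returns the remapped
    records plus the names of VMs whose IP or gateway no rule covers.
    """
    remapped: Dict[str, Dict[str, str]] = {}
    unmapped: List[str] = []
    for name, cfg in vms.items():
        new_ip = remap_ip(cfg["ip"], rules)
        new_gw = remap_ip(cfg["gateway"], rules)
        if new_ip is None or new_gw is None:
            unmapped.append(name)
            continue
        remapped[name] = {"ip": new_ip, "gateway": new_gw}
    return remapped, unmapped


# Constructed sample data: two mapped segments and one VM on an unmapped one.
RULES = parse_rules([
    ("10.10.1.0/24", "10.20.1.0/24"),        # app tier
    ("192.168.50.0/23", "172.16.50.0/23"),   # database tier
])
VMS = {
    "app01": {"ip": "10.10.1.25", "gateway": "10.10.1.1"},
    "db01": {"ip": "192.168.51.7", "gateway": "192.168.50.1"},
    "legacy01": {"ip": "10.10.9.5", "gateway": "10.10.9.1"},  # no rule
}

if __name__ == "__main__":
    plan, gaps = plan_failover(VMS, RULES)
    for name, cfg in plan.items():
        print(f"{name}: {VMS[name]['ip']} -> {cfg['ip']} (gw {cfg['gateway']})")
    print("VMs without a mapping rule:", gaps)
    print("Protected segments without a recovery segment:",
          missing_recovery_segments(["10.10.1.0/24", "10.10.9.0/24"], RULES))
```

Running the script with the constructed data remaps app01 and db01 and flags legacy01, whose segment has no rule; that unmapped list is exactly what a non-disruptive test failover should surface before a real disaster does.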

Conclusion

VMware Cloud Disaster Recovery is a robust solution for safeguarding business operations in the face of unexpected disruptions. Properly configuring and testing the networking components—ranging from connectivity and firewall rules to network segmentation and isolation—is critical to the success of any DR strategy. VMware offers extensive resources to guide organizations through setup and optimization, ensuring maximum uptime and data protection.
