
Running vCloud Hybrid Service – Disaster Recovery Supporting Infrastructure

by Chris Colotti

With the new release of VMware vCloud Hybrid Service – Disaster Recovery there is one common question that people keep asking me, and that is “Where do I run the supporting infrastructure I need, like Active Directory, DNS, and other things?”

You may, or may not, have noticed that your Disaster Recovery resources are not “Always-On.” What I mean is you are getting them via a subscription that only holds replicated placeholders on storage until you fail them over. The machines are not using compute and memory until a failure or test failover occurs. In addition, the default leases on the machines are 30 days. This means you cannot stand up a real-time running machine in this offering to host something like Active Directory and/or DNS, what I refer to in presentations as ‘Infrastructure’ machines. There is a way to solve this challenge, and as with all things cloud, you need to think outside the box.

The fact is most people that do Disaster Recovery today using traditional means run these ‘Infrastructure’ machines hot and always on in the DR site. I’ve almost never seen a Domain Controller get replicated, usually because the DR site has a different IP address range. Instead it’s treated as simply another “site” in Active Directory, and certain applications and resources are just running there waiting for failed-over machines to use them. This is not always the case, but it’s what I have seen and what I set up when I was an administrator. This being said, there are a few options for solving the need for these running machines outside your vCHS-DR specific subscription.

  • Option #1 – Connect a VPN from a physical site to your vCHS-DR resources.
  • Option #2 – Cross connect to a cage in a vCHS data center where those resources may already be running.
  • Option #3 – Purchase a vCHS Virtual Private Cloud or Dedicated Cloud to run them and set up a cloud-to-cloud VPN.

VPN from a Physical Site Option

This option really only works if you have more than one physical site. The obvious reason is if you connect to the primary site you are protecting and it goes down, you are left without the infrastructure you initially needed. Instead if you have two sites and you are only protecting one, you can leverage the other for these resources. Below is this example in a diagram.

[Diagram: VPN from a second physical site to the vCHS-DR resources]

Cross Connect to a Cage

vCloud Hybrid Service has an add-on option of cross-connect, which is the ability to wire from your vCHS resources directly to a cage you own in the same data center where vCHS is hosted. I’d suspect in most cases if you have a cage, that infrastructure is already connected back to your physical data center and you’ve set up basic resources there you could leverage.

[Diagram: cross connect from vCHS resources to a customer cage in the same data center]

The downside here is that today cross-connect is not yet available in all vCHS data centers, so you’d have a limited list of choices. However, when it becomes widely available, you will have many more options and this will be a very viable solution.

Cloud to Cloud VPN with a Virtual Private Cloud or Dedicated Cloud

The last option is very good, especially if you are already considering additional Infrastructure as a Service resources with vCHS. This option is also good if you will be connecting your new standard vCHS resources back to your on-premises data center and creating basic services in the cloud to support your deployed applications. Once you have these, you are already set up to simply configure a cloud-to-cloud VPN.

This is in fact the setup I used in the tutorial video series located on the tutorials page. The benefit of this is you can run these resources in any vCHS location and connect them together as well as back to on-premises. The idea is that you need these resources for new applications anyway. This is part of your initial Hybrid Cloud data center extensibility.

Network Considerations

There are networking considerations to think about when configuring these VPN connections and things like Active Directory Sites and Services.

  1. For a VPN, the networks behind the two endpoints cannot use the same address range.
  2. You should define the networks in vCHS-DR as a new “Site” in Active Directory Sites and Services and assign the proper domain controller.
  3. Ensure that your VPN mappings also have the right vCNS Edge Gateway firewall rules for the traffic to pass.
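As an added illustration of the three considerations above (this is example code, not part of the original post or of vCHS), the following script checks a constructed topology for overlapping VPN endpoint networks, maps a failed-over host to the AD site that claims its subnet, and verifies that a first-match, default-deny rule set lets the domain-controller traffic through. All addresses and rules are hypothetical.

```python
import ipaddress
from typing import Dict, List, Optional, Tuple

# Constructed sample topology (hypothetical addresses): the protected site,
# a vCHS VPC hosting the 'Infrastructure' VMs, and the vCHS-DR networks that
# failed-over machines will land on.
SITES: Dict[str, List[str]] = {
    "OnPrem-Primary": ["10.10.0.0/16"],
    "vCHS-VPC-Infra": ["10.20.0.0/24"],
    "vCHS-DR": ["10.30.0.0/24"],
}

# Constructed Edge Gateway-style rules: (source, destination, port, action),
# evaluated first match wins, with an implicit deny at the end.
RULES: List[Tuple[str, str, int, str]] = [
    ("10.30.0.0/24", "10.20.0.0/24", 53, "allow"),   # DNS
    ("10.30.0.0/24", "10.20.0.0/24", 88, "allow"),   # Kerberos
    ("10.30.0.0/24", "10.20.0.0/24", 389, "allow"),  # LDAP
]

def find_overlaps(sites: Dict[str, List[str]]) -> List[Tuple[str, str, str, str]]:
    """Consideration #1: networks on different VPN endpoints must not overlap."""
    flat = [(s, ipaddress.ip_network(n)) for s, nets in sites.items() for n in nets]
    return [(sa, str(na), sb, str(nb))
            for i, (sa, na) in enumerate(flat)
            for sb, nb in flat[i + 1:]
            if sa != sb and na.overlaps(nb)]

def site_for_address(sites: Dict[str, List[str]], address: str) -> Optional[str]:
    """Consideration #2: the AD site whose subnet claims this host (None = unassigned)."""
    ip = ipaddress.ip_address(address)
    for site, nets in sites.items():
        if any(ip in ipaddress.ip_network(n) for n in nets):
            return site
    return None

def is_allowed(rules: List[Tuple[str, str, int, str]], src: str, dst: str, port: int) -> bool:
    """Consideration #3: first-match firewall evaluation with default deny."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for rsrc, rdst, rport, action in rules:
        if s in ipaddress.ip_network(rsrc) and d in ipaddress.ip_network(rdst) and port == rport:
            return action == "allow"
    return False

def missing_ad_rules(rules: List[Tuple[str, str, int, str]], dr_host: str, dc_host: str) -> List[int]:
    """Ports a failed-over DR machine needs to reach its DC (DNS, Kerberos, LDAP, SMB) but cannot."""
    return [p for p in (53, 88, 389, 445) if not is_allowed(rules, dr_host, dc_host, p)]
```

Run against the sample, the overlap check passes, a DR host resolves to the vCHS-DR site, and the rule audit reports that SMB (445) to the domain controller is still blocked.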

In the end, you can solve this problem in more than one way. The intent here is not to give the step-by-step configuration, since each setup will be different, but you can see in the diagrams that I have tried to show some level of detail on the networking so you can get the basic idea. Hopefully this overview has helped answer your questions and you will decide to give vCloud Hybrid Service Disaster Recovery a try.

Chris is a Principal Technical Marketing Architect with the vCloud Hybrid Services team, with over 10 years of experience working with IT hardware and software solutions. He holds a Bachelor of Science degree in Information Systems from Daniel Webster College. Prior to VMware he served a Fortune 1000 company in southern NH as a Systems Architect/Administrator, architecting VMware solutions to support new application deployments. At VMware, in the role of Consulting Architect, Chris has guided partners as well as customers in establishing a VMware practice and consulted on multiple customer projects ranging from datacenter migrations to long-term residency architecture support. Currently, Chris is working on the newest VMware vCloud Hybrid Service solutions and architectures for vSphere customers wishing to migrate to the VMware Hybrid Cloud Service. Chris is also a VMware Certified Design Expert (VCDX #37).


  1. Chris,

    In EMEA we only have a single VCHS location at the moment (UK). If I subscribe to a vPC and also the RaaS offering, the chances are that they will both be physically located in the same datacenter.

    Is this correct?

    If so, I guess there’s little value in purchasing a DR solution for your VCHS cloud as a site disaster would take both down.

    However, I can see the value in an on-prem to Cloud DR service.

    1. Stuart, when you purchase either a VPC or Disaster Recovery you choose which region you want each one in. Therefore you can make your DR site US based and the VPC UK based, or vice versa. There is no set assignment; you pick 🙂

      1. If only America wasn’t 3,500 miles away and latency wasn’t an issue I’d agree with you.

        I’m not saying it wouldn’t work but I suspect there would be some significant degradation in performance.

        Anyway, thanks for the clarification.