Azure Backup - jasper-zanjani/azure GitHub Wiki
A Recovery Services Vault is a resource used to centrally manage backing up and recovering Azure resources, and the centerpiece of any backup strategy.
- A Backup protection policy defines how a backup plan is implemented. These are most easily created through the Portal.
- A vault can only back up data from other resources that exist in its region.
Azure Backup can back up on-prem servers, cloud-based VMs, and virtualized workloads like SQL Server and SharePoint. However, Azure SQL databases are already backed up by default by an automatic service. AZ-103 p. 159
- On-prem machines can be backed up using several agents AZ-103 p. 162
  - MARS Agent
  - System Center Data Protection Manager (DPM) or Microsoft Azure Backup Server (MABS) can be used as backup servers. The backup server can then be backed up to a Recovery Services vault
- Azure VMs can be backed up
  - Directly using an extension on the Azure VM Agent, which comes preinstalled on Marketplace images
  - Specific files and folders on a VM can be backed up by running the MARS agent
  - To the MABS running in Azure, which can then be backed up to a Recovery Services vault
Storage accounts can be backed up, but not blob storage. Blob storage is already replicated locally, which provides fault-tolerance. Instead, you can use snapshots.
Microsoft Azure Recovery Services (MARS) agent is for Windows machines only, but can be installed on VMs on other cloud providers like AWS.
MARS can be configured to protect the entire system, volumes, or individual files and folders.
The Microsoft Azure Virtual Machine Agent (VM Agent) manages VM interaction with the Azure Fabric Controller and comes preinstalled with Windows images from the Marketplace. It can also be installed on a custom image.
VM Agent supports the VMSnapshot extension, which is added when backups are enabled. This extension takes a snapshot of the storage at the block level and sends it to the configured Recovery Services vault (RSV). For Windows VMs, this extension leverages the Volume Shadow Copy service.
When installed, the `Get-AzVM` command exposes a `ProvisionVMAgent` property with a boolean value under `OSProfile.WindowsConfiguration`.
The Microsoft Azure Linux Agent (waagent) manages VM interaction with the Azure Fabric Controller on Linux VMs. MS Docs
There appear to be resources that house items to be protected that can be enumerated.
Log Analytics workspaces must be located in the same region as the Recovery Services vault in order to store Backup reports.
Azure Backup pre-checks complete with various statuses that indicate potential problems
- Passed: VM configuration is conducive for successful backups
- Warning: Issues that might lead to backup failures
- Critical: Issues that will lead to backup failures
```powershell
New-AzRecoveryServicesVault -Name $n -ResourceGroupName $g -Location $l
```
```sh
az backup vault create --name $n --resource-group $g --location $l
```
This requires MFA to be enabled.
Enable multi-factor authentication for the Recovery services vault by going to the vault in the Portal, then Properties > Security settings: Update > Choose Yes in the dropdown. An option to generate a security PIN will appear in this same blade.
Download the executable (for Windows VMs) or PowerShell script (for Linux VMs). A Python script is generated when downloading to a Linux machine.
A Log Analytics workspace must exist.
- Turn on diagnostics in the Recovery Services vault
- Select Archive to a storage account (NOT Send to Log Analytics), providing a storage account to store information needed for report.
- Select `AzureBackupReport` under log section, which will collect all needed data models and information for the backup report.
- Connect to Azure Backup in PowerBI using a service content pack.
```powershell
# Schedule policy object with a single run time (now, in UTC)
$SchPol = Get-AzRecoveryServicesBackupSchedulePolicyObject -WorkloadType "AzureVM"
$SchPol.ScheduleRunTimes.Clear()
$Dt = Get-Date
$SchPol.ScheduleRunTimes.Add($Dt.ToUniversalTime())
# Retention policy object that keeps daily backups for 365 days
$RetPol = Get-AzRecoveryServicesBackupRetentionPolicyObject -WorkloadType "AzureVM"
$RetPol.DailySchedule.DurationCountInDays = 365
# Create the protection policy from both objects
New-AzRecoveryServicesBackupProtectionPolicy -Name "NewPolicy" -WorkloadType AzureVM -RetentionPolicy $RetPol -SchedulePolicy $SchPol
```
```powershell
# Enable protection for a VM using the default policy
$policy = Get-AzRecoveryServicesBackupProtectionPolicy -Name "DefaultPolicy"
Enable-AzRecoveryServicesBackupProtection -ResourceGroupName $g -Name $n -Policy $policy
```
```sh
az backup protection enable-for-vm -g $g -v $v --vm vm --policy-name DefaultPolicy
```
The Azure CLI command is set for GRS by default. This can be modified with the following command:
```sh
az backup vault backup-properties set -n $v -g $g --backup-storage-redundancy "LocallyRedundant"
```
```powershell
$backupcontainer = Get-AzRecoveryServicesBackupContainer `
    -ContainerType "AzureVM" `
    -FriendlyName "myVM"
$item = Get-AzRecoveryServicesBackupItem `
    -Container $backupcontainer `
    -WorkloadType "AzureVM"
Backup-AzRecoveryServicesBackupItem -Item $item
```
`--container-name`/`-c` appears to accept the name of the VM itself.
```sh
az backup protection backup-now -g myResourceGroup --vault-name myRecoveryServicesVault --container-name myVM \
    --item-name myVM \
    --retain-until 18-10-2017 \
    --backup-management-type AzureIaasVM
```
`-BackupManagementType` accepts the following values:
- `AzureVM`
- `MARS`
- `AzureWorkload`
- `AzureStorage`

`-ContainerType` accepts:
- `AzureVM`
- `Windows`
- `AzureSQL`
- `AzureStorage`
- `AzureVMAppContainer`
```powershell
$v = Get-AzRecoveryServicesVault -ResourceGroupName $rg -Name vault
Get-AzRecoveryServicesBackupContainer -ContainerType Windows -BackupManagementType MARS -VaultId $v.ID
```
This returns a list of JSON objects.
`--backup-management-type` accepts the following values:
- `AzureIaasVM`
- `AzureStorage`
- `AzureWorkload`

```sh
az backup container list -g $g -v $v --backup-management-type AzureIaasVM
```
Preserve only the "name" attribute of the first item, which itself is a semicolon-delimited string of values. (Start backup now)
```sh
az backup container list -g $g -v $v --backup-management-type AzureIaasVM --query "[0].name"
```
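As an added example (not part of the original wiki), this shell script uses the semicolon-delimited container names to audit which VMs a vault actually protects, and applies the rule that a vault only backs up resources in its own region. All sample data is constructed; the `IaasVMContainer;iaasvmcontainerv2;<resource group>;<VM name>` layout, the inventory format and the function names are assumptions.

```sh
# Constructed sample data, not real command output. Assumed name layout:
#   IaasVMContainer;iaasvmcontainerv2;<resource group>;<VM name>
CONTAINERS='IaasVMContainer;iaasvmcontainerv2;rg-prod;web01
IaasVMContainer;iaasvmcontainerv2;rg-prod;db01'
# Constructed VM inventory, one "<resource group>;<VM name>;<region>" per line.
INVENTORY='rg-prod;web01;eastus
rg-prod;db01;eastus
rg-prod;app01;eastus
rg-dr;web02;westus'

# Print "<resource group>;<VM name>" for one container name. Only the last
# two fields are used, so a different prefix does not break the parse.
container_key() {
    name=$1
    vm=${name##*;}                        # text after the last ';'
    rest=${name%;*}                       # everything before the last ';'
    [ "$rest" != "$name" ] || return 1    # no ';' at all: not a container name
    printf '%s;%s\n' "${rest##*;}" "$vm"
}

# Classify each inventory VM for a vault in region $1 whose container names
# are $2. Prints one "<resource group>;<VM name>;<status>" line per VM.
audit_coverage() {
    vault_region=$1 containers=$2 inventory=$3
    keys=$(printf '%s\n' "$containers" | while IFS= read -r c; do
        case $c in *\;*) container_key "$c" ;; esac
    done)
    printf '%s\n' "$inventory" | while IFS=';' read -r rg vm region; do
        [ -n "$vm" ] || continue
        if [ "$region" != "$vault_region" ]; then
            status="needs-vault-in-$region"   # a vault only covers its own region
        elif printf '%s\n' "$keys" | grep -qixF "$rg;$vm"; then
            status=protected
        else
            status=unprotected
        fi
        printf '%s;%s;%s\n' "$rg" "$vm" "$status"
    done
}

audit_coverage eastus "$CONTAINERS" "$INVENTORY"
```

In live use the container names could come from the `az backup container list` command above with `--query "[].name" -o tsv`.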
- AZ-103: 2.4
- AZ-104: 5.2
- Back up a VM - Azure CLI, PowerShell