Azure Backup for VMs and Files
Introduction
In today's cloud-centric world, safeguarding critical data is paramount for business continuity and operational resilience. Azure Backup is Microsoft's native, highly scalable, and cost-effective data protection solution, designed to protect your data in Azure, on-premises, and other clouds. This article will focus specifically on leveraging Azure Backup to protect Azure Virtual Machines (VMs) and Azure Files shares, two foundational services within the Azure ecosystem.
This guide is intended for cloud architects, IT administrators, and DevOps engineers responsible for designing, implementing, and managing business continuity and disaster recovery (BCDR) strategies within Microsoft Azure. We will delve into the core concepts, implementation steps, and best practices to ensure your virtual machines and file shares are resilient against data loss scenarios, whether due to accidental deletion, corruption, or cyberattacks.
Why this matters
Effective backup strategies are not merely a technical checkbox; they are a critical component of a robust business continuity and disaster recovery (BCDR) plan, directly impacting compliance, cost, risk, and productivity. Without reliable backups, data loss can lead to significant financial penalties, reputational damage, and extended periods of operational downtime.
For compliance, many industry regulations (e.g., GDPR, HIPAA, PCI DSS) mandate strict data retention and recovery objectives. Azure Backup helps achieve these by providing configurable backup policies and long-term retention options. From a cost perspective, Azure Backup offers a pay-as-you-go model, often proving more cost-effective than managing complex on-premises backup infrastructure. By minimizing recovery times and ensuring data availability, Azure Backup significantly reduces the business risk associated with data loss, ultimately boosting productivity by allowing organizations to quickly restore operations after an incident.
Key concepts
- Recovery Services Vault (RSV): The primary management entity in Azure Backup. It's a logical container that stores backup data for various Azure services and on-premises workloads. It also houses backup policies and recovery points.
- Backup Policy: Defines when backups are taken (frequency), how many are kept (retention range), and whether long-term retention is enabled.
- Recovery Point (Snapshot): A copy of your data at a specific point in time. For Azure VMs, this typically involves a snapshot of all disks attached to the VM. For Azure Files, it's a snapshot of the file share.
- Instant Restore: For Azure VMs, this capability leverages snapshots stored in the recovery services vault for quick restore operations, reducing recovery time objectives (RTOs).
- Cross-Region Restore (CRR): Allows you to restore Azure VMs to a paired Azure region, enhancing disaster recovery capabilities.
- Soft Delete: A security feature that helps protect backup data from accidental or malicious deletion by retaining deleted backups for a specified period (e.g., 14 days by default), during which they can be recovered.
- MAB Agent (Microsoft Azure Backup Agent): Used for backing up files, folders, system state, and DPM/MABS (Microsoft Azure Backup Server) on-premises. While not directly used for Azure VMs, it's critical for hybrid file and folder backups to an RSV.
Step-by-step implementation
Here's an example of implementing Azure Backup for an Azure VM and an Azure File Share using the Azure Portal and Azure CLI.
- Create a Recovery Services Vault:
  - Navigate to the Azure portal and search for "Recovery Services vaults."
  - Click "Create recovery services vault."
  - Provide a Subscription, Resource Group, Vault name, and Region.
  - Click "Review + create," then "Create."
- Configure Backup for an Azure VM:
  - Once the vault is deployed, open it. Under "Getting Started," click "Backup."
  - For "Where is your workload running?", select "Azure." For "What do you want to back up?", select "Virtual machine." Click "Backup."
  - Select an existing backup policy or create a new one. A default policy is often sufficient initially (e.g., daily backup, 30-day retention).
  - Under "Virtual Machines," choose the VMs you wish to protect from the list.
  - Click "Enable backup."
- Configure Backup for an Azure File Share:
  - In your Recovery Services vault, navigate to "Backup" again.
  - For "Where is your workload running?", select "Azure." For "What do you want to back up?", select "Azure FileShare." Click "Backup."
  - Select Storage Account: choose the storage account containing the file shares you want to protect.
  - Select File Shares: click "Click here to choose" and select the specific file shares.
  - Select a backup policy: as with VMs, choose an existing policy or create a new one. Remember that Azure File Share backups are snapshot-based and focus on point-in-time recovery.
  - Click "Enable backup."
- Initiate an On-Demand Backup (Optional):
  - For an Azure VM: in your RSV, navigate to "Backup items" > "Azure Virtual Machine." Select the VM and click "Backup now."
  - For an Azure File Share: in your RSV, navigate to "Backup items" > "Azure Storage (Azure Files)." Select the file share and click "Backup now."
- Azure CLI for VM Backup Configuration:
# Create a Recovery Services Vault (if not already done)
az backup vault create --resource-group ZunairTechRG --name ZunairTechRSV --location eastus

# Look up the vault's built-in default VM policy (named DefaultPolicy)
policy_name=$(az backup policy list --resource-group ZunairTechRG --vault-name ZunairTechRSV --backup-management-type AzureIaasVM --query "[?contains(name, 'DefaultPolicy')].name" -o tsv)

# Enable backup for a specific Azure VM using that policy.
# --resource-group is the vault's resource group, so the VM is passed by resource ID;
# that way a VM living in a different resource group is found.
# Replace 'YourVMName' and 'YourVMResourceGroup' with actual values.
vm_id=$(az vm show --resource-group YourVMResourceGroup --name YourVMName --query id -o tsv)
az backup protection enable-for-vm --resource-group ZunairTechRG --vault-name ZunairTechRSV --vm "$vm_id" --policy-name "$policy_name"

# Trigger an on-demand backup for the VM; --retain-until takes a DD-MM-YYYY date
az backup protection backup-now --resource-group ZunairTechRG --vault-name ZunairTechRSV --container-name YourVMName --item-name YourVMName --backup-management-type AzureIaasVM --retain-until 30-12-2023
Example configuration
Here's an Azure Resource Manager (ARM) template snippet for deploying a Recovery Services Vault with a basic (standard, daily) VM backup policy.
{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "vaultName": {
      "type": "string",
      "defaultValue": "ZunairTechRSV01",
      "metadata": {
        "description": "Name of the Recovery Services Vault."
      }
    },
    "location": {
      "type": "string",
      "defaultValue": "[resourceGroup().location]",
      "metadata": {
        "description": "Location for the Recovery Services Vault."
      }
    }
  },
  "resources": [
    {
      "type": "Microsoft.RecoveryServices/vaults",
      "apiVersion": "2023-01-01",
      "name": "[parameters('vaultName')]",
      "location": "[parameters('location')]",
      "sku": {
        "name": "Standard"
      },
      "properties": {
        "publicNetworkAccess": "Enabled",
        "softDeleteFeatureState": "Enabled"
      }
    },
    {
      "type": "Microsoft.RecoveryServices/vaults/backupPolicies",
      "apiVersion": "2023-01-01",
      "name": "[concat(parameters('vaultName'), '/ZunairTechVMPolicy')]",
      "location": "[parameters('location')]",
      "dependsOn": [
        "[resourceId('Microsoft.RecoveryServices/vaults', parameters('vaultName'))]"
      ],
      "properties": {
        "backupManagementType": "AzureIaasVM",
        "workLoadType": "AzureIaasVM",
        "schedulePolicy": {
          "schedulePolicyType": "SimpleSchedulePolicy",
          "scheduleRunFrequency": "Daily",
          "scheduleRunTimes": [
            "2023-01-01T02:00:00Z"
          ],
          "scheduleWeeklyFrequency": 0
        },
        "retentionPolicy": {
          "retentionPolicyType": "LongTermRetentionPolicy",
          "dailySchedule": {
            "retentionTimes": [
              "2023-01-01T02:00:00Z"
            ],
            "retentionDuration": {
              "count": 30,
              "durationType": "Days"
            }
          }
        },
        "instantRpRetentionRangeInDays": 5
      }
    }
  ]
}
Common pitfalls
- Confusing Backup Management Types: Attempting to back up Azure VMs using the MAB agent meant for on-premises servers or incorrectly configuring backup for file shares in a VM instead of the Azure File Share service.
- Inadequate Retention Policies: Setting retention policies that are too short to meet compliance requirements or too long, leading to unnecessary storage costs.
- Lack of Testing: Failing to regularly perform test restores. A backup is only as good as its ability to restore data effectively.
- Resource Group/Subscription Permissions: Insufficient permissions for the Azure Backup service to interact with VMs, storage accounts, or other resources, causing backup failures.
- Network Connectivity Issues: For hybrid scenarios or specific VM configurations, network access to Azure storage endpoints might be restricted, preventing backups or restores.
- Ignoring Soft Delete: Disabling soft delete or not understanding its implications, potentially leading to immediate and irreversible data loss if a backup is maliciously deleted.
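The retention and soft-delete pitfalls above are easy to catch before a template is deployed. The following script is an added example, not code from the original article or from Microsoft: it reads the `properties` objects of a vault resource and a VM backup policy resource in the shape the ARM template above uses, and flags a retention range that misses a compliance target or keeps daily points for too long, an instant-restore snapshot range outside the allowed window, and soft delete not being enabled. The sample vault and policy objects are constructed to match the template above; the 1-5 day (standard) and 1-30 day (enhanced) snapshot limits and the 14-day default soft-delete window are the values the article states. The `softDeleteFeatureState` key is checked where the template above sets it.

```python
"""Offline lint for an Azure Backup VM policy and its vault definition.

Added example (not from the original article). It inspects the `properties`
objects of a Microsoft.RecoveryServices/vaults resource and of a
vaults/backupPolicies resource, the shapes used in ARM templates.
"""
from dataclasses import dataclass

# Approximate day counts used to compare retention durations of different units.
DAYS_PER_UNIT = {"Days": 1, "Weeks": 7, "Months": 30, "Years": 365}

# Instant restore snapshot retention limits: 1-5 days for a standard policy,
# 1-30 days for an enhanced (policyType "V2") policy.
SNAPSHOT_LIMIT = {"standard": 5, "V2": 30}

# Sample inputs constructed to match the ARM template above (vault + daily policy).
SAMPLE_VAULT = {"publicNetworkAccess": "Enabled", "softDeleteFeatureState": "Enabled"}
SAMPLE_POLICY = {
    "backupManagementType": "AzureIaasVM",
    "schedulePolicy": {
        "schedulePolicyType": "SimpleSchedulePolicy",
        "scheduleRunFrequency": "Daily",
        "scheduleRunTimes": ["2023-01-01T02:00:00Z"],
        "scheduleWeeklyFrequency": 0,
    },
    "retentionPolicy": {
        "retentionPolicyType": "LongTermRetentionPolicy",
        "dailySchedule": {
            "retentionTimes": ["2023-01-01T02:00:00Z"],
            "retentionDuration": {"count": 30, "durationType": "Days"},
        },
    },
    "instantRpRetentionRangeInDays": 5,
}


@dataclass
class Finding:
    severity: str  # "error" should fail a CI gate, "warning" is advisory
    check: str
    message: str


def retention_days(duration: dict) -> int:
    """Convert a retentionDuration object ({count, durationType}) to days."""
    return duration["count"] * DAYS_PER_UNIT[duration["durationType"]]


def longest_retention_days(policy_props: dict) -> int:
    """Longest retention across the daily/weekly/monthly/yearly tiers (0 if none)."""
    retention = policy_props.get("retentionPolicy", {})
    tiers = ("dailySchedule", "weeklySchedule", "monthlySchedule", "yearlySchedule")
    durations = [retention[t]["retentionDuration"] for t in tiers if retention.get(t)]
    return max((retention_days(d) for d in durations), default=0)


def lint_vm_backup(policy_props: dict, vault_props: dict,
                   min_retention_days: int, max_daily_retention_days: int = 365) -> list:
    """Return a list of Finding objects; an empty list means the definition passes."""
    findings = []

    # 1. Schedule: how often recovery points are taken bounds the achievable RPO.
    freq = policy_props.get("schedulePolicy", {}).get("scheduleRunFrequency")
    if freq not in ("Hourly", "Daily", "Weekly"):
        findings.append(Finding("error", "schedule", f"unexpected scheduleRunFrequency {freq!r}"))
    elif freq == "Weekly":
        findings.append(Finding("warning", "schedule", "weekly schedule allows up to 7 days of data loss"))

    # 2. Retention: the longest retained point must cover the compliance target,
    #    while keeping *daily* points for a very long time mainly adds storage cost.
    longest = longest_retention_days(policy_props)
    if longest < min_retention_days:
        findings.append(Finding("error", "retention",
                                f"longest retention is {longest} days, requirement is {min_retention_days}"))
    daily = policy_props.get("retentionPolicy", {}).get("dailySchedule")
    if daily and retention_days(daily["retentionDuration"]) > max_daily_retention_days:
        findings.append(Finding("warning", "retention",
                                f"daily points kept beyond {max_daily_retention_days} days; "
                                "use weekly/monthly tiers for long-term retention"))

    # 3. Instant restore snapshot range must fit the limit for the policy type.
    limit = SNAPSHOT_LIMIT["V2" if policy_props.get("policyType") == "V2" else "standard"]
    snap_days = policy_props.get("instantRpRetentionRangeInDays")
    if snap_days is not None and not 1 <= snap_days <= limit:
        findings.append(Finding("error", "instant_restore",
                                f"instantRpRetentionRangeInDays={snap_days} is outside 1..{limit}"))

    # 4. Soft delete on the vault, read from the key the template above sets.
    if vault_props.get("softDeleteFeatureState") != "Enabled":
        findings.append(Finding("error", "soft_delete", "soft delete is not enabled on the vault"))
    return findings


def recoverability_window_days(policy_props: dict, vault_props: dict, soft_delete_days: int = 14) -> int:
    """Upper bound on how old a recovery point can be and still be restorable after a
    deletion: the longest policy retention plus the soft delete window when enabled."""
    extra = soft_delete_days if vault_props.get("softDeleteFeatureState") == "Enabled" else 0
    return longest_retention_days(policy_props) + extra


if __name__ == "__main__":
    for f in lint_vm_backup(SAMPLE_POLICY, SAMPLE_VAULT, min_retention_days=90):
        print(f"[{f.severity}] {f.check}: {f.message}")
    print("recoverable for up to", recoverability_window_days(SAMPLE_POLICY, SAMPLE_VAULT), "days")
```

Run against the template's 30-day policy with a 90-day requirement, the script reports a single retention error; with a 30-day requirement it reports nothing, and the recoverability bound is 30 + 14 = 44 days. The same checks can be run in a pipeline over the `properties` block of every `backupPolicies` resource before `az deployment group create` is called.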
Best practices
- Centralize with Recovery Services Vaults: Utilize a minimal number of Recovery Services vaults, ideally one per region per subscription, to simplify management and monitoring, aligned with the Management and Governance pillar of the Azure Well-Architected Framework.
- Implement Role-Based Access Control (RBAC): Apply the principle of least privilege by assigning appropriate RBAC roles (e.g., Backup Contributor, Backup Reader) to users and service principals managing backups, in line with Zero Trust principles.
- Enable Cross-Region Restore (CRR): For critical workloads, enable CRR to protect against regional outages, enhancing your disaster recovery posture as advised by the Reliability pillar of the Well-Architected Framework.
- Regularly Test Restores: Schedule periodic test restores of VMs and file shares to validate backup integrity, recovery time objectives (RTOs), and the restoration process itself. Document these tests.
- Leverage Soft Delete: Always keep soft delete enabled on Recovery Services vaults to provide an additional layer of protection against accidental or malicious backup deletion.
- Monitor Backup Jobs and Alerts: Configure Azure Monitor alerts for failed backup jobs, missing protection, and other critical backup-related events to ensure timely intervention.
- Automate Backup Configuration: Use Azure Policy, ARM templates, Bicep, or PowerShell/Azure CLI scripts to enforce backup policies and ensure consistent protection across your environment, promoting Infrastructure as Code principles.
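The monitoring and automation practices above come down to a few conditions evaluated over backup job and backup item records. The script below is an added example, not code from the original article or from Microsoft: it takes the JSON that `az backup job list -o json` and `az backup item list -o json` return and produces the alert list an Azure Monitor rule would raise, covering failed backup jobs in the last day, items whose last backup is older than one schedule interval plus a grace period ("missing protection"), and items that have left the Protected state. The records are constructed samples containing only the `properties` fields the script reads (`operation`, `status`, `entityFriendlyName`, `endTime`, `errorDetails`, `friendlyName`, `protectionState`, `lastBackupTime`); that the real CLI output uses these field names is an assumption, as is the fixed `SAMPLE_NOW` clock used instead of the wall clock.

```python
"""Added example (not from the original article): derive backup alerts from the
JSON output of `az backup job list` and `az backup item list`.
"""
import json
import re
from datetime import datetime, timedelta, timezone

# Constructed sample records; only the `properties` fields read below are present.
SAMPLE_JOBS_JSON = """[
  {"name": "job-a", "properties": {"operation": "Backup", "status": "Completed",
   "entityFriendlyName": "web01", "endTime": "2024-05-12T02:31:00Z"}},
  {"name": "job-b", "properties": {"operation": "Backup", "status": "Failed",
   "entityFriendlyName": "db01", "endTime": "2024-05-12T02:40:00Z",
   "errorDetails": [{"errorString": "constructed: VM guest agent not responding"}]}},
  {"name": "job-c", "properties": {"operation": "Restore", "status": "Failed",
   "entityFriendlyName": "web01", "endTime": "2024-05-12T07:00:00Z"}},
  {"name": "job-d", "properties": {"operation": "Backup", "status": "Failed",
   "entityFriendlyName": "app02", "endTime": "2024-05-08T02:40:00Z"}}
]"""
SAMPLE_ITEMS_JSON = """[
  {"name": "item-1", "properties": {"friendlyName": "web01", "protectionState": "Protected",
   "lastBackupStatus": "Completed", "lastBackupTime": "2024-05-12T02:31:00Z"}},
  {"name": "item-2", "properties": {"friendlyName": "db01", "protectionState": "Protected",
   "lastBackupStatus": "Failed", "lastBackupTime": "2024-05-10T02:35:00Z"}},
  {"name": "item-3", "properties": {"friendlyName": "share01", "protectionState": "ProtectionStopped",
   "lastBackupStatus": "Completed", "lastBackupTime": "2024-05-12T02:30:00Z"}}
]"""
# Fixed "current time" (constructed) so the example is deterministic.
SAMPLE_NOW = datetime(2024, 5, 12, 9, 0, tzinfo=timezone.utc)


def parse_utc(ts: str) -> datetime:
    """Parse an ISO-8601 UTC timestamp; fractional seconds (the CLI may print seven
    digits, more than fromisoformat accepts on older Pythons) are dropped."""
    ts = re.sub(r"\.\d+", "", ts)
    return datetime.fromisoformat(ts.replace("Z", "+00:00"))


def failed_backup_jobs(jobs: list, now: datetime, lookback_hours: int = 24) -> list:
    """Backup jobs (restores are reported elsewhere) that ended in Failed state
    within the lookback window."""
    since = now - timedelta(hours=lookback_hours)
    alerts = []
    for job in jobs:
        p = job["properties"]
        if p.get("operation") != "Backup" or p.get("status") != "Failed":
            continue
        if parse_utc(p["endTime"]) < since:
            continue
        detail = "; ".join(e.get("errorString", "") for e in p.get("errorDetails", []))
        alerts.append({"item": p["entityFriendlyName"], "reason": "backup job failed", "detail": detail})
    return alerts


def unhealthy_items(items: list, now: datetime,
                    expected_interval_hours: int = 24, grace_hours: int = 6) -> list:
    """Items that are no longer protected, or whose last backup is older than one
    schedule interval plus a grace period (a silently missed backup)."""
    stale_after = timedelta(hours=expected_interval_hours + grace_hours)
    alerts = []
    for item in items:
        p = item["properties"]
        name = p["friendlyName"]
        state = p.get("protectionState")
        if state != "Protected":
            alerts.append({"item": name, "reason": f"protection state is {state}", "detail": ""})
        last = p.get("lastBackupTime")
        if last is None or now - parse_utc(last) > stale_after:
            alerts.append({"item": name, "reason": "no backup within expected window",
                           "detail": f"last backup: {last or 'never'}"})
    return alerts


def backup_alerts(jobs_json: str, items_json: str, now: datetime, lookback_hours: int = 24) -> list:
    """Combine both checks over raw CLI JSON; sorted so output is stable."""
    alerts = (failed_backup_jobs(json.loads(jobs_json), now, lookback_hours)
              + unhealthy_items(json.loads(items_json), now))
    return sorted(alerts, key=lambda a: (a["item"], a["reason"]))


if __name__ == "__main__":
    for a in backup_alerts(SAMPLE_JOBS_JSON, SAMPLE_ITEMS_JSON, SAMPLE_NOW):
        print(f"{a['item']}: {a['reason']} {a['detail']}".rstrip())
```

On the sample data this yields three alerts: `db01` for the failed job and for having no backup in the last 30 hours, and `share01` because its protection was stopped; `app02`'s failure is outside the 24-hour lookback and the failed restore of `web01` is not a backup job. In practice the two JSON inputs would come from the CLI calls named above (with `--vault-name` and `--resource-group` for the vault) and the alert list would be pushed to the ticketing or paging channel used for the other Azure Monitor alerts.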