Tag Archives: Azure Backup

New Security Features in Azure Backup

Recently Microsoft has introduced new security capabilities to Azure Backup which allows you to secure your backups against any data compromise and attacks. These features are now built into the recovery services vault and you can enable and start using them within a matter of 5 minutes.

Prevention

For critical operations such as  delete backup data, change passphrase, Azure Backup now allows you to use an additional authentication layer where you need to provide a  Security PIN which is available only for users with valid azure credentials to access the backup vaults.

Alerting

You can now configure email notifications to be sent for specified users for operations that have an impact on the availability of the backup data .

Recovery

You can configure Azure backup to retain deleted backup data for 14 days where you can recover the deleted data using the recovery points. When enabled, this will always maintain more than one recovery point so that there will be enough recovery points from which you can recover the deleted data.

How do I enable security features in Azure Backup?

These security features are now built into the recovery services vault where you can enable all of them with a single click.

1-enable-azure-backup-security

Following are the requirements and considerations that you should be aware of when you enable these new security features.

  • The minimum MAB agent version should be 2.0.9052 or you should upgrade to this agent version immediately after you have enabled these features.
  • If you are using Azure Backup Server the minimum MAB agent version should be 2.0.9052 with Azure Backup Server upgrade 1
  • Currently these settings won’t work with Data Protection Manager and will only be enabled with future Update Roll-ups.
  • Currently these settings won’t work with IaaS VM Backups.
  • Enabling these settings is a one-time action which is irreversible.

Testing new security features

In below video I’m trying to change the passphrase of my Azure Backup agent and save it. Note that here I will have to provide a Security PIN in order to proceed or otherwise the operations fails. 

Next I’m going to setup backup alerts for my recovery services vault. Once I create an alert subscription I’m going to delete my previous backup schedule. Here I will have the chance of restoring the data within 14 days after deletion.

Backup ARM VMs in Azure | Tips & tricks

As you already know Microsoft Azure Fabric is now in version 2 which is sometimes referred to as Azure Resource Manager (ARM) deployment model. Most of the services from old Azure Service Management model are now available in the new model (the new portal) and today we are going to see how we can backup VMs deployed using ARM deployment model using a Azure Recovery Services Vault.

Note that you may notice another two services in your Azure subscription called Backup vaults & Site Recovery vaults which are redundant and has no use. (They are just placeholders which will be removed soon I assume)

Backup ARM VMs (1)

Essentially following scenarios are supported in a new Recovery Services vault. If you are using premium storage accounts for your VMs  keep in mind that it is only supported in a public preview and not generally available as of yet.

  • Azure Resource Manager VMs
  • Classic VMs

The process can be done in few easy steps.

Creating a Recovery Services Vault

A Recovery Services vault holds all the backups and recovery points of the VMs that are being protected along with the backup policy applied to that vault.  One important thing to keep in mind is that Recovery Services Vaults are geo specific, meaning if you need to backup a VM in one region the target vault should reside in the same region as well.

In the Hub menu, click Browse and then search for Recovery Services. I’ve already added it as a favorite by clicking the star right next. Then select Recovery Services vault and click Add.

Backup-ARM-VMs-2.png

Provide a name, select the target Azure subscription, create a new resource group or select an existing one and finally select the region for your Recovery Services vault.

Backup-ARM-VMs-3.png

Next you can select the storage replication option. The default is Geo-redundant storage and if you want a cheaper (but not durable as Geo-redundant) option you can opt out for locally-redundant storage.  Click the All Settings option in your vault dashboard to get started.

Backup-ARM-VMs-4.png

Select a Backup Target

You need to discover your Azure ARM VMs first before they are added to a recovery services vault. This will identify the VMs that can be protected by your recovery services vault.

Backup-ARM-VMs-5.png

Define a Backup Policy

A backup policy defines how frequent the VMs are protected and when the recovery points are created along with the retention range for those recovery points. You can edit the default policy to fit to your needs or create new policy here. You can choose between a daily or weekly schedule to backup your VMs.

Backup-ARM-VMs-6.png

Next select the desired VMs that you wish to backup and finally click Enable Backup.

Backup-ARM-VMs-7.png

Backup-ARM-VMs-8.png

Start the Initial Backup

By default the first scheduled backup is the initial backup. If you want to manually force the first backup it is also possible. In the vault dashboard click Azure Virtual Machines and right click on the desired VM and select Backup Now.

Backup-ARM-VMs-9.png

You can see the backup job progress by clicking All Settings > Jobs > Backup Jobs as below from the vault dashboard.

Backup-ARM-VMs-10.png

When you further expand the backup job you can see the status of each task running underneath.

Backup-ARM-VMs-11.png

Backup Azure IaaS VMs with Azure Backup

We have an exciting update this week with Azure Backup. Now you can directly backup your Azure VMs to Azure Backup vaults easily. This is something that customers were asking for sometime. Let’s take a look at what are the considerations you are going to take into account if you are using this new feature.

  • Backup with no impact to production workloads
  • You do not need to shutdown the VMs
  • Provides application level consistency for Windows operating systems
  • Provides file system level consistency for Linux Operating systems

Backup Procedure

  • Create a backup vault in the same region as your VMs. Currently this feature supports within a single region. But I expect them to make it a geo-enabled feature as keeping the backup in the same data center seems little odd.Azure VM Backup 1
  • Discover the VMs that you need to backup first. For that expand the backup vault > Registered Items > Click DiscoverAzure VM Backup 2

Azure VM Backup 3

  • The next step is to register your VMs in the backup vault. Click the Register button as in the above picture. Keep in mind the VM should be running for the registration to be successfully completed.Azure VM Backup 4
  • Once registration is done click Protect to start protection. Here you need to select the VMs that you need to backup and create a backup policy for the same. You can select a backup frequency as well as a retention range that suits your backup requirement.Azure VM Backup 5

Azure VM Backup 6

  • Remember you can add only one backup policy per VM. Also the maximum retention period is 30 days and you only have backup time slots that are predefined with 30 minute intervals.

Performing a Backup

If you want to perform an adhoc backup out of the backup policy in the Protected Items tab of the backup vault select Backup Now. You can even stop protecting the VM by clicking Stop Protection icon.Azure VM Backup 7

Restore from a backup

  • Go to the Protected Items tab and click Restore. This opens the Restore an Item wizard.Azure VM Backup 10
  • In the Select a recovery point page you can select a restore point from available list of restore points.Azure VM Backup 11
  • In the Select restore instance page you need to specify where you want to restore the VM. This is an alternate location with new VM name, can be a different cloud service and a different Virtual Network. It’s up to you to select those parameters but you might need a new cloud service and a new network if you want to test the back up isolated first.Azure VM Backup 12

Monitor Backup Progress

You can monitor the backup progress in the Jobs page. This is important as you may need to know if a backup operation has failed or server registration has failed.Azure VM Backup 8

If I drill down through my existing adhoc backup I can see the task sequence there.

Azure VM Backup 9As you can see the word PREVIEW in this service (some pages) I wouldn’t be doing this on production but it’s still worth a try.

 

Azure Backup now supports x64 versions of Windows Client OS

If you are running Windows 7 SP1, Windows 8 or Windows 8.1 x64 version I have some good news for you. Microsoft Azure backup is now supported in these versions of Client OS. Microsoft will be dynamically updating the capabilities to provide more integration with Client OS.

Let’s see some need-to-knows about Azure Backup on your device.

  1. Backup is incremental over https
  2. There are two options for backup. Option 1 you can register one device per backup vault where you can create 25 backup vaults per subscription.
  3. Option 2 you can register up to 50 devices in a single vault. Each of these have different pass-phrase used for encryption & decryption.
  4. If your laptop is running on battery scheduled backups are automatically skipped until you plugged in to A/C.

Prerequisites

  • Install KB3015072
  • Download and Install Azure Backup Agent from Azure Portal.

Quick News | Azure Backup on Windows Server 2008

For those who were worried about not being able to backup their workloads in Server 2008 to the cloud, I have some good news. Windows Server 2008 had been added to the list of supported OS for Azure Back up. Here is the support matrix for same. There is no support for 32 bit OS but if you are using a 32 bit server OS it’s high time to migrate to a newer version of 64 bit architecture.

Operating  System Workload Supported Technologies to be used
Windows Server 2008 (64-bit)  Files and Folders Azure Backup
Files and Folders,Hyper-V Virtual Machines,MS-SQL databases System Center Data Protection Manager with Azure Backup

Additionally you’ll need to meet below per-requisites to install the Azure agent.

You can download the new backup agent from here.

Azure Backup Agent Installation failure in Windows Server 2008 R2 SP1

Recently I had to conduct a POC for a customer on Azure Backup Service. They provided a physical server with Windows Server 2008 R2 SP1 installed. When I tried to install the backup agent I noticed that a strange error happened all the time  and the installtion has aborted.

“Unable to execute the embedded application to complete the installation.”

Now the funny thing is being a Microsoft techie for years I forgot to check .NET per-requisites and all. But in this case I found that there are two updates that needs to be in place prior installation of backup agent in this OS workload.

Microsoft .NET Framework 4
http://www.microsoft.com/en-us/download/details.aspx?id=17851

Microsoft Visual C++ 2008 Service Pack 1 Redistributable Package MFC Security Update
http://www.microsoft.com/en-us/download/details.aspx?id=26368

.NET Framework 4 is a must. I only had to install the MFC Update for Visual C++ SP1 redistributable. But being said that there are three additional per-requisites to be made before you install.

  • Windows PowerShell 3.0 – In the wizard it will say that this will be installed. But trust me it doesn’t. I strongly recommend you do this manually prior agent installation.
  • Microsoft.NET Framework 4 Client Profile – This is not a cumulative update. So should be installed separately.
  • Microsoft Visual C++ 2008 Service Pack 1 Redistributable Package – This should be installed prior installing MFC update. If you are on w2k8 R2 SP1 it’s already there.

If any one interested in the source here is the TechNet Article that helped me to rectify this issue.