Automate Azure VMs Restore with Azure Backup


This article will demonstrate how to automate Azure VMs restore with Azure Backup, so you can schedule it to perform restore at regular intervals in case you want to test your application, or you want to restore in a secondary region for both Business Continuity and Disaster Recovery (BCDR) drills and outage scenarios.

Introduction

Azure Backup ensures your backup data is stored securely by leveraging the built-in security capabilities of the Azure platform, such as role-based access control (RBAC) and encryption. In addition, with the new soft-delete capability, Azure Backup protects against accidental and malicious attempts to delete your backups.

With a powerful architecture built into Azure, Azure Backup does all this for you in a simple, secure, and cost-effective manner without needing you to worry about anything at all.

When you start planning to restore an Azure VM, there are several restore options that you can choose from:

> Create a new VM: This gives you the possibility to quickly create and get a basic VM up and running from a restore point.

> Restore disk: With this option, you can restore a VM disk, which can then be used to create a new VM.

> Replace existing VM: You can restore a disk, and then use it to replace a disk on the existing VM.

> Cross Region Restore: This option can be used to restore Azure VMs in the secondary region, which is an Azure paired region (E.g. North Europe => West Europe). By using Cross Region Restore, you can conduct drills when there’s an audit or compliance requirement, and restore the data if there’s a disaster in the primary region (check the prerequisites section for more details).

Restoring an Azure VM through the Azure Portal is straightforward. But what if you want to restore the VM for compliance and audit reasons, or if there’s a disaster in the primary region? For example, you may have a business continuity plan that dictates restoring your important servers to a secondary region at the end of every day, week or month.

Now, of course, you can log in to the Azure Portal and manually restore the VM by clicking “Restore VM” or “Restore to Secondary Region” as shown in the figure below, as part of your business continuity plan. However, this is not so efficient…

Azure Backup - Restore to Secondary Region

Azure Automation to the rescue!

In this article, I will share with you how to automate the restore of Azure VMs using PowerShell, so you can schedule it to restore to the secondary region at regular intervals and have an additional copy of your VM ready if a disaster strikes.

> To learn more on how to automate the backup for Azure VM, check the following step-by-step guide.

Azure Site Recovery

Before we dive into the technical details of the solution and configuration, I want to pause for a second, step back, and discuss the Azure Site Recovery (ASR) service.

Now you may be asking: why not use the ASR service, which supports native VM replication to a secondary region of your choice or between Availability Zones, instead of Cross Region Restore? Well, glad you asked; here is my ASR experience:

1) You may have a Windows or Linux guest OS that is NOT supported for replication by ASR, and you still need the VM to be available in case of an outage in the primary region.

2) The pricing for the Site Recovery service is higher than for Azure Backup. For ASR you pay $25/month per protected VM instance, plus charges for Azure Storage, storage transactions, and data transfer; the storage price is separate. With Azure Backup Cross Region Restore, you pay $0.0569 per GB for read-access geo-redundant storage (RA-GRS) replication plus a protected-instance charge that depends on the VM size ($5 for < or = 50 GB and $10 for > 50 GB and < or = 500 GB). For both services, you still pay for the recovered virtual machine (compute charges) while it’s running. You could do a quick calculation and see the difference.

3) Please remember that Site Recovery is a replication service, so if your VM in the primary region gets corrupted, it will be corrupted in the secondary region as well. The Azure Backup service keeps your data safe and recoverable.

Both solutions have their pros and cons for each use case, they can be used independently or to complement each other.

Prerequisites

To follow this article, you need to have the following:

1) Azure subscription – If you don’t have an Azure subscription, you can create a free one here.

2) Azure Resource Group (RG).

3) You need to have at least one Azure Recovery Services vault created. Please check the following quick start guide to create and configure a Recovery Services vault.

4) You need to configure the Recovery Services vault with Geo-redundant storage (GRS) redundancy, including the option to enable the Cross-Region Restore feature as shown in the figure below. Please note that if you enable Cross-Region Restore, Microsoft will auto-upgrade your backup storage from GRS to read-access geo-redundant storage (RA-GRS). The price for GRS is $0.0448 per GB, and the price for RA-GRS is $0.0569 per GB, so keep the pricing implication in mind. Additionally, at the time of this writing, the secondary region Recovery Point Objective (RPO) is up to 12 hours behind the primary region, even though read-access geo-redundant storage (RA-GRS) replication takes 15 minutes, so you could lose up to 12 hours of data with this RPO.

Cross-Region Restore

5) You need to have a storage account to be used for the staging process. Please note that the staging storage account must be located in the region where the Cross Region Restore takes place, which is the paired region of the Recovery Services vault. In other words, if your Recovery Services vault is created in North Europe for example, and you enabled the Cross Region Restore feature, then the staging storage account should be created in West Europe (paired region) to be able to perform Cross Region Restore; otherwise, you will receive an ambiguous error message such as:

Restore-AzRecoveryServicesBackupItem: Storage account location should be same as vault location.

To create a General Purpose v2 (GPv2) storage account, you can follow the instructions described here. Please make sure to disable soft delete for blobs and containers which are turned on by default with 7 days retention under “Data protection” as shown in the figure below. As part of the restore automation process, we delete the old container/blob and keep the most recent one to optimize storage cost (more on this in the next section).

Storage account | Data protection

6) Last, the Azure roles needed to restore in the secondary region are the same as those in the primary region. To perform the restore operation in the secondary region, you need to be a member of Backup Admins or Application Admins.
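The prerequisites above (GRS vault with Cross-Region Restore enabled, staging storage account in the paired region, blob and container soft delete turned off) are easy to get wrong and only surface later as an ambiguous restore error. The following pre-flight check is an added example, not part of the article’s runbook; it assumes the paired region is West Europe as in the article and that Get-AzRecoveryServicesBackupProperty exposes the BackupStorageRedundancy and CrossRegionRestore properties.

```powershell
# Added pre-flight check (not part of the original runbook): verifies the
# prerequisites from this article before the restore runbook is scheduled.
Param (
    [Parameter(Mandatory = $true)][String] $resourceGroupName,
    [Parameter(Mandatory = $true)][String] $recoveryServicesVaultName,
    [Parameter(Mandatory = $true)][String] $storageAccountName,
    # Paired region the restore targets; assumed to be West Europe as in the article
    [String] $secondaryRegion = 'westeurope'
)

$problems = @()

# 1) The vault must use GRS and have Cross Region Restore enabled
$vault = Get-AzRecoveryServicesVault -ResourceGroupName $resourceGroupName -Name $recoveryServicesVaultName
$props = Get-AzRecoveryServicesBackupProperty -Vault $vault
if ($props.BackupStorageRedundancy -ne 'GeoRedundant') {
    $problems += "Vault redundancy is $($props.BackupStorageRedundancy); Cross Region Restore needs GRS (RA-GRS)."
}
if (-not $props.CrossRegionRestore) {
    $problems += "Cross Region Restore is not enabled on vault $recoveryServicesVaultName."
}

# 2) The staging storage account must sit in the paired region, not in the vault's own region
$sa = Get-AzStorageAccount -ResourceGroupName $resourceGroupName -Name $storageAccountName
if ($sa.Location -ne $secondaryRegion) {
    $problems += "Storage account $storageAccountName is in $($sa.Location); expected $secondaryRegion (paired region of $($vault.Location))."
}

# 3) Blob and container soft delete must be off, otherwise the runbook's cleanup keeps paying for deleted VHDs
$blobSvc = Get-AzStorageBlobServiceProperty -ResourceGroupName $resourceGroupName -StorageAccountName $storageAccountName
if ($blobSvc.DeleteRetentionPolicy.Enabled) {
    $problems += "Blob soft delete is enabled ($($blobSvc.DeleteRetentionPolicy.Days) days retention)."
}
if ($blobSvc.ContainerDeleteRetentionPolicy.Enabled) {
    $problems += "Container soft delete is enabled ($($blobSvc.ContainerDeleteRetentionPolicy.Days) days retention)."
}

# Report every finding at once so all of them can be fixed in one pass
if ($problems.Count -gt 0) {
    $problems | ForEach-Object { Write-Warning $_ }
    throw "Pre-flight check failed with $($problems.Count) problem(s)."
}
Write-Output "Pre-flight check passed: vault, staging storage account and soft-delete settings are ready for Cross Region Restore."
```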

Get started

First, we need to create an Azure Automation account with a Managed Identity. Microsoft recommends using Managed Identities for Automation accounts instead of Run As accounts. A managed identity is more secure and easier to use, since it doesn’t require any credentials to be stored. Azure Automation support for Managed Identities is now generally available.

Create an Automation Account

When you create an Automation Account, it creates a new service principal user in Azure Active Directory (Azure AD) by default. Next, you must assign the appropriate (Azure RBAC) role to allow access to Azure Backup for the service principal at the subscription or at the management group level. In this example, I have assigned the Azure Contributor role to the service principal at the management group level. Always keep in mind to use the principle of least privilege when assigning permissions.

Resource Group - Contributor RBAC Role

Using a managed identity instead of the Automation Run As account makes management simpler. You don’t have to renew the certificate used by the Automation Run As account. Additionally, you don’t have to specify the Run As connection object in your runbook code. You can access resources using your Automation account’s managed identity from a runbook without creating certificates, connections, Run As accounts, etc.

Open the Azure portal, click All services found in the upper left-hand corner. In the list of resources, type Automation. As you begin typing, the list filters based on your input. Select Automation Accounts.

Click +Add. Enter the automation account name, choose the right subscription, resource group, location, and then click Create.

Modules

In your list of Automation Accounts, select the account that you created in the previous step. Then from your automation account, select Modules under Shared Resources.

The good news is that, starting in September 2021, Automation accounts have the Az modules installed by default. You no longer need to import the modules from the gallery as we used to do in the past. Please note that you can also update the modules to the latest Az version from the Modules blade, as shown in the figure below.

Update Az Modules

The most common PowerShell modules are provided by default in each Automation account. See the Default modules imported on this page. As the Azure team updates the Azure modules regularly, changes can occur with the included cmdlets.

Create PowerShell Runbook

In this step, you can create multiple Runbooks based on which VM you want to restore to a secondary region. PowerShell Runbooks are based on Windows PowerShell. You directly edit the code of the Runbook using the text editor in the Azure portal. You can also use any offline text editor such as Visual Studio Code and import the Runbook into Azure Automation.

From your automation account, select Runbooks under Process Automation. Click the ‘+ Create a runbook‘ button to open the Create a runbook blade as shown in the figure below.

Create a runbook

In this example, we will create a Runbook to restore a protected VM from a specific Azure subscription to a secondary region. You can be as creative as you want and cover multiple Azure VMs, etc.

Edit the Runbook

Once you have the Runbook created, you need to edit it and write or add the script that selects the Azure VM whose disks you want to restore to the secondary region. Of course, you can create scripts that suit your environment.

As mentioned earlier, in this example we will restore the most recent recovery point for a specified VM to a secondary region: the VM is running and protected in North Europe, and we will restore it to West Europe. We only restore the disks and don’t create a new VM. When you restore the disks, Microsoft provides you with a JSON template to quickly redeploy the VM with a configuration identical to the primary VM.

Once the restore is completed, we’ll delete the old storage container for cost optimization and keep the most recent one, and then delete the blob (.VHD) files for cost optimization and keep only the JSON templates to create a new VM if needed. Last, we’ll also remove the old managed Azure disks in the specified resource group and keep the current, most recent disks.

The automation script is as follows:

<#
.DESCRIPTION
A Runbook example that continuously restores disks for the desired VM to a secondary region
for both Business Continuity and Disaster Recovery (BCDR) drills and outage scenarios.
The VM is protected by Azure Backup with read-access geo-redundant storage (RA-GRS) replication.

.NOTES
Filename : AzureBackup-CrossRegionRestore
Author   : Charbel Nemnom
Version  : 1.0
Date     : 01-November-2021
Updated  : 02-November-2021

.LINK
To provide feedback or for further assistance please visit:
https://charbelnemnom.com
#>

Param (
    [Parameter(Mandatory = $true)][ValidateNotNullOrEmpty()]
    [String] $AzureSubscriptionId,
    [Parameter(Mandatory = $true)][ValidateNotNullOrEmpty()]
    [String] $resourceGroupName,
    [Parameter(Mandatory = $true)][ValidateNotNullOrEmpty()]
    [String] $recoveryServicesVaultName,
    [Parameter(Mandatory = $true)][ValidateNotNullOrEmpty()]
    [String] $vmName,
    [Parameter(Mandatory = $true)][ValidateNotNullOrEmpty()]
    [String] $storageAccountName
)

# Stop on the first error so that a failed restore never reaches the cleanup steps below
$ErrorActionPreference = 'Stop'

# Ensures you do not inherit an AzContext in your runbook
Disable-AzContextAutosave -Scope Process

# Connect to Azure with system-assigned managed identity (automation account)
Connect-AzAccount -Identity

# Set Azure Subscription context
Set-AzContext -Subscription $AzureSubscriptionId

# Set Azure Recovery Services Vault context and locate the protected VM
$targetVault = Get-AzRecoveryServicesVault -ResourceGroupName $resourceGroupName -Name $recoveryServicesVaultName
$namedContainer = Get-AzRecoveryServicesBackupContainer -ContainerType "AzureVM" -Status "Registered" -FriendlyName $vmName -VaultId $targetVault.ID
$backupitem = Get-AzRecoveryServicesBackupItem -Container $namedContainer -WorkloadType "AzureVM" -VaultId $targetVault.ID

# Get the latest and most recent recovery point that is already replicated to the secondary region
$rp = Get-AzRecoveryServicesBackupRecoveryPoint -UseSecondaryRegion -Item $backupitem -VaultId $targetVault.ID
$rp = $rp[0]
if (-not $rp) { throw "No recovery point for $vmName is available in the secondary region yet." }

# Restore all the disks to a secondary (paired) region
$restorejob = Restore-AzRecoveryServicesBackupItem -RecoveryPoint $rp -StorageAccountName $storageAccountName `
 -StorageAccountResourceGroupName $resourceGroupName -TargetResourceGroupName $resourceGroupName `
 -VaultId $targetVault.ID -VaultLocation $targetVault.Location -RestoreToSecondaryRegion

# Wait for the recovery job to be completed (pick the in-progress job for this VM, not just the first one in the list)
$joblist = Get-AzRecoveryServicesBackupJob -Status "InProgress" -UseSecondaryRegion -VaultId $targetVault.ID |
    Where-Object { $_.WorkloadName -eq $vmName }
if (-not $joblist) { throw "No in-progress restore job found for $vmName in the secondary region." }
$joblist[0]
$job = Wait-AzRecoveryServicesBackupJob -Job $joblist[0] -Timeout 43200 -VaultId $targetVault.ID
if ($job.Status -ne "Completed") { throw "Restore job $($joblist[0].JobId) ended with status $($job.Status); skipping cleanup." }

# Get the storage account context
$storageAcc = Get-AzStorageAccount -ResourceGroupName $resourceGroupName -Name $storageAccountName
$ctx = $storageAcc.Context

# Remove old storage containers for cost optimization and keep only the most recent one
Get-AzStorageContainer -Name "$vmName*" -Context $ctx |
    Sort-Object -Property LastModified -Descending |
    Select-Object -Skip 1 |
    Remove-AzStorageContainer -Confirm:$false -Force

# Remove blob (.VHD) files for cost optimization and keep JSON templates to create a new VM if needed
$container = Get-AzStorageContainer -Name "$vmName*" -Context $ctx
$blobs = Get-AzStorageBlob -Container $container.Name -Blob "$vmName*" -Context $ctx
foreach ($blob in $blobs) {
    Remove-AzStorageBlob -Container $container.Name -Blob $blob.Name -Context $ctx -Force
}

# Remove old managed Azure disks for cost optimization and keep the disks restored by this job.
# Only disks are touched: restricting the resource type prevents deleting the source VM or other
# resources whose names start with the VM name when they share the resource group.
Get-AzResource -ResourceGroupName $resourceGroupName -ResourceType "Microsoft.Compute/disks" |
    Where-Object { $_.Name -like "$vmName*" -and $_.Tags.Values -notcontains $joblist[0].JobId } |
    Remove-AzResource -Force

Write-Output "Cross Region Restore of $vmName completed (job $($joblist[0].JobId)); old containers, VHD blobs and disks cleaned up."

Once done, click “Save” to save the script in the CMDLETS pane as shown in the figure below.

Azure Backup - Cross Region Restore Runbook

Then test the script using the “Test pane” to verify it’s working as intended before you publish it.

Once the test is completed successfully, publish the Runbook by clicking Publish. This is a very important step.

Schedule the Runbook

In the final step, you need to schedule the Runbook to run based on your desired time to restore the VM to a secondary region.

Within the same Runbook that you created in the previous step, select Schedules and then click + Add schedule.

So, if you need to schedule the Runbook to run/restore it daily, then you need to create the following schedule with Recur every 1 Day with Set expiration to No and then click “Create“. You can also run it on-demand if you wish to do so.

Add recurring schedule

While scheduling the Runbook, you can configure and pass the required parameters for the PowerShell Script.

In this example, we need to specify the Azure Subscription ID, Resource Group Name, Storage Account Name, Azure Recovery Services vault, and the Virtual Machine Name that you want to restore to a secondary region. The sample script takes those parameters as input.

Once done, click OK twice.
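The same daily schedule and parameter binding can be created from PowerShell instead of the portal, which is handy when the runbook is deployed to several Automation accounts. This is an added example rather than part of the article; the Automation account, resource group and parameter values are assumed placeholders, and the parameter names match the Param() block of the runbook above.

```powershell
# Added example (not from the original article): creates the daily 7:00 AM
# schedule and links it to the runbook with the parameters the script expects.
$automationRg      = 'rg-automation'        # assumed resource group of the Automation account
$automationAccount = 'aa-backup-restore'    # assumed Automation account name
$runbookName       = 'AzureBackup-CrossRegionRestore'   # filename given in the runbook header

# First run tomorrow at 07:00 local time, then every day with no expiry (the article's schedule)
$start = (Get-Date).Date.AddDays(1).AddHours(7)
$schedule = New-AzAutomationSchedule -ResourceGroupName $automationRg -AutomationAccountName $automationAccount `
    -Name 'Daily-CrossRegionRestore' -StartTime $start -DayInterval 1

# Parameter names must match the runbook's Param() block exactly; values are placeholders
$runbookParams = @{
    AzureSubscriptionId       = '00000000-0000-0000-0000-000000000000'
    resourceGroupName         = 'rg-bcdr'
    recoveryServicesVaultName = 'rsv-northeurope'
    vmName                    = 'vm-app01'
    storageAccountName        = 'stcrrstaging'
}
Register-AzAutomationScheduledRunbook -ResourceGroupName $automationRg -AutomationAccountName $automationAccount `
    -RunbookName $runbookName -ScheduleName $schedule.Name -Parameters $runbookParams

# Confirm the runbook is linked to the schedule before relying on it for the BCDR drill
Get-AzAutomationScheduledRunbook -ResourceGroupName $automationRg -AutomationAccountName $automationAccount `
    -RunbookName $runbookName | Select-Object RunbookName, ScheduleName
```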

Test the Runbook

In this section, we will test the Runbook by requesting an on-demand Cross Region Restore of an Azure VM. This scenario simulates a BCDR drill in which the most recent recovery point of the VM is restored to the paired region.

Browse to the recently created Runbook, and on the overview page click the “Start” button. Enter the required parameters as input and then click “OK“.

The job will kick in; depending on your VM size, it will take some time to complete. In this example, it took around 20 minutes. You will see the output and logs under “Output” to verify that the restore job finished successfully, as shown in the figure below.

Cross-Region Restore job completed

You can also monitor the success or failure of these schedules using the “Jobs” page of Runbooks under Resources.

You can see the next run schedule using the “Schedules” page, in my example, the Runbook will run every day at 7:00 AM, and so forth…

Monitor runbook jobs and schedules

That’s it, there you have it!

This is version 1.0, if you have any feedback or changes that everyone should receive, please feel free to leave a comment below.

Summary

In this article, I showed you how to automate Azure VMs restore with Azure Backup, so you can schedule it to perform restore at regular intervals in case you want to test your application, or you want to restore in a secondary region for both Business Continuity and Disaster Recovery (BCDR) drills and outage scenarios.

> Learn more on how to protect critical backup operations with Multi-User Authorization (MUA) for Azure Backup.

Do you want to learn more about Azure Storage including Azure Blobs and Azure File Shares? Make sure to check my recently published online course here: Azure Storage Essential Training.

Thank you for reading my blog.

If you have any questions or feedback, please leave a comment.

-Charbel Nemnom-
