Automate Azure Stack Infrastructure Backup Configuration With Certificate

Introduction

Yesterday, Microsoft released the Azure Stack 1902 update, the second update release of this year. It includes improvements, new features, and fixes. You can check what is new in the Azure Stack 1902 update here.

Starting with the Azure Stack 1807 update, Microsoft added automatic infrastructure backup. This was one of the great enhancements added to Azure Stack because, in previous releases, infrastructure backup was a manual (on-demand) task. When the 1807 update was released, I developed an automated tool to Configure Automatic Infrastructure Backup With PowerShell, so instead of going to the Azure Stack administrator portal every time to configure infrastructure backup, you can use that tool to automate the entire process.

Starting with the Azure Stack 1901 update, Microsoft deprecated the symmetric encryption key that was previously used to encrypt backup data and replaced it with a public-key-only certificate (.CER). This is a good change: Azure Stack only ever receives the public key, so the secret that decrypts the backups (the private key) is never stored in Azure Stack itself, and you can rotate the key pair simply by issuing a new certificate. You can read about the Azure Stack 1901 changes here.

Please note that Azure Stack still supports the encryption key, but only if the key was configured before updating to 1901. Microsoft stated that this backward-compatibility mode will continue for three releases only; after that, encryption keys will no longer be supported.

So it’s time to start moving to certificate-based encryption.

In this blog, I will show you how to leverage the new Azure Stack PowerShell module for infrastructure backup to enable automatic backups based on Azure Stack version 1901 and above.

Certificate for Azure Stack Infrastructure Backup

What you need to know about the Azure Stack backup certificate:

  1. The certificate is used only to transport (wrap) the backup encryption keys, not to establish secure, authenticated communication.
    • Microsoft does not need to verify the root or chain of trust for this certificate, so a self-signed certificate is enough.
    • No external internet access is required, so the requirements are unchanged compared to encryption keys.
  2. Why is a self-signed certificate enough?
    • The Azure Stack backup service uses the public key (exported in the .CER file) to encrypt the backups.
    • The private key (exported in the .PFX file) is used during cloud recovery to decrypt the backups. Azure Stack never holds the private key, which is the point: the stamp cannot decrypt its own backups, and neither can anyone who only has a copy of the backup share.
  3. The certificate is not managed internally, so Azure Stack secret rotation does not touch it.
    • If you need to change the certificate because the private key was compromised, create a new self-signed certificate and provide the new .CER to Azure Stack. All existing backups remain encrypted with the previous public key; all new backups use the new public key. Two consequences follow: keep the old .PFX and its password until every backup encrypted with it has aged out of the retention period, otherwise those backups can no longer be restored; and rotation protects future backups only, so whoever holds the compromised private key can still decrypt copies of the old backups, which is why access to the backup share should be reviewed as well.
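As an added example (not part of the original post or the author's tool), here is how the rotation described in point 3 looks in PowerShell, ordered so that the old private key is never lost and the new one is safely in Key Vault before Azure Stack starts using it. It assumes you are already logged in to the Azure Stack admin endpoint and to the Azure tenant that hosts the Key Vault (as the script later in this post does), that AzureStack module 1.7.0 is loaded, that the object returned by Get-AzsBackupConfiguration exposes the configured certificate's thumbprint as EncryptionCertThumbprint, that Set-AzsBackupConfiguration leaves the share and schedule settings untouched when only -EncryptionCertPath is passed, and it reuses the Key Vault object names from Enable-AzureStackBackup.ps1.

```powershell
# Added example, not part of the original post: rotate the backup certificate after a
# suspected private-key compromise without losing the ability to restore older backups.
# Assumes: logged-in AzureRM sessions to the Azure Stack admin endpoint and to the Azure
# tenant hosting the vault, AzureStack module 1.7.0, the Key Vault object names used by
# Enable-AzureStackBackup.ps1, and (assumption) an EncryptionCertThumbprint property on
# the object Get-AzsBackupConfiguration returns.
param(
    [Parameter(Mandatory = $true)][string]$BackupKeyVault,
    [string]$CertName   = 'AzureStack-InfraBackup-PrivateKey-Certificate',
    [string]$SecretName = 'AzureStack-InfraBackup-Password-Certificate'
)
$ErrorActionPreference = 'Stop'

# 1. Record the public key Azure Stack encrypts with today, for the final check.
$oldThumbprint = (Get-AzsBackupConfiguration).EncryptionCertThumbprint
Write-Host "Azure Stack currently encrypts backups with thumbprint $oldThumbprint"

# 2. Generate a fresh key pair. A dated subject makes rotations easy to tell apart in the vault.
$workDir = Join-Path $env:TEMP ("AzsBkpRotate-" + [guid]::NewGuid().ToString())
New-Item -Path $workDir -ItemType Directory -Force | Out-Null
$newCert = New-SelfSignedCertificate -Subject "CN=AzsInfraBackup-$(Get-Date -Format yyyyMMdd)" `
                                     -CertStoreLocation 'cert:\LocalMachine\My'
$cerFile = Export-Certificate -Cert $newCert -FilePath (Join-Path $workDir 'AzsInfraBkpCertPublic.cer')

# 3. Put the NEW private key in Key Vault before Azure Stack starts using it.
#    Importing under the existing name adds a version; the previous version (the old
#    private key) stays retrievable for the backups that were encrypted with it.
$pfxPassword = ConvertTo-SecureString -String (New-Guid).Guid -AsPlainText -Force
$pfxFile     = Join-Path $workDir 'AzsInfraBkpCertPrivate.pfx'
Export-PfxCertificate -Cert $newCert -FilePath $pfxFile -Password $pfxPassword | Out-Null
Set-AzureKeyVaultSecret -VaultName $BackupKeyVault -Name $SecretName -SecretValue $pfxPassword | Out-Null
Import-AzureKeyVaultCertificate -VaultName $BackupKeyVault -Name $CertName -FilePath $pfxFile -Password $pfxPassword | Out-Null

# 4. Only now hand the new public key to Azure Stack. Existing backups are not re-encrypted.
#    (Assumption: passing only -EncryptionCertPath leaves share and schedule settings as they are.)
Set-AzsBackupConfiguration -EncryptionCertPath $cerFile.FullName

# 5. Verify the switch took effect, then remove all local private-key material.
$newThumbprint = (Get-AzsBackupConfiguration).EncryptionCertThumbprint
if ($newThumbprint -ne $newCert.Thumbprint) {
    throw "Azure Stack reports thumbprint $newThumbprint, expected $($newCert.Thumbprint); the old key $oldThumbprint may still be in use"
}
Remove-Item -Path $workDir -Recurse -Force
Remove-Item -Path "cert:\LocalMachine\My\$($newCert.Thumbprint)" -DeleteKey -Force

# Every version listed here must stay enabled until the backups encrypted with it have aged out.
Get-AzureKeyVaultCertificate -VaultName $BackupKeyVault -Name $CertName -IncludeVersions |
    Select-Object Version, Thumbprint, Created, Enabled
```

The order matters: upload first, switch Azure Stack second, so that a failure half-way never leaves Azure Stack encrypting with a key you do not hold. Importing under an existing Key Vault certificate name creates a new version rather than replacing the old one, and the same happens to the password secret; the old versions are what you will need to restore any backup taken before the rotation, so do not disable or purge them until those backups have aged out.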

For more information about Azure Stack Infrastructure Backup Service best practices, please check the following article.

Enable Infrastructure Backup

Before you enable automatic backup, make sure you update to version 1.7.0 of the Azure Stack admin PowerShell module; this is a requirement now that you are on the 1901 update or above. You can run the following PowerShell commands to install AzureRM 2.4.0 and Azure Stack PowerShell module version 1.7.0.

If infrastructure backup was configured before updating to 1901, you can still use version 1.6.0 of the admin PowerShell module to set and view the encryption key. Please note that version 1.6.0 will not allow you to switch from an encryption key to a certificate file; you need 1.7.0 for that. Please refer to Install Azure Stack PowerShell for more information on installing the correct version of the module.

# Azure Stack 1901 or later:
Install-Module AzureRM -RequiredVersion 2.4.0
Install-Module -Name AzureStack -RequiredVersion 1.7.0

I have updated my previous PowerShell tool to support Azure Stack 1901 and above, so that enabling Azure Stack Infrastructure Backup remains a single command instead of a trip to the Azure Stack admin portal. The script connects to the Azure Stack admin endpoint, verifies that the backup share is accessible, generates a self-signed certificate, configures the backup with the certificate's public key, and finally uploads the PFX (the certificate with its private key) together with the PFX password to Azure Key Vault, so the private key does not stay on the machine you ran the script from.

Configuring Azure Stack Infrastructure Backup is very important, but the certificate must also be stored in a secure location (for example, as an Azure Key Vault certificate). The .CER (public key) is what Azure Stack uses to encrypt the backup data. The .PFX (private key) and its password are what you must supply during a cloud recovery deployment of Azure Stack to decrypt that data. Lose either one and the backups are unreadable: Azure Stack recovery is, well, impossible later.

You can run the script in two different scenarios, as follows. Both -ShareCred and -AzureCred are PSCredential parameters: pass a user name, as in the examples, and PowerShell prompts you for the password, or pass a credential object created with Get-Credential.

EXAMPLE -1-

.\Enable-AzureStackBackup.ps1 -SharePath [\\ServerIP\Share] -ShareCred [user@domain.com] -AzureCred [user@tenant.com] -BackupKeyVault [Azure-Vault-Name] -Verbose

This example will enable Azure Stack Backup to the specified Share Path with the default backup frequency 12 hours and retention 7 days, and finally enable Automatic Infrastructure Backups. As part of enabling Azure Stack backup, the PFX format of the certificate including the private key and password will be saved in your Azure Key Vault for additional security.

EXAMPLE -2-

.\Enable-AzureStackBackup.ps1 -SharePath [\\ServerIP\Share] -ShareCred [user@domain.com] -AzureCred [user@tenant.com] -BackupKeyVault [Azure-Vault-Name] -Frequency [4-12] -Retention [2-14] -Verbose

This example will enable Azure Stack Backup to the specified Share Path including backup frequency and retention days that you specify, and finally enable Automatic Infrastructure Backups. As part of enabling Azure Stack backup, the PFX format of the certificate including the private key and password will be saved in your Azure Key Vault for additional security.

Here is a screenshot showing you how to use this tool.

[Screenshot: Enable-AzureStackBackup.ps1 running with -Verbose output]

Once the script is completed, you will see that the PFX format of the certificate is uploaded to Azure Key Vault under Certificates as shown in the following screenshot:

[Screenshot: the PFX certificate listed under Certificates in Azure Key Vault]

And the password for the PFX certificate is saved under Secrets.

[Screenshot: the PFX password stored under Secrets in Azure Key Vault]

PowerShell Code

The complete script is detailed below to automate the entire process:

<#
.SYNOPSIS
Enable Azure Stack Infrastructure Backup on version 1901 and above.

.DESCRIPTION
Configure Azure Stack Infrastructure Backup with PowerShell for version 1901 and above.
The script connects to the Azure Stack admin endpoint, verifies that the backup share is
reachable with the supplied share credentials, generates a self-signed certificate, hands
only the public key (.CER) to Azure Stack, and then stores the PFX (private key) and its
password in Azure Key Vault before removing both from the local machine.

.NOTES
File Name : Enable-AzureStackBackup.ps1
Author    : Charbel Nemnom
Version   : 1.5
Date      : 17-August-2018
Update    : 06-March-2019
Requires  : PowerShell Version 5.1 or above
Module    : Azure Stack Version 1.7.0
Version   : Azure Stack version 1901 and above

.LINK
To provide feedback or for further assistance please visit the author's blog.

.EXAMPLE
.\Enable-AzureStackBackup.ps1 -SharePath [\\ServerIP\Share] -ShareCred [user@domain.com] -AzureCred [user@tenant.com] -BackupKeyVault [Azure-Vault-Name] -Verbose
This example will enable Azure Stack Backup to the specified Share Path with the default backup frequency 12 hours and retention 7 days, and finally enable Automatic Backups. As part of enabling Azure Stack backup, the PFX format of the certificate including the private key and password will be saved in your Azure Key Vault for additional security.

.EXAMPLE
.\Enable-AzureStackBackup.ps1 -SharePath [\\ServerIP\Share] -ShareCred [user@domain.com] -AzureCred [user@tenant.com] -BackupKeyVault [Azure-Vault-Name] -Frequency [4-12] -Retention [2-14] -Verbose
This example will enable Azure Stack Backup to the specified Share Path including backup frequency and retention days that you specify, and finally enable Automatic Backups. As part of enabling Azure Stack backup, the PFX format of the certificate including the private key and password will be saved in your Azure Key Vault for additional security.
#>

[CmdletBinding()]
Param (
    [Parameter(Position=0, Mandatory=$true, HelpMessage='Please provide the UNC path to an SMB file share')]
    [Alias('Path')]
    [String]$SharePath,

    [Parameter(Position=1, Mandatory=$true, HelpMessage='Specify backup share credentials')]
    [Alias('BackupCred')]
    [PSCredential]$ShareCred,

    [Parameter(Position=2, Mandatory=$true, HelpMessage='Specify Azure Stack / Azure credentials')]
    [Alias('Cred')]
    [PSCredential]$AzureCred,

    [Parameter(Position=3, Mandatory=$true, HelpMessage='Specify the Azure Key Vault name')]
    [Alias('KeyVault')]
    [String]$BackupKeyVault,

    [Parameter(Position=4, Mandatory=$false, HelpMessage='Specify backup frequency in hours, valid range: 4-12 hours, default 12')]
    [Alias('Hours')]
    [ValidateRange(4,12)]
    [Int]$Frequency = 12,

    [Parameter(Position=5, Mandatory=$false, HelpMessage='Specify backup retention period in days, valid range: 2-14 days, default 7')]
    [Alias('Days')]
    [ValidateRange(2,14)]
    [Int]$Retention = 7
)

Function Install-AzureRM {
    Set-PSRepository -Name PSGallery -InstallationPolicy Trusted -Verbose:$false
    Install-Module -Name AzureRM -RequiredVersion 2.4.0 -Confirm:$false -Verbose:$false
}

Function Install-AzureStack {
    Set-PSRepository -Name PSGallery -InstallationPolicy Trusted -Verbose:$false
    Install-Module -Name AzureStack -RequiredVersion 1.7.0 -Confirm:$false -Verbose:$false
}

#! Check the AzureRM PowerShell module (before anything that needs it)
Try {
    Write-Verbose "Importing AzureRM PowerShell Module..."
    Import-Module -Name AzureRM -RequiredVersion 2.4.0 -ErrorAction Stop -Verbose:$false | Out-Null
}
Catch {
    Write-Warning "AzureRM PowerShell Module requires update..."
    Write-Verbose "Installing AzureRM Module version 2.4.0"
    Install-AzureRM
    Import-Module -Name AzureRM -RequiredVersion 2.4.0 -Verbose:$false | Out-Null
}

#! Check the Azure Stack PowerShell module
Try {
    Write-Verbose "Importing Azure Stack PowerShell Module..."
    Import-Module -Name AzureStack -RequiredVersion 1.7.0 -ErrorAction Stop -Verbose:$false | Out-Null
}
Catch {
    Write-Warning "Azure Stack PowerShell Module requires update..."
    Write-Verbose "Installing Azure Stack PowerShell Module version 1.7.0"
    Install-AzureStack
    Import-Module -Name AzureStack -RequiredVersion 1.7.0 -Verbose:$false | Out-Null
}

#! Check Azure Stack connection
Try {
    Write-Verbose "Connecting to Azure Stack..."
    Add-AzureRmEnvironment -Name 'AzureStackAdmin' -ArmEndpoint 'https://adminmanagement.local.azurestack.external' | Out-Null
    Login-AzureRmAccount -EnvironmentName 'AzureStackAdmin' -Credential $AzureCred -ErrorAction Stop | Out-Null
}
Catch {
    Write-Warning "Cannot connect to Azure Stack environment. Please check your credentials. Exiting!"
    return
}

#! Check the backup share with the same credentials Azure Stack will use (Test-Path would only test the current user)
Try {
    Write-Verbose "Testing access to $SharePath as $($ShareCred.UserName)..."
    New-PSDrive -Name AzsBackupShare -PSProvider FileSystem -Root $SharePath -Credential $ShareCred -ErrorAction Stop | Out-Null
    Remove-PSDrive -Name AzsBackupShare -Force
}
Catch {
    Write-Warning "Share path is not reachable with the supplied credentials. Please provide a correct UNC path to an SMB file share. Exiting!"
    return
}

#! Generate the backup certificate. Azure Stack only ever receives the public key.
Write-Verbose "Generating Self-Signed Backup Certificate..."
$cert = New-SelfSignedCertificate -DnsName "$env:USERDNSDOMAIN" -CertStoreLocation "cert:\LocalMachine\My"

$CertDir = Join-Path $ENV:USERPROFILE "Documents\Certs"
Write-Verbose "Creating local directory $CertDir"
New-Item -Path $CertDir -ItemType Directory -Force | Out-Null

Write-Verbose "Exporting the public key (.CER) of the backup certificate..."
$CerFile = Export-Certificate -Cert $cert -FilePath (Join-Path $CertDir "AzsInfraBkpCertPublic.cer")

Try {
    Write-Verbose "Enabling Azure Stack Infrastructure Backup..."
    # -EncryptionCertPath needs the full path to the .CER; .PSChildName is only the file name
    Set-AzsBackupConfiguration -Path $SharePath -Username $ShareCred.UserName -Password $ShareCred.Password `
        -BackupFrequencyInHours $Frequency -BackupRetentionPeriodInDays $Retention `
        -EncryptionCertPath $CerFile.FullName -IsBackupSchedulerEnabled $true -ErrorAction Stop
}
Catch {
    Write-Warning "$_ Exiting!"
    return
}

#! Check Azure Cloud connection (the Key Vault lives in public Azure)
Try {
    Write-Verbose "Connecting to Azure Cloud..."
    Login-AzureRmAccount -EnvironmentName AzureCloud -Credential $AzureCred -ErrorAction Stop | Out-Null
}
Catch {
    Write-Warning "Cannot connect to Azure environment. Please check your credentials. Exiting!"
    Write-Warning "The backup certificate $($cert.Thumbprint) is still in cert:\LocalMachine\My; export and secure it manually, it is the only copy of the private key."
    return
}

#! Export the PFX (private key) protected with a random password
Write-Verbose "Generating password for the PFX private key..."
$Password = (New-Guid).Guid
$SecurePassword = ConvertTo-SecureString -String $Password -Force -AsPlainText
$PfxFile = Join-Path $CertDir "AzsInfraBkpCertPrivate.pfx"
Write-Verbose "Exporting PFX Self-Signed Backup Certificate with Private Key..."
Export-PfxCertificate -Cert $cert -FilePath $PfxFile -Password $SecurePassword | Out-Null

#! Upload the PFX and its password to Azure Key Vault, then remove the local copies
Try {
    Write-Verbose "Adding Azure Stack Backup Certificate to Azure Key Vault"
    Set-AzureKeyVaultSecret -VaultName $BackupKeyVault -Name 'AzureStack-InfraBackup-Password-Certificate' `
        -SecretValue $SecurePassword -ErrorAction Stop | Out-Null
    Import-AzureKeyVaultCertificate -VaultName $BackupKeyVault -Name 'AzureStack-InfraBackup-PrivateKey-Certificate' `
        -FilePath $PfxFile -Password $SecurePassword -ErrorAction Stop | Out-Null

    Write-Verbose "Deleting the exported certificate files from the local machine..."
    Get-ChildItem -Path $CertDir | Remove-Item -Force
    Write-Verbose "Deleting the certificate and its private key from the local certificate store..."
    # Remove by thumbprint (a subject match could hit unrelated certificates) and delete the key material too
    Remove-Item -Path "cert:\LocalMachine\My\$($cert.Thumbprint)" -DeleteKey -Force
}
Catch {
    Write-Warning "$_ Exiting!"
    Write-Warning "The PFX in $CertDir and the certificate $($cert.Thumbprint) in cert:\LocalMachine\My were NOT removed; secure them manually, they are the only copy of the private key."
    return
}

Summary

Azure Stack Infrastructure Backup is designed to internalize the complexity of backing up and restoring data for infrastructure services, ensuring Azure Stack operators can focus on managing the solution and maintaining an SLA to end-users. And with this tool, it becomes even faster to configure Infrastructure backup and save the certificate in Azure Key Vault.

Storing the backup data on an external share is required so that backups are not kept on the same system they protect. The external share also gives you the flexibility to decide where the data lives according to your company's existing BC/DR policy. Most important of all, keep the PFX (the certificate with its private key) and its password in a safe place such as Azure Key Vault, and restrict who can read them: anyone with the PFX, its password, and a copy of the backup share can decrypt the backups, and without them Azure Stack recovery is, well, impossible later.
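Cloud recovery needs the PFX and its password back out of Key Vault. The following is an added example (not the author's script) that pulls the certificate's private key from the vault, re-wraps it with the stored password into a PFX on disk, and optionally checks its thumbprint against the certificate Azure Stack is currently configured with. It assumes AzureRM 2.4.0 sessions to the Azure tenant holding the vault and (for -Verify) to the Azure Stack admin endpoint, the Key Vault object names from Enable-AzureStackBackup.ps1, and that the object returned by Get-AzsBackupConfiguration reports the configured thumbprint as EncryptionCertThumbprint.

```powershell
# Added example, not the author's script: retrieve the backup certificate from Key Vault as a
# password-protected PFX for cloud recovery and, optionally, confirm it matches the public key
# Azure Stack is configured with.
# Assumes: AzureRM 2.4.0 sessions to the Azure tenant hosting the vault and (for -Verify) to the
# Azure Stack admin endpoint, the Key Vault object names used by Enable-AzureStackBackup.ps1,
# and (assumption) an EncryptionCertThumbprint property on Get-AzsBackupConfiguration's output.
param(
    [Parameter(Mandatory = $true)][string]$BackupKeyVault,
    [Parameter(Mandatory = $true)][string]$OutFile,
    [string]$CertName        = 'AzureStack-InfraBackup-PrivateKey-Certificate',
    [string]$SecretName      = 'AzureStack-InfraBackup-Password-Certificate',
    [string]$CertVersion,      # an older certificate version, for backups taken before a rotation
    [string]$PasswordVersion,  # the password secret version stored at the same time
    [switch]$Verify
)
$ErrorActionPreference = 'Stop'

# Key Vault keeps the private key of an imported certificate in a secret of the same name,
# as a base64 PKCS#12 blob without a password. Read that secret, not the certificate object.
$certArgs = @{ VaultName = $BackupKeyVault; Name = $CertName }
if ($CertVersion) { $certArgs.Version = $CertVersion }
$pfxBytes = [Convert]::FromBase64String((Get-AzureKeyVaultSecret @certArgs).SecretValueText)

# Load it as exportable so the key can be re-wrapped with the password stored next to it.
$flags = [System.Security.Cryptography.X509Certificates.X509KeyStorageFlags]::Exportable
$x509  = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($pfxBytes, '', $flags)
if (-not $x509.HasPrivateKey) { throw "Secret '$CertName' in vault '$BackupKeyVault' carries no private key" }

$pwdArgs = @{ VaultName = $BackupKeyVault; Name = $SecretName }
if ($PasswordVersion) { $pwdArgs.Version = $PasswordVersion }
$pfxPassword = (Get-AzureKeyVaultSecret @pwdArgs).SecretValueText

# Write the PFX the way the script originally exported it: private key protected by that password.
$pfxOut = $x509.Export([System.Security.Cryptography.X509Certificates.X509ContentType]::Pfx, $pfxPassword)
[System.IO.File]::WriteAllBytes($OutFile, $pfxOut)
Write-Host "PFX written to $OutFile (thumbprint $($x509.Thumbprint)); its password is Key Vault secret '$SecretName'"

if ($Verify) {
    $configured = (Get-AzsBackupConfiguration).EncryptionCertThumbprint
    if ($configured -eq $x509.Thumbprint) {
        Write-Host "Thumbprint matches the certificate Azure Stack currently encrypts with."
    } else {
        Write-Warning "Azure Stack encrypts with $configured but this PFX is $($x509.Thumbprint); current backups need a different certificate version (see -CertVersion)."
    }
}
```

The certificate object and its backing secret share the same version ID in Key Vault, so -CertVersion selects the private key that matches a backup taken before a rotation; the password secret is a separate object with its own versions, which is why -PasswordVersion exists. Treat the machine and path you write the PFX to as now holding the backup decryption key, and delete the file once the recovery deployment has consumed it.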

Roadmap

I am planning to improve this tool in the future. This is still version 1.5. If you have any feedback or changes that everyone should receive, please feel free to leave a comment below.

Until then… Stay protected with Azure Stack Infrastructure Backup!

__
Thank you for reading my blog.

If you have any questions or feedback, please leave a comment.

-Charbel Nemnom-
