Yesterday, Microsoft released Azure Stack 1902 update which is the second update release for this year. This update includes improvements, new features, and fixes. You can check what’s new in Azure Stack 1902 update here
Starting with Azure Stack 1807 update, Microsoft added automatic infrastructure backup. This feature was one of the great enhancement added to Azure Stack because, in the previous releases, infrastructure backup was a manual task (on-demand backup). When Azure Stack 1807 update was released, I have developed an automated tool to Configure Automatic Infrastructure Backup With PowerShell. So instead of going every time to the Azure Stack Administrator portal to configure Infrastructure backup, you can use this tool to automate the entire process.
Starting with Azure Stack 1901 update and above, Microsoft has deprecated the encryption key that was used previously to encrypt backup data and replaced it with public key only certificate (.CER). This is for a good reason because encrypting backup data using certificates is more secure than encryption keys. You can read about Azure Stack 1901 changes here.
Please note that Azure Stack still supports encryption key only if the key is configured before updating to 1901. Microsoft stated that backward compatibility mode will continue for three releases only. After that, encryption keys will no longer be supported.
So it’s time to start moving to certificate-based encryption.
In this blog, I will show you how to leverage the new Azure Stack PowerShell module for infrastructure backup to enable automatic backups based on Azure Stack version 1901 and above.
Certificate for Azure Stack Infrastructure Backup
What you need to know about Azure Stack backup certificate is the following:
- The certificate is only used for transport of keys, not to establish secure authenticated communication.
- Microsoft does not need to verify the root or trust for this cert so a Self-Signed is enough.
- External internet access is not required so no change in requirements compare to encryption keys.
- Why Self-Signed cert is enough?
- Microsoft uses the public key (exported in the .CER file) to encrypt the backups.
- Microsoft uses the private key (exported in the .PFX file) during cloud recovery to decrypt the backups.
- These certificates are not managed internally so secret rotation will not make any changes to this cert.
- If you need to change the cert because the private key was compromised for some reason, then you simply create a new self-signed cert and provide the new (.CER) to Azure Stack. All existing backups remain encrypted using the previous public key. All new backups will use the new public key.
For more information about Azure Stack Infrastructure Backup Service best practices, please check the following article.
Enable Infrastructure Backup
Now before you start enabling automatic backup, make sure that you update to version 1.7.0 of the Azure Stack admin PowerShell cmdlets, this is a requirement now that you are on 1901 update and above. You can run the following PowerShell command to install Azure Stack PowerShell module version 1.7.0.
If infrastructure backup was configured before updating to 1901, you can use version 1.6.0 of the Admin PowerShell to set and view the encryption key. Please note that Azure Stack PowerShell module version 1.6.0 will not allow you to update from encryption key to a certificate file. Please refer to Install Azure Stack PowerShell for more information on installing the correct version of the module.
# Azure Stack 1901 or later: Install-Module AzureRM -RequiredVersion 2.4.0 Install-Module -Name AzureStack -RequiredVersion 1.7.0
I have updated my previous PowerShell tool to support Azure Stack version 1901 and above that will help me to automate and enable Azure Stack Infrastructure Backup. So instead of going every time to the Azure Stack Admin portal and configure backup, I developed that tool to automate the entire process. The script will connect to Azure Stack admin endpoint, verify the backup share is accessible, generate Self-Signed certificate, and then configure the backup. Finally, it will upload the PFX format of the certificate including the private key and password to Azure Key Vault for additional security.
Configuring Azure Stack Infrastructure backup is very important, but the certificate should be stored in a secure location (for example, Azure Key Vault certificate). The CER format of the certificate is used to encrypt data. The PFX format including the password must be used during cloud recovery deployment of Azure Stack to decrypt backup data. Otherwise, Azure Stack recovery is kind of, well, impossible later.
You can run the script in two different scenarios as follows:
.\Enable-AzureStackBackup.ps1 -SharePath [\\ServerIP\Share] -ShareCred [firstname.lastname@example.org] -AzureCred [email@example.com] -BackupKeyVault [Azure-Vault-Name] -Verbose
This example will enable Azure Stack Backup to the specified Share Path with the default backup frequency 12 hours and retention 7 days, and finally enable Automatic Infrastructure Backups. As part of enabling Azure Stack backup, the PFX format of the certificate including the private key and password will be saved in your Azure Key Vault for additional security.
.\Enable-AzureStackBackup.ps1 -SharePath [\\ServerIP\Share] -ShareCred [firstname.lastname@example.org] -AzureCred [email@example.com] -BackupKeyVault [Azure-Vault-Name] -Frequency [4-12] -Retention [2-14] -Verbose
This example will enable Azure Stack Backup to the specified Share Path including backup frequency and retention days that you specify, and finally enable Automatic Infrastructure Backups. As part of enabling Azure Stack backup, the PFX format of the certificate including the private key and password will be saved in your Azure Key Vault for additional security.
Here is a screenshot showing you how to use this tool.
Once the script is completed, you will see that the PFX format of the certificate is uploaded to Azure Key Vault under Certificates as shown in the following screenshot:
And the password for the PFX certificate is saved under Secrets.
The complete script is detailed below to automate the entire process:
<# .SYNOPSIS Enable Azure Stack Backup version 1901 and above. .DESCRIPTION Configure Azure Stack Infrastructure Backup with PowerShell for version 1901 and above. .NOTES File Name : Enable-AzureStackBackup.ps1 Author : Charbel Nemnom Version : 1.5 Date : 17-August-2018 Update : 06-March-2019 Requires : PowerShell Version 5.1 or above Module : Azure Stack Version 1.7.0 Version : Azure Stack version 1901 and above .LINK To provide feedback or for further assistance please visit:
Azure Stack Infrastructure Backup is designed to internalize the complexity of backing up and restoring data for infrastructure services, ensuring Azure Stack operators can focus on managing the solution and maintaining an SLA to end-users. And with this tool, it becomes even faster to configure Infrastructure backup and save the certificate in Azure Key Vault.
Storing the backup data to an external share is required to avoid storing backups on the same system. The external share gives you the flexibility to determine where to store the data based on your existing company BC/DR policy. And most important is to store the PFX format of the certificate with the password as well as the public and private keys in a safe place such as Azure Key Vault. Otherwise, Azure Stack recovery is kind of, well, impossible later.
I am planning to improve this tool in the future. This is still version 1.5. If you have any feedback or changes that everyone should receive, please feel free to leave a comment below.
Until then… Stay protected with Azure Stack Infrastructure Backup!
Thank you for reading my blog.
If you have any questions or feedback, please leave a comment.