Backup Azure File Shares Snapshots to a Separate Storage Account for Disaster Recovery


In this article, I will show you how to protect and copy Azure file shares snapshots from one storage account to another and overcome the Geo DR challenges.

Introduction

Azure Files offers shared storage for applications using the standard SMB 3.0 protocol. Microsoft Azure virtual machines and cloud services can share file data across application components via mounted shares, and on-premises applications can access file data in a share via the File storage API.

Applications running on Azure virtual machines can mount a File storage share to access file data, just as a desktop application would mount a typical SMB share. Any number of Azure virtual machines or roles can mount and access the File Storage share simultaneously.

Microsoft also introduced the Azure File Sync service, which allows you to centralize your file shares in Azure Files while maintaining the compatibility of an on-premises file server, with all the flexibility and performance benefits that it provides. For more information about Azure File Sync and how to get started, please check the following step-by-step guide.

On May 27, 2020, the Azure Backup team, in coordination with the Azure Files team, announced the general availability of the long-awaited “Soft Delete” feature to protect your file share(s) from accidental deletion and malicious actors. However, the snapshots for Azure Files are stored within the same Azure Storage account. In other words, the snapshots are NOT transferred to the Recovery Services vault as they are with Azure IaaS/SQL VM backup today.

What if your organization’s policy dictates that the existing Azure file shares must have a disaster recovery copy stored in another region?

Backup Overview of Azure File Shares

At the time of this writing, when you configure Azure Backup for an Azure file share, the following happens:

  1. You create or select an existing Recovery Services vault.
  2. You enable backup and select Azure File Share.
  3. Then you select the source Azure storage account where the Azure file share(s) reside. The storage account is then registered with the Recovery Services vault. No backup is transferred from the storage account to the Recovery Services vault, which is known as hardening.
  4. The next step is to select one or more file share(s) which you want to protect.
  5. Azure Backup enables “Soft Delete” on the storage account with the default retention period of 14 days.
  6. Last but not least, you can choose or create a new backup policy (daily, weekly, monthly, or yearly backup up to 10 years only through the Azure Portal).
  7. Finally, when each backup job runs, the Azure Backup service will ensure that the soft delete is always turned on.

At the moment, you can take storage snapshots of the Azure file share, but they remain bound to the same storage account, which is quite risky from a disaster recovery point of view.

Users are actively asking for this capability to be added, by transferring the snapshots to a Recovery Services vault and/or to a different storage account.

In this article, I will show you how to protect and copy Azure file share snapshots from one storage account to another by leveraging AzCopy sync to overcome the Geo DR challenges.

Prerequisites

The prerequisites are very simple:

  • Download AzCopy V10.5.1 from here, or open an Azure Cloud Shell session, where AzCopy is included. Please make sure you are using the latest AzCopy version, otherwise the process will fail.
  • You need to have two different storage accounts, either in the same region and subscription or in different regions and subscriptions. From a disaster recovery perspective, it’s more likely that the second storage account is in a different region.
  • You also need to have one or more Azure file shares created in each storage account.
  • Download Microsoft Azure Storage Explorer from here if you don’t have it yet. I will use it to create the Shared Access Signature (SAS) tokens. You can also generate SAS tokens using the Azure Portal or PowerShell. As a side note, SAS is more secure than the storage account keys. One of the main reasons is that with SAS you can restrict the IP addresses that can access the account, control the permissions on the account in a more granular fashion, set when the token will expire, and choose which services it grants access to (Blobs, Files, Queues, Tables). Please note that SAS tokens are signed with your key, so regenerating your storage account key should invalidate the SAS token as well. Keep that in mind!
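
As an added example (not part of the original article), the following Python check reads the SAS query string on an AzCopy endpoint URL and reports where it is broader than the restrictions listed above: expiry, permissions, IP range and services. The eight-hour lifetime ceiling, the read-and-list requirement for the source, and the sample URLs with placeholder signatures are assumptions made for this example.

```python
from datetime import datetime, timedelta, timezone
from urllib.parse import urlsplit, parse_qs

MAX_LIFETIME = timedelta(hours=8)   # assumed policy ceiling, not an Azure limit
MODIFY_PERMS = set("wdacup")        # write, delete, add, create, update, process

def audit_sas_url(url, role, now):
    """Return findings for one AzCopy endpoint URL; role is 'source' or 'target'."""
    q = {k: v[0] for k, v in parse_qs(urlsplit(url).query).items()}
    if "sig" not in q:
        return ["no SAS signature in URL"]
    findings = []
    if "se" not in q:
        findings.append("se: no expiry")
    else:
        expiry = datetime.fromisoformat(q["se"].replace("Z", "+00:00"))
        if expiry.tzinfo is None:            # date-only expiry is treated as UTC
            expiry = expiry.replace(tzinfo=timezone.utc)
        if expiry <= now:
            findings.append("se: token already expired")
        elif expiry - now > MAX_LIFETIME:
            findings.append(f"se: valid for {(expiry - now).days} more days")
    if q.get("spr", "https,http") != "https":    # an omitted spr permits HTTP too
        findings.append("spr: plain HTTP allowed")
    if "sip" not in q:
        findings.append("sip: no source-IP restriction")
    extra = set(q.get("ss", "f")) - {"f"}         # ss exists only on an account SAS
    if extra:
        findings.append("ss: services beyond Files: " + "".join(sorted(extra)))
    perms = set(q.get("sp", ""))
    if role == "source" and perms & MODIFY_PERMS:
        findings.append("sp: source can modify data: "
                        + "".join(sorted(perms & MODIFY_PERMS)))
    if role == "source" and not {"r", "l"} <= perms:
        findings.append("sp: source needs read and list")
    if role == "target" and "w" not in perms:
        findings.append("sp: target needs write")
    return findings

# Constructed sample URLs (placeholder signatures), shaped like a snapshot sync source.
NOW = datetime(2020, 7, 31, 15, 0, tzinfo=timezone.utc)
BASE = ("https://SourceStorageAcc.file.core.windows.net/afs-atp-asc"
        "?sharesnapshot=2020-07-31T14:55:42.0000000Z&sv=2019-12-12")
BROAD = BASE + "&ss=bfqt&srt=sco&sp=rwdlacup&se=2021-07-31T23:07:39Z&spr=https&sig=PLACEHOLDER"
TIGHT = BASE + ("&ss=f&srt=co&sp=rl&se=2020-07-31T19:00:00Z&spr=https"
                "&sip=203.0.113.10&sig=PLACEHOLDER")

if __name__ == "__main__":
    for name, url in (("broad", BROAD), ("tight", TIGHT)):
        print(name, audit_sas_url(url, "source", NOW))
```

Running the check against both endpoint URLs before each sync catches a year-long, all-services token on the read side, where a short-lived read-and-list token scoped to Files is enough.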

Sync Snapshots Between Azure File Shares

Assuming you have some files in your file share, take the following steps once you are ready:

In this example, I have the following snapshots created on the first Azure file share, named (afs-atp-asc). I will copy the snapshot named 2020-07-31T14:55:42.0000000Z


In the second storage account, I have a file share named (geo-dr-afs), and I don’t have any files yet as shown in the below figure.


  • The next step is to sync a specific snapshot from the source storage account/file share to another storage account/file share with the SAS key (the key has been intentionally changed in this example). The full syntax is as follows:
azcopy sync "https://SourceStorageAcc.file.core.windows.net/afs-atp-asc?sharesnapshot=2020-07-31T14:55:42.0000000Z&sv=2019-12-12&xxxx=xxxxxxxxxB0RmdZuw6jXE%3D" "https://TargetStorageAcc.file.core.windows.net/geo-dr-afs/?sv=2019-12-12&ss=xxxxxxxse=2021-07-31T23:07:39Z&xxxx-07-1&sig=xxxxx3D"

This command will copy the snapshot including all the files from the source file share and sync the contents to the destination Azure file share in the second storage account.

The output shows the total number of files at the source and the destination and the total number of copy transfers completed, which is 49 files, as well as the time in minutes (1.6) for ~ 5GiB (the SAS key has been intentionally obscured in this demo).

Open the second file share in the second storage account and verify that all the files are synced over.


  • The next step is to take a snapshot of the second file share. This results in consistent (identical) snapshots at the source and target file shares.


Finally, you need to repeat the same process described above to sync and replicate more snapshots.

Summary

By using AzCopy sync, you can do differential snapshot copies to another storage account (file share). The workflow is as follows:

  1. Take a snapshot of the source file share.
  2. Copy the snapshot to the target file share using AzCopy sync.
  3. Take a snapshot of the target file share. The result is that both snapshots are the same.
  4. Finally, repeat steps (1->3) to replicate more snapshots.

Please note that synchronization is one-way. In other words, you choose which of the two endpoints is the source and which one is the destination.

By using this approach, you get a Geo DR file share in another Azure region, while maintaining the same recovery time objective (RTO) as the primary file share with snapshot consistency.

To prevent accidental deletions on the source file share, please make sure to enable the new soft delete feature on your Azure file shares as described here.

AzCopy Sync will only transfer new files and the files that changed, and can also remove deleted files from the target file share. For more information about AzCopy Sync syntax with additional parameters, please check the following document from Microsoft.

How to automate…

As described in this article, this is a manual approach that does not scale efficiently. As of today, if you want to have a quick DR of your Azure file shares, then AzCopy sync is the way to go.

Stay tuned for the next article where I will describe how to automate the entire process!

That’s it, there you have it.

Thank you for reading my blog.

If you have any questions or feedback, please leave a comment.

-Charbel Nemnom-
