Data protection in today’s world is becoming more critical than ever. With the increasing amounts of data in this all-connected world comes more data that needs to be protected. According to various reports, data protection is listed as one of the top 5 priorities that IT leaders and businesses continue to have in today’s world.
In this blog post, we will share with you how to enable Azure Backup on VMs using Azure Policy at scale, so you can auto-protect and enforce backup on existing or on newly deployed virtual machines.
With Azure Backup, Microsoft has taken a cloud-first approach, building it as a multi-tenant platform as a service (PaaS) that delivers backup as a service (BaaS). It is architected to support the full spectrum of born-in-the-cloud applications (IaaS, PaaS, and SaaS), delivers on the promises of the cloud, and shifts both admin personas into higher-leverage roles in a cloud-transformed IT world of backup.
Azure Backup has first-class support for IaaS including SQL and SAP workloads running on Azure as IaaS VM, as well as supporting backup of SQL PaaS for long-term retention needs. This also includes support for Azure Files and Azure File Sync and soon other Azure PaaS artifacts.
Azure Policy is basically a set of rules, or a particular workflow, that we want all the resources in a given resource group, subscription, or management group to follow. It can be as simple as assigning a “Tag” to any resource that is created within the resource group.
Microsoft has released several Azure Policies to auto-enable backup on IaaS virtual machines for different scenarios. This basically lets you create a policy for your management group, subscription, or resource group, and as you deploy any VM, the policy ensures that the VM gets auto-protected by Azure Backup and enables the backup for the schedule and the retention you defined. You can also auto-enable backup for existing VMs in the chosen scope.
In this article, I will show you how to enable Azure Policy to support Azure Backup. This will ensure that backup of virtual machines is automatically enabled as soon as a VM is deployed in a specific resource group.
To follow this article, you need to have the following:
1) An Azure subscription. If you don’t have an Azure subscription, you can create a free one here.
2) Azure Resource Group (RG) obviously.
3) At least one Azure Recovery Services vault is created. Please check the following quick start guide to create and configure a Recovery Services vault.
4) At least one Azure Backup policy is created. Please check the following guide on how to automate the creation of Azure Backup protection policies.
5) At least one Azure virtual machine is deployed in the desired RG. Please check the following quick start guide to create a Windows virtual machine.
For the purpose of this article, I’ll be configuring backup on VMs without any given “Tag” to an existing recovery services vault in the same region. You can also choose a different Azure Policy definition to configure backup on VMs to a new recovery services vault, and with or without a given “Tag”.
Assuming you have all the prerequisites in place, take now the following steps:
Enable Azure Backup with Azure Policy
Open the Azure Portal, click “All services” and then search for “Backup Center”, then select “Azure policies for backup” under Policy and compliance on the left-hand side of the blade.
Backup Center is a single unified management experience in Azure. It enables enterprises to govern, monitor, operate, and analyze backups at scale. With this solution, you can perform most of the key backup management operations without being limited to the scope of an individual vault.
Next, select the desired policy for your scenario. In this example, I will choose ‘Configure backup on virtual machines without a given tag to an existing recovery services vault in the same location’. Click on “Assign” at the top of the page. The Assign policy blade will open, which lets you author a policy.
The first step is to define the scope where the policy applies. A scope can be a management group, subscription, or resource group. Depending on the scenario you choose, some policies can only be scoped to a management group or a subscription; however, all policies can be scoped to a resource group. As shown in the figure below, I will set the scope to a resource group that I have created (you select the subscription first, and then the desired resource group).
Next, you can give it any custom assignment name and description you want. In this example, I will call it ‘Azure Backup Policy for West Europe VMs’, and give it the description ‘I am creating an Azure Policy to backup all my West Europe VMs’. By default, ‘Policy enforcement’ is set to Enabled. Click Next to continue.
On the Parameters tab, you need to specify a couple of parameters for the Azure Backup policy as follows:
- Location: You need to specify the location (Azure region) of your deployed VMs that you want to protect. In this example, I choose ‘West Europe’.
- Backup Policy: You need to specify the ID of the Azure backup policy to configure the backup of the virtual machines. The selected Azure backup policy should be of type Azure virtual machine. This policy needs to be in a vault that is present in the location chosen above. Click on the ellipsis (…) next to the Backup Policy and then choose the existing ‘Recovery Services vault’ and the ‘Recovery Services backup policy’ that you created as part of the prerequisites.
- Exclusion Tag Name (optional): As an optional parameter, you can set the ‘Name’ of the tag to use for excluding VMs from the scope of this policy. This should be used along with the ‘Exclusion Tag Value’ parameter below. In this example, I don’t want to exclude any VM.
- Exclusion Tag Value (optional): Similar to the ‘Exclusion Tag Name’ parameter above, you can set the value of the tag to use for excluding VMs from the scope of this policy (in case of multiple values, use a comma-separated list). This should be used along with the ‘Exclusion Tag Name’ parameter above. In this example, I don’t want to exclude any VM.
- Effect: The default is ‘deployIfNotExists’. You can set it to ‘disabled’ in case you want to disable this policy, or you can only audit whether backup is enabled for your VMs by specifying ‘auditIfNotExists’. In this example, I’ll leave it at the default.
Click Next to continue to the Remediation tab. By default, the assignment only takes effect for newly created resources; existing resources can be updated via a remediation task after the policy is assigned. Select ‘Create a remediation task’ as shown in the figure below. This means that if any VMs are already present in my resource group, the remediation task ensures that the backup policy is enforced on those existing VMs as well.
The next thing to do is create a managed identity. It is advised to create the managed identity in a region different from your source region, because if a disaster takes down your source region, the identity would go down with it. In this example, I pick ‘North Europe’ for my managed identity location.
The purpose of this managed identity is to manage the virtual machines and backup resources. So what we are doing here is basically creating a managed identity with the Virtual Machine Contributor and Backup Contributor permissions. This identity has access to back up your virtual machines to the specified Recovery Services vault. With this in place, all management of backup resources and enabling of backup on your VMs is handled automatically by Azure Backup.
Clicking Next, you can set up a custom non-compliance message. This is shown whenever one of your existing VMs is not protected by Azure Backup, for whatever reason. For example, I can set the message to (Non-compliant VM for Azure Backup. Please remediate.).
Click Next to continue. Finally, you can validate all the entries you have made and then click on ‘Create’.
Once the assignment is created, it will take around 30 minutes to take effect.
Verify Azure Backup Policy enforcement
In this section, we will verify how the policy enforcement looks after it’s enabled.
I already have a couple of VMs that I have created using this policy which is assigned on the scope of my resource group.
Navigate to the resource group where the VMs are created, and then click on ‘Policies’ on the left blade under Settings as shown in the figure below.
You can see all the policies that exist in this resource group, including the policy that I created in the previous section, ‘Azure Backup Policy for West Europe VMs’.
If you click on the policy, you will see all the VMs in a Compliant or Non-compliant state. This is basically the monitoring pane for the policy. You can see that all my VMs are in a compliant state: each is in ‘West Europe’ and is protected by Azure Backup as shown in the figure below.
You can select any compliant VM and then click on ‘View Resource’. The VM blade will open, where you can navigate to the ‘Backup’ page under Operations on the left-hand side. You can see that the VM is protected by Azure Backup and in a healthy state as shown in the figure below.
What if you have existing VMs deployed in that resource group before you assign the Backup policy? Remember that the assignment only takes effect for newly created resources (VMs). The existing VMs can be protected via a remediation task after the policy is assigned.
So during an evaluation cycle, any existing VM matched by a policy definition with a “DeployIfNotExists” effect is marked as non-compliant. However, because we chose to create a remediation task when assigning the policy definition, as described in the previous section, backup is auto-enabled on those existing VMs as well once the policy finishes its evaluation.
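To make the Parameters tab, the remediation behaviour and the compliance view above concrete, here is an added example (not code from the original post, and not the built-in policy definition itself) that models locally how such an assignment classifies the VMs in its scope: a VM is evaluated only if it sits in the chosen location and does not carry an excluded tag value, it is compliant if a protected item already exists for it, and a remediation task targets the remaining non-compliant VMs only when the effect is deployIfNotExists. It also checks the constraints the post states for the parameters (backup policy of type Azure virtual machine, in a vault in the same location, exclusion name and value set together). All resource IDs, tag names and locations are constructed sample data; the parameter and field names are assumptions chosen to mirror the Parameters tab, and the example goes beyond the post by exercising the exclusion-tag path with a comma-separated value list.

```python
"""Local model of an Azure Policy assignment that configures backup on VMs
without a given tag to an existing Recovery Services vault in the same
location. Added example: a simplified model, not the built-in definition."""
from dataclasses import dataclass, field, replace
from typing import Dict, List, Optional, Set

# Valid values of the assignment's Effect parameter, as listed on the Parameters tab.
VALID_EFFECTS = ("deployIfNotExists", "auditIfNotExists", "disabled")


@dataclass
class VirtualMachine:
    resource_id: str
    location: str
    tags: Dict[str, str] = field(default_factory=dict)


@dataclass
class BackupPolicy:
    policy_id: str
    vault_location: str      # region of the vault that holds this policy
    workload_type: str       # "AzureIaasVM" means "type Azure virtual machine"


@dataclass
class PolicyAssignment:
    location: str                    # "Location" parameter (region of the VMs to protect)
    backup_policy: BackupPolicy      # "Backup Policy" parameter
    effect: str = "deployIfNotExists"
    exclusion_tag_name: Optional[str] = None
    exclusion_tag_value: Optional[str] = None   # comma-separated list, as on the Parameters tab

    def excluded_values(self) -> Set[str]:
        """Parse the comma-separated Exclusion Tag Value into a set of values."""
        if not self.exclusion_tag_value:
            return set()
        return {v.strip() for v in self.exclusion_tag_value.split(",") if v.strip()}


def validate_assignment(a: PolicyAssignment) -> List[str]:
    """Return the parameter problems to fix before creating the assignment."""
    problems = []
    if a.effect not in VALID_EFFECTS:
        problems.append(f"unsupported effect {a.effect!r}")
    if a.backup_policy.workload_type != "AzureIaasVM":
        problems.append("backup policy must be of type Azure virtual machine")
    if a.backup_policy.vault_location.lower() != a.location.lower():
        problems.append("backup policy's vault is not in the chosen location")
    if bool(a.exclusion_tag_name) != bool(a.exclusion_tag_value):
        problems.append("exclusion tag name and value must be set together")
    return problems


def is_in_scope(vm: VirtualMachine, a: PolicyAssignment) -> bool:
    """A VM is targeted when it is in the assignment's location and not tagged out."""
    if vm.location.lower() != a.location.lower():
        return False
    if a.exclusion_tag_name and vm.tags.get(a.exclusion_tag_name) in a.excluded_values():
        return False
    return True


def evaluate(vms: List[VirtualMachine], protected_ids: Set[str],
             a: PolicyAssignment) -> Dict[str, List[str]]:
    """Classify VMs the way the policy's compliance pane would."""
    result = {"compliant": [], "non_compliant": [], "not_evaluated": []}
    for vm in vms:
        if a.effect == "disabled" or not is_in_scope(vm, a):
            result["not_evaluated"].append(vm.resource_id)
        elif vm.resource_id in protected_ids:
            result["compliant"].append(vm.resource_id)
        else:
            result["non_compliant"].append(vm.resource_id)
    return result


def remediation_targets(vms: List[VirtualMachine], protected_ids: Set[str],
                        a: PolicyAssignment) -> List[str]:
    """Existing VMs a remediation task would enable backup on (deployIfNotExists only)."""
    if a.effect != "deployIfNotExists":
        return []
    return evaluate(vms, protected_ids, a)["non_compliant"]


# Constructed sample data (hypothetical names, not real resources).
SAMPLE_POLICY = BackupPolicy("/subscriptions/<sub>/.../vaults/rsv-weu/backupPolicies/DailyPolicy",
                             "West Europe", "AzureIaasVM")
SAMPLE_ASSIGNMENT = PolicyAssignment("West Europe", SAMPLE_POLICY,
                                     exclusion_tag_name="backup",
                                     exclusion_tag_value="skip, none")
SAMPLE_VMS = [
    VirtualMachine("vm-web-01", "West Europe"),                      # unprotected, in scope
    VirtualMachine("vm-db-01", "West Europe", {"backup": "skip"}),   # excluded by tag
    VirtualMachine("vm-app-01", "North Europe"),                     # other region
    VirtualMachine("vm-web-02", "West Europe"),                      # already protected
]
SAMPLE_PROTECTED = {"vm-web-02"}


if __name__ == "__main__":
    print("problems:", validate_assignment(SAMPLE_ASSIGNMENT))
    print(evaluate(SAMPLE_VMS, SAMPLE_PROTECTED, SAMPLE_ASSIGNMENT))
    print("remediate:", remediation_targets(SAMPLE_VMS, SAMPLE_PROTECTED, SAMPLE_ASSIGNMENT))
```

Running the block shows vm-web-02 as compliant, vm-web-01 as the only remediation target, and vm-db-01 and vm-app-01 left unevaluated, which is the split the monitoring pane shows after the remediation task has run. Switching the effect to auditIfNotExists keeps the same compliance picture but yields no remediation targets, matching the post's description of that parameter.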
That’s it, there you have it!
Azure Backup is a cloud-based backup solution that is part of a broad service presented to customers through Azure Recovery Services Vaults. Though cloud-native and platform as a service (PaaS), it is also possible to use Azure Backup on-premises as well as in the cloud. Azure Backup can replace your existing on-premises and off-site backup solution with a cloud-based solution that is reliable, secure, and cost-competitive.
Azure Backup is simple to configure and use, offering consistent copies with security features and management controls via the Azure portal.
- Learn more on how Azure Backup Integrates with Azure File Sync – Part I
- Learn more on how Azure Backup Integrates with Azure File Sync – Part II
- Learn more on how to enable Azure Site Recovery (ASR) on VMs using Azure Policy
I hope this article gave you a broad overview of how to auto-enable Azure Backup with Azure Policy to help you minimize operations overhead, and increase data protection against security threats and ransomware attacks.
Thank you for reading my blog.
If you have any questions or feedback, please leave a comment.