The Vaulted backup solution for Azure Blobs offers you protection against a wide variety of scenarios that could lead to accidental or malicious data loss. So, you can enable scheduled backups for Azure Blob using Azure Backup to ensure business continuity and recovery from inadvertent or malicious deletion or ransomware attacks.
In this article, we will show you how to enable vaulted backup for Azure Blob Storage and transfer your protected data to the backup vault.
Azure Backup is an Azure-based service that you can use to back up (or protect) and restore your data in the Microsoft Cloud. Azure Backup replaces your existing on-premises and off-site backup solution with a cloud-based solution that is reliable, secure, and cost-competitive.
The Azure Backup team just announced that you can now perform a Vaulted backup of blobs (public preview) in addition to the generally available operational backups. Vaulted backup for blobs allows you to create hardened backups of your blob data and store them in the Backup vault, thus helping you protect your data from various adverse data loss scenarios due to corruption and deletions of blobs and storage accounts. Vaulted backup can be used along with the existing operational backup solution, and provides a comprehensive, simple, and zero-infrastructure solution to manage the protection of your blob data at scale.
With the Vaulted backup solution, the backup data is copied to and stored in the Backup vault (transferred outside of your storage account) according to the schedule and frequency you define in the backup policy, and the solution supports long-term retention. Hence, you will get comprehensive protection against accidental deletion and ransomware attacks.
Vaulted backup for blobs is integrated into Backup Center and allows you to manage all backups centrally using backup policies. The Vaulted backup for blobs is also built on top of the Backup Vault and not the Recovery Services vault.
A Backup Vault is a management entity that stores recovery points created over time and provides an interface to perform backup-related operations. These include taking on-demand backups (in addition to scheduled ones), performing restores, and creating backup policies.
Vaulted Vs Operational Backup of Blobs
You may ask what is the difference between the existing Operational Backup and the new Vaulted Backup for blobs.
Vaulted backup of blobs stores a backup copy of your block blob data in the Backup vault (as opposed to operational backup of blobs, where the backup data is stored in the source storage account itself for operational recovery). You can enable operational backup or vaulted backup (or both) of blobs on a storage account, independent of each other, using the same backup policy.
The new vaulted blob backup solution allows you to retain your data for up to 10 years (as opposed to the operational backup of blobs, where you can retain your data for up to 1 year). However, restoring from older recovery points may lead to a longer recovery time objective (RTO) during the restore operation.
At the time of this writing, the vaulted backup solution can be used to perform restores to a different storage account ONLY (for restoring to the same account, you may use the operational backups). The storage account to which the data is being restored is referred to as the ‘target’ storage account.
To follow this article, you need to have the following:
1) Azure subscription – If you don’t have an Azure subscription, you can create a free one here.
2) Azure storage V2 account – To create a general-purpose v2 storage account, you can follow the instructions described here.
- You need to have one or more containers – You can follow the instructions here to create a container. If the storage account does not contain any containers or if no containers are selected, you might see an error while configuring the backup.
- You can only configure backup for up to 100 containers with Vaulted Backup – If your storage account contains more than 100 containers, you must select 100 or fewer containers.
3) Stopping the protection (vaulted backup) on a storage account does not delete the Object Replication policy created on the storage account. In such cases, the Object Replication policy must be deleted manually.
4) Hierarchical Namespace (HNS) enabled storage accounts are NOT supported. This includes ADLS Gen2 accounts, accounts using NFS 3.0, and SFTP protocols for blobs.
5) At the time of this writing, only 1 backup can be performed per day (scheduled and on-demand backups included). Any attempts to perform more backups in a day will result in failure.
6) At the time of this writing, cool and archived blobs are not supported. Hopefully, this will change when Vaulted Backup reaches GA.
7) You need a Backup vault and not a Recovery Services vault (more on this in the following section).
8) Supported regions: At the time of this writing, vaulted backup (public preview) for blobs is available in the following regions: France Central, Canada Central, Canada East, US East, South Central US, Germany West Central, Germany North, Australia Central, Australia Central 2, India South, India West, Korea Central, and Korea South. More regions will be added soon.
Creating a Backup Vault
First, you need to create a Backup vault. If you already have a Recovery Services vault, you still need to create a Backup vault, because it is a new resource type used for backing up newly supported workloads and is different from the existing Recovery Services vault.
1) In the Azure portal, type Backup Vaults in the search box. Under Services, select Backup Vaults.
2) In the Backup Vaults page, select +Create which opens the Create Backup vault experience.
3) In the Basics tab, select the desired Azure subscription and resource group name.
4) Under Instance details, type the Backup vault name and choose the region of your choice.
5) Next, choose your Backup storage redundancy (LRS/GRS). Please note that storage redundancy cannot be changed after protecting items in the vault.
6) Click Next: Tags > and add any tags as required.
7) Finally, select the Review + Create button once done, and then click Create.
Granting permissions on storage accounts
Azure Backup also protects the storage account (that contains the blobs to be protected) from any accidental deletions by applying a Backup-owned Delete Lock. This requires the Backup vault to have certain permissions on the storage accounts that are being protected. To facilitate this process, the Azure Backup team has created a new role called “Storage Account Backup Contributor”.
To grant permissions to the backup vault on storage accounts that are required to be protected, please follow the steps below:
1) In the storage account to be protected using Vaulted Backup, navigate to the Access Control (IAM) tab on the left navigation.
2) Click on Add role assignments to assign the “Storage Account Backup Contributor” role.
3) In the Add role assignment blade, under Role, choose Storage Account Backup Contributor. Type the name of the Backup vault that you created in the previous step and select the same from the search results. Once done, click Review + assign as shown in the figure below.
Please note that although the role assignments are reflected in the portal right away, it may take up to approximately 10 minutes for the permission to take effect!
Creating a Backup Policy
First, we need to create a backup policy.
A backup policy defines when and how often your recovery points get created, and for how long they are retained in the Backup vault. You can use a single backup policy for both your vaulted and operational backups, or use it for just one of the two. You can create a backup policy either before configuring backups for storage accounts or while configuring backups.
To create a backup policy, follow the steps below:
1) Launch the Azure portal and go to Backup Center, and click ‘+Policy’ on the top bar as shown in the figure below. This takes you to the create policy experience.
2) Next, select the Datasource type as ‘Azure Blobs (Azure Storage)’ as shown in the figure below, and then click ‘Continue’.
3) In the ‘Basics’ tab, provide a name for the policy and select the Backup vault that you created in the previous step to be associated with this policy. You can view details of the selected vault in this tab as well. Once done, click ‘Next: Schedule + retention’.
4) In the ‘Schedule + retention’ tab, provide the backup details regarding the data store and the schedule and retention for these data stores, as applicable.
- Choose whether to use this policy for vaulted backups, operational backups, or both by checking the corresponding checkboxes.
- For Vaulted backups: You need to choose the frequency of backups between Daily and Weekly, and then specify the time when the backup recovery points need to be created. You can edit the default retention rule (using the edit button on the right) or add new retention rule(s) to specify the recovery points using a grandparent-parent-child notation (Daily, Weekly, Monthly, or Yearly).
5) Finally, proceed to ‘Review and create’, and click ‘Create’ when done.
Configure Backup for Azure Blobs
The next step is to enable and configure vaulted backup for blobs. You can configure backup for one or more storage accounts in an Azure region at once if you wish to back them up to the same vault using a single backup policy.
Follow the steps below to configure backup for storage accounts:
1) Launch the Azure portal and go to Backup Center by searching for ‘Backup Center’ in the search bar.
2) Navigate to the ‘Overview’ blade and click ‘+Backup’.
3) In the ‘Start: Configure Backup’ tab, choose Azure Blobs (Azure Storage) as the Datasource type as shown in the figure below, and then click ‘Continue’.
4) In the ‘Basics’ tab, specify Azure Blobs (Azure Storage) as the Datasource type and select the Backup vault that you want to associate your storage accounts with. You can view details of the selected vault in the blade as shown in the figure below. Click ‘Next’ to continue.
5) Next, select the backup policy that you want to use for the specified retention. You can view the details of the selected backup policy in the blade as shown in the figure below. You can also create a new backup policy if needed. Once done, click ‘Next’ to continue.
6) In the ‘Datasources’ tab, add the storage account(s) you wish to back up. You can add multiple storage accounts in the region to back up using the selected policy. You can use the search box and filters to narrow your search if required.
7) When you select the storage account(s), the Backup Center runs the following validations (backup readiness) behind the scenes to ensure all prerequisites are met:
- Validates that the Backup vault has the required permissions to configure backup (The ‘Storage account backup contributor’ role on all of the selected storage accounts).
- If you do not have permission to assign roles, you can also use the ‘Download role assignment template’ button as shown in the figure below to download a shareable JSON template to assign roles for the selected storage accounts. The role assignments may take up to 10 minutes to take effect.
- Validates that the number of containers to be backed up is less than 1,000. By default, all containers are selected; however, you can exclude (change) containers that you don’t want to back up.
- As noted in the prerequisites section, the storage account(s) to be backed up must contain at least 1 container. If the chosen storage account does not contain any containers or if no containers are selected, you will see an error while configuring the backup.
8) Once done, click ‘Next’ to continue.
Finally, review the backup details in the ‘Review + configure’ tab and then click ‘Configure backup’ to initiate the backup operation.
You’ll receive notifications about the status of configuring protection and its completion.
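The readiness validations from step 7, together with the prerequisites listed earlier (general-purpose v2 account, no HNS/NFS 3.0/SFTP, between 1 and 100 selected containers, and the role assignment for the vault), can also be checked offline before you open the portal. The following is an added example, not part of the original article or of Microsoft's tooling; the JSON key names are assumed to match Azure CLI output, and all IDs and container names are constructed.

```python
import json

ROLE = "Storage Account Backup Contributor"  # role name given in the article

# Constructed sample data. Key names are assumed to match Azure CLI JSON
# output (`az storage account show`, `az role assignment list`).
ACCOUNT = json.loads("""{
  "id": "/subscriptions/0000/resourceGroups/rg-demo/providers/Microsoft.Storage/storageAccounts/stdemo",
  "kind": "StorageV2", "isHnsEnabled": false,
  "isNfsV3Enabled": false, "isSftpEnabled": false
}""")
VAULT_PRINCIPAL = "11111111-aaaa-bbbb-cccc-222222222222"  # constructed object ID
ASSIGNMENTS = [{"principalId": VAULT_PRINCIPAL, "roleDefinitionName": ROLE,
                "scope": "/subscriptions/0000/resourceGroups/rg-demo"}]


def scope_covers(scope, resource_id):
    """True if a role scope is the resource itself or one of its parents.

    Azure RBAC assignments are inherited by child scopes. Matching on a full
    path segment stops 'rg' from being treated as a parent of 'rg-demo'.
    """
    scope, resource_id = scope.rstrip("/").lower(), resource_id.lower()
    return resource_id == scope or resource_id.startswith(scope + "/")


def backup_readiness(account, selected_containers, assignments, vault_principal,
                     max_containers=100):
    """Return a list of blocking findings; an empty list means ready."""
    findings = []
    if account.get("kind") != "StorageV2":
        findings.append("account is not general-purpose v2")
    for flag, label in (("isHnsEnabled", "hierarchical namespace"),
                        ("isNfsV3Enabled", "NFS 3.0"),
                        ("isSftpEnabled", "SFTP")):
        if account.get(flag):
            findings.append(f"{label} is enabled (not supported)")
    if not selected_containers:
        findings.append("no containers selected")
    elif len(selected_containers) > max_containers:
        findings.append(f"more than {max_containers} containers selected")
    if not any(a["principalId"] == vault_principal
               and a["roleDefinitionName"] == ROLE
               and scope_covers(a["scope"], account["id"])
               for a in assignments):
        findings.append(f"vault lacks the '{ROLE}' role on this account")
    return findings


if __name__ == "__main__":
    result = backup_readiness(ACCOUNT, ["logs", "images"], ASSIGNMENTS, VAULT_PRINCIPAL)
    print("\n".join(result) or "ready for vaulted backup")
```

An empty result only means the listed prerequisites hold; a freshly created role assignment can still take up to 10 minutes to become effective.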
That’s it, there you have it!
In this article, we showed you how to enable vaulted backup for Azure Blob Storage. The new vaulted solution for Azure Blob transfers data to the Backup Vault and supports long-term retention to meet your compliance requirements. Hence, you get comprehensive protection against accidental deletion and ransomware attacks.
The operational backup and the new vaulted backup solutions are independent of each other and can be used together.
Once you enable Vaulted backup for Azure Blobs on backed-up storage account(s), you would see object replication rules getting created under the ‘Object replication’ blade (Other accounts) as shown in the figure below.
Vaulted backup for blobs can help you perform backups that are isolated from production workloads and allow recovery even in case of storage account deletions, with long-term retention of backup data for up to 10 years, alternate location recovery to storage account(s) other than the source storage account(s), and central management of backups.
Thank you for reading my blog.
If you have any questions or feedback, please leave a comment.