With Azure File Sync, you can centralize your files in Azure and then install a sync agent on Windows Server on-premises or in Azure (IaaS VM) to provide fast local access to your cloud files. Your local server and Azure are constantly syncing, so you have one centralized location for your files with multi-site access powered by fast local caches and cloud tiering. Cloud tiering enables frequently accessed files to be cached locally such that the full file content is present on the server, whereas less frequently accessed files are tiered to the cloud. The tiered files (AFS reparse points) will be recalled on-demand when a user or application accesses them on the local server. This is obviously desirable for those files that you are not using very often but you still want them to be around.
If the file server becomes unavailable for any reason in your datacenter or branch office, you just need to install the Azure File Sync agent on another server or virtual machine, and your users and applications can access the file again within minutes.
One of the great features of Azure File Sync is the integration with the Azure Backup service. Azure Backup is an Azure-based service that you can use to back up (or protect) and restore your data in the Microsoft cloud. Azure Backup replaces your existing on-premises or off-site backup solution with a cloud-based solution that is reliable, secure, and cost-competitive.
For more information about Azure Backup, I highly recommend checking the free Azure Backup Deep Dive – Whitepaper.
In the first blog of this 3 part series, I will share with you how Azure Backup integrates with Azure File Sync, and then in the next blog post, I will share with you the new features and improvements that are coming for Azure Backup and Azure Files (Sync) at Microsoft Ignite 2019/2020.
Azure Backup and Azure File Sync
The integration between Azure Backup and Azure File Sync helps you protect your data in the cloud without worrying about on-premises backup solutions, this is the value proposition of this integration which will reduce maintaining backup storage on-premises and minimize operational overhead.
Azure Backup and Azure File Sync are hybrid solutions that are built on top of the Azure Platform as a Service (PaaS) and Azure Files. Azure Backup integration with Azure File Sync is based on Azure Storage and File Share which is one of the fundamental components when deploying Azure File Sync.
A cloud endpoint from the Azure File Sync perspective is an Azure File Share which is part of a sync group. The entire Azure file share syncs and an Azure file share can be a member of only one cloud endpoint. Therefore, an Azure file share can be a member of only one sync group at a time. If you add an Azure file share that has an existing set of files as a cloud endpoint to a sync group, the existing files are merged with any other files that are already on other endpoints in the sync group.
The high-level deployment architecture of Azure Files (Sync) with multi-sites access with Azure Backup looks like in the following diagram. Please note that there is NO backup infrastructure to maintain.
From the Azure Backup perspective, we have the Azure Backup Service running in the same Azure region as the Azure Storage Sync Service as well as the Azure File Share which is Switzerland North in this example. Then we have Policy Management which is responsible for orchestrating the snapshots and backup retention.
When you enable Azure Backup for Azure File Share, what will happen is the following:
- You create or select an existing Recovery Services Vaults.
- You enable backup and select Azure File Share.
- Then you select the right Azure storage account where the Azure File Share(s) reside. You can select only one storage account, then the Azure Backup service will register that storage account with the Recovery Services Vaults (please note that no backup is transferred to the Recovery Services Vaults, more on that in a bit).
- The next step is to select one or more File Share(s) which you want to protect.
- Last, you can choose or create a new backup policy (as of today, you can create daily backup up to a maximum of 180 days through the Azure portal, more on about the long-term retention at the end of this article).
When Azure Backup starts taking backup while at the same time the Sync is going on between on-premises and Azure, the backup will be inconsistent, then what will happen to take a consistent backup is the following:
- The Azure Backup Service will make a call to the Storage Sync Service using the Native APIs.
- The call will request to pause the sync for a bit.
- Then it will take a snapshot.
Now the important point is, the Snapshot (Backup) for Azure Files is stored within the same Azure Storage account, the snapshot is NOT transferred to the Recovery Services Vaults as we have with Azure VM backup today, so what would happen if you deleted the share?
The backup will be deleted as well, and you cannot recover your data!!! The good news is that an upcoming announcement at Microsoft Ignite 2019 is expected to provide protection against accidental deletion of file share(s), and the backup transfer of the data to Recovery Services Vaults is expected by mid-2020 which will add an extra layer of protection.
As of writing this article, enabling Azure Backup alone for Azure File Shares gives you only 1 copy in the snapshot (Azure File Share). Please remember that Azure File Sync alone is NOT a backup solution, if your data gets encrypted by Ransomware or deleted on-premises, Azure File Sync will be happy to sync your corrupted data to Azure as well. However, when you enable Azure Backup you can effectively go back point in time without worrying about cleaning on-premises resources, reinstalling a backup software, and restoring. In addition, you get prioritized access to the data in the share via SMB connection to the Azure File Share directly.
As of today, if you need to achieve the 3, 2, 1 backup policy, then you need to keep your existing backup on-premises, then integrate Azure Backup with Azure File Share. If you want to get the highest level of protection that Ransomware/Malware attack doesn’t stand a chance, then you can follow this approach which depends on your existing backup application. For example, if you are using System Center Data Protection Manager (SCDPM) or Microsoft Azure Backup Server (MABS), what you can do is the following:
- Protect your File server on-premises with SCDPM or MABS (short-term) – 1st Copy.
- Connect/register your existing SCDPM or MABS server to Azure Recovery Services Vault and start taking backups (long-term). The backup will be stored in a dedicated Recovery Services Vaults. You can use Local-Redundant Storage (LRS) – 2nd Copy or Geo-Redundant Storage (GRS) – 3rd Copy.
- Last, install the Azure File Sync agent and enable Azure Backup for Azure File Share – 4th Copy. As of today, the Azure Portal experience gives you only up to 180 days of daily backup. To learn more about how to enable long-term backup up to 10 years for Azure File Shares, please check the following article.
With this approach, yes you will pay double the storage cost in Azure as noted in Points 2 and 3 above, but better safe than sorry!
What about the value proposition that I mentioned in the beginning of this article (no backup infrastructure to maintain on-premises)? read on…
The 3, 2, 1 backup policy will be achievable using only Azure Backup integration with Azure Files (Sync) once the backups are transferred to the Recovery Services Vaults which is coming in mid-2020. But until then, you can use the approach described above with MABS/SCDPM.
This is the current architecture of Azure Backup integration with Azure Files (Sync), I highly recommend you to add the following Ignite session, Microsoft Azure Backup: Deep dive into Azure’s built-in data protection solution which is scheduled on November 7th, 2019. The Azure Backup team will show and discuss at Ignite the improvements which are coming to Azure Backup and Azure Files (Sync).
Last but not least, I want to thank Saurabh Sensharma, Program Manager at Microsoft Azure Backup team for his help and support in reviewing this blog.
Azure File Sync extends on-premises file servers into Azure by providing cloud benefits while maintaining performance and compatibility. Azure File Sync provides:
- Multi-site access – provide write access to the same data across Windows servers and Azure Files.
- Cloud tiering – store only recently accessed data on local servers.
- Integrates with Azure backup – no need to back up your data on-premises.
- Fast disaster recovery – restore file metadata immediately and recall data as needed.
By integrating Azure Backup with Azure File Sync, you will save a lot of storage management and reduce operational and licensing costs.
Stay tuned for Part II where I will discuss the new features and improvements which are coming to Azure Backup and Azure Files (Sync) very soon.
I hope you find this quick guide useful. To learn more about Azure File Sync, please check the following articles.
Thank you for reading my blog.
If you have any questions or feedback, please leave a comment.