In this article, I will show you how to back up and restore Azure managed disks with the Azure Backup service.
Azure Disk Backup offers several advantages given it is an agent-less and crash-consistent solution that uses incremental snapshots: With Azure disk backup, you can do:
- More frequent and quick backups without interrupting the virtual machine.
- Does not affect the performance of the production application.
- No security concerns as it does not require running custom scripts or installing agents.
- Cost-effective solution to backup specific disk as compared to backing up an entire virtual machine.
Azure Backup is an Azure-based service that you can use to back up (or protect) and restore your data in the Microsoft cloud. Azure Backup replaces your existing on-premises and off-site backup solution with a cloud-based solution that is reliable, secure, and cost-competitive.
On January 18, 2021, the Azure Backup team in coordination with the Azure Storage team announced the public preview of protecting Azure managed disk, thus giving you the ability to automate the back up of your Azure disks and restore them to a chosen point in time by leveraging snapshot lifecycle management. You can easily manage the disk snapshots with zero infrastructure cost and without the need for custom scripting or any management overhead. This is a crash-consistent backup solution that takes backup of a managed disk using incremental snapshots with support for multiple backups per day. Moreover, it is an agent-less solution; and does not impact production application performance. It supports backup and restores of both OS and Data disks (including Shared disk), regardless of whether or not they are currently attached to a running Azure Virtual machine.
Azure backup for Azure managed disk is also integrated into Backup Center which allows you to manage all backups centrally using backup policies.
Azure disk backup scenarios
With the Azure Disk backup solution, you can benefit from the following use-cases:
- You need frequent backups per day without impacting your application.
- Your applications are running on cluster scenario – both Windows Server Failover Clustering (WSFC) and Linux clusters that are writing to Shared Disk.
- You need agent-less backup due to security or performance concerns on the application.
- Your application consistent backup of VM is not feasible as Line of Business (LOB) applications do not support Volume Shadow Copy Service (VSS).
In this article, I will show you how to back up and restore Azure managed disks with Azure Backup from the Azure Portal.
To follow this article, you need to have the following:
- Azure subscription – If you don’t have an Azure subscription, you can create a free one here.
- One or more managed disks regardless of whether or not are attached to a running Azure virtual machine.
- You need a Backup vault and not the Recovery Services vault (check the following section).
- You need to create a dedicated resource group in your subscription to store the disk snapshots.
- Backup permissions:
- Assign Disk Backup Reader role to Backup Vault’s managed identity on the source disk(s) that is to be backed up (check the following section).
- Assign Disk Snapshot Contributor role to Backup Vault’s managed identity on the resource group where backups will be created and managed by the Azure Backup service (check the following section).
- Restore permissions:
- Assign Disk Restore Operator role to Backup Vault’s managed identity on the Resource group where the disk is to be restored (check the following section).
At the time of this writing, Azure Disk Backup is available only in the West Central US region, and you need to fill this form to sign-up for public preview.
Creating a Backup Vault
First, you need to create a backup vault. If you already have a Recovery Services vault, you still need to create a new one because the Backup vaults is a new resource that is used for backing up new supported workloads and is different from the already existing Recovery Services vault.
- In the Azure portal, type Backup vaults in the search box. Under Services, select Backup vaults.
- In the Backup vaults page, select +Add which opens the create Backup vault experience.
- In the Basics tab, select the desired Azure subscription and resource group name.
- Under Instance details, type the Backup vault name and choose the region of your choice.
- Next, choose your Backup storage redundancy (LRS/GRS). Please note that storage redundancy cannot be changed after protecting items into the vault.
- Click Next: Tags > and add any tags as required.
- Finally, select the Review + create button once done, and then click Create.
Creating a Backup Policy
In this step, we need to create a backup policy.
- In the Backup vault that you created in the previous step, go to Backup policies and then select +Add.
- In the Basics tab, provide ‘Policy name‘, select ‘Datasource type‘ as Azure Disk. The vault name is already prepopulated with the selected vault properties.
- In the Backup policy tab, select the backup schedule frequency based on your business requirements. Azure Disk Backup offers multiple backups per day. If you require more frequent backups, choose Hourly backup frequency with the ability to take a backup every 4, 6, 8, or 12 hours interval.
- In the same Backup Policy tab, select the retention settings that meet your business Recovery Point Objective (RPO) requirement. The default retention rule is set to 7 days and it can be modified to change the retention duration, however, it cannot be deleted. You can also add a new retention rule by selecting Add retention rule as shown in the figure below.
- Additionally, you can choose the first successful backup taken daily or weekly, and you can provide retention duration up to which the backups are to be retained in the data stores before they are deleted. This option is useful to retain specific backups of the day or week for a longer duration of time whereas all other frequent backups can be retained for a shorter duration.
- Once the backup policy creation is completed, select Review + create and then click Create.
To use Azure disk backup, you need to assign the backup vault’s managed identity on the source disk, as well as on the resource group where snapshots are created and managed. Backup Vault uses Managed Identity to access other Azure resources. A system assigned managed identity is restricted to one per resource and is tied to the lifecycle of this resource.
To assign managed identity on the managed disk and on resource group, take the following steps:
- Go to the disk which needs to be backed up.
- Go to Access control (IAM) and select Add role assignments.
- On the right context blade, select Disk Backup Reader in the Role dropdown list, select backup vault’s managed identity and click Save. You can type the backup vault name to search and select the vault’s managed identity. Please note that you need to repeat the same steps if you have more than one disk to be backed up.
- The next step is, to assign the Disk Snapshot Contributor role of the Backup Vault’s managed identity on the Resource group where backups will be created and managed by the Azure Backup service. The disk snapshots are stored in a resource group within your subscription. You need to allow Azure Backup service to create, store and manage snapshots, so you need to provide permissions to the backup vault. It’s recommended to create a dedicated resource group to store the snapshots for every subscription you have, and please do not use the same resource group where the source disk(s) reside. Additionally, you cannot use the same resource group across subscriptions.
- Go to the Resource group (in my example, I have created a dedicated resource group called RG-AzureBackup-DiskSnapshots) which is in the same subscription of the source disk to be backed up. Go to Access control (IAM) and select Add role assignments. On the right context blade, select Disk Snapshot Contributor in the Role dropdown list, select backup vault’s managed identity (You can type the backup vault name to search and select the vault’s managed identity) and then click Save.
- To verify that backup vault managed identity has the right set of permissions on the source disk and resource group that serves as snapshot datastore. Go to the Backup vault that you created in the previous step, then browse to Identity under Manage, and select Azure role assignments as shown in the figure below.
- Verify the Role, resource name, and resource type are correctly reflected as shown in the figure below.
Please note that you can see the role assignments are reflected on the portal, however, it may take up to 15 minutes, approximately for the permission to be applied on backup vault’s managed identity.
Configure Azure Disk Backup
Once the permissions are granted, we need to configure the backup.
- Go to Backup vault – > overview and select +Backup to start configuring backup of the disk(s).
- In the Basics tab, select Azure Disk as Datasource type as shown in the figure below. At the time of this writing, Azure Disk Backup supports operational backup of the managed disk that does not copy/transfer the backups to Backup vault storage. Hence the backup storage redundancy setting of the Backup vault does not apply to the recovery points. Click Next to continue.
- In the Backup policy tab, choose the backup policy that you created in the previous step. Click Next to continue.
- In the DataSources tab, click on Select on the right context blade, then select the disk(s) to be backed up as shown in the figure below, then click Select (# items).
- Next, you need to select the Resource Group that you created to store the snapshots, and then click ‘Validate‘. This is the resource group where Azure Backup will create and manage the incremental snapshots for which backup vault managed identity is assigned with the required role permissions. Once the validations have succeeded, click Next to continue.
- In the final step, select Configure backup to configure the backup of the selected disk(s).
- If you don’t want to wait for the backup schedule to take place, you can run an on-demand backup. Switch to the Backup Vault, and then click on any backup instance (disk name) as shown in the figure below.
- In the backup instance page, you will find ‘Essentials‘ information including the Source disk name, the snapshot resource group where incremental snapshots are stored, backup vault, and policy. The Jobs status showing a summary of backup and restore operations and their status in the last 7 days. You can also see the list of ‘Restore Points‘ for the selected time period. Click on ‘Backup Now‘ to select the retention period.
- Next, select one of the retention rules associated with this backup policy. This retention rule will determine the retention duration of this on-demand backup only. Click Backup Now to initiate a backup.
Restore Azure Disk
In this section, I will show you how to restore Azure Managed Disk using Azure Backup.
At the time of this writing, you cannot restore and replace an existing source disk from where the backups were taken. This is known as Original-Location Recovery (OLR). You can only restore from the recovery point to create a new disk either in the same resource group of the source disk from where the backups were taken or in any other resource group. This is known as Alternate-Location Recovery (ALR).
As noted previously, the backup vault uses Managed Identity to access other Azure resources. To restore Azure disk from backup, the Backup vault’s managed identity requires a set of permissions on the resource group where the disk is to be restored.
The following permissions are required before you perform the restore operation:
- You need to assign the Disk Restore Operator role to Backup Vault’s managed identity on the Resource group where the disk is to be restored by Azure Backup service. Please note that you can choose the same resource group of the source disk from where the backups were taken or to any other resource group within the same or different subscription.
- Go to the Resource group where the disk is to be restored (in my example, I have a resource group called rg-restore-disks). Go to Access control (IAM) and select Add role assignments. On the right context blade, select Disk Restore Operator in the Role dropdown list, then select backup vault’s managed identity and click Save. You can type the backup vault name to select the vault’s managed identity.
- To verify that backup vault managed identity has the right set of role assignments on the resource group where the disk is to be restored. You can go to Backup vault – > Identity and select Azure role assignments. Then verify the Disk Restore Operator role, resource name, and resource type are correctly reflected as shown in the figure below.
Once the permissions are granted, follow the steps below to perform the restore operation:
- In the Azure portal, you can go to the Backup center or to the Backup vault where you configured backup for the disk, select Backup instances under the Manage section. From the list of backup instances, select the disk name for which you want to perform the restore operation as shown in the figure below.
- In the backup instance screen, select the restore point which you want to use to perform the restore operation and click Restore as shown in the figure below.
- In the Restore workflow, review the Select recovery point tab information and then click Next: Restore parameters >.
- In the Restore parameters tab, select Target subscription and Target resource group where you want to restore the backup to. Then provide the name of the disk to be restored. Please note that the disk name must start with a letter, and can contain only letters, numbers, or hyphens. Click Next: Review + restore >.
- Once the validation is successful which might take few minutes to complete before you can trigger the restore operation. Click Restore to initiate restore operation. Please note that restore will create a new disk from the selected recovery point in the Target resource group provided during a restore operation.
- You can track the restore operation by going to the Backup Vault | Backup instances under the Manage section. Then select the disk name that you restored. You can see the Jobs dashboard with operation and status for the past 7 days. To view the status of all restore/backup operations, click on View all to show ongoing and past jobs of this backup instance.
- You can browse to the target resource group where you restored the backup, and verify that the disk is restored and available to use.
- Now to use the restored disk on an existing virtual machine, you will have to perform additional steps. If the restored disk is a data disk, then you can attach an existing disk to a virtual machine, and if the restore disk is OS disk, then you can Swap the OS disk of a virtual machine from the Azure portal under Virtual machine blade – > Disks menu in the Settings section as shown in the figure below.
It is recommended that you revoke and remove the Disk Restore Operator role assignment for the Backup vault managed identity on the target resource group after successful completion of the restore operation.
How it works…
Azure Backup and restore for Azure Managed Disks work as follows:
- The first step is to create a Backup Vault. The vault gives you a consolidated view of the backups configured across different workloads.
- Next, you create a Backup Policy that allows you to configure the backup frequency and retention duration.
- Backup Vault uses Managed Identity to access other Azure resources. To enable backup of the managed disk and to restore from the previous backup, the Backup vault’s managed identity requires a set of permissions on the source disk, on the resource group where snapshots are created, managed, and the target resource group where you want to restore the backup. You can grant permissions to the managed identity by using Azure role-based access control (Azure RBAC). Managed identity is a service principal of a special type that may only be used with Azure resources.
- Next, you enable backup from the Backup vault, you assign a backup policy, select the managed disk that you want to protect, and provide a resource group where the snapshots are to be stored and managed. Azure Backup automatically triggers scheduled backup jobs that create an incremental snapshot of the disk as per the backup frequency and older snapshots are deleted as per retention duration specified by the backup policy. You can also trigger an on-demand backup as needed.
- Once you configure the backup of a managed disk, a backup instance with the disk name will be created within the backup vault. Using the backup instance, you can find the health of backup operations, trigger an on-demand backup, and perform restore operations. You can also view the health of backups across multiple vaults and backup instances using the Backup Center that provides a single pane of glass view.
- A storage account will be created on the resource group where snapshots are created to store disk metadata like Tags, Disk Encryption Set Id, and other properties during backups. These are used to apply when Disk is created during Restore.
- During the restore process, you simply select the recovery point from which you want to restore the disk. Then you provide the resource group where the restored disk is to be created from the snapshot. Azure Backup provides an instant restore experience as the snapshots are stored locally in your subscription.
- At the time of this writing, Azure Disk Backup supports operational backup of the managed disk and does not transfer or copy the backups to Backup vault storage. Refer to the support matrix for a detailed list of supported & unsupported scenarios and region availability.
In this article, I showed you how to back up and restore Azure managed disks with the Azure Backup service.
Azure Disk Backup leverages incremental snapshot of managed disk. Incremental snapshots are a cost-effective, point-in-time backup of managed disks that are billed for the delta changes to disk since the last snapshot and are always stored on the most cost-effective storage (Standard HDD storage) irrespective of the storage type of the parent disks. The first snapshot of the disk will occupy the used size of the disk and consecutive incremental snapshots store only the delta changes to the disk since the last snapshot.
To learn more about Azure Disk Backup, check the official documentation.
For information on region availability, supported scenarios, and limitations, please check the support matrix here.
Thank you for reading my blog.
If you have any questions or feedback, please leave a comment.