Protect an Azure Trusted Launch VM with Azure Backup


Azure Backup ensures your backup data is stored securely by leveraging the built-in security capabilities of the Azure platform: role-based access control (RBAC), encryption, and the new enhanced policy that supports multiple backups per day and backup of trusted launch VMs. In addition, with the new soft-delete capabilities, Azure Backup protects against accidental or malicious attempts to delete your backups.

In this article, we will show you how to protect an Azure Trusted Launch virtual machine with Azure Backup.

Introduction

With a powerful architecture built into Azure, Azure Backup does all this for you in a simple, secure, and cost-effective manner, without you needing to worry about anything at all.

Azure offers trusted launch as a seamless way to improve the security of generation 2 VMs. Trusted launch is now generally available and protects against advanced and persistent attack techniques. Trusted launch is composed of several coordinated infrastructure technologies that can be enabled independently. Each technology provides another layer of defense against sophisticated threats.

Microsoft recently announced backup support for trusted launch VMs in public preview. This will augment the security and protection of your Windows and Linux virtual machines running on Azure. For the last year, I have been actively testing this new capability in order to enhance the protection of trusted launch VMs with Azure Backup. Kudos to the Azure Backup team!

Azure Backup now supports the Enhanced policy sub-type, which is required for newer Azure offerings such as multiple backups per day and Trusted Launch VMs; both are supported with the enhanced backup policy only.

Prerequisites

To follow this article, you need to have the following:

1) Azure subscription – If you don’t have an Azure subscription, you can create a free one here.

2) You need to have at least one Azure Recovery Services vault created. Please check the following quick start guide to create and configure a Recovery Services vault.

3) Create a virtual machine with trusted launch enabled. Trusted launch requires the creation of new virtual machines; you can’t enable trusted launch on existing virtual machines that were initially created without it (more on this in the next section).

4) Protect Trusted Launch VM with Azure Backup (more on this in the next section).

5) At the time of this writing, you need to enroll your subscription for backup of Trusted Launch VMs; write to the Azure Backup team at askazurebackupteam@microsoft.com.

Create VM with the trusted launch

At the time of this writing, there are some limitations on creating a trusted launch VM, such as VM size and OS support. Please check the official documentation before you start creating a trusted launch VM.

To create a virtual machine with trusted launch enabled, you could use the Azure Portal, Azure CLI, Azure PowerShell, or a JSON/Bicep template. For the remainder of this article, we will use the Azure Portal.

1) Sign in to the Azure portal.

2) Search for Virtual Machines.

3) Under Services, select Virtual machines.

4) In the Virtual machines page, select Create, and then select Virtual machine.

5) Under Project details, make sure the correct subscription is selected.

6) Under Resource Group, select Create new and type a name for your resource group or select an existing resource group from the dropdown list.

7) Under Instance details, type a name for the virtual machine and then choose a region. Trusted Launch VMs are supported in all public Azure regions.

8) For Security type, select Trusted launch virtual machines. This makes two more options appear, Secure boot and virtual TPM (vTPM), as shown in the figure below. Select the appropriate options for your deployment. In this example, we selected both security options.

Trusted launch virtual machines

9) Under Image, select an image from the Recommended Gen 2 images compatible with the Trusted launch. If you don’t see the Gen 2 version of the image you want in the drop-down, select See all images and then change the Security type filter to Trusted Launch.

10) Select a VM size that supports a trusted launch. See the list of supported sizes on this page.

11) Fill in the Administrator account information and then Inbound port rules.

12) At the bottom of the page, select Review + Create.

13) On the Create a virtual machine page, you can see the details about the VM you are about to deploy. Once validation shows as passed, click Create.

Create VM with the trusted launch

Please note that it will take a few minutes for your trusted launch VM to be deployed.

To verify the trusted launch configuration of a virtual machine, browse to the Overview page for the VM in the portal. The Properties tab shows the status of the Trusted Launch features, as shown in the figure below.

Security type

You can enable or disable Secure Boot and vTPM from the Trusted Launch Security type in the Configuration page under the Settings section. If the VM is running, you will receive a message that the VM will be restarted.

Protect Azure Trusted Launch VM

Once you enroll your subscription to protect and back up trusted launch VMs, take the following steps:

First, we need to create a policy with the Enhanced sub-type and then protect the VM.

1) In the Azure Portal, select a Recovery Services vault to back up the VM.

2) Under Backup, select Backup Policies.

3) Click +Add as shown in the figure below.

Add backup policy

4) On Select policy type, select Azure Virtual Machine.

5) On Create policy, perform the following actions:

> Policy sub-type: Select Enhanced type as shown in the figure below. By default, the policy type is set to Standard.

Create an enhanced backup policy

> Policy name: Type a name for the policy (e.g. Trusted-Launch-VM-Backup).

> Backup schedule: You can select frequency as Hourly/Daily/Weekly. By default, the enhanced backup schedule is set to Hourly, with 8:30 AM as the start time, Every 4 hours as the schedule, and 24 Hours as duration. You can choose to modify the settings as needed. At the time of this writing, the Hourly backup frequency is in preview.

> Instant Restore: You can set the retention of the recovery snapshot from 1 to 30 days. The default value is 7.

> Retention range: The options for retention range are auto-selected based on the backup frequency you choose. The default retention for daily, weekly, monthly, and yearly backup points is set to 180 days, 12 weeks, 60 months, and 10 years respectively. You can customize the values as per your requirements.

6) Once you enter all the details, click Create to create the enhanced backup policy.

Once you create the enhanced backup policy, you can start protecting your Azure Trusted Launch VMs.

You can enable backup only through the Recovery Services vault or from the VM Manage blade. At the time of this writing, configuration of Backup, Alerts, and Monitoring for Trusted Launch VMs is NOT supported through the Backup Center.

1) In the Azure Portal, select a Recovery Services vault to back up the VM.

2) Click +Backup as shown in the figure below.

Backup

3) On the Backup Goal page, select Azure as where your workload is running, and leave Virtual machine selected as the default. Under Step: Configure Backup, click Backup.

4) On the Configure Backup page, select Enhanced as policy subtype as shown in the figure below, and then select the backup policy that you created earlier.

Configure Backup

5) Under the Virtual Machines, select Add as shown in the figure below.

Add Virtual Machines

6) The Select virtual machines pane will open. Select the Trusted Launch VMs that you created earlier to back up using the enhanced policy. Then select OK.

Select virtual machines

> The selected VMs are validated.

> You can only select VMs in the same region as the vault.

> VMs can only be backed up in a single recovery services vault.

7) Last, select Enable backup as shown in the figure below. This deploys the policy to the vault and to the VMs, and installs the backup extension on the VM agent running on the Azure Trusted Launch VM.

Enable backup

Once the backup is completed, you can verify the backup status under Backup items > Azure Virtual Machine, and then select the trusted launch VM.

Backup item status
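The same procedure (check the VM is trusted launch, create the Enhanced policy with the defaults described above, protect the VM, verify the backup item) as an Azure PowerShell script. This is an added example and not code from the original post; the resource group, vault and VM names are placeholders, and it assumes the Az.Compute and Az.RecoveryServices modules and a signed-in session.

```powershell
# Placeholders: replace with your own resource group, vault and trusted launch VM names
$rgName    = 'rg-tlvm-demo'
$vaultName = 'rsv-tlvm-demo'
$vmName    = 'tlvm01'

# 1) Confirm the VM really is a trusted launch VM before enabling backup;
#    only the Enhanced policy sub-type supports these VMs.
$vm  = Get-AzVM -ResourceGroupName $rgName -Name $vmName
$sec = $vm.SecurityProfile
if ($sec.SecurityType -ne 'TrustedLaunch') {
    throw "$vmName is not a trusted launch VM (SecurityType = '$($sec.SecurityType)')"
}
"{0}: SecureBoot={1} vTPM={2}" -f $vmName, $sec.UefiSettings.SecureBootEnabled, $sec.UefiSettings.VTpmEnabled

# 2) Select the Recovery Services vault; it must be in the same region as the VM.
$vault = Get-AzRecoveryServicesVault -ResourceGroupName $rgName -Name $vaultName
if ($vault.Location -ne $vm.Location) {
    throw "Vault region '$($vault.Location)' differs from VM region '$($vm.Location)'"
}

# 3) Enhanced schedule: hourly, starting 08:30, every 4 hours, 24-hour window (the article's defaults).
$schedule = Get-AzRecoveryServicesBackupSchedulePolicyObject -WorkloadType AzureVM `
    -BackupManagementType AzureVM -PolicySubType Enhanced -ScheduleRunFrequency Hourly
$schedule.ScheduleRunTimeZone = 'UTC'
$schedule.HourlySchedule.WindowStartTime = (Get-Date -Date '2022-04-14T08:30:00Z').ToUniversalTime()
$schedule.HourlySchedule.ScheduleInterval = 4
$schedule.HourlySchedule.ScheduleWindowDuration = 24

# 4) Retention: 180 days, 12 weeks, 60 months, 10 years (the article's defaults).
$retention = Get-AzRecoveryServicesBackupRetentionPolicyObject -WorkloadType AzureVM `
    -BackupManagementType AzureVM -ScheduleRunFrequency Hourly
$retention.DailySchedule.DurationCountInDays     = 180
$retention.IsWeeklyScheduleEnabled  = $true; $retention.WeeklySchedule.DurationCountInWeeks   = 12
$retention.IsMonthlyScheduleEnabled = $true; $retention.MonthlySchedule.DurationCountInMonths = 60
$retention.IsYearlyScheduleEnabled  = $true; $retention.YearlySchedule.DurationCountInYears   = 10

# 5) Create the policy and protect the VM with it.
$policy = New-AzRecoveryServicesBackupProtectionPolicy -Name 'Trusted-Launch-VM-Backup' `
    -WorkloadType AzureVM -BackupManagementType AzureVM `
    -SchedulePolicy $schedule -RetentionPolicy $retention -VaultId $vault.ID
Enable-AzRecoveryServicesBackupProtection -Policy $policy -Name $vmName `
    -ResourceGroupName $rgName -VaultId $vault.ID

# 6) Verify the backup item (ProtectionStatus becomes 'Healthy' after the first successful backup).
$container = Get-AzRecoveryServicesBackupContainer -ContainerType AzureVM `
    -FriendlyName $vmName -VaultId $vault.ID
Get-AzRecoveryServicesBackupItem -Container $container -WorkloadType AzureVM -VaultId $vault.ID |
    Select-Object Name, ProtectionStatus, ProtectionState, LastBackupStatus, ProtectionPolicyName
```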

Restore Azure Trusted Launch VM

To restore a Trusted Launch VM, take the following steps:

1) In the Azure Portal, select the Recovery Services vault used to back up the VM.

2) Click Backup items under Protected items and then select Azure Virtual Machine.

3) Choose your trusted launch VM and then select Restore VM as shown in the figure below.

Restore VM

4) Select the desired restore point date and then click OK.

5) On the Restore Virtual Machine page, under Restore Configuration, choose Create new, and then for Restore Type, choose between creating a new virtual machine and restoring disks, as shown in the figure below. Replace existing is not supported. At the time of this writing, you can restore a trusted launch VM only by creating a new VM or by restoring disk(s).

Restore Configuration

6) Last, select Restore to kick off the process. The restore will take a few minutes to complete, depending on the disk size of the trusted launch VM.

Please note that the virtual TPM (vTPM) state doesn’t persist when you restore a VM from a recovery point. Therefore, scenarios that require vTPM persistence may not work across the backup and restore operation.

A backed-up trusted launch VM (TVM) is restored as a TVM with trusted launch enabled; however, the contents of the vTPM are not persisted between the source VM and the restored VM. For example, if you have a TVM with BitLocker whose keys are protected by the vTPM and you back up that VM, restoring it may result in BitLocker key recovery. However, please note that BitLocker enabled through Azure Disk Encryption (ADE, using Azure Key Vault based keys) is not affected by the lack of vTPM persistence.
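A pre-backup check a Windows administrator can run inside the trusted launch VM to see whether the OS volume depends on a vTPM-bound BitLocker protector (and will therefore prompt for recovery after a restore) and whether a recovery password exists to fall back on. This is an added example, not from the original post; it uses the built-in BitLocker module and assumes an elevated session in the Windows guest.

```powershell
# Run elevated inside the Windows guest of the trusted launch VM.
$osDrive = $env:SystemDrive
$vol = Get-BitLockerVolume -MountPoint $osDrive

if ($vol.ProtectionStatus -ne 'On') {
    "$osDrive is not BitLocker-protected; vTPM persistence does not affect it."
    return
}

# Protector types bound to the (non-persisted) vTPM: Tpm, TpmPin, TpmStartupKey, TpmPinStartupKey.
$tpmBound = $vol.KeyProtector | Where-Object { $_.KeyProtectorType -like 'Tpm*' }
$recovery = $vol.KeyProtector | Where-Object { $_.KeyProtectorType -eq 'RecoveryPassword' }

if ($tpmBound) {
    "Volume {0} relies on {1} protector(s); a VM restored from Azure Backup gets a fresh vTPM, so expect a BitLocker recovery prompt." -f $osDrive, ($tpmBound.KeyProtectorType -join ', ')
} else {
    "Volume $osDrive has no vTPM-bound protector; the restore should not trigger recovery."
}

if (-not $recovery) {
    Write-Warning "No RecoveryPassword protector exists. Add one and escrow it before the first backup, otherwise a restored VM may be unrecoverable."
    # To add one:  Add-BitLockerKeyProtector -MountPoint $osDrive -RecoveryPasswordProtector
} else {
    # The recovery password itself must be stored outside the VM (Azure AD, AD DS or a Key Vault secret),
    # since the backup and restore will carry only the encrypted disk, not the vTPM that unseals it.
    "Recovery password protector(s) present: $($recovery.KeyProtectorId -join ', ')"
}
```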

That’s it, there you have it!

Summary

In this article, we showed you how to protect an Azure Trusted Launch virtual machine with Azure Backup.

Trusted launch allows administrators to deploy virtual machines with verified and signed bootloaders, OS kernels, and drivers. By leveraging secure and measured boot, administrators gain insights and confidence in the entire boot chain’s integrity. With the virtual Trusted Platform Module (vTPM), administrators can securely protect keys, certificates, and secrets in the virtual machines. In addition, administrators can monitor and attest to the integrity of virtual machines as well as react to any changes to the attestation policy baseline.

By enabling Azure Backup for Trusted launch virtual machines, you can make sure your secured VMs are protected and can be restored at any point in time.

> Learn more on how to protect critical backup operations with Multi-User Authorization (MUA) for Azure Backup.

> Learn more about the trusted launch and Generation 2 VMs.

Thank you for reading my blog.

If you have any questions or feedback, please leave a comment.

-Charbel Nemnom-
