Operational backup for Azure Blobs is a managed, local data protection solution that lets you protect your block blobs from various data loss scenarios like blob corruptions, blob deletions, and accidental deletion. The data is stored locally within the source storage account itself and can be restored to any point in time whenever you need it. This provides a simple, secure, and cost-effective means to protect your blobs.
In this article, I will show you how to protect Azure blobs in an Azure storage account using Azure Backup.
Contents of this Article
Azure Backup is an Azure-based service that you can use to back up (or protect) and restore your data in the Microsoft cloud. Azure Backup replaces your existing on-premises and off-site backup solution with a cloud-based solution that is reliable, secure, and cost-competitive.
At Microsoft Ignite 2021, the Azure Backup team in coordination with the Azure Storage team announced the public preview of protecting Azure blobs, thus giving you the ability to back up your blobs locally and restore them to a chosen point in time. Azure backup for blobs is built upon the blob service’s point-in-time restore capability to give you a managed experience for protection against various data loss scenarios like blob deletion, blob corruption, and accidental deletion of the storage account.
Azure backup for blobs is also integrated into Backup Center and allows you to manage all backups centrally using backup policies.
To follow this article, you need to have the following:
- Azure subscription – If you don’t have an Azure subscription, you can create a free one here.
- Azure storage v2 account – To create a general-purpose v2 storage account, you can follow the instructions described here.
- You need to have one or more containers – You can follow the instructions here to create a container.
- At the time of this writing, append blobs, page blobs, and premium block blobs are not supported.
- You need a Backup vault and not the Recovery Services vault (check the following section).
Creating a Backup Vault
First, you need to create a backup vault. If you already have a Recovery Services vault, you still need to create a new one because the Backup vaults is a new resource that is used for backing up new supported workloads and is different from the already existing Recovery Services vault.
- In the Azure portal, type Backup vaults in the search box. Under Services, select Backup vaults.
- In the Backup vaults page, select +Add which opens the create Backup vault experience.
- In the Basics tab, select the desired Azure subscription and resource group name.
- Under Instance details, type the Backup vault name and choose the region of your choice.
- Next, choose your Backup storage redundancy (LRS/GRS). Please note that storage redundancy cannot be changed after protecting items into the vault.
- Click Next: Tags > and add any tags as required.
- Finally, select the Review + create button once done, and then click Create.
Granting permissions on storage accounts
Azure backup also protects the storage account (that contains the blobs to be protected) from any accidental deletions by applying a Backup-owned Delete Lock. This requires the Backup vault to have certain permissions on the storage accounts that are being protected. To facilitate this process, the Azure Backup team has created a new role called “Storage Account Backup Contributor“.
To grant permissions to the backup vault on storage accounts that are required to be protected, please follow the steps below:
- In the storage account to be protected, navigate to the Access Control (IAM) tab on the left navigation.
- Click on Add role assignments to assign the “Storage Account Backup Contributor” role.
- In the Add role assignment blade, under Role, choose Storage Account Backup Contributor. Type the name of the Backup vault using which you want to protect the blobs in this storage account and select the same from the search results. Once done, click Save as shown in the figure below.
Please note that you can see the role assignments are reflected on the portal, however, it may take up to 15 minutes, approximately for the permission to take effect!
Enable Backup for Azure Blobs
To enable and configure the Backup of blobs at the storage account level, please follow the steps below.
- Search for Backup Center (preview) in the Azure Portal search bar.
- Navigate to Overview, and then click +Backup as shown in the figure below.
- In the Basics tab, specify Azure Blobs (Azure Storage) as the Datasource type and then select the Backup vault with which you want to associate your storage account(s) as shown in the figure below. Click Next to continue.
- In the Backup Policy tab, you can ‘Select‘ or ‘Create new‘ backup policy that you want to use for the desired Azure Blobs (Azure Storage). You can view the details of the selected policy in the lower part of the screen. The default retention rule is 30 days. At the time of this writing, while creating a backup policy, you can specify retention up to 360 days (1 year). Click Next to continue.
- In the Resources tab, you need to choose the storage accounts for which you want to configure protection for blobs. You can choose multiple storage accounts at once. Azure Backup will validate if the vault has sufficient permissions to allow configuring of backup on the selected storage accounts. Please make sure the vault you have chosen has the required permissions to configure backup on the storage accounts as detailed in the previous section. You need to wait for validations to complete which may take up to 1 minute. Once validations have succeeded, click Next to continue.
- In the Review and configure tab, review the backup policy and click Configure backup. You will see notifications informing about the status of configuring protection and its completion.
Once you enable backup, all the blobs in the specified storage account will be protected using Azure backup.
Restore Azure blobs
At any point in time, you can perform restores within the retention range after backup for Azure blobs is enabled. To initiate a restore, take the following steps:
- Search for Backup Center (preview) in the Azure Portal search bar.
- Navigate to Overview, and then click Restore as shown in the figure below.
- In the Initiate Restore tab, choose Azure Blobs (Azure Storage) as the Datasource type and then select the Backup Instance you want to restore as shown in the figure below. The Backup instance is the storage account name that contains the blobs you want to restore. Click Proceed to continue.
- In the Select recovery point tab, choose the date and time you want to restore your data from. You can also use the slider (Green/Grey) to choose the point in time to restore from.
- The information shown next to the date represents the valid duration from which you can restore your data. Please note that the operational backup for Azure blobs is being continuous which gives you granular control over points to recover data from. The time shown here is your local time. Click Next: Restore parameters > to continue.
- In the Restore parameters tab, choose whether you want to ‘Restore all blobs in the storage account‘ or a subset of blobs using ‘Prefix match‘. When using prefix match, you can specify up to 10 ranges of prefixes or file paths. In the following example, I want to restore the complete contents of the container named container01 (container01 To container01-0). I want also to restore blobs in the lexicographical range blob1 through blob9 of the container named container02. This range restores blobs with names such as blob1, blob11, blob100, blob2, blob3, blob4, blob5, and so on. Because the end of the range is exclusive. In other words, it restores blobs whose names begin with blob8 and blob7 but does not restore blobs whose names begin with blob9. Finally, I want to restore all blobs of the containers named container03 and container04. Because the end of the range is exclusive, this range does not restore container05.
- Click Next: Review + restore button, and then click Restore to initiate the restore process…
- Once the restore process started, you can use the ‘Jobs’ view to track the details and status of restores under Backup Center > Backup Jobs. The status will show ‘In progress’ while the restore is being performed and change to ‘Completed’ when it finishes successfully as shown in the figure below.
How it works…
Once you enable backup for Azure Blobs as detailed in the previous section, you will notice several changes at the storage accounts level.
- The following capabilities are enabled on the storage account. These can be viewed in the Data Protection tab of the storage account as shown in the figure below.
- Versioning for blobs.
- Blob change feed.
- Point in time restore for containers: With retention as specified in the backup policy.
- Soft delete for blobs: With retention as specified in the backup policy +1 day.
- If a point in time and soft delete on the storage account level already had this capability enabled (before you enable backup), then Azure backup ensures that the retention is at least as defined in the backup policy. Therefore, the recovery for each property is set as follows:
- If the retention in the backup policy is greater > than retention originally present in the storage account: The retention on the storage account is modified per the backup policy
- If the retention in the backup policy is lower < than retention originally present in the storage account: The retention on the storage account is left unchanged to the originally set duration.
- A Delete Lock is also enforced on the protected Storage account level similar to protecting Azure files using Azure Backup. The lock is specifically meant to safeguard against cases of accidental deletion of the storage account. This can be viewed under Storage Account > Locks as shown in the figure below.
- The data is maintained locally in the source storage account itself and does not get transferred to the Backup Vault.
- When performing restores, the following steps will take place:
- Blobs will be restored to the same storage account and may result in being overwritten.
- While restore is in progress, blobs in the storage cannot be read or written to.
- Restores are supported for block blobs only, not append blobs and page blobs.
- Azure files backup uses the native snapshot capability while Azure backup for blobs uses the point in time restore capability, however, both solutions retain data within the source storage account to allow local backups.
- There are no backup limits on the container/blobs, the limits are on the duration for which the data can be retained and not on the number of snapshots, however, Azure files backup has 200 snapshots limits on each file share.
In this article, I showed you how to backup and restore Azure Blobs in Azure Storage using Azure Backup.
Azure Backup for blobs uses blob service’s point in time restore capability which in turn records changes taking place on blobs in the storage account. Hence, backups are continuous in nature allowing you to restore to any point in time as long as it lies within the restoration period.
Thank you for reading my blog.
If you have any questions or feedback, please leave a comment.