
Vaulted Backup for Azure Files – Comprehensive Guide


Are you concerned about data protection and recovery if your storage account is compromised or a malicious actor deletes your file share? Are you obligated to meet compliance standards for retaining backups for an extended period? Yes or Yes?

After a long wait, Azure Backup now supports transferring your Files backups to the Recovery Services vault. In this article, we will show you how to enable vaulted backup for Azure Files and transfer your protected data to the recovery services vault.

Introduction

Azure Backup is an Azure-based service that backs up (or protects) and restores your data in the Microsoft Cloud. It replaces your existing on-premises and off-site backup solution with a reliable, secure, and cost-competitive cloud-based solution.

The Azure Backup team just announced that you can now perform a Vaulted backup for Azure Files (public preview) in addition to the generally available snapshots (backup). Vaulted backup for file shares allows you to create hardened backups of your files and data and store them in the Backup vault, thus helping you protect your data from various adverse data loss scenarios due to corruption and deletions of files and storage accounts. Vaulted backup can be used along with the existing snapshots backup solution and provides a comprehensive, simple, and zero-infrastructure solution to manage the protection of your data at scale.

Using the Vaulted backup solution, backup data is copied and stored in the Backup Vault (transferred outside your storage account) according to the schedule and frequency you defined through the backup policy. This supports long-term retention. Hence, you get comprehensive protection against accidental deletion and ransomware attacks.

Related: Check how to enable Vaulted Backup for Azure Blob storage.

And guess what? This also protects your Azure File Sync deployment on-premises with the Storage Sync service against malicious actors.

Prerequisites

To follow this article, you need to have the following:

1) Azure subscription — If you don’t have an Azure subscription, you can create one here for free.

2) Azure storage V2 account — Follow the instructions to create a general-purpose V2 storage account. Storage accounts with restricted network access aren’t supported.

3) You need a Recovery Services vault and NOT a Backup vault (more on this in the following section).

4) Ensure you have the minimum roles required to perform different backup and restore operations.

5) Supported regions: At the time of this writing, vaulted backup (public preview) for Azure Files is available in the following regions: West Central US, Southeast Asia, UK South, East Asia, UK West, and India Central. More regions will be added very soon.

6) At the time of this writing, cross-region and cross-subscription backup and restore are not supported. Hence, the recovery services vault and the storage account you want to protect must be in the same region and subscription.

Related: Check how Azure Backup Integrates with Azure File Sync.

Create Recovery Services Vault

First, you need to create a Recovery Services vault. A Recovery Services vault functions as a management entity responsible for storing recovery points generated over a period of time. It offers an interface for carrying out backup-related tasks, such as initiating on-demand backups, conducting restores, and establishing backup policies.

1) In the Azure portal, search for the Backup center and then go to the dashboard.

2) On the Overview page, click ‘+ Vault‘ on the top bar.

Add Vault

3) Next, select ‘Recovery Services vault‘ and click Continue.

Select Recovery Services vault

4) On the Create Recovery Services vault pane, you need to enter the following:

  • Subscription: Select your desired subscription to use.
  • Resource group: Use an existing resource group or create a new one.
  • Vault name: Enter a friendly name to identify the vault. The name must be unique to the Azure subscription.
  • Region: Select the geographic region for the vault. Please note that to create a vault to help protect any data source, the vault must be in the same region as the storage account.

Create a Recovery Services vault

5) Last, after providing all the details, select Review + Create, and then hit Create to create the Recovery Services vault.

Please note that the Recovery Services vault can take a while to create.

As a side note, Geo-redundant storage is enabled by default for all vaults. If you don’t want geo-redundant storage, change the replication type under the vault “Properties” > “Backup Configuration” as soon as the vault is created. The storage replication type cannot be changed after you start protecting your data.

Backup Configuration

Create a Backup Policy

The next step is to create a backup policy. A backup policy determines when recovery points are created and how long they are retained in the vault. You can create a backup policy either before configuring backups or during the configuration process.

To create a backup policy, take the following steps:

1) Go to Backup Center and click ‘+Policy’ on the top bar.

Backup Policy

2) Select the data source type as ‘Azure Files (Azure Storage).’

3) Next, select the Recovery Services vault you created in the previous step to be associated with this policy, then click Continue.

Start: Create a Policy

4) Next, you need to configure the schedule and retention for your backups. Please make sure to set the backup tier as ‘Vault standard‘ and NOT ‘Snapshot‘, as shown in the figure below.

Create Vault Standard Backup Policy

5) Last, click ‘Create’ when done.

Enable Vaulted Backup

Now, we are ready to enable backup for your file share and transfer the data to the Vault.

1) Go to Backup Center and then navigate to the Overview pane, and click ‘+Backup’.

Enable Vaulted Backup

2) Select Azure Files (Azure Storage) as the data source type, select the Recovery Services vault with which you wish to protect the file shares, and then select Continue.

Configure Backup

3) Next, click Select to select the storage account that contains the file shares to be backed up. The Select Storage Account pane opens on the right, listing a set of discovered supported storage accounts. They’re either associated with this vault or present in the same region as the vault but not yet associated with any Recovery Services vault.

Select your account from the list of storage accounts discovered and click OK.

As a side note, we recommend that you enable the lock to protect your snapshots against accidental deletion of your storage account. Please note that registering a storage account with the recovery services vault might take a minute.

Select Storage Account

4) The next step is to select the file shares you want to back up. Click the Add button in the FileShares to Backup section. The Select File Shares context pane opens on the right. You will see all the Azure file shares that can be backed up. Please note that if you recently added your file shares and don’t see them in the list, allow some time for the file shares to appear.

From the Select File Shares list, select one or more file shares you want to back up, and then click OK.

Select File Shares

5) Then, choose the backup policy you created in the previous section. You can also choose to create a new backup policy by selecting the ‘Create a new policy’ option, and remember that you need to set the backup tier as ‘Vault standard.’

Select Vaulted Backup Policy

6) Last, after you make all appropriate selections, select Enable Backup.
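The three portal procedures above (create the Recovery Services vault, create a Vault standard policy, enable backup for the shares) can be scripted with the Az PowerShell module, which is what you want when protecting many shares at scale. This is an added example, not a script from the original article or from Microsoft. All resource names are placeholders; the `-BackupTier VaultStandard` parameter on the retention-policy and policy-creation cmdlets is an assumption to confirm against `Get-Help` for your installed Az.RecoveryServices version, since the vaulted tier is in public preview. The script also applies the side note from the vault section: it sets the storage redundancy before any share is protected, because it cannot be changed afterwards.

```powershell
# Added example (not from the original article): enable vaulted backup for Azure Files
# with Az PowerShell. All names below are placeholders; replace them with your own.
# Requires Az.Accounts, Az.RecoveryServices and Az.Storage, and a completed Connect-AzAccount.

$ResourceGroup  = "rg-backup-demo"            # placeholder
$Location       = "uksouth"                   # must be one of the preview regions listed above
$VaultName      = "rsv-files-demo"            # placeholder
$StorageAccount = "stfilesdemo"               # placeholder; same region and subscription as the vault,
                                              # general-purpose v2, without restricted network access
$FileShares     = @("azure-file-share-prod")  # share names to protect
$PolicyName     = "VaultStandard-Daily"

# 1) Recovery Services vault (not a Backup vault). Reuse it if it already exists.
$vault = Get-AzRecoveryServicesVault -ResourceGroupName $ResourceGroup -Name $VaultName -ErrorAction SilentlyContinue
if (-not $vault) {
    $vault = New-AzRecoveryServicesVault -ResourceGroupName $ResourceGroup -Name $VaultName -Location $Location
}

# 2) Storage redundancy is fixed once a data source is protected, so decide it now.
#    GeoRedundant is the default; LocallyRedundant and ZoneRedundant are the alternatives.
Set-AzRecoveryServicesBackupProperty -Vault $vault -BackupStorageRedundancy GeoRedundant

# 3) Backup policy for Azure Files using the Vault standard tier (not Snapshot).
#    ASSUMPTION: -BackupTier exists in your Az.RecoveryServices version; check Get-Help if it is rejected.
$schedule  = Get-AzRecoveryServicesBackupSchedulePolicyObject -WorkloadType AzureFiles `
    -BackupManagementType AzureStorage -ScheduleRunFrequency Daily
$retention = Get-AzRecoveryServicesBackupRetentionPolicyObject -WorkloadType AzureFiles `
    -BackupManagementType AzureStorage -BackupTier VaultStandard
# Adjust the snapshot and vault retention settings in $retention here if the cmdlet defaults don't fit.

$policy = Get-AzRecoveryServicesBackupProtectionPolicy -Name $PolicyName -VaultId $vault.ID -ErrorAction SilentlyContinue
if (-not $policy) {
    $policy = New-AzRecoveryServicesBackupProtectionPolicy -Name $PolicyName `
        -WorkloadType AzureFiles -BackupManagementType AzureStorage `
        -SchedulePolicy $schedule -RetentionPolicy $retention `
        -BackupTier VaultStandard -VaultId $vault.ID
}

# 4) Enable protection. The storage account is registered with the vault on first use.
foreach ($share in $FileShares) {
    Enable-AzRecoveryServicesBackupProtection -StorageAccountName $StorageAccount -Name $share `
        -Policy $policy -VaultId $vault.ID
}

# 5) Optional: run the first (full) backup now instead of waiting for the schedule, and watch the job.
#    A vaulted backup shows a snapshot sub-task followed by a data-transfer sub-task.
$container = Get-AzRecoveryServicesBackupContainer -ContainerType AzureStorage `
    -FriendlyName $StorageAccount -VaultId $vault.ID
foreach ($share in $FileShares) {
    $item = Get-AzRecoveryServicesBackupItem -Container $container -WorkloadType AzureFiles `
        -FriendlyName $share -VaultId $vault.ID
    $job  = Backup-AzRecoveryServicesBackupItem -Item $item -VaultId $vault.ID
    Wait-AzRecoveryServicesBackupJob -Job $job -VaultId $vault.ID -Timeout 3600 |
        Select-Object WorkloadName, Operation, Status, StartTime, EndTime
}
```

Run the script once per storage account; the policy and vault lookups make it safe to re-run, and only the `Enable-AzRecoveryServicesBackupProtection` loop needs to grow as you add shares.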

The Vaulted backup for Azure Files is a two-step process. First, Azure Backup will take a snapshot of the file share and then transfer data to the recovery services vault.

The initial backup is a complete backup, while the following backups are incremental. Once the backup job is triggered according to the schedule set in the backup policy, the Azure Backup service captures a snapshot of the file share. Subsequently, the data transfer job commences to transfer the data to the vault. The snapshot remains stored in the source storage account based on the configured snapshot retention, while the data within the vault is retained according to the vault retention specified in the backup policy.

If you set up multiple backups per day, the Azure Backup service will capture snapshots according to the schedule defined in the backup policy. However, only the data corresponding to the latest snapshot taken each day will be transferred to the vault. As a result, you will have one recovery point per day stored in the vault standard tier.

At any point in time, you can track the backup sub-tasks under the backup jobs, as shown in the figure below.

Backup jobs

Perform Restore for Azure Files

Now let’s assume that someone has permanently deleted the backed-up file share, or deleted the snapshot corresponding to a recovery point. To recover the data, open the Azure portal and take the following steps:

1) Go to the Backup Center > Overview pane, and click on Restore.

Perform Restore

2) Select Azure Files (Azure Storage) as the data source type, and then under Backup instance, select the file share you wish to restore (in this example, azure-file-share-prod). Then click Continue.

Select Azure File Share

3) Next, in the Restore blade, select the restore point you want to use to recover your data and click OK. Notice that the Recovery tier is ‘Snapshot and Vault-Standard.’

Select restore point

4) Under the Restore Destination section, select an ‘Alternate Location‘ and ensure that the target file share you provide for the restore operation is empty and that you don’t provide any value corresponding to the ‘Folder Name’ option, as shown in the figure below. Next, choose the “Overwrite Existing” option in case of conflicts.

Restore Destination

5) Last, once you enter all the appropriate values, click Restore. At any point in time, you can track the restore under the backup jobs.
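The same alternate-location restore, scripted with Az PowerShell, as an added example that is not part of the original article or of Microsoft's documentation. It picks the most recent recovery point, enforces the two conditions from step 4 (an empty target share in a different storage account and no target folder), resolves conflicts by overwriting, and then pulls the job detail so you can see which sub-task ran. All names are placeholders, and the `SubTasks` property on the job detail is an assumption to confirm with `Get-Member` on your own job object.

```powershell
# Added example (not from the original article): restore a vaulted Azure Files recovery point
# to an empty file share in a different storage account. All names are placeholders.

$ResourceGroup = "rg-backup-demo"
$VaultName     = "rsv-files-demo"
$SourceAccount = "stfilesdemo"              # account that held the protected share
$SourceShare   = "azure-file-share-prod"    # the backed-up (possibly deleted) share
$TargetRG      = "rg-restore-demo"          # placeholder
$TargetAccount = "stfilesrestore"           # a different storage account, same region and subscription
$TargetShare   = "azure-file-share-test"    # must already exist and be empty

$vault     = Get-AzRecoveryServicesVault -ResourceGroupName $ResourceGroup -Name $VaultName
$container = Get-AzRecoveryServicesBackupContainer -ContainerType AzureStorage `
    -FriendlyName $SourceAccount -VaultId $vault.ID
$item      = Get-AzRecoveryServicesBackupItem -Container $container -WorkloadType AzureFiles `
    -FriendlyName $SourceShare -VaultId $vault.ID

# Recovery points from the last 30 days; take the most recent one.
$end   = (Get-Date).ToUniversalTime()
$start = $end.AddDays(-30)
$rps   = Get-AzRecoveryServicesBackupRecoveryPoint -Item $item -StartDate $start -EndDate $end -VaultId $vault.ID
$rp    = $rps | Sort-Object RecoveryPointTime -Descending | Select-Object -First 1
if (-not $rp) { throw "No recovery point found for '$SourceShare' in the last 30 days." }
$rp | Format-List RecoveryPointId, RecoveryPointTime

# Guard: vault restores are full-share alternate-location recoveries, so the target share must be empty.
$ctx      = (Get-AzStorageAccount -ResourceGroupName $TargetRG -Name $TargetAccount).Context
$existing = Get-AzStorageFile -ShareName $TargetShare -Context $ctx
if ($existing) { throw "Target share '$TargetShare' is not empty; choose an empty share." }

# Alternate-location restore with no -TargetFolder; conflicts are overwritten, as in the portal walkthrough.
$job = Restore-AzRecoveryServicesBackupItem -RecoveryPoint $rp `
    -TargetStorageAccountName $TargetAccount -TargetFileShareName $TargetShare `
    -ResolveConflict Overwrite -VaultId $vault.ID

# Track the restore. The sub-tasks show whether the snapshot or the vault copy was used.
$done   = Wait-AzRecoveryServicesBackupJob -Job $job -VaultId $vault.ID -Timeout 7200
$detail = Get-AzRecoveryServicesBackupJobDetail -Job $done -VaultId $vault.ID
$detail | Select-Object WorkloadName, Operation, Status, StartTime, EndTime
# ASSUMPTION: the job detail exposes a SubTasks collection; inspect $detail | Get-Member if it does not.
$detail.SubTasks | Format-Table Name, Status
```

Keep the emptiness check: a restore into a share that already holds data with Overwrite set will replace conflicting files, which is exactly the outcome the empty-target rule in step 4 is meant to prevent.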

Backup jobs

As described above, the first step in performing a restore is to select a restore point, and each restore point can have one of the following three recovery tiers associated with it:

1) Snapshot — This means that only a snapshot corresponding to that recovery point is present.

2) Snapshot and vault standard — This means both snapshot and backup data in the vault are present and correspond to that recovery point.

3) Vault — It means the snapshot corresponding to the recovery point has expired and the backup data is only present in the vault.

Based on the Recovery tier, the restore engine determines whether snapshot or vault data is to be used for recovery. If the recovery tier value is ‘Snapshot and Vault-Standard‘, the restore is attempted from the snapshot first. If the snapshot is not present, the Azure Backup service triggers a restore from the data in the vault.

To verify that the restore is triggered from the backup data in the vault and not from the snapshot, you can check the sub-task under the backup jobs, as shown in the figure below.

Restore job

Once the restore process is completed, we can verify that the data has been successfully restored to the target Azure file share (azure-file-share-test).

Verify Azure file share restore

That’s it, there you have it. Happy Vaulted Backup for Azure file shares!

Vaulted vs. Snapshot Backup for Azure Files

You may wonder what the difference is between the existing Snapshot Backup and the new Vaulted Backup for Azure Files.

Vaulted backup of Azure Files stores a backup copy of your data in the Recovery Services vault (as opposed to snapshot backup of files, where the backup data is stored in the source storage account itself for data recovery).

The new vaulted Azure Files backup solution allows you to retain your data for up to 99 years (as opposed to the snapshot backup of files, which allows you to retain your data for up to 10 years). However, restoring from older recovery points may lead to a longer recovery time objective (RTO) during the restore operation.

At the time of this writing, the vaulted backup solution can be used to perform restores to a different storage account ONLY (for restoring to the same account, you may use the snapshot backups). The storage account (file share) to which the data is being restored is referred to as the ‘target’ (full-share alternate location recoveries).

Additionally, item-level recoveries are currently not supported from backups in the vault, and only one backup per day is transferred to the vault. The Azure Backup team is working to address these limitations.

Related: Check how to Configure Multiple Backups for Azure Files.

In Conclusion

In this article, we showed you how to enable vaulted backup for Azure file shares and perform restore operations in case of data deletion.

The new vaulted backups are transferred to the recovery services vault per the schedule defined and retained as per the retention settings you configured in the backup policy. Hence, you get an off-site backup copy that offers protection against scenarios that could lead to partial or complete data loss.

The vaulted backups enable you to meet compliance and audit requirements by retaining backup data for up to 99 years.

__
Thank you for reading my blog.

If you have any questions or feedback, please leave a comment.

-Charbel Nemnom-

About the Author
Charbel Nemnom
Charbel Nemnom is a Senior Cloud Architect with 21+ years of IT experience. As a Swiss Certified Information Security Manager (ISM), CCSP, CISM, Microsoft MVP, and MCT, he excels in optimizing mission-critical enterprise systems. His extensive practical knowledge spans complex system design, network architecture, business continuity, and cloud security, establishing him as an authoritative and trustworthy expert in the field. Charbel frequently writes about Cloud, Cybersecurity, and IT Certifications.