26 Using N2WS with Azure

Manage the backup and recovery of your Azure resources.
Following are the steps for setup, backup, and recovery of Azure VMs, Disks, and SQL Servers:
  1. 1.
    Before starting, configure N2WS Backup & Recovery according to Configuring N2WS.
  2. 2.
    After the final configuration screen, prepare your Azure Subscription by adding the required permissions and custom IAM role in Azure. See section 26.1.
  3. 3.
    Register the CPM app in Azure. See section 26.2.
  4. 4.
    Create an N2WS account user as usual and configure resource limitations for Azure as described in section 18.3.
  5. 5.
    Assign a custom role to your app. See section 26.3.
  6. 6.
    In N2WS, add an Azure account with the custom N2WS role. See section 26.4.
  7. 7.
    Create a Storage Account Repository for your data objects. See section 26.5.
  8. 8.
    Create an Azure policy in N2WS with Azure backup targets. See section 26.6.
  9. 9.
    Configure Azure Disaster Recovery. See section 26.7.
  10. 10.
    Back up the policy. See section 26.8.
  11. 11.
    Recover from a backup, including file-level recovery. See section 26.9.
You can design a Recovery Scenario to automatically coordinate sequential recoveries for several or all backup target types in a single Azure policy during one recovery session. See section ‎‎24.3.
For Recovery Scenarios, it is important to configure the recovery details for each Azure target.

26.1 Setting Up Your Azure Subscription

N2WS Backup & Recovery needs the following permissions to perform backup and recovery actions.
  1. 2.
    Add your subscription ID value to the subscriptions attribute in the minimal permissions JSON.
{
"properties": {
"roleName": "CPM",
"description": "",
"assignableScopes": [
"/subscriptions/<subscriptionID>"
],
"permissions": [
{
"actions": [
"Microsoft.Compute/virtualMachines/read",
"Microsoft.Compute/disks/read",
"Microsoft.Compute/snapshots/write",
"Microsoft.Network/networkInterfaces/read",
"Microsoft.Compute/snapshots/read",
"Microsoft.Resources/subscriptions/resourceGroups/read",
"Microsoft.Compute/disks/write",
"Microsoft.Compute/snapshots/delete",
"Microsoft.Resources/subscriptions/resourceGroups/delete",
"Microsoft.Network/virtualNetworks/read",
"Microsoft.Network/virtualNetworks/subnets/read",
"Microsoft.Network/networkInterfaces/write",
"Microsoft.Network/virtualNetworks/subnets/join/action",
"Microsoft.Network/networkInterfaces/join/action",
"Microsoft.Compute/virtualMachines/write",
"Microsoft.Compute/diskEncryptionSets/read",
"Microsoft.Compute/virtualMachines/powerOff/action",
"Microsoft.Compute/virtualMachines/start/action",
"Microsoft.Compute/availabilitySets/read",
"Microsoft.Compute/availabilitySets/vmSizes/read"
],
"notActions": [],
"dataActions": [],
"notDataActions": []
}
]
}
}
2. Log on to the Azure Portal, https://portal.azure.com, and go to your subscription. Select a subscription that you want to use with N2WS Backup & Recovery.
3. Select Access control (IAM), select +Add, and then select Add custom role.
4. Complete the form as follows using N2WSBackupRecoveryRole as the Custom role name, and then select the JSON file saved in step 1. 5. Create the role with the new JSON file.

26.2 Registering Your Azure App

  1. 1.
    In the Azure portal Dashboard section, go to the App registrations service.
  2. 2.
    In the Name box, type CPM-on-Azure and select Register.
3. Select the app. 4. Save the Application (client) ID and Directory (tenant) ID for use when adding the Azure account to N2WS.
5. Select Add a certificate or secret. 6. Select
New client secret. 7. Complete the secret values, and save.

26.3 Assigning the Custom Role to your App

  1. 1.
    In Azure, go to the Subscription service and select your subscription.
  2. 2.
    Select Access control (IAM).
  3. 3.
    Select Add and then select Add role assignment.
  4. 4.
    In the Role list, select your custom role.
  5. 5.
    In the Select list, select the app that you created.
  6. 6.
    Select Save.
  7. 7.
    In the Role assignments tab, verify that the custom role is assigned.
It might take time for Azure to propagate the changes in IAM.

26.4 Adding an Azure Account to N2WS

  1. 1.
    Log on to N2WS using the root username and password used during the N2WS configuration.
  2. 2.
    Select the Accounts tab.
  3. 3.
    If you have a license for Azure cloud, select Azure account in the + New menu.
  4. 4.
    Complete the New Azure Account screen using the App registration view information in the Azure portal as needed.
  • Name - Copy from your App registration name.
  • In the User list, select your username. Or, select
    New to add a new user. See section 18.
  • Directory (tenant) ID – Copy from your App registration.
  • Application (client) ID – Copy from your App registration.
  • Client Secret – Copy from your App registration Certificates & secrets in the App registration view, or set a new secret.
  • Scan Resources - Select to include the current account in tag scans performed by the system. The scan will cover all VMs and disks in all locations.
5. Select Save. The new account appears in the Accounts list as an Azure Cloud account.

26.5 The Storage Account Repository

Storage Account repositories are where backups of SQL servers are stored. Storage Account repositories can also serve as cross-cloud storage for AWS volume snapshots via a Lifecycle policy. For more details, see section 21.
A single Azure Storage Account container can have multiple repositories.

26.5.1 Configuring a Storage Account Repository

  1. 1.
    In N2WS, select the Storage Repositories tab.
  2. 2.
    In the
    New menu, select Storage Account Repository.
  3. 3.
    In the New Storage Account Repository screen, complete the following fields, and select Save when complete.
  • Name - Type a unique name for the new repository, which will also be used as a folder name in the Azure Storage Account container. Only alphanumeric characters and the underscore are allowed.
  • Description - Optional brief description of the contents of the repository.
  • User – Select the user in the list.
  • Account - Select the account that has access to the Storage Account.
  • Subscriptions – Select the subscription that owns the Storage Account.
  • Resource Group – Select the Storage Account’s resource group.
  • Location – Select the Storage Account’s location.
  • Storage Account Name – Select the name of the Storage Account from the list.
  • Immutable Backups - Select to protect data store in the repository from accidental deletion or alteration. When enabled, the N2WS server puts a Lease on every object stored in the Storage Account repository. A leased object cannot be deleted or modified until the Lease is cancelled. You can specify the string that will be used as the Lease (in a UUID format), or let N2WS create one for you.

26.5.2 Deleting a Storage Account Repository

You can delete all snapshots copied to a specific Storage Account repository.
Deleting a repository is not possible when the repository is used by a policy. You must change the policy's repository to a different one before you can delete the Target repository.
  1. 1.
    Select the Storage Repositories tab.
  2. 2.
    Use the Cloud buttons to display the Azure
    repositories.
  3. 3.
    Select the repository to delete.
  4. 4.
    Select Delete.

26.6 Creating an Azure Policy

To back up resources in Azure, create an N2WS Azure policy.
Before saving a policy with an SQL Server backup target, the policy must have a Storage Account Repository. To create a Storage Account Repository, see ‎section 26.5.
  1. 1.
    In N2WS, select the Policies tab.
  2. 2.
    On the
    New menu, select Azure policy.
  3. 3.
    In the New Azure Policy screen, complete the fields:
  • Name – Enter a name for the policy.
  • User – Select from the list. Or, select
    New to add a user. See section 18.
  • Account – Select from the list. Or, select
    New to add an account. See section 26.2.
  • Enabled – Clear to disable the policy.
  • Subscription – Select from the list.
  • Schedules – Optionally, select one or more schedules from the list, or select
    New to add a schedule. See section 4.1.1.
  • Auto Target Removal – Select Yes to automatically remove a non-existing target from the policy.
4. Select the Backup Targets tab. 5. For each resource type to back up, in the Add Backup Targets menu, select a target. The applicable screen opens.
  • For Virtual Machines, see section ‎26.6.2.
  • For SQL Servers and their databases, see section ‎26.6.1.
  • For Azure disks, see section ‎26.6.3.
6. Before completing a policy with SQL Server backup targets, select a Target repository for the policy in the Storage Repository tab, and then select Save.
7. In the Backup Targets tab, review the selected targets, and then select Save.

26.6.1 Adding an SQL Server Target

An SQL Server backup is performed by a worker. The worker parameters for each SQL Server target are configured in the Policy SQL Server and Database Configuration screen, as shown in step 3 below.
Following are possible backup configurations for an SQL Server target:
  • Back up all databases
  • Include or Exclude only pre-selected databases in the backup process
Before selecting individual SQL Servers, it is required to filter by the Location of the target resources using the list in the upper left corner. Filtering by Resource Group is optional.
To add an SQL Server target:
  1. 1.
    In the Add Backup Targets menu, select SQL Servers. The Add SQL Servers table opens.
2. When finished selecting targets, select Add selected. The Backup Targets tab lists the selected targets.
3. To choose which databases to back up for each SQL Server, select a server, and then select
Configure. The Policy SQL Server and Database Configuration screen opens.
4. In the Which Databases list, choose whether to back up All Databases on this server, or select databases, and then choose Include Selected or Exclude Selected.
5. For each database, change Private DNS Zone, SSH Key, Virtual Network, Subnet, Security Group, and Network Access as needed, and then select Apply.
6. In the Storage Repository tab, select the Target repository for the SQL Server backup, and then select Save.

26.6.2 Adding an Azure Virtual Machine

Before selecting individual Virtual Machine targets, it is required to filter by the Location of the target resources using the list in the upper left corner. Filtering by Resource Group is optional.
  1. 1.
    On the Add Backup Targets menu, select Virtual Machines. The Add Virtual Machines table opens.
2. Select the virtual machines for backup, and then select Add selected. The Backup Targets tab lists the selected targets.
3. To choose which disks to back up for each Virtual Machine target, select a machine, and then select
Configure. The Policy Virtual Machine and Disk Configuration screen opens.
4. In the Which Disks list, select the disks to Include or Exclude in the backup. Change additional information as needed, and then select Apply.

26.6.3 Adding an Azure Disk Backup Target

1. In the Add Backup Targets menu, select Disks.
2. Select the Disks to back up, and then select
Configure for each target.
3. Configure disk information, such as Encryption Set. To expand the configuration section for a disk, select the right arrow
. Change the Name to the desired name for the recovered disk, and then select Close.

26.6.4 Enabling Immutable Backups

Enabling Immutable Backups will prevent the unauthorized deletion of Azure VM and disk snapshots. When a policy is enabled for Immutable Backups, a ‘Delete’ lock type is assigned to a disk snapshot until the lock is removed. The lock is removed by N2WS before Cleanup or by user-initiated deletion.
To enable immutable backups:
1. Select the relevant policy.
2. In the More Options tab, select Enable Immutable Backups.
To view the lock type in Azure:
On the Azure console, go to the Snapshot page and select Locks.
The following permissions are required:
o Microsoft.Authorization/locks/read
o Microsoft.Authorization/locks/write
o Microsoft.Authorization/locks/delete

26.7 Configuring Azure DR

The DR operation copies managed disk snapshots to selected locations.
  1. 1.
    In the DR tab, select Enable DR.
  2. 2.
    Complete DR Frequency and DR Timeout.
  3. 3.
    In the Target Locations list, select the DR target locations.

26.7.1 Setting a Tag for Managed Disks with Disk Access

Azure can manage private access disks using a Disk Access resource, which is based on subscription and location. For disk targets using private access, provide a tag with the ID of the Disk Access resource on the selected DR locations.
To provide a Disk Access ID, add a tag to the resource as follows:
Key: ‘cpm_dr_disk_access’ or ‘cpm_dr_disk_access:<LOCATION>’; Value: ‘<Disk Access ID>
  • If disks are attached to a Virtual Machine target and same Disk Access is used for all backed up disks, it is sufficient to add the tag to the Virtual Machine and not each disk.
  • If a single DR location is selected, there is no need for ‘:<LOCATION>’ in the tag key.

26.8 Backing Up an Azure Policy

If the policy has a schedule, the policy will backup automatically according to the schedule.
  1. 1.
    To run a policy as soon as possible, select the policy and select
    Run ASAP in the Policies view.
  2. 2.
    To view the policy progress and backups, select Backup Monitor, and use the Cloud button to display the Azure (
    ) policies. The backup progress is shown in the Status column.

26.9 Recovering from an Azure Backup

Only one VM is recoverable during a recovery operation.
After creating a backup, you can recover it from the Backup Monitor.
After choosing the objects to recover, you can view the recovery process by selecting Recovery Monitor. Use the Cloud buttons to display the Azure (
) recoveries.
In the VM recovery Basic Options, there are Azure options for replicating data to additional locations in order to protect against potential data loss and data unavailability:
  • Availability Zone – A redundant data center (different building, different servers, different power, etc.), within a geographical area that is managed by Azure.
  • Availability Set – A redundant data center (different building, different servers, different power, etc.) that can be launched and fully configured by the customer and managed by the customer.
  • No Redundancy Infrastructure Required – By selecting this option, the customer can choose not to replicate its data to an additional (redundant) location in another zone or set. By choosing this option, the customer would save some money, but in rare cases (usually 11 9s of durability and 99.9% of availability), the customer can experience some degree of data loss and availability.
In the Disk Recovery screen, you may be presented with an option to change the encryption when recovering certain disks.
After choosing the objects to recover, you can view the recovery process by selecting Recovery Monitor. Use the Cloud buttons to display the Azure (
) recoveries.

26.9.1 Recovering a VM and Disks

To recover a VM and/or attached disks:
  1. 1.
    In the Backup Monitor, select the backup and then select
    Recover.
2. To recover a VM, with or without its attached disks, select the VM snapshot that you want to recover from and then select
Recover.
a. In the Virtual Machines tab of the Recover screen, select 1 VM and then select
Recover. The Basic Options tab opens.
b. In the Availability Type list, select one of the following:
  • No Infrastructure Redundancy Required – Select to not replicate data at a redundant location in another zone or set.
  • Availability Zone – Select a zone in the Availability Zone list.
  • Availability Set – Select a set in the Availability Set list.
c. In the Private IP Address box, assign an available IP address or switch the Custom toggle key to Auto assigned. d. In the Disks tab, enter a new Name for each disk. Similar names will cause the recovery to fail. e. Select Recover Virtual Machine.
3. To recover only Disks attached to the VM, select Recover Disks Only. a. In the Disks tab, enter a new Name for each disk. Similar names will cause the recovery to fail. b. See Note in section 26.5 about changing the Encryption Set for certain disks. c. Change other settings as needed. d. Select Recover Disk.

26.9.2 Recovering Independent Disks

To recover from backups with independent disks:
  1. 1.
    Select the backup and then select
    Recover as in step 1 of the VM recovery.
  2. 2.
    In the Independent Disks tab:
    1. 1.
      Enter a new Name for each disk to recover as similar names will cause failure.
    2. 2.
      See Note in section 26.5 about changing the Encryption Set for certain disks.
    3. 3.
      Change other settings as needed.
    4. 4.
      Select Recover Disk.

26.9.3 DR Recovery

When recovering from a backup that includes DR (DR is in Completed state), the same Recover screen opens but with the addition of the Restore to Location drop-down list.
  • Default location is Origin, which will recover all the objects from the original backup. It will perform the same recovery as a policy with no DR.
  • When choosing one of the other regions, the objects are listed and are recovered in the selected location.

26.9.4 Recovering an SQL Server and Databases

You can recover an SQL Server and some or all of its databases or just the SQL databases.
For Recover SQL Databases Only, enable Allow Azure services and resources to access this server.
In the Backup Monitor, select the backup, and then select
Recover.
To recover an SQL Server with some or all its databases:
  1. 1.
    Select the SQL Server snapshot that you want to recover from and then select
    Recover.
2. In the SQL Servers tab of the Recover screen, select 1 SQL Server and then select
Recover. The Basic Options tab opens.
3. In the Server Admin Login and Password boxes, provide the credentials to use in the recovered SQL Server.
4. In the Network tab:
a. Select the Minimum TLS Version in the list.
b. Select Firewall Rules and Virtual Network Rules, or select Deny Pubic Network Access.
5. In the SQL Databases tab, select the databases to recover.
6. In the Worker Options tab, set values to enable communication between the Worker and the SQL Server.
7. Select Recover SQL Server.
To recover SQL Databases only:
  1. 1.
    Select the SQL Server snapshot that you want to recover from and then select
    Recover SQL Databases Only.
  2. 2.
    In the SQL Databases tab, enter a new Name for each database. Similar names will cause the recovery to fail.
3. Change other settings as needed.
4. Select Recover SQL Database.

26.9.5 File-level Recovery from a Snapshot of an Azure Disk or Virtual Machine

When you back up an Azure Virtual Machine or disks, you can recover individual files from the backup without having to recover the entire Virtual Machine or all disks.
To recover individual files from a snapshot of an Azure disk or Virtual Machine:
  1. 1.
    Complete the steps required to configure a worker to be launched in the account, subscription, and location of the source snapshot. See section 22.
  2. 2.
    In the Backup Monitor, select the backup, and then select
    Recover.
  3. 3.
    To explore files from an entire virtual machine, go to the Virtual Machine tab, select the virtual machine, and then select Explore Disks Files.
  4. 4.
    To explore files from one or more disks belonging to a virtual machine, go to the Virtual Machine tab, select the virtual machine, then select Recover Disks Only. Select one or more disks, and then select Explore Disks.
  5. 5.
    To explore files from an independent disk, go to the Independent Disks tab, select the disk, and then select Explore Disks.
  6. 6.
    If multiple backups of the chosen target exist, you will be prompted to select the number of different backups to explore. Select the desired number, and then select Start Session.