26 Using N2WS with Azure

Manage the backup and recovery of your Azure resources.

Following are the steps for setup, backup, and recovery of Azure VMs, Disks, and SQL Servers:

  1. Before starting, configure N2WS Backup & Recovery according to section 2.

  2. After the final configuration screen, prepare your Azure Subscription by adding the required permissions and custom IAM role in Azure. See section 26.1.

  3. Register the CPM app in Azure. See section 26.2.

  4. Create an N2WS account user as usual and configure resource limitations for Azure as described in section 18.3.

  5. Assign a custom role to your app. See section 26.3.

  6. In N2WS, add an Azure account with the custom N2WS role. See section 26.4.

  7. Create a Storage Account Repository for your data objects. See section 26.5.

  8. Create an Azure policy in N2WS with Azure backup targets. See section 26.6.

  9. Configure Azure Disaster Recovery. See section 26.7.

  10. Back up the policy. See section 26.8.

  11. Recover from a backup, including file-level recovery. See section 26.9.

You can design a Recovery Scenario to automatically coordinate sequential recoveries for several or all backup target types in a single Azure policy during one recovery session. See section ‎‎24.3.

For Recovery Scenarios, it is important to configure the recovery details for each VM and SQL Server target.

26.1 Setting Up Your Azure Subscription

N2WS Backup & Recovery needs the following permissions to perform backup and recovery actions.

  1. Add your subscription ID value to the subscriptions attribute in the minimal permissions JSON.

    "properties": {
        "roleName": "CPM",
        "description": "",
        "assignableScopes": [
        "permissions": [
                "actions": [
                "notActions": [],
                "dataActions": [],
                "notDataActions": []

4. Complete the form as follows using N2WSBackupRecoveryRole as the Custom role name, and then select the JSON file saved in step 1. 5. Create the role with the new JSON file.

26.2 Registering Your Azure App

  1. In the Azure portal Dashboard section, go to the App registrations service.

  2. In the Name box, type CPM-on-Azure and select Register.

3. Select the app. 4. Save the Application (client) ID and Directory (tenant) ID for use when adding the Azure account to N2WS.

26.3 Assigning the Custom Role to your App

  1. In Azure, go to the Subscription service and select your subscription.

  2. Select Access control (IAM).

  3. Select Add and then select Add role assignment.

  4. In the Role list, select your custom role.

  5. In the Select list, select the app that you created.

  6. Select Save.

  7. In the Role assignments tab, verify that the custom role is assigned.

It might take time for Azure to propagate the changes in IAM.

26.4 Adding an Azure Account to N2WS

  1. Log on to N2WS using the root username and password used during the N2WS configuration.

  2. Select the Accounts tab.

  3. Complete the New Azure Account screen using the App registration view information in the Azure portal as needed.

  • Name - Copy from your App registration name.

  • Directory (tenant) ID – Copy from your App registration.

  • Application (client) ID – Copy from your App registration.

  • Client Secret – Copy from your App registration Certificates & secrets in the App registration view, or set a new secret.

  • Scan Resources - Select to include the current account in tag scans performed by the system. The scan will cover all VMs and disks in all locations.

5. Select Save. The new account appears in the Accounts list as an Azure Cloud account.

26.5 The Storage Account Repository

Storage Account repositories are where backups of SQL servers are stored. Storage Account repositories can also serve as cross-cloud storage for AWS volume snapshots via a Lifecycle policy. For more details, see section 21.

A single Azure Storage Account container can have multiple repositories.

26.5.1 Configuring a Storage Account Repository

  1. In N2WS, select the Storage Repositories tab.

  2. In the New Storage Account Repository screen, complete the following fields, and select Save when complete.

  • Name - Type a unique name for the new repository, which will also be used as a folder name in the Azure Storage Account container. Only alphanumeric characters and the underscore are allowed.

  • Description - Optional brief description of the contents of the repository.

  • User – Select the user in the list.

  • Account - Select the account that has access to the Storage Account.

  • Subscriptions – Select the subscription that owns the Storage Account.

  • Resource Group – Select the Storage Account’s resource group.

  • Location – Select the Storage Account’s location.

  • Storage Account Name – Select the name of the Storage Account from the list.

  • Immutable Backups - Select to protect data store in the repository from accidental deletion or alteration. When enabled, the N2WS server puts a Lease on every object stored in the Storage Account repository. A leased object cannot be deleted or modified until the Lease is cancelled. You can specify the string that will be used as the Lease (in a UUID format), or let N2WS create one for you.

26.5.2 Deleting a Storage Account Repository

You can delete all snapshots copied to a specific Storage Account repository.

Deleting a repository is not possible when the repository is used by a policy. You must change the policy's repository to a different one before you can delete the Target repository.

  1. Select the Storage Repositories tab.

  2. Select the repository to delete.

  3. Select Delete.

26.6 Creating an Azure Policy

To back up resources in Azure, create an N2WS Azure policy.

Before saving a policy with an SQL Server backup target, the policy must have a Storage Account Repository. To create a Storage Account Repository, see ‎section 26.5.

  1. In N2WS, select the Policies tab.

  2. In the New Azure Policy screen, complete the fields:

  • Name – Enter a name for the policy.

  • Enabled – Clear to disable the policy.

  • Subscription – Select from the list.

  • Auto Target Removal – Select Yes to automatically remove a non-existing target from the policy.

4. Select the Backup Targets tab. 5. For each resource type to back up, in the Add Backup Targets menu, select a target. The applicable screen opens.

  • For Virtual Machines, see section ‎26.6.2.

  • For SQL Servers and their databases, see section ‎26.6.1.

  • For Azure disks, see section ‎26.6.3.

6. Before completing a policy with SQL Server backup targets, select a Target repository for the policy in the Storage Repository tab, and then select Save.

7. In the Backup Targets tab, review the selected targets, and then select Save.

26.6.1 Adding an SQL Server Target

An SQL Server backup is performed by a worker. The worker parameters for each SQL Server target are configured in the Policy SQL Server and Database Configuration screen, as shown in step 3 below.

Following are possible backup configurations for an SQL Server target:

  • Back up all databases

  • Include or Exclude only pre-selected databases in the backup process

Before selecting individual SQL Servers, it is required to filter by the Location of the target resources using the list in the upper left corner. Filtering by Resource Group is optional.

To add an SQL Server target:

  1. In the Add Backup Targets menu, select SQL Servers. The Add SQL Servers table opens.

2. When finished selecting targets, select Add selected. The Backup Targets tab lists the selected targets.

4. In the Which Databases list, choose whether to back up All Databases on this server, or select databases, and then choose Include Selected or Exclude Selected.

5. For each database, change Private DNS Zone, SSH Key, Virtual Network, Subnet, Security Group, and Network Access as needed, and then select Apply.

6. In the Storage Repository tab, select the Target repository for the SQL Server backup, and then select Save.

26.6.2 Adding an Azure Virtual Machine

Before selecting individual Virtual Machine targets, it is required to filter by the Location of the target resources using the list in the upper left corner. Filtering by Resource Group is optional.

  1. On the Add Backup Targets menu, select Virtual Machines. The Add Virtual Machines table opens.

2. Select the virtual machines for backup, and then select Add selected. The Backup Targets tab lists the selected targets.

4. In the Which Disks list, select the disks to Include or Exclude in the backup. Change additional information as needed, and then select Apply.

26.6.3 Adding an Azure Disk Backup Target

1. In the Add Backup Targets menu, select Disks.

26.6.4 Enabling Immutable Backups

Enabling Immutable Backups will prevent the unauthorized deletion of Azure VM and disk snapshots. When a policy is enabled for Immutable Backups, a ‘Delete’ lock type is assigned to a disk snapshot until the lock is removed. The lock is removed by N2WS before Cleanup or by user-initiated deletion.

To enable immutable backups:

  1. Select the relevant policy.

  2. In the More Options tab, select Enable Immutable Backups.

To view the Lock Type in Azure:

On the Azure console, go to the Snapshot page and select Locks.

The following permissions are required:

o Microsoft.Authorization/locks/read

o Microsoft.Authorization/locks/write

o Microsoft.Authorization/locks/delete

26.7 Configuring Azure DR

The DR operation copies managed disk snapshots to selected locations.

  1. In the DR tab, select Enable DR.

  2. Complete DR Frequency and DR Timeout.

  3. In the Target Locations list, select the DR target locations.

26.7.1 Setting a Tag for Managed Disks with Disk Access

Azure can manage private access disks using a Disk Access resource, which is based on subscription and location. For disk targets using private access, provide a tag with the ID of the Disk Access resource on the selected DR locations.

To provide a Disk Access ID, add a tag to the resource as follows:

Key: ‘cpm_dr_disk_access’ or ‘cpm_dr_disk_access:<LOCATION>’; Value: ‘<Disk Access ID>

  • If disks are attached to a Virtual Machine target and same Disk Access is used for all backed up disks, it is sufficient to add the tag to the Virtual Machine and not each disk.

  • If a single DR location is selected, there is no need for ‘:<LOCATION>’ in the tag key.

26.8 Backing Up an Azure Policy

If the policy has a schedule, the policy will backup automatically according to the schedule.

26.9 Recovering from an Azure Backup

Only one VM is recoverable during a recovery operation.

After creating a backup, you can recover it from the Backup Monitor.

In the VM recovery Basic Options, there are Azure options for replicating data to additional locations

to protect against potential data loss and data unavailability:

  • Availability Zone – A redundant data center (different building, different servers, different power, etc.) within a geographical area that is managed by Azure.

  • Availability Set – A redundant data center (different building, different servers, different power, etc.) that can be launched and fully configured by the customer and managed by the customer.

  • No Redundancy Infrastructure Required – By selecting this option, the customer can choose not to replicate its data to an additional (redundant) location in another zone or set. By choosing this option, the customer would save some money, but in rare cases (usually 11 9s of durability and 99.9% of availability), the customer can experience some degree of data loss and availability.

In the Disk Recovery screen, you may be presented with an option to change the encryption when recovering certain disks.

26.9.1 Recovering a VM and Disks

To recover a VM and/or attached disks:

b. In the Availability Type list, select one of the following:

  • No Infrastructure Redundancy Required – Select to not replicate data at a redundant location in another zone or set.

  • Availability Zone – Select a zone in the Availability Zone list.

  • Availability Set – Select a set in the Availability Set list.

c. In the Private IP Address box, assign an available IP address or switch the Custom toggle key to Auto assigned. d. In the Disks tab, enter a new Name for each disk. Similar names will cause the recovery to fail. e. Select Recover Virtual Machine.

3. To recover only Disks attached to the VM, select Recover Disks Only. a. In the Disks tab, enter a new Name for each disk. Similar names will cause the recovery to fail. b. See Note in section 26.5 about changing the Encryption Set for certain disks. c. Change other settings as needed. d. Select Recover Disk.

26.9.2 Recovering Independent Disks

To recover from backups with independent disks:

  1. In the Independent Disks tab:

    1. Enter a new Name for each disk to recover as similar names will cause failure.

    2. See section 26.10 about changing the Encryption Set for certain disks.

    3. Change other settings as needed.

    4. Select Recover Disk.

26.9.3 DR Recovery

When recovering from a backup that includes DR (DR is in Completed state), the same Recover screen opens but with the addition of the Restore to Location drop-down list.

  • Default location is Origin, which will recover all the objects from the original backup. It will perform the same recovery as a policy with no DR.

  • When choosing one of the other regions, the objects are listed and are recovered in the selected location.

26.9.4 Recovering an SQL Server and Databases

You can recover an SQL Server and some of or all its databases or just the SQL databases.

For Recover SQL Databases Only, enable Allow Azure services and resources to access this server.

To recover an SQL Server with some or all its databases:

3. In the Server Admin Login and Password boxes, provide the credentials to use in the recovered SQL Server.

4. In the Network tab:

a. Select the Minimum TLS Version in the list.

b. Select Firewall Rules and Virtual Network Rules, or select Deny Pubic Network Access.

5. In the SQL Databases tab, select the databases to recover.

6. In the Worker Options tab, set values to enable communication between the Worker and the SQL Server.

7. Select Recover SQL Server.

To recover SQL Databases only:

  1. In the SQL Databases tab, enter a new Name for each database. Similar names will cause the recovery to fail.

3. Change other settings as needed.

4. Select Recover SQL Database.

26.9.5 File-level Recovery from a Snapshot of an Azure Disk or Virtual Machine

When you back up an Azure Virtual Machine or disks, you can recover individual files from the backup without having to recover the entire Virtual Machine or all disks.

To recover individual files from a snapshot of an Azure disk or Virtual Machine:

  1. Complete the steps required to configure a worker to be launched in the account, subscription, and location of the source snapshot. See section 22.

  2. To explore files from an entire virtual machine, go to the Virtual Machine tab, select the virtual machine, and then select Explore Disks Files.

  3. To explore files from one or more disks belonging to a virtual machine, go to the Virtual Machine tab, select the virtual machine, then select Recover Disks Only. Select one or more disks, and then select Explore Disks.

  4. To explore files from an independent disk, go to the Independent Disks tab, select the disk, and then select Explore Disks.

  5. If multiple backups of the chosen target exist, you will be prompted to select the number of different backups to explore. Select the desired number, and then select Start Session.

26.10 Cross-Cloud Recovery of AWS Volume to Azure

N2WS allows recovering an AWS volume backup to Azure.


  • Cross-cloud recovery is supported only for Instance Volume backups copied to S3.

  • From the UI, such recovery can only be initiated for one volume at a time chosen from the Volume Recovery from Instance screen.

OS\root disk functionality doesn’t migrate from AWS to S3. If N2WS recovers an AWS root volume to Azure, an Azure VM can’t be spined up from that disk.

To recover an volume from S3 to Azure:

Worker configuration is required. The recovery process uses a worker machine launched in Azure to write the required data to the volume.

  1. In the Backup Monitor, select an Instance backup that was copied to S3, and then select Recover.

  2. In the Recover screen, select the instance from which the volume is to be recovered.

  3. In the Restore from list, choose the repository to which the volume was copied.

  4. In the Restore to Account list, choose the Azure account to restore to.

  5. In the Subscription list, choose the subscription to restore to.

  6. Select Recover volumes only.

7. In the Volume Recovery from Instance screen, select one volume to recover.

8. In the Disk Name box, type the name of the disk to be recovered in Azure.

9. In the Resource Group list, choose the resource group to which the disk will be recovered.

10. Optionally, choose an Availability Zone to recover to and the Encryption Set to use on the recovered disk.

11. Select Recover Volume.

Last updated