This article describes how to back up and restore encrypted virtual machines using Azure Backup. It also covers the supported scenarios, prerequisites, and troubleshooting steps for error cases.
- Backup and restore of encrypted VMs is supported only for Resource Manager deployed virtual machines. It is not supported for Classic virtual machines.
- Backup and restore are supported for both Windows and Linux virtual machines encrypted with Azure Disk Encryption, which uses the industry-standard BitLocker feature of Windows and the dm-crypt feature of Linux to encrypt disks.
- The following table captures the supported scenarios for VMs encrypted with a BitLocker Encryption Key (BEK) only and for VMs whose BEK is additionally wrapped by a Key Encryption Key (KEK).
| BEK + KEK VMs | BEK only VMs |
|---|---|
- The virtual machine has been encrypted using Azure Disk Encryption.
- A Recovery Services vault has been created and its storage replication type set, following the steps in the article Prepare your environment for backup.
- Azure Backup has been given permissions to access the key vault containing the keys and secrets for the encrypted VMs.
Backup encrypted VM
Use the following steps to set the backup goal, define a policy, configure items, and trigger a backup.
If you already have a Recovery Services vault open, proceed to the next step. If you do not have a Recovery Services vault open but are in the Azure portal, on the Hub menu, click Browse.
- In the list of resources, type Recovery Services.
As you begin typing, the list filters based on your input. When you see Recovery Services vaults, click it.
The list of Recovery Services vaults appears. From the list, select a vault.
The selected vault dashboard opens.
From the list of items that appears under the vault, click Backup to start backing up the encrypted VM.
Click Backup goal to select the backup goal.
Set Where is your workload running? to Azure and What do you want to backup? to Virtual machine, then click OK.
This leads to the second step, selecting a backup policy.
Select the backup policy you want to apply to the vault and click OK.
The details of the default policy are listed. If you want to create a new policy, select Create New from the drop-down menu. Once you click OK, the backup policy is associated with the vault.
Next, choose the VMs to associate with the vault.
Choose the encrypted virtual machines to associate with the specified policy and click OK.
This page shows a message about the key vault associated with the selected encrypted VMs. The Backup service requires read-only access to the keys and secrets in that key vault; it uses these permissions to back up the key and secret along with the associated VMs. You must grant the Backup service access to the key vault for backups to work, using the steps in the section Provide permissions to Azure Backup below.
Now that you have defined all settings for the vault, click Enable Backup at the bottom of the page. Enable Backup deploys the policy to the vault and the VMs.
- The next phase in preparation is installing the VM Agent, or making sure the VM Agent is already installed. Use the steps in the article Prepare your environment for backup.
Triggering backup job
Use the steps in the article Back up Azure VMs to a Recovery Services vault to trigger a backup job.
Continue backups of already backed up VMs with encryption enabled
If you have VMs that are already being backed up in a Recovery Services vault and encryption was enabled on them at a later point, you must grant the Backup service access to the key vault for backups to continue. You can grant these permissions using the steps in the section below, or using the PowerShell steps in the Enable Backup section of the PowerShell documentation.
Provide permissions to Azure Backup
Use the following steps to provide relevant permissions to Azure Backup to access key vault and perform backup of encrypted VMs:
Select More Services and search for Key vaults.
From the list of key vaults, select the key vault associated with the encrypted VM that needs to be backed up.
Click Access policies and then Add new.
Click Select principal and type Backup Management Service in the search bar.
Select Backup Management Service and click Select button.
Select Azure Backup in the Configure from template drop-down. This pre-fills the required permissions in the Key permissions and Secret permissions drop-downs. If your VM is encrypted using a BEK only, only secret permissions are required, so clear the Key permissions selection.
Click OK. Notice that Backup Management Service is added under Access Policies.
Click Save. This grants the required permissions to Azure Backup.
Once permissions are successfully provided, you can proceed with enabling backup for encrypted VMs.
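The portal steps above, done from PowerShell, as an added example that is not part of the original article or the Azure Backup documentation. It reads the VM's Azure Disk Encryption settings to decide whether the VM is BEK-only or BEK + KEK (so that key permissions are granted only when a KEK is in use, as the template step above requires), confirms the referenced key vault exists, grants the Backup Management Service principal the same get, list and backup permissions the Azure Backup template grants, and reads the access policy back for verification. It assumes the AzureRM modules (AzureRM.Compute, AzureRM.KeyVault, AzureRM.Resources) and an existing Login-AzureRmAccount session; the function name, parameter names and the fallback application ID comment are this example's own.

```powershell
# Added example (not from the original article): grant the Azure Backup service the
# Key Vault access policy it needs for one encrypted Resource Manager VM, choosing the
# permission set from the VM's actual encryption configuration (BEK only vs. BEK + KEK),
# then read the policy back so the caller can verify it.
# Assumes AzureRM.Compute, AzureRM.KeyVault and AzureRM.Resources are installed and that
# Login-AzureRmAccount has been run against the subscription that holds the VM and vault.

function Grant-BackupKeyVaultAccess {
    param(
        [Parameter(Mandatory = $true)] [string] $ResourceGroupName,   # resource group of the VM
        [Parameter(Mandatory = $true)] [string] $VMName
    )

    # Step 1: read the encryption status Azure Disk Encryption recorded on the VM.
    # DiskEncryptionKey is the BEK secret reference; KeyEncryptionKey is the KEK
    # reference and is empty for a BEK-only VM.
    $status = Get-AzureRmVMDiskEncryptionStatus -ResourceGroupName $ResourceGroupName -VMName $VMName
    if ($status.OsVolumeEncrypted -ne 'Encrypted') {
        throw "OS volume of '$VMName' is not encrypted (state: $($status.OsVolumeEncrypted))."
    }
    $settings = $status.OsVolumeEncryptionSettings
    $bekUrl   = $settings.DiskEncryptionKey.SecretUrl
    $kekUrl   = $settings.KeyEncryptionKey.KeyUrl
    $usesKek  = -not [string]::IsNullOrEmpty($kekUrl)

    # Step 2: derive the key vault name from the BEK secret URL
    # (https://<vault-name>.vault.azure.net/secrets/<name>/<version>) and confirm the
    # vault still exists. A missing vault is what later breaks restore of this VM.
    $vaultName = ([uri]$bekUrl).Host.Split('.')[0]
    $vault = Get-AzureRmKeyVault -VaultName $vaultName
    if (-not $vault) {
        throw "Key vault '$vaultName' referenced by '$VMName' was not found in this subscription."
    }

    # Step 3: locate the Backup Management Service principal by display name, exactly as
    # the portal's Select principal search does. If the lookup returns nothing, fall back
    # to the application ID Microsoft documents for the service; check that ID against the
    # current Azure Backup documentation for your cloud before relying on it.
    $sp = Get-AzureRmADServicePrincipal -SearchString 'Backup Management Service' |
          Where-Object { $_.DisplayName -eq 'Backup Management Service' } |
          Select-Object -First 1
    $backupAppId = if ($sp) { $sp.ApplicationId } else { '262044b1-e2ce-469f-a196-69ab7ada62d3' }

    # Step 4: grant only what the "Azure Backup" template grants: get, list and backup.
    # Secret permissions are always needed (the BEK is a secret); key permissions are
    # added only when the BEK is wrapped by a KEK. No decrypt/unwrap rights are given.
    $policy = @{
        VaultName            = $vault.VaultName
        ResourceGroupName    = $vault.ResourceGroupName
        ServicePrincipalName = $backupAppId
        PermissionsToSecrets = @('get', 'list', 'backup')
    }
    if ($usesKek) {
        $policy['PermissionsToKeys'] = @('get', 'list', 'backup')
    }
    Set-AzureRmKeyVaultAccessPolicy @policy

    # Step 5: read the vault back and return the Backup service's policy entry.
    $vault = Get-AzureRmKeyVault -VaultName $vault.VaultName -ResourceGroupName $vault.ResourceGroupName
    $entry = $vault.AccessPolicies | Where-Object {
        ($sp -and $_.ObjectId -eq $sp.Id) -or ($_.DisplayName -like '*Backup Management Service*')
    }
    [pscustomobject]@{
        VM          = $VMName
        KeyVault    = $vault.VaultName
        UsesKek     = $usesKek
        BekSecret   = $bekUrl
        Kek         = $kekUrl
        PolicyEntry = $entry
    }
}

# Usage (placeholder names):
# Grant-BackupKeyVaultAccess -ResourceGroupName 'my-rg' -VMName 'my-encrypted-vm'
```

The returned PolicyEntry is the check worth keeping in a runbook: PermissionsToSecrets should list get, list and backup, and PermissionsToKeys should be present only for a BEK + KEK VM. If the Backup service later reports insufficient Key Vault permissions, re-run this against the VM and compare the entry rather than re-adding a broader policy by hand.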
Restore encrypted VM
To restore an encrypted VM, first restore the disks using the steps in the section Restore backed up disks in Choosing a VM restore configuration. After that, use one of the following options:
- Use the PowerShell steps in Create a VM from restored disks to create a full VM from the restored disks.
- Or, use the template generated as part of Restore Disks to create VMs from the restored disks. Templates are available only for recovery points created after 26 April 2017.
| Operation | Error details | Resolution |
|---|---|---|
| Backup | Azure Backup Service does not have sufficient permissions to Key Vault for Backup of Encrypted Virtual Machines | The virtual machine should be encrypted using both a BitLocker Encryption Key and a Key Encryption Key, and backup enabled after that. Grant the Backup service the required key vault permissions using the steps in the section above, or using the PowerShell steps in the Enable protection section of Use AzureRM.RecoveryServices.Backup cmdlets to back up virtual machines. |
| Backup | Validation failed as virtual machine is encrypted with BEK alone. Backups can be enabled only for virtual machines encrypted with both BEK and KEK. | The virtual machine should be encrypted using both BEK and KEK. First decrypt the VM, then encrypt it using both BEK and KEK, and enable backup once that is done. Learn more on how you can decrypt and encrypt the VM. |
| Restore | You cannot restore this encrypted VM since the key vault associated with this VM does not exist. | Create a key vault using Get Started with Azure Key Vault. Refer to the article Restore key vault key and secret using Azure Backup to restore the key and secret if they are not present. |
| Restore | You cannot restore this encrypted VM since the key and secret associated with this VM do not exist. | Refer to the article Restore key vault key and secret using Azure Backup to restore the key and secret if they are not present. |
| Restore | Backup Service does not have authorization to access resources in your subscription. | As mentioned above, restore the disks first using the steps in the section Restore backed up disks in Choosing a VM restore configuration. Then use PowerShell to Create a VM from restored disks. |