Before you can back up an Azure virtual machine (VM), there are three conditions that must exist.
- You need to create a backup vault or identify an existing backup vault in the same region as your VM.
- Establish network connectivity between the Azure public Internet addresses and the Azure storage endpoints.
- Install the VM agent on the VM.
If you know these conditions already exist in your environment then proceed to the Back up your VMs article. Otherwise, read on, this article will lead you through the steps to prepare your environment to back up an Azure VM.
Supported operating system for backup
- Linux: Azure Backup supports a list of distributions that are endorsed by Azure except Core OS Linux. Other Bring-Your-Own-Linux distributions also might work as long as the VM agent is available on the virtual machine and support for Python exists. However, we do not endorse those distributions for backup.
- Windows Server: Versions older than Windows Server 2008 R2 are not supported.
Limitations when backing up and restoring a VM
Azure has two deployment models for creating and working with resources: Resource Manager and classic. The following list provides the limitations when deploying in the classic model.
- Backing up virtual machines with more than 16 data disks is not supported.
- Backing up virtual machines with a reserved IP address and no defined endpoint is not supported.
- Backup data doesn't include network mounted drives attached to VM.
- Replacing an existing virtual machine during restore is not supported. First delete the existing virtual machine and any associated disks, and then restore the data from backup.
- Cross-region backup and restore is not supported.
- Backing up virtual machines by using the Azure Backup service is supported in all public regions of Azure (see the checklist of supported regions). If the region that you are looking for is unsupported today, it will not appear in the dropdown list during vault creation.
- Backing up virtual machines by using the Azure Backup service is supported only for select operating system versions:
- Restoring a domain controller (DC) VM that is part of a multi-DC configuration is supported only through PowerShell. Read more about restoring a multi-DC domain controller.
- Restoring virtual machines that have the following special network configurations is supported only through PowerShell. VMs that you create by using the restore workflow in the UI will not have these network configurations after the restore operation is complete. To learn more, see Restoring VMs with special network configurations.
- Virtual machines under load balancer configuration (internal and external)
- Virtual machines with multiple reserved IP addresses
- Virtual machines with multiple network adapters
Create a backup vault for a VM
A backup vault is an entity that stores all the backups and recovery points that have been created over time. The backup vault also contains the backup policies that will be applied to the virtual machines being backed up.
Starting March 2017, you can no longer use the classic portal to create Backup vaults. Existing Backup vaults are still supported, and it is possible to use Azure PowerShell to create Backup vaults. However, Microsoft recommends you create Recovery Services vaults for all deployments because future enhancements apply to Recovery Services vaults, only.
This image shows the relationships between the various Azure Backup entities:
In order to manage the VM snapshots, the backup extension needs connectivity to the Azure public IP addresses. Without the right Internet connectivity, the virtual machine's HTTP requests time out and the backup operation fails. If your deployment has access restrictions in place (through a network security group (NSG), for example), then choose one of these options for providing a clear path for backup traffic:
- Whitelist the Azure datacenter IP ranges - see the article for instructions on how to whitelist the IP addresses.
- Deploy an HTTP proxy server for routing traffic.
When deciding which option to use, the trade-offs are between manageability, granular control, and cost.
|Whitelist IP ranges||No additional costs.
For opening access in an NSG, use the Set-AzureNetworkSecurityRule cmdlet.
|Complex to manage as the impacted IP ranges change over time.
Provides access to the whole of Azure, and not just Storage.
|HTTP proxy||Granular control in the proxy over the storage URLs allowed. To setup granular control in the proxy, https://*.blob.core.windows.net/* URL Pattern needs to be whitelisted. To whitelist only the storage account used by the VM, https://<storageAccount>.blob.core.windows.net/* URL pattern needs to be whitelisted.
Single point of Internet access to VMs.
Not subject to Azure IP address changes.
|Additional costs for running a VM with the proxy software.|
Whitelist the Azure datacenter IP ranges
To whitelist the Azure datacenter IP ranges, please see the Azure website for details on the IP ranges, and instructions.
Using an HTTP proxy for VM backups
When backing up a VM, the backup extension on the VM sends the snapshot management commands to Azure Storage using an HTTPS API. Route the backup extension traffic through the HTTP proxy since it is the only component configured for access to the public Internet.
There is no recommendation for the proxy software that should be used. Ensure that you pick a proxy that has outbound stickiness and which is compatible with the configuration steps below. Make sure third party softwares do not modify the proxy settings
The example image below shows the three configuration steps necessary to use an HTTP proxy:
- App VM routes all HTTP traffic bound for the public Internet through Proxy VM.
- Proxy VM allows incoming traffic from VMs in the virtual network.
- The Network Security Group (NSG) named NSF-lockdown needs a security rule allowing outbound Internet traffic from Proxy VM.
To use an HTTP proxy to communicating to the public Internet, follow these steps:
Step 1. Configure outgoing network connections
For Windows machines
This will setup proxy server configuration for Local System Account.
- Download PsExec
Run following command from elevated prompt,
psexec -i -s "c:\Program Files\Internet Explorer\iexplore.exe"
It will open internet explorer window.
- Go to Tools -> Internet Options -> Connections -> LAN settings.
- Verify proxy settings for System account. Set Proxy IP and port.
- Close Internet Explorer.
This will set up a machine-wide proxy configuration, and will be used for any outgoing HTTP/HTTPS traffic.
If you have setup a proxy server on a current user account(not a Local System Account), use the following script to apply them to SYSTEMACCOUNT:
$obj = Get-ItemProperty -Path Registry::”HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections" Set-ItemProperty -Path Registry::”HKEY_USERS\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections" -Name DefaultConnectionSettings -Value $obj.DefaultConnectionSettings Set-ItemProperty -Path Registry::”HKEY_USERS\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections" -Name SavedLegacySettings -Value $obj.SavedLegacySettings $obj = Get-ItemProperty -Path Registry::”HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings" Set-ItemProperty -Path Registry::”HKEY_USERS\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings" -Name ProxyEnable -Value $obj.ProxyEnable Set-ItemProperty -Path Registry::”HKEY_USERS\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings" -Name Proxyserver -Value $obj.Proxyserver
If you observe "(407)Proxy Authentication Required" in proxy server log, check your authentication is setup correctly.
For Linux machines
Add the following line to the
http_proxy=http://<proxy IP>:<proxy port>
Add the following lines to the
HttpProxy.Host=<proxy IP> HttpProxy.Port=<proxy port>
Step 2. Allow incoming connections on the proxy server:
On the proxy server, open Windows Firewall. The easiest way to access the firewall is to search for Windows Firewall with Advanced Security.
In the Windows Firewall dialog, right-click Inbound Rules and click New Rule....
- In the New Inbound Rule Wizard, choose the Custom option for the Rule Type and click Next.
- On the page to select the Program, choose All Programs and click Next.
On the Protocol and Ports page, enter the following information and click Next:
- for Protocol type choose TCP
- for Local port choose Specific Ports, in the field below specify the
<Proxy Port>that has been configured.
for Remote port select All Ports
For the rest of the wizard, click all the way to the end and give this rule a name.
Step 3. Add an exception rule to the NSG:
In an Azure PowerShell command prompt, enter the following command:
The following command adds an exception to the NSG. This exception allows TCP traffic from any port on 10.0.0.5 to any Internet address on port 80 (HTTP) or 443 (HTTPS). If you require a specific port in the public Internet, be sure to add that port to the
-DestinationPortRange as well.
Get-AzureNetworkSecurityGroup -Name "NSG-lockdown" | Set-AzureNetworkSecurityRule -Name "allow-proxy " -Action Allow -Protocol TCP -Type Outbound -Priority 200 -SourceAddressPrefix "10.0.0.5/32" -SourcePortRange "*" -DestinationAddressPrefix Internet -DestinationPortRange "80-443"
Ensure that you replace the names in the example with the details appropriate to your deployment.
Before you can back up the Azure virtual machine, you should ensure that the Azure VM agent is correctly installed on the virtual machine. Since the VM agent is an optional component at the time that the virtual machine is created, ensure that the check box for the VM agent is selected before the virtual machine is provisioned.
Manual installation and update
The VM agent is already present in VMs that are created from the Azure gallery. However, virtual machines that are migrated from on-premises datacenters would not have the VM agent installed. For such VMs, the VM agent needs to be installed explicitly. Read more about installing the VM agent on an existing VM.
|Installing the VM agent|
|Updating the VM agent||Updating the VM agent is as simple as reinstalling the VM agent binaries.
Ensure that no backup operation is running while the VM agent is being updated.
|Follow the instructions on updating the Linux VM agent .
Ensure that no backup operation is running while the VM agent is being updated.
|Validating the VM agent installation||N/A|
To back up the virtual machine, the Azure Backup service installs an extension to the VM agent. The Azure Backup service seamlessly upgrades and patches the backup extension without additional user intervention.
The backup extension is installed if the VM is running. A running VM also provides the greatest chance of getting an application-consistent recovery point. However, the Azure Backup service will continue to back up the VM--even if it is turned off, and the extension could not be installed (aka Offline VM). In this case, the recovery point will be crash consistent as discussed above.
If you have questions, or if there is any feature that you would like to see included, send us feedback.
Now that you have prepared your environment for backing up your VM, your next logical step is to create a backup. The planning article provides more detailed information about backing up VMs.