Back up an encrypted Azure virtual machine with PowerShell
This script creates a Recovery Services vault with geo-redundant storage (GRS) for an encrypted Azure virtual machine. The default protection policy is applied to the vault. The policy generates a daily backup for the virtual machine, and retains each backup for 365 days. The script also triggers the initial recovery point for the virtual machine and retains that recovery point for 30 days.
This sample requires Azure PowerShell Az 1.0 or later. Run Get-Module -ListAvailable Az to see which versions are installed.
If you need to install, see Install Azure PowerShell module.
Run Connect-AzAccount to sign in to Azure.
If you don't have an Azure subscription, create an Azure free account before you begin.
Sample script
Note
We recommend that you use the Azure Az PowerShell module to interact with Azure. See Install Azure PowerShell to get started. To learn how to migrate to the Az PowerShell module, see Migrate Azure PowerShell from AzureRM to Az.
# Edit these global variables with your unique Recovery Services Vault name, resource group name and location
$rsVaultName = "myRsVault"
$rgName = "myResourceGroup"
$location = "East US"
# Register the Recovery Services provider and create a resource group
Register-AzResourceProvider -ProviderNamespace "Microsoft.RecoveryServices"
New-AzResourceGroup -Location $location -Name $rgName
# Create a Recovery Services Vault and set its storage redundancy type
New-AzRecoveryServicesVault `
-Name $rsVaultName `
-ResourceGroupName $rgName `
-Location $location
$vault1 = Get-AzRecoveryServicesVault –Name $rsVaultName
Set-AzRecoveryServicesProperties `
-Vault $vault1 `
-BackupStorageRedundancy GeoRedundant
# Set Recovery Services Vault context and create protection policy
Get-AzRecoveryServicesVault -Name $rsVaultName | Set-AzRecoveryServicesVaultContext
$schPol = Get-AzRecoveryServicesSchedulePolicyObject -WorkloadType "AzureVM"
$retPol = Get-AzRecoveryServicesRetentionPolicyObject -WorkloadType "AzureVM"
New-AzRecoveryServicesProtectionPolicy `
-Name "NewPolicy" `
-WorkloadType "AzureVM" `
-RetentionPolicy $retPol `
-SchedulePolicy $schPol
# Provide permissions to Azure Backup to access key vault and enable backup on the VM
Set-AzKeyVaultAccessPolicy `
-VaultName "KeyVaultName" `
-ResourceGroupName "KyeVault-RGName" `
-PermissionsToKeys backup,get,list `
-PermissionsToSecrets backup,get,list `
-ServicePrincipalName 262044b1-e2ce-469f-a196-69ab7ada62d3
$pol = Get-AzRecoveryServicesProtectionPolicy -Name "NewPolicy" `
Enable-AzRecoveryServicesProtection `
-Policy $pol `
-Name "myVM" `
-ResourceGroupName "VM-RGName"
# Modify protection policy
$retPol = Get-AzRecoveryServicesRetentionPolicyObject -WorkloadType "AzureVM"
$retPol.DailySchedule.DurationCountInDays = 365
$pol = Get-AzRecoveryServicesProtectionPolicy -Name "NewPolicy"
Set-AzRecoveryServicesProtectionPolicy `
-Policy $pol `
-RetentionPolicy $RetPol
# Trigger a backup and monitor backup job
$namedContainer = Get-AzRecoveryServicesContainer -ContainerType "AzureVM" -Status "Registered" -FriendlyName "myVM"
$item = Get-AzRecoveryServicesBackupItem -Container $namedContainer -WorkloadType "AzureVM"
$job = Backup-AzRecoveryServicesBackupItem -Item $item
$joblist = Get-AzRecoveryServicesJob -Status "InProgress"
Wait-AzRecoveryServicesJob `
-Job $joblist[0] `
-Timeout 43200
Clean up deployment
Run the following command to remove the resource group, VM, and all related resources.
Remove-AzResourceGroup -Name myResourceGroup
Script explanation
This script uses the following commands to create the deployment. Each item in the table links to command specific documentation.
| Command | Notes |
|---|---|
| New-AzResourceGroup | Creates a resource group in which all resources are stored. |
| New-AzRecoveryServicesVault | Creates a Recovery Services vault to store backups. |
| Set-AzRecoveryServicesBackupProperty | Sets backup storage properties on Recovery Services vault. |
| New-AzRecoveryServicesBackupProtectionPolicy | Creates protection policy using schedule policy and retention policy in Recovery Services vault. |
| Set-AzKeyVaultAccessPolicy | Sets permissions on the Key Vault to grant the service principal access to encryption keys. |
| Enable-AzRecoveryServicesBackupProtection | Enables backup for an item with a specified Backup protection policy. |
| Set-AzRecoveryServicesBackupProtectionPolicy | Modifies an existing Backup protection policy. |
| Backup-AzRecoveryServicesBackupItem | Starts a backup for a protected Azure Backup item that isn't tied to the backup schedule. |
| Wait-AzRecoveryServicesBackupJob | Waits for an Azure Backup job to finish. |
| Remove-AzResourceGroup | Removes a resource group and all resources contained within. |
Next steps
For more information on the Azure PowerShell module, see Azure PowerShell documentation.
Feedback
Coming soon: Throughout 2024 we will be phasing out GitHub Issues as the feedback mechanism for content and replacing it with a new feedback system. For more information see: https://aka.ms/ContentUserFeedback.
Submit and view feedback for