基础结构备份服务最佳做法-模块化数据中心 (MDC) Infrastructure Backup Service best practices - Modular Data Center (MDC)

适用于:模块化数据中心、Azure Stack 中心耐用Applies to: Modular Data Center, Azure Stack Hub ruggedized

定期查看这些最佳实践,验证在对操作流进行更改时你的安装是否仍符合要求。Review these best practices regularly to verify that your installation is still in compliance when changes are made to the operation flow. 如果在实施这些最佳实践时遇到任何问题,请联系 Microsoft 支持部门以获得帮助。If you encounter any issues while implementing these best practices, contact Microsoft Support for help.

配置最佳实践Configuration best practices

默认情况下,在部署新系统的过程中会启用基础结构备份,并在内部存储。Infrastructure backup is enabled by default during deployment of a new system and stored internally. 使用 Azure Stack 门户或 PowerShell,你可以提供用于将备份导出到辅助位置的外部存储位置。Using the Azure Stack portal or PowerShell, you can provide an external storage location to export the backups to a secondary location.

网络Networking

路径的通用命名约定 (UNC) 字符串必须使用完全限定的域名 (FQDN)。The Universal Naming Convention (UNC) string for the path must use a fully qualified domain name (FQDN). 如果名称解析不可行,可以使用 IP 地址 ' 。IP address can be used if name resolution isn't possible. UNC 字符串指定资源(例如共享文件或设备)的位置。A UNC string specifies the location of resources such as shared files or devices.

EncryptionEncryption

加密证书用来对导出到外部存储的备份数据进行加密。The encryption certificate is used to encrypt backup data that gets exported to external storage. 证书可以是自签名证书,因为证书仅用于传输密钥。The certificate can be a self-signed certificate since the certificate is only used to transport keys. 有关如何创建证书的更多信息,请参阅 New-SelfSignedCertificate。Refer to New-SelfSignedCertificate for more info on how to create a certificate.

此证书必须存储在安全的位置。The certificate must be stored in a secure location. 证书的 CER 格式仅用于加密数据,而不用于建立通信。The CER format of the certificate is used to encrypt data only and not used to establish communication.

操作最佳实践Operational best practices

备份Backups

  • 备份作业在系统运行时执行,因此不会导致 ' 管理体验或用户应用停机。Backup jobs execute while the system is running so there's no downtime to the management experiences or user apps. 对于合理负载下的解决方案,备份作业预计需要20-40 分钟 ' 。Expect the backup jobs to take 20-40 minutes for a solution that's under reasonable load.

  • 为了手动备份网络交换机和硬件生命周期主机而提供的其他说明 (HLH) 。Additional instructions provided to manually back up network switches and the hardware lifecycle host (HLH).

文件夹名称Folder names

  • 基础结构会自动创建 MASBACKUP 文件夹。Infrastructure creates MASBACKUP folder automatically. 这是由 Microsoft 管理的一个共享。This is a Microsoft-managed share. 你可以在与 MASBACKUP 相同的级别创建共享。You can create shares at the same level as MASBACKUP. '不建议在 Azure Stack 不创建的 MASBACKUP 中创建文件夹或存储数据 ' 。It's not recommended to create folders or storage data inside of MASBACKUP that Azure Stack doesn't create.

  • 在文件夹名称中使用 FQDN 和区域来区分来自不同云的备份数据。User FQDN and region in your folder name to differentiate backup data from different clouds. Azure Stack 部署和终结点的 FQDN 是区域参数和外部域名参数的组合。The FQDN of your Azure Stack deployment and endpoints is the combination of the Region parameter and the External Domain Name parameter. 有关详细信息,请参阅 Azure Stack 数据中心集成 - DNSFor more info, see Azure Stack datacenter integration - DNS.

例如,备份共享是 fileserver01.contoso.com 上托管的 AzSBackups。For example, the backup share is AzSBackups hosted on fileserver01.contoso.com. 在该文件共享中,每个 Azure Stack 部署可能有一个使用外部域名的文件夹和一个使用区域名称的子文件夹。In that file share there may be a folder per Azure Stack deployment using the external domain name and a subfolder that uses the region name.

  • FQDN:contoso.comFQDN: contoso.com
  • 区域:nycRegion: nyc
\\fileserver01.contoso.com\AzSBackups
\\fileserver01.contoso.com\AzSBackups\contoso.com
\\fileserver01.contoso.com\AzSBackups\contoso.com\nyc
\\fileserver01.contoso.com\AzSBackups\contoso.com\nyc\MASBackup

MASBackup文件夹是 Azure Stack 存储其备份数据的位置。The MASBackup folder is where Azure Stack stores its backup data. 不要使用此文件夹来存储你自己的数据。Don't use this folder to store your own data. Oem 也不应使用此文件夹存储任何备份数据。OEMs should also not use this folder to store any backup data.

建议 OEM 将其组件的备份数据存储在区域文件夹下。OEMs are encouraged to store backup data for their components under the region folder. 每台网络交换机、硬件生命周期主机 (HLH) 等等可以存储在其自己的子文件夹中。Each network switch, hardware lifecycle host (HLH), and so on, may be stored in its own subfolder. 例如:For example:

\\fileserver01.contoso.com\AzSBackups\contoso.com\nyc\HLH
\\fileserver01.contoso.com\AzSBackups\contoso.com\nyc\Switches
\\fileserver01.contoso.com\AzSBackups\contoso.com\nyc\DeploymentData
\\fileserver01.contoso.com\AzSBackups\contoso.com\nyc\Registration

监视Monitoring

系统支持以下警报:The following alerts are supported by the system:

警报Alert 说明Description 补救Remediation
备份由于文件共享中的容量不足而失败。Backup failed because the file share is out of capacity. 文件共享中的容量不足,并且备份控制器无法将备份文件导出到此位置。File share is out of capacity and backup controller can't export backup files to the location. 增加更多存储容量并重试备份。Add more storage capacity and try back up again. 删除现有的备份(从最旧的备份开始)以释放空间。Delete existing backups (starting from oldest first) to free up space.
备份由于连接问题而失败。Backup failed due to connectivity problems. Azure Stack 与文件共享之间的网络出现了问题。Network between Azure Stack and the file share is experiencing issues. 解决网络问题,然后重试备份。Address the network issue and try backup again.
备份由于路径中的错误而失败。Backup failed due to a fault in the path. 无法解析文件共享路径。The file share path can't be resolved. 从另一台计算机映射共享,以确保共享可供访问。Map the share from a different computer to ensure the share is accessible. 如果路径不再有效,可能需要更新路径。You may need to update the path if it's no longer valid.
备份由于身份验证问题而失败。Backup failed due to authentication issue. 可能存在影响身份验证的凭据问题或网络问题。There might be an issue with the credentials or a network issue that impacts authentication. 从另一台计算机映射共享,以确保共享可供访问。Map the share from a different computer to ensure the share is accessible. 如果凭据不再有效,可能需要更新凭据。You may need to update credentials if they're no longer valid.
备份由于一般错误而失败。Backup failed due to a general fault. 请求失败可能是由间歇性问题导致的。The failed request could be due to an intermittent issue. 重试备份。Try to back up again. 致电支持人员。Call support.

基础结构备份服务组件Infrastructure Backup Service components

基础结构备份服务包含以下组件:The Infrastructure Backup Service includes the following components:

  • 基础结构备份控制器:基础结构备份控制器的实例化,并驻留在每个 Azure Stack 云中。Infrastructure Backup Controller: The Infrastructure Backup Controller is instantiated with and resides in every Azure Stack cloud.

  • 备份资源提供程序:备份资源提供程序 (备份 RP) 由用户界面和 api 公开 Azure Stack 基础结构的基本备份功能组成。Backup Resource Provider: The Backup Resource Provider (Backup RP) is composed of the user interface and APIs exposing basic backup functionality for the Azure Stack infrastructure.

基础结构备份控制器Infrastructure Backup Controller

基础结构备份控制器是为 Azure Stack 云实例化的一项 Service Fabric 服务。The Infrastructure Backup Controller is a Service Fabric service that gets instantiated for an Azure Stack Cloud. 备份资源在区域级别创建,从 AD、CA、Azure 资源管理器、CRP、SRP、NRP、Key Vault 和 RBAC 捕获区域特定的服务数据。Backup resources are created at a regional level and capture region-specific service data from AD, CA, Azure Resource Manager, CRP, SRP, NRP, Key Vault, and RBAC.

备份资源提供程序Backup Resource Provider

备份资源提供程序在 Azure Stack 门户中提供了用于进行基本配置并列出备份资源的用户界面。The Backup Resource Provider presents a user interface in the Azure Stack portal for basic configuration and listing of backup resources. 操作员可以在用户界面中执行以下操作:Operators can do the following actions in the user interface:

  • 通过提供外部存储位置、凭据和加密密钥首次启用备份。Enable backup for the first time by providing external storage location, credentials, and encryption key.
  • 查看已完成创建的备份资源和正在创建的资源。View completed created backup resources and status resources under creation.
  • 修改备份控制器在其中放置备份数据的存储位置。Modify the storage location where Backup Controller places backup data.
  • 修改备份控制器用来访问外部存储位置的凭据。Modify the credentials that Backup Controller uses to access external storage location.
  • 修改备份控制器用来加密备份的加密证书。Modify the encryption certificate that Backup Controller uses to encrypt backups.

备份控制器要求Backup Controller requirements

本部分介绍基础结构备份服务的重要要求。This section describes important requirements for the Infrastructure Backup Service. 建议你在为 Azure Stack 实例启用备份之前仔细查看此信息,然后在部署和后续操作过程中根据需要返回该信息。We recommend that you review the info carefully before you enable backup for your Azure Stack instance, and then refer back to it as necessary during deployment and subsequent operation.

这些要求包括:The requirements include:

  • 软件要求:介绍支持的存储位置和大小调整指南。Software requirements: Describes supported storage locations and sizing guidance.
  • 网络要求:描述不同存储位置的网络要求。Network requirements: Describes network requirements for different storage locations.

软件要求Software requirements

支持的存储位置Supported storage locations

存储位置Storage location 详细信息Details
在可信网络环境中的存储设备上托管的 SMB 文件共享。SMB file share hosted on a storage device within the trusted network environment. 位于部署了 Azure Stack 的数据中心内或位于其他数据中心内的 SMB 共享。SMB share in the same datacenter where Azure Stack is deployed or in a different datacenter. 多个 Azure Stack 实例可以使用同一个文件共享。Multiple Azure Stack instances can use the same file share.
Azure 上的 SMB 文件共享。SMB file share on Azure. 目前不支持。Not currently supported.
Azure 上的 Blob 存储。Blob storage on Azure. 目前不支持。Not currently supported.

支持的 SMB 版本Supported SMB versions

SMBSMB 版本Version
SMBSMB 3.x3.x

SMB 加密SMB encryption

基础结构备份服务支持将备份数据传输到在服务器端启用了 SMB 加密的外部存储位置。The Infrastructure Backup Service supports transferring backup data to an external storage location with SMB encryption enabled on the server side. 如果服务器不支持 SMB 加密或未启用该功能,则基础结构备份服务将回退到未加密的数据传输。If the server doesn't support SMB Encryption or doesn't have the feature enabled, the Infrastructure Backup Service falls back to unencrypted data transfer. 放置在外部存储位置上的备份数据始终是加密的,并且不依赖于 SMB 加密。Backup data placed on the external storage location is always encrypted at rest and is not dependent on SMB encryption.

存储位置大小调整Storage location sizing

建议一天至少备份两次,并保留最多7天的备份。We recommend you back up at least twice a day, and keep at most seven days of backups. 在 Azure Stack 上启用基础结构备份时,这是默认行为。This is the default behavior when you enable infrastructure backups on Azure Stack.

环境规模Environment Scale 预计的备份大小Projected size of backup 所需的空间总量Total amount of space required
4-16 个节点4-16 nodes 20 GB20 GB 280 GB280 GB

网络要求Network requirements

存储位置Storage location 详细信息Details
在可信网络环境中的存储设备上托管的 SMB 文件共享。SMB file share hosted on a storage device within the trusted network environment. 如果 Azure Stack 实例驻留在具有防火墙的环境中,则端口 445 是必需的。Port 445 is required if the Azure Stack instance resides in a firewalled environment. 基础结构备份控制器将通过端口 445 启动到 SMB 文件服务器的连接。Infrastructure Backup Controller will initiate a connection to the SMB file server over port 445.
若要使用文件服务器的 FQDN,该名称必须可从 PEP 解析。To use the FQDN of the file server, the name must be resolvable from the PEP.

备注

无需打开任何入站端口。No inbound ports need to be opened.

加密要求Encryption requirements

基础结构备份服务使用带有公钥 ( 的证书。CER) 对备份数据进行加密。The Infrastructure Backup Service uses a certificate with a public key (.CER) to encrypt backup data. 该证书用于传输密钥,而不会用于建立经过身份验证的安全通信。The certificate is used for transport of keys and is not used to establish secure authenticated communication. 出于此原因,该证书可以是自签名证书。For this reason, the certificate can be a self-signed certificate. Azure Stack 无需验证此证书的根或信任,因此不需要外部 internet 访问。Azure Stack doesn't need to verify root or trust for this certificate, so external internet access is not required.

自签名证书有两个部分,一个部分包含公钥,另一个部分包含私钥:The self-signed certificate comes in two parts, one with the public key and one with the private key:

  • 加密备份数据:包含公钥的证书(导出到 .CER 文件)用于加密备份数据。Encrypt backup data: Certificate with the public key (exported to .CER file) is used to encrypt backup data.
  • 解密备份数据:包含私钥的证书(导出到 .PFX 文件)用于解密备份数据。Decrypt backup data: Certificate with the private key (exported to .PFX file) is used to decrypt backup data.

内部机密轮换不会管理包含公钥的证书 (.CER)。The certificate with the public key (.CER) is not managed by internal secret rotation. 若要轮替证书,必须创建新的自签名证书,并使用新文件 ( 更新备份设置。CER) 。To rotate the certificate, you must create a new self-signed certificate and update backup settings with the new file (.CER).

所有现有备份将使用以前的公钥保持加密状态。All existing backups remain encrypted using the previous public key. 新备份将使用新的公钥。New backups use the new public key.

出于安全原因,在云恢复过程中使用私钥 ( 的证书。Azure Stack 不会保留 PFX) 。For security reasons, the certificate used during cloud recovery with the private key (.PFX) is not persisted by Azure Stack.

基础结构备份限制Infrastructure Backup limits

在规划、部署和操作 Microsoft Azure Stack 实例时,请考虑这些限制。Consider these limits as you plan, deploy, and operate your Microsoft Azure Stack instances. 下表介绍了这些限制。The following table describes these limits.

限制标识符Limit identifier 限制Limit 注释Comments
备份类型Backup type 仅限完整Full only 基础结构备份控制器仅支持完整备份。Infrastructure Backup Controller only supports full backups. 不支持增量备份。Incremental backups are not supported.
计划的备份Scheduled backups 计划和手动Scheduled and manual 备份控制器支持计划备份和按需备份。Backup controller supports scheduled and on-demand backups.
最大并发备份作业数Maximum concurrent backup jobs 11 备份控制器的每个实例仅支持一个活动备份作业。Only one active backup job is supported per instance of Backup Controller.
网络交换机配置Network switch configuration 不在范围内Not in scope 管理员必须使用 OEM 工具备份网络交换机配置。Admin must back up network switch configuration using OEM tools. 请参阅每个 OEM 供应商提供的 Azure Stack 文档。Refer to documentation for Azure Stack provided by each OEM vendor.
硬件生命周期主机Hardware Lifecycle Host 不在范围内Not in scope 管理员必须使用 OEM 工具备份硬件生命周期主机。Admin must back up Hardware Lifecycle Host using OEM tools. 请参阅每个 OEM 供应商提供的 Azure Stack 文档。Refer to documentation for Azure Stack provided by each OEM vendor.
最大文件共享数Maximum number of file shares 11 只能使用一个文件共享来存储备份数据。Only one file share can be used to store backup data.
备份值-添加资源提供程序Backup value-add resource providers 范围内 In scope 基础结构备份包括事件中心 RP、IoT 中心 RP、Data Box Edge RP 的备份。Infrastructure backup includes backup for Event Hubs RP, IoT Hub RP, Data Box Edge RP.

后续步骤Next steps