Quickstart: Configure vaulted backup for Azure Blobs using Azure Backup via Azure CLI

This quickstart describes how to configure vaulted backup for Azure Blobs using Azure CLI.

Azure Backup now allows you to configure both operational and vaulted backups to protect block blobs in your storage accounts.

Vaulted backup of blobs is a managed offsite backup solution that stores the backup data in a general-purpose v2 storage account, enabling you to protect your backup data against ransomware attacks or source data loss caused by a malicious or rogue admin.

With vaulted backup, you can:

  • Define the backup schedule to create recovery points and the retention settings that determine how long the backups will be retained in the vault.
  • Configure and manage the vaulted and operational backups using a single backup policy.
  • Copy and store the backup data in the Backup vault, thus providing an offsite copy of data that can be retained for a maximum of 10 years.

Prerequisites

Before you configure blob vaulted backup, ensure that:

  • You review the support matrix to learn about the Azure Blob region availability, supported scenarios, and limitations.
  • You have a Backup vault to configure Azure Blob backup. If you haven't created the Backup vault, create one.

Create a backup policy

To create a backup policy for blob vaulted backup, run the following commands:

  1. To understand the inner components of a Backup policy for Azure Blobs backup, retrieve the policy template using the az dataprotection backup-policy get-default-policy-template command.

    This command returns a default policy template for a given datasource type. Use this policy template to create a new policy.

  2. Once you have saved the policy JSON with all the required values, proceed to create a new policy from the policy object using the az dataprotection backup-policy create command.

    az dataprotection backup-policy create -g testBkpVaultRG --vault-name TestBkpVault -n BlobBackup-Policy --policy policy.json


    The following JSON (saved as policy.json for the command above) configures a policy with 30 days of retention for operational backup and 30 days of default retention for vaulted backup. The vaulted backup is scheduled daily at 7:30 UTC.

    {
      "datasourceTypes": [
        "Microsoft.Storage/storageAccounts/blobServices"
      ],
      "name": "BlobPolicy1",
      "objectType": "BackupPolicy",
      "policyRules": [
        {
          "isDefault": true,
          "lifecycles": [
            {
              "deleteAfter": {
                "duration": "P30D",
                "objectType": "AbsoluteDeleteOption"
              },
              "sourceDataStore": {
                "dataStoreType": "OperationalStore",
                "objectType": "DataStoreInfoBase"
              },
              "targetDataStoreCopySettings": []
            }
          ],
          "name": "Default",
          "objectType": "AzureRetentionRule"
        },
        {
          "isDefault": true,
          "lifecycles": [
            {
              "deleteAfter": {
                "duration": "P30D",
                "objectType": "AbsoluteDeleteOption"
              },
              "sourceDataStore": {
                "dataStoreType": "VaultStore",
                "objectType": "DataStoreInfoBase"
              },
              "targetDataStoreCopySettings": []
            }
          ],
          "name": "Default",
          "objectType": "AzureRetentionRule"
        },
        {
          "backupParameters": {
            "backupType": "Discrete",
            "objectType": "AzureBackupParams"
          },
          "dataStore": {
            "dataStoreType": "VaultStore",
            "objectType": "DataStoreInfoBase"
          },
          "name": "BackupDaily",
          "objectType": "AzureBackupRule",
          "trigger": {
            "objectType": "ScheduleBasedTriggerContext",
            "schedule": {
              "repeatingTimeIntervals": [
                "R/2023-06-28T07:30:00+00:00/P1D"
              ],
              "timeZone": "UTC"
            },
            "taggingCriteria": [
              {
                "isDefault": true,
                "tagInfo": {
                  "id": "Default_",
                  "tagName": "Default"
                },
                "taggingPriority": 93
              }
            ]
          }
        }
      ]
    }
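
As an added example (not code from the original page or from the Azure CLI), the following Python builds a policy object in the shape shown above from a few parameters and checks it before it is submitted with az dataprotection backup-policy create. The check that a VaultStore backup rule and VaultStore retention exist, and that retention does not exceed the 10-year maximum, is our own pre-flight check, not an Azure validation rule; the day count for ISO 8601 durations is an approximation.

```python
import re

DATASOURCE = "Microsoft.Storage/storageAccounts/blobServices"
MAX_VAULT_DAYS = 10 * 365  # page: vaulted copies can be retained for at most 10 years

def duration_days(iso):
    """Approximate day count for an ISO 8601 duration such as P30D, P2W or P10Y."""
    m = re.fullmatch(r"P(?:(\d+)Y)?(?:(\d+)M)?(?:(\d+)W)?(?:(\d+)D)?", iso)
    if not m or not any(m.groups()):
        raise ValueError(f"unsupported duration: {iso}")
    y, mo, w, d = (int(g or 0) for g in m.groups())
    return y * 365 + mo * 30 + w * 7 + d

def retention_rule(store, iso_duration):
    """AzureRetentionRule that keeps recovery points in `store` for `iso_duration`."""
    return {"isDefault": True, "name": "Default", "objectType": "AzureRetentionRule",
            "lifecycles": [{"deleteAfter": {"duration": iso_duration, "objectType": "AbsoluteDeleteOption"},
                            "sourceDataStore": {"dataStoreType": store, "objectType": "DataStoreInfoBase"},
                            "targetDataStoreCopySettings": []}]}

def build_policy(name, operational="P30D", vaulted="P30D", first_run="2023-06-28T07:30:00"):
    """Policy in the shape shown on this page: operational + vaulted retention, daily vaulted backup."""
    return {"datasourceTypes": [DATASOURCE], "name": name, "objectType": "BackupPolicy",
            "policyRules": [retention_rule("OperationalStore", operational), retention_rule("VaultStore", vaulted),
                {"backupParameters": {"backupType": "Discrete", "objectType": "AzureBackupParams"},
                 "dataStore": {"dataStoreType": "VaultStore", "objectType": "DataStoreInfoBase"},
                 "name": "BackupDaily", "objectType": "AzureBackupRule",
                 "trigger": {"objectType": "ScheduleBasedTriggerContext",
                             "schedule": {"repeatingTimeIntervals": [f"R/{first_run}+00:00/P1D"], "timeZone": "UTC"},
                             "taggingCriteria": [{"isDefault": True, "tagInfo": {"id": "Default_", "tagName": "Default"},
                                                  "taggingPriority": 93}]}}]}

def check_policy(policy):
    """Our own pre-flight findings (not an Azure rule): an operational-only policy leaves no
    offsite copy, so insist on a VaultStore backup rule and VaultStore retention within 10 years."""
    findings = []
    rules = policy.get("policyRules", [])
    if not any(r.get("objectType") == "AzureBackupRule" and r["dataStore"]["dataStoreType"] == "VaultStore" for r in rules):
        findings.append("no AzureBackupRule writes to VaultStore: backups stay operational-only")
    vault_lc = [lc for r in rules if r.get("objectType") == "AzureRetentionRule"
                for lc in r["lifecycles"] if lc["sourceDataStore"]["dataStoreType"] == "VaultStore"]
    if not vault_lc:
        findings.append("no retention lifecycle for VaultStore")
    for lc in vault_lc:
        if duration_days(lc["deleteAfter"]["duration"]) > MAX_VAULT_DAYS:
            findings.append(f"vault retention {lc['deleteAfter']['duration']} exceeds 10 years")
    return findings
```

Write the result of build_policy to policy.json with json.dump only when check_policy returns an empty list.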
    
    

Configure backup

Once the vault and policy are created, there are two critical points that you need to consider to protect all the Azure Blobs within a storage account.

  • Key entities
  • Permissions

Key entities

  • Storage account containing the blobs to be protected: Fetch the Azure Resource Manager ID of the storage account that contains the blobs to be protected. This ID serves as the identifier of the storage account. This quickstart uses a storage account named CLITestSA in the resource group blobrg, located in the Southeast Asia region and in a different subscription.

    "/subscriptions/xxxxxxxx-xxxx-xxxx-xxxx/resourcegroups/blobrg/providers/Microsoft.Storage/storageAccounts/CLITestSA"
    
  • Backup vault: The Backup vault requires permissions on the storage account to enable backups on blobs present within the storage account. The system-assigned managed identity of the vault is used for assigning such permissions.

Assign permissions

You need to assign a few permissions via Azure RBAC to the created vault (represented by the vault's system-assigned managed identity, MSI) on the relevant storage account. These assignments can be performed via the Portal or PowerShell. Learn more about all the related permissions.

Prepare the request to configure blob backup

Once all the relevant permissions are set, configure the blob backup by running the following commands:

  1. Prepare the request, referencing the vault, policy, and storage account, using the az dataprotection backup-instance initialize command.

    az dataprotection backup-instance initialize --datasource-type AzureBlob -l southeastasia --policy-id "/subscriptions/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx/resourceGroups/testBkpVaultRG/providers/Microsoft.DataProtection/backupVaults/TestBkpVault/backupPolicies/BlobBackup-Policy" --datasource-id "/subscriptions/xxxxxxxx-xxxx-xxxx-xxxx/resourcegroups/blobrg/providers/Microsoft.Storage/storageAccounts/CLITestSA" > backup_instance.json
    
  2. Submit the request using the az dataprotection backup-instance create command.

    az dataprotection backup-instance create -g testBkpVaultRG --vault-name TestBkpVault --backup-instance backup_instance.json

    {
      "id": "/subscriptions/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxx/resourceGroups/testBkpVaultRG/providers/Microsoft.DataProtection/backupVaults/TestBkpVault/backupInstances/CLITestSA-CLITestSA-c3a2a98c-def8-44db-bd1d-ff6bc86ed036",
      "name": "CLITestSA-CLITestSA-c3a2a98c-def8-44db-bd1d-ff6bc86ed036",
      "properties": {
        "currentProtectionState": "ProtectionConfigured",
        "dataSourceInfo": {
          "datasourceType": "Microsoft.Storage/storageAccounts/blobServices",
          "objectType": "Datasource",
          "resourceId": "/subscriptions/xxxxxxxx-xxxx-xxxx-xxxx/resourcegroups/blobrg/providers/Microsoft.Storage/storageAccounts/CLITestSA",
          "resourceLocation": "southeastasia",
          "resourceName": "CLITestSA",
          "resourceType": "Microsoft.Storage/storageAccounts",
          "resourceUri": "/subscriptions/xxxxxxxx-xxxx-xxxx-xxxx/resourcegroups/blobrg/providers/Microsoft.Storage/storageAccounts/CLITestSA"
        },
        "dataSourceSetInfo": null,
        "friendlyName": "CLITestSA",
        "objectType": "BackupInstance",
        "policyInfo": {
          "policyId": "/subscriptions/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx/resourceGroups/testBkpVaultRG/providers/Microsoft.DataProtection/backupVaults/TestBkpVault/backupPolicies/BlobBackup-Policy",
          "policyParameters": {
            "dataStoreParametersList": [
              {
                "dataStoreType": "OperationalStore",
                "objectType": "AzureOperationalStoreParameters",
                "resourceGroupId": ""
              }
            ]
          },
          "policyVersion": ""
        },
        "protectionErrorDetails": null,
        "protectionStatus": {
          "errorDetails": null,
          "status": "ProtectionConfigured"
        },
        "provisioningState": "Succeeded"
      },
      "resourceGroup": "testBkpVaultRG",
      "systemData": null,
      "type": "Microsoft.DataProtection/backupVaults/backupInstances"
    }


Important

Once a storage account is configured for blob backup, a few capabilities, such as change feed and delete lock, are affected. Learn more.

Next step

Restore Azure Blobs using Azure CLI.