In this article, you'll learn to perform backup of an Azure Managed CCF (Managed CCF) resource and restore it to create a copy of the original Managed CCF resource. Here are some of the use cases that warrant this capability:
- A Managed CCF resource is, at its core, an append-only ledger. It is impossible to delete a few erroneous transactions without impacting the integrity of the ledger. To keep the data clean, a business could decide to recreate the resource without the erroneous transactions.
- A developer could add reference data into a Managed CCF resource and create a backup of it. The developer can use the copy later to create a fresh Managed CCF resource and save time.
This article uses the commands found at the Managed CCF's REST API Docs.
Prerequisites
- Install the Azure CLI.
- An Azure Storage Account.
Setup
Generate an access token
An access token is required to use the Managed CCF REST API. Execute the following command to generate an access token.
Note
An access token has a finite lifetime after which it is unusable. Generate a new token if the API request fails with an HTTP 401 Unauthorized error.
az account get-access-token --subscription <subscription_id>
Generate a Shared Access Signature token
The backup is stored in an Azure Storage Fileshare that is owned and controlled by you. The backup and restore API requests require a Shared Access Signature token to grant temporary read and write access to the Fileshare. Follow these steps:
Note
A Shared Access Signature (SAS) token has a finite lifetime after which it is unusable. We recommend using short-lived tokens to limit the risk of a leaked token being misused.
Navigate to the Azure Storage Account where the backups will be stored.
Navigate to the Security + networking -> Shared access signature blade.
Generate a SAS token with the following configuration:
Save the File service SAS URL.
Backup
Create a backup
Creating a backup of the Managed CCF resource creates a Fileshare in the storage account. This backup can be used to restore the Managed CCF resource at a later time.
Follow these steps to perform a backup.
- Generate and save a bearer token for the subscription that your Managed CCF resource is located in.
- Generate a SAS token for the Storage Account to store the backup.
- Execute the following command to trigger a backup. You must supply a few parameters:
- subscription_id: The subscription where the Managed CCF resource is deployed.
- resource_group: The resource group name of the Managed CCF resource.
- app_name: The name of the Managed CCF resource.
- sas_token: The Shared Access Signature token.
- restore_region: An optional parameter to indicate a region where the backup would be restored. It can be ignored if you expect to restore the backup in the same region as the Managed CCF resource.
curl --request POST 'https://management.azure.com/subscriptions/<subscription_id>/resourceGroups/<resource_group>/providers/Microsoft.ConfidentialLedger/ManagedCCFs/<app_name>/backup?api-version=2023-06-28-preview' \
  --header 'Authorization: Bearer <bearer_token>' \
  --header 'Content-Type: application/json' \
  --data-raw '{ "uri": "<sas_token>", "restoreRegion": "<restore_region>" }'
- A Fileshare is created in the Azure Storage Account with the name <mccf_app_name>-<timestamp>.
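The SAS and backup steps above, as an added example (not Microsoft's code): a pre-flight check in Python that inspects the File service SAS URL before it is placed in the backup request body. The function names, the two-hour lifetime limit, the sample URL and the choice to omit `restoreRegion` when it is not set are assumptions made for illustration; `ss`, `sp`, `spr` and `se` are the standard account SAS query fields.

```python
import json
from datetime import datetime, timedelta, timezone
from urllib.parse import parse_qs, urlsplit

MAX_LIFETIME = timedelta(hours=2)  # assumption: local policy, not a service limit
# Constructed sample: account name and signature are placeholders.
SAMPLE = ("https://examplestore.file.core.windows.net/?sv=2022-11-02&ss=f&srt=sco"
          "&sp=rwdlc&se=2024-05-01T13%3A00%3A00Z&spr=https&sig=CONSTRUCTED")


def parse_expiry(value):
    """Parse the SAS 'se' field (full UTC timestamp form); None if absent or malformed."""
    try:
        return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    except ValueError:
        return None


def check_sas_url(sas_url, now, max_lifetime=MAX_LIFETIME):
    """Return a list of problems with a File service SAS URL; empty means OK."""
    parts = urlsplit(sas_url)
    q = {k: v[-1] for k, v in parse_qs(parts.query).items()}
    problems = []
    if parts.scheme != "https":
        problems.append("URL scheme is not https")
    if "f" not in q.get("ss", ""):
        problems.append("File service (ss=f) not granted")
    missing = sorted(set("rw") - set(q.get("sp", "")))
    if missing:
        problems.append("missing permissions: " + "".join(missing))
    if q.get("spr", "https,http") != "https":  # http is allowed when spr is omitted
        problems.append("SAS usable over plain http (spr)")
    expiry = parse_expiry(q.get("se", ""))
    if expiry is None:
        problems.append("missing or unparseable expiry (se)")
    elif expiry <= now:
        problems.append("SAS already expired")
    elif expiry - now > max_lifetime:
        problems.append("SAS lifetime exceeds policy")
    return problems


def backup_body(sas_url, now, restore_region=None):
    """JSON body for the backup request; raises ValueError on a weak SAS."""
    problems = check_sas_url(sas_url, now)
    if problems:
        raise ValueError("; ".join(problems))
    body = {"uri": sas_url, "restoreRegion": restore_region}
    return json.dumps({k: v for k, v in body.items() if v})
```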
Explore the backup files
After the backup completes, you can view the files stored in your Azure Storage Fileshare.
Refer to the following articles to explore the backup files.
Restore
Create a Managed CCF resource using the backup files
This restores the Managed CCF resource using a copy of the files in the backup Fileshare. The resource will be restored to the same state and transaction ID at the time of the backup.
Important
The restore will fail if the backup files are older than 90 days.
Note
The original Managed CCF resource must be deleted before a restore is initiated. The restore command will fail if the original instance exists. Delete your original Managed CCF resource.
The app_name should be the same as the original Managed CCF resource.
Follow these steps to perform a restore.
Generate a Bearer token for the subscription that the Managed CCF resource is located in.
Generate a SAS token for the storage account that has the backup files.
Execute the following command to trigger a restore. You must supply a few parameters.
- subscription_id: The subscription where the Managed CCF resource is deployed.
- resource_group: The resource group name of the Managed CCF resource.
- app_name: The name of the Managed CCF resource.
- sas_token: The Shared Access Signature token.
- restore_region: An optional parameter to indicate a region where the backup would be restored. It can be ignored if you expect to restore the backup in the same region as the Managed CCF resource.
- fileshare_name: The name of the Fileshare where the backup files are located.
curl --request POST 'https://management.azure.com/subscriptions/<subscription_id>/resourceGroups/<resource_group>/providers/Microsoft.ConfidentialLedger/ManagedCCFs/<app_name>/restore?api-version=2023-06-28-preview' \
  --header 'Authorization: Bearer <bearer_token>' \
  --header 'Content-Type: application/json' \
  --data-raw '{ "uri": "<sas_token>", "restoreRegion": "<restore_region>", "fileShareName": "<fileshare_name>" }'
When the command completes, the Managed CCF resource is restored.