Important
Azure Backup for Confidential virtual machines (VMs) is currently in preview. See the Supplemental Terms of Use for Microsoft Azure Previews for legal terms that apply to Azure features that are in beta, preview, or otherwise not yet released into general availability.
Azure Backup supports Confidential Virtual Machines (CVMs) that provide secure backup and restore for sensitive workloads. This capability uses Azure Disk Encryption Sets (DES) with Platform Managed Keys (PMKs) or Customer Managed Keys (CMKs) to maintain data confidentiality throughout the backup lifecycle. Confidential VMs provide strong security by creating a hardware-enforced boundary between your application and the virtualization stack.
This article describes how to configure and back up a Confidential VM (CVM) that uses a Platform Managed Key (PMK) or a Customer Managed Key (CMK).
Supported scenarios for Confidential VM backup
The following table lists the supported scenarios for Confidential VM backup:
| Scenario | Supportability |
|---|---|
| Virtual Machine size | v6-series is supported. v5-series isn't supported. |
| Region availability | Supported in UAE North, Korea Central. |
| Key rotation for backups | When key rotation occurs on a confidential virtual machine, the keys for the VM disks, related restore points, and snapshots update automatically. Known issue: The key rotation in this preview release might have performance issues or fail in the following scenarios: - More than 40 disks are attached to one DES when (only) restore points are associated with these disks. - If you also directly create disk snapshots outside of Azure backup for these disks connected to the same DES, this lowers the safe threshold of 40 disks to DES mapping. Recommendation: Keep the number of disks connected to each DES to a minimum until the issue is resolved. |
| Backup capabilities | - You can back up Confidential VMs with OS disk encryption only. - Backup and restore fail if the CVM v2 opt-out feature flag is enabled for your subscription. - Multi-disk crash-consistent backup is unsupported. - Cross Region Restore is currently unsupported because the CVM v6 VM size isn't generally available in Azure paired regions. |
Prerequisites
Before you configure backup for CVM with CMK, ensure that the following prerequisites are met:
1. Register for the preview feature `RestorePointSupportForConfidentialVMV2` under the `Microsoft.Compute` provider namespace by running the following cmdlet. The registration is autoapproved.
```powershell
Register-AzProviderFeature -FeatureName "RestorePointSupportForConfidentialVMV2" -ProviderNamespace "Microsoft.Compute"
```
2. Identify or create a Confidential VM (CVM) in a supported region. See the supported regions.
3. Identify or create a Recovery Services Vault in the same region as the VM.
Create a new Confidential VM with PMK or CMK
To back up a Confidential VM using Azure Backup, you must have a Confidential VM configured with PMK or CMK encryption. Azure Backup uses the Disk Encryption Set (DES) associated with your VM to maintain encryption throughout the backup and restore process.
Learn how to create a new Confidential VM with PMK or CMK, if needed.
Assign permissions for Confidential VM backup
Azure Backup requires access to the Key vault or Managed Hardware Security Module (HSM) that stores your keys. This access ensures the service can back up keys and recover them if they're deleted. When you configure backup in the Azure portal, Azure Backup automatically gets the required permissions. If you use other clients, such as PowerShell, CLI, or REST API, you must assign these permissions manually.
If you're using a Key vault to store keys, grant permission to the Azure Backup service for the backup operations.
To assign permissions for MHSM, follow these steps:
1. In the Azure portal, go to Managed HSM, and then select Local RBAC in Settings.
2. Select Add to add a new Role Assignment.
3. Select one of the following roles:
   - Built-in roles: If you want to use a built-in role, select the Managed HSM Crypto User role.
   - Custom roles: If you want to use a custom role, the dataActions of that role must include these values:
     - Microsoft.KeyVault/managedHsm/keys/read/action
     - Microsoft.KeyVault/managedHsm/keys/backup/action
   You can create a custom role using the Managed HSM data plane role management.
4. For Scope, select the specific key used to create the Confidential VM with the Customer Managed Key. You can also select All Keys.
5. On the Security principal, select Backup Management Service.
Configure backup for Confidential VM
Once Azure Backup has the necessary permissions, you can continue configuring backup. Learn how to configure Azure VM backup.
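The following PowerShell script is an added example that strings together the prerequisite, permission and configuration steps described above for the Managed HSM case; it is not a script from the Azure Backup documentation or product. It assumes the Az modules (Az.Accounts, Az.Resources, Az.Compute, Az.KeyVault, Az.RecoveryServices) are installed and you are already signed in, and every resource name (resource group, VM, vault, Managed HSM, key) is a placeholder you replace with your own. The VM-size check is a simple heuristic on the `_v6` suffix and the vault policy name `DefaultPolicy` is the stock policy; both are assumptions, not requirements stated on this page.

```powershell
# Added example (not Microsoft's own script): prepare and enable Azure Backup for a
# Confidential VM whose Disk Encryption Set key lives in a Managed HSM.
# All names below are placeholders; replace them with your own resources.
$featureName = "RestorePointSupportForConfidentialVMV2"
$rg          = "rg-cvm-backup"        # placeholder resource group
$vmName      = "cvm-prod-01"          # placeholder Confidential VM
$vaultName   = "rsv-cvm-backup"       # placeholder Recovery Services vault
$hsmName     = "mhsm-cvm-keys"        # placeholder Managed HSM
$keyName     = "cvm-des-key"          # placeholder key used by the VM's DES

# 1. Register the preview feature and wait until the registration is effective.
#    Registration is autoapproved, but it is not instantaneous.
Register-AzProviderFeature -FeatureName $featureName -ProviderNamespace "Microsoft.Compute" | Out-Null
do {
    Start-Sleep -Seconds 10
    $state = (Get-AzProviderFeature -FeatureName $featureName `
                                    -ProviderNamespace "Microsoft.Compute").RegistrationState
    Write-Host "Feature registration state: $state"
} until ($state -eq "Registered")

# 2. Sanity-check the VM against the supported-scenarios table:
#    v6 size, OS disk encrypted through a Disk Encryption Set, vault in the same region.
$vm = Get-AzVM -ResourceGroupName $rg -Name $vmName
if ($vm.HardwareProfile.VmSize -notmatch '_v6$') {
    throw "VM size $($vm.HardwareProfile.VmSize) is not a v6 size; only v6 is supported."
}
$desId = $vm.StorageProfile.OsDisk.ManagedDisk.DiskEncryptionSetId
if (-not $desId) {
    throw "The OS disk of $vmName is not encrypted with a Disk Encryption Set."
}
$vault = Get-AzRecoveryServicesVault -ResourceGroupName $rg -Name $vaultName
if ($vault.Location -ne $vm.Location) {
    throw "Vault is in $($vault.Location) but the VM is in $($vm.Location); they must match."
}

# 3. Grant the Backup Management Service principal the built-in
#    'Managed HSM Crypto User' role, scoped to the single key used by the DES.
#    (This is the manual equivalent of the portal's Local RBAC steps; the portal
#    does this for you automatically.)
$bms = Get-AzADServicePrincipal -DisplayName "Backup Management Service"
if (-not $bms) { throw "Backup Management Service principal not found in this tenant." }
New-AzKeyVaultRoleAssignment -HsmName $hsmName `
                             -RoleDefinitionName "Managed HSM Crypto User" `
                             -ObjectId $bms.Id `
                             -Scope "/keys/$keyName" | Out-Null
Write-Host "Granted 'Managed HSM Crypto User' on /keys/$keyName to Backup Management Service."

# 4. Enable protection for the VM with the vault's default policy.
$policy = Get-RecoveryServicesBackupProtectionPolicyCompat
function Get-RecoveryServicesBackupProtectionPolicyCompat {
    Get-AzRecoveryServicesBackupProtectionPolicy -Name "DefaultPolicy" -VaultId $vault.ID
}
Enable-AzRecoveryServicesBackupProtection -Policy $policy `
                                          -Name $vmName `
                                          -ResourceGroupName $rg `
                                          -VaultId $vault.ID | Out-Null
Write-Host "Backup configured for $vmName in vault $vaultName."
```

Run the script once per Confidential VM after the Managed HSM key and Disk Encryption Set exist. Scoping the role assignment to `/keys/<keyname>` rather than `/` (all keys) keeps the backup service's access to the one key it needs to read and back up, which is the least-privilege choice among the two scopes the page offers.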
Next step
Restore CVM using Azure Backup (preview).