Microsoft Azure plug-in configuration notes
The Microsoft Azure plug-in lets you create, delete, and restore snapshots at the virtual machine level and the managed disk level.
Support for restore of multiple network interfaces (NIC)
NetBackup provides support for restoring all the NIC's and static IP addresses attached to a VM on Azure. Following are the specific behavior for the supported scenarios:
Private IP addresses have the following allocation methods:
Static: If the IP address was statically allocated, then the exact private IP address would be restored.
Dynamic: If the IP address was dynamically allocated, then a dynamic IP address would be assigned to the NIC and the exact IP address would not be enforced.
For Public IP addresses it is not possible to specify the actual Public IP address to be associated with a Public IP resource, irrespective of the allocation method used.
Hence a Public IP resource is created and associated with relevant NIC. Other properties of the Public IP resource would still be the same as they were during the backup time.
Support for Azure Disk Encryption (ADE) enabled VM
NetBackup provides support for Azure disk encrypted VM's. ADE enabled VM will show flag as in asset details in Web UI. Following are the supported scenarios:
Rollback Restore
Snapshot, Backup and Restore from snapshot and backup of VMs.
If Azure disk encryption extension is present at the time of snapshot then only extension will be present after VM is restored from snapshot.
Supported operating systems:
For Linux VM: Supported VMs and operating systems
For Windows: Supported VMs and operating systems
Support for protecting managed disks with network policy set to DENY_ALL
NetBackup Snapshot Manager provides an option to automatically manage Azure disk access resources and their associated private endpoints for Azure virtual machines (VMs). This feature simplifies backup and snapshot operations for managed disks that have the network access policy set to , by automatically creating and managing disk access resources and required private endpoints.
When this feature is enabled, Snapshot Manager dynamically handles disk access configuration during snapshot and backup operations without requiring manual disk access object or private endpoint creation. Before enabling this feature, ensure that the following prerequisites are met.
Prerequisites
NetBackup Snapshot Manager must be installed or upgraded to version 11.2 or later.
Required Azure permissions must be configured for managing disk access resources and private endpoints. For details, see Configuring permissions on Microsoft Azure.
A Private DNS zone must be available for resolving private endpoints used to access SAS URIs for disks being exported.
This feature can be enabled only when the NetBackup Snapshot Manager is deployed on Azure cloud.
To enable automatic protection of disks with network policy set to DENY_ALL:
- Install or upgrade NetBackup Snapshot Manager to 11.2 to enable this feature.
- Assign the required custom roles and permissions to the service principal or managed identity used by NetBackup Snapshot Manager.
For more information, refer to the "Permissions required for auto-managed disk access object creation" section in Configuring permissions on Microsoft Azure.
- Create a private DNS zone for mapping private endpoints used to access the SAS URI of disks being exported.
For example, private DNS zone with ID:
/subscriptions/aaaa-bbbb-cccc-dddd/resourceGroups/nbsm-rg/providers/
Microsoft.Network/privateDnsZones/privatelink.blob.core.windows.net
Where:
privatelink.blob.core.windows.netis the private DNS zone name.aaaa-bbbb-cccc-ddddis the subscription ID.nbsm-rgis the resource group where NetBackup Snapshot Manager is installed.Note:
It is recommended to use the resource from the same resource group (RG) where NetBackup Snapshot Manager is deployed.
- Add the following entries in the
/cloudpoint/flexsnap.conffile or edit flexsnap config map in case of kubernetes deployment:[azure] # Enable feature manage_private_disk_access = true # DNS zone private_dns_zone_id = /subscriptions/aaaa-bbbb-cccc-dddd/resourceGroups/dns-rg/providers/Microsoft.Network/privateDnsZones/privatelink.blob.core.windows.net
Replace the
private_dns_zone_idvalue with the ID of the private DNS zone created in your environment. - Restart the NetBackup Snapshot Manager services to apply the configuration changes:
For VM-based deployment: flexsnap_configure restart
For Cloud Scale (Kubernetes) deployment: Restart the agent, coordinator, and workflow pods.
- Run snapshot or backup operations for Azure VMs that have managed disks with the network access policy set to DENY_ALL.
Support for application consistency using Azure recovery points
By default, the create snapshot operation in Snapshot Manager would create recovery points instead of snapshots. To use Azure recovery points for the snapshots to be application consistent, refer to the following table to connect and configure the VM's in Azure cloud:
| For Windows | For Linux |
|---|---|
No need to connect and configure the VM's |
|
Note:
While creating and restoring snapshots, restore points would be created instead of snapshots being created in Azure.
Create snapshot
In Snapshot Manager a is created with a VM restore point when the first snapshot is taken for a VM.
Each VM restore point contains the disk restore points of all disks whose snapshots have been taken in the VM snapshot operation.
Each subsequent snapshot taken on the VM is saved in Azure under the same that was created when the first snapshot was taken.
The subsequent restore points are incremental backups.
Restore snapshot
Snapshots would be restored from snapshots in Azure, for snapshots taken in versions prior to Snapshot Manager version 10.2.
Snapshots would be restored from , for snapshots taken in Snapshot Manager version 10.2.
Note the following:
Locate the restore point:
Obtain the Snapshot ID in the job details of the created snapshot in NetBackup as follows:
Snapshot ID: azure-snapvmrp-<subscription name>+<RG name>+<restore point collection name>+<restore point>
The restore point can be found in Azure portal by navigating to .
Locate the logs:
Snapshot Manager:
/cloudpoint/flexsnap.logHost VM:
Linux:
/var/log/azure/Microsoft.Azure.RecoveryServices.VMSnapshotLinux/extension.logWindows:
C:\WindowsAzure\Logs\Plugins\Microsoft.Azure.RecoveryServices.VMSnapshot\<version>
Prerequisites
Before you configure the Azure plug-in, complete the following preparatory steps:
(Applicable only if user proceeds with application service principal route) Use the Microsoft Azure Portal to create an Azure Active Directory (AAD) application for the Azure plug-in.
Assign the required permissions to a role to access resources.
For more information on Azure plug-in permissions required by NetBackup Snapshot Manager, See Configuring permissions on Microsoft Azure.
In Azure you can assign permissions to the resources by one of the following methods:
Service principal: This permission can be assigned to user, group or an application.
Managed identity: Managed identities provide an automatically managed identity in Azure Active Directory for applications to use when connecting to resources that support Azure Active Directory (Azure AD) authentication. There are two types of managed identities:
System-assigned
User-assigned
For more details, follow the steps mentioned in the Azure documentation.
Table: Microsoft Azure plug-in configuration parameters
NetBackup Snapshot Manager configuration parameter | Microsoft equivalent term and description |
|---|---|
Credential type: Note: Assign a role to the application service principal. | |
Tenant ID | The ID of the Azure AD directory in which you created the application. |
Client ID | The application ID. |
Secret key | The secret key of the application. |
Credential type: Note: Assign a role to the system managed identity. | |
Enable system managed identity on NetBackup Snapshot Manager host in Azure. | |
Credential type: Note: Assign a role to the user managed identity. | |
The Client ID of the user managed identity connected to the NetBackup Snapshot Manager host. | |
Following parameters are applicable for all the above credential type's | |
Regions | One or more regions in which to discover cloud assets. Note: If you configure a government cloud, select US Gov Arizona, US Gov Texas US, or Gov Virginia. |
Resource Group prefix | The prefix used to store the snapshots created for the assets in a different resource group other than the one in which the assets exist. For example, if an asset exists in and prefix for resource group is , then snapshots of assets in NetBackup Snapshot Manager resource group would be stored in resource group. |
Protect assets even if prefixed Resource Groups are not found | On selecting this check box, NetBackup Snapshot Manager would not fail the snapshot operation if resource group does not exists. It tries to store the snapshot in the original resource group. Note: The prefixed resource group region must be same as the original resource group region. |
If you are creating multiple configurations for the same plug-in, ensure that they manage assets from different Subscriptions. Two or more plug-in configurations should not manage the same set of cloud assets simultaneously.
When multiple accounts are all managed with a single NetBackup Snapshot Manager server, the number of assets being managed by a single NetBackup Snapshot Manager instance might get too large. Hence it would be better to segregate the assets across multiple NetBackup Snapshot Manager servers for better load balancing.
To achieve application consistent snapshots, we would require agent/agentless network connections between the remote VM instance and NetBackup Snapshot Manager server. This would require setting up cross account/subscription/project networking.
Consider the following before you configure the Azure plug-in:
The current release of the plug-in does not support snapshots of blobs.
NetBackup Snapshot Manager currently only supports creating and restoring snapshots of Azure-managed disks and the virtual machines that are backed up by managed disks.
If you are creating multiple configurations for the same plug-in, ensure that they manage assets from different Tenant IDs. Two or more plug-in configurations should not manage the same set of cloud assets simultaneously.
When you create snapshots, the Azure plug-in creates an Azure-specific lock object on each of the snapshots. The snapshots are locked to prevent unintended deletion either from the Azure console or from an Azure CLI or API call. The lock object has the same name as that of the snapshot. The lock object also includes a field named "
notes" that contains the ID of the corresponding VM or asset that the snapshot belongs to.Ensure that the
notesfield in the snapshot lock objects is not modified or deleted. Doing so will disassociate the snapshot from its corresponding original asset.The Azure plug-in uses the ID from the
notesfields of the lock objects to associate the snapshots with the instances whose source disks are either replaced or deleted, for example, as part of the 'Original location' restore operation.Azure plug-in supports the following GovCloud (US) regions:
US Gov Arizona
US Gov Texas
US Gov Virginia
US Gov Iowa
US DoD Central
US DoD East
Azure plug-in supports the following India regions:
Jio India West
Jio India Central
Azure plug-in supports the following additional regions:
Italy North
Poland Central
Qatar Central
Israel Central
New Zealand North (Asia Pacific)
Indonesia Central (Jakarta - Indonesia)
Malaysia West (Kuala Lumpur - Malaysia)
Austria East
Belgium Central
Chile Central
Denmark East
NetBackup Snapshot Manager Azure plug-in does not support the following Azure regions:
Location
Region
US
US DoD Central
US DoD East
US Sec West
China
NetBackup Snapshot Manager does not support any regions in China.
China East
China East 2
China North
China North 2
Germany
Germany Central (Sovereign)
Germany Northeast (Sovereign)
NetBackup Snapshot Manager also supports Microsoft Azure generation 2 type of virtual machines.
NetBackup Snapshot Manager does not support application consistent snapshots and granular file restores for Windows systems with virtual disks or storage spaces that are created from a storage pool. If a Microsoft SQL server snapshot job uses disks from a storage pool, the job fails with an error. But if a snapshot job for virtual machine which is in a connected state is triggered, the job might be successful. In this case, the file system quiescing and indexing is skipped. The restore job for such an individual disk to original location also fails. In this condition, the host might move to an unrecoverable state and requires a manual recovery.
Snapshot Manager does not support Managed Identity database authentication for Azure database for MariaDB server.
Consider the following points for snapshots of (ADE) enabled VM:
Indexing on ADE enabled VM is not supported. If user has protection plan with GRT enabled, subscribing ADE enabled VM to this protection plan is disabled.
If VM is subscribed to GRT enabled protection plan and later ADE is enabled on the same VM, then indexing will fail for such VMs with an error 9997.
If ADE enabled VM is part of intelligent group which is subscribed to protection plan consisting GRT, indexing for ADE enabled VM will fail with an error 9997.
Single file restore can be performed to ADE enabled VMs from non-ADE VMs.
Proper access to key vault must be assigned to other resource group if user is trying to restore VM to another resource group.
Snapshot and restore is not supported for applications deployed on ADE enabled VMs.
If is applied on any OS or Data Disk, then change of encryption form PMK to any other encryption type is not supported.
If Operating System disk is encrypted with and data disk with encryption other than PMK is attached later to the VM, then for successful restore change the encryption to PMK for the data disks.
If NetBackup Snapshot Manager is running behind the firewall then ensure that the following endpoints and metadata IP are allowed on port 443 for successful asset discovery:
:
*.management.azure.com
*.login.microsoftonline.com
*.storage.azure.net
*.vault.azure.net
: 169.254.169.254
If NetBackup Snapshot Manager is configured with proxy settings, then refer to the following section for more information:
NetBackup version 10.5.0.1 or later provides support for backup of ADE enabled VMs, but with the following limitation:
For a VM which is already encrypted with ADE and then additional data disks (which are not encrypted) are added to the VM, the snapshot and backup operation would be successful, but after restore the data on extra non-ADE disks would be lost or not present.
Note:
Currently there is no workaround. Corresponding new disks would be present in the restored VM, but no data would be present on them.
Consider the following points to automate protection of managed disks with network policy set to DENY_ALL:
All subscriptions must be protected using a single Azure provider configuration (single service principal or managed identity).
All required virtual network links for cross-subscription or cross-region access must already exist in the Private DNS zone.
When this feature is enabled, managed disks with the network access policy set to are automatically updated to , regardless of whether the job succeeds or fails.
Note:
This change continues even if the feature is disabled. It can be only be reverted manually through Azure portal or Azure CLI scripts.
Managed disks that already have the network access policy are not modified. It is expected that private endpoints for such disks already exist in the NetBackup Snapshot Manager subnet.
During restore operations, managed disks that had network access are restored with the network access policy. After restore, users must manually update the disk network access policy as required.
Once the feature is enabled and the required permissions are granted, the necessary resources such as disk accesses and the private endpoints associated with those disk accesses are created. Using these private endpoints incurs additional egress costs.
More Information