
MCT USE ONLY.

STUDENT USE PROHIBITED


Implementing Microsoft Azure Infrastructure Solutions 6-31

Lesson 4
Implementing Azure Backup
Azure offers several different options that you can use to take advantage of its services for backup of on-
premises and cloud-based systems. Some Azure backup options integrate seamlessly with existing
Microsoft backup products, including built-in Windows Backup software and Microsoft System Center
2016 Data Protection Manager (DPM). Other options such as Azure VM-level backup or Microsoft Azure
Backup Server can enhance or even replace existing backup solutions. This lesson details characteristics
and functionality of various Azure backup options.

Lesson Objectives
After completing this lesson, you will be able to:

• Describe the available Azure Backup options.

• Explain how to perform file and folder backups with the Azure Recovery Services Agent.
• Explain how to protect Azure IaaS virtual machines by using Azure Backup VM extensions.

• Describe how to integrate Azure Backup with Data Protection Manager and Azure Backup Server.

• Integrate Azure Backup with System Center 2016 Data Protection Manager.

Overview of Azure Backup


The Azure Backup service uses Azure resources for
short-term and long-term storage to minimize or
even eliminate the need for maintaining physical
backup media such as tapes, hard drives, and
DVDs. Since its introduction, the service has
evolved from its original form, which relied
exclusively on a Windows Server backup agent
that was downloadable on the Azure portal, into a
much more diverse offering. The Azure Backup
service includes:

• 64-bit Windows Server and client file-level and folder-level backups with the Recovery
Services Agent, and the Online Backup integration module for Windows Server Essentials.

• Long-term storage for backups with Data Protection Manager and Recovery Services Agent.

• Long-term storage for backups with Microsoft Azure Backup Server and Recovery Services Agent.

• Windows-based and Linux-based Azure IaaS VM-level backups with the Azure VM extensions
(VMSnapshot and VMSnapshotLinux, respectively).

Recovery Services vault


Regardless of the backup functionality that you intend to implement, to use Azure Backup to protect your
data, you must first create a Recovery Services vault in Azure. A vault is the virtual destination of your
backups, which also contains configuration information about the systems that Azure Backup protects. To
protect a system, you must register it with a vault. The vault should reside in an Azure region that is close
to the physical location of the data, and in the case of Azure IaaS virtual machines, in the same region.
6-32 Planning and implementing storage, backup, and recovery services

Two resiliency options are available when creating an Azure Recovery Services vault: locally redundant and
geo-redundant. The first option is based on locally redundant Azure Storage, consisting of three copies of
backed-up content in the same Azure region. The second option is based on geo-redundant Azure
Storage, including three additional copies in another Azure region, providing an additional level of
protection.

Note: You should set this option as soon as you create the vault, since you will not be able to
change it once you register the first of your systems with the vault.

An Azure subscription can host up to 25 vaults. Each vault can protect up to 50 computers that run the
Recovery Services Agent or the Online Backup integration module. Alternatively, if you back up Azure IaaS
virtual machines by relying on the Azure IaaS VM Backup extension, the vault can protect up to 200
computers.

Note that there is no limit on the amount of data in the vault for each protected computer. There also is
no limit on the maximum retention time of backed up content. However, there is a restriction on the size
of each data source: about 54,000 GB for Windows 8, Windows Server 2012, and newer operating systems.
The maximum backup frequency depends on the backup approach, with up to three backups per day
with Windows Server and Client Recovery Services Agent, up to two backups with Data Protection
Manager or the Microsoft Azure Backup Server, and a single backup when using VM extension–based
setup.
All backups are encrypted at the source with a passphrase that the customer chooses and maintains.
There are no additional charges for the traffic generated during backup (ingress into Azure) or
during restore (egress out of Azure).

Note: Azure Backup relies on the same agent as Azure Site Recovery, which later topics in
this module will discuss. This is the reason for the references to the Recovery Services Agent in
this lesson. Both Azure Backup and Azure Site Recovery also store data from systems they protect
by using an Azure Recovery Services vault. A single vault can simultaneously serve as the
repository for Azure Backup and Azure Site Recovery.

File and folder backups with the Recovery Services Agent


Azure Backup’s most basic functionality allows you
to protect folders and files on 64-bit Windows
Server and client operating systems, both on-
premises and in Azure. This functionality relies on
the Recovery Services Agent, which is available for
download on the Azure Recovery Services vault
interface in the Azure portal. You must install the
agent on every system that you want to protect,
and you must register it with the target vault.

To set up Recovery Services Agent–based protection for an on-premises Windows computer from the
Azure portal, perform the following steps:

1. Create a Recovery Services vault.

2. Configure the Backup Infrastructure storage replication type, by choosing either the Locally-
redundant option or the Geo-redundant option on the Backup Configuration blade.

3. Specify Backup Goal settings, including the:

o Location of the workload: On-premises

o Workload type: Files and folders

4. Download the vault credentials from the Prepare infrastructure blade of the Azure Recovery
Services vault. The Recovery Services Agent uses vault credentials to register with the vault during the
installation process.
5. Download the Recovery Services Agent from the Prepare infrastructure blade. Choose the
appropriate option for the system that you want to protect. In this case, you need to select the
Download Agent for Windows Server or Windows Client option.

6. Install the Recovery Services Agent and register it with the vault. When registering with the vault,
you specify a custom passphrase for encrypting backups.
7. Use the Azure Backup console to configure and schedule backups. After installing the agent, the new
console, whose interface closely matches the native Windows backup console, becomes available. This
allows you to select files and folders to back up and to schedule a backup directly to the Azure
Recovery Services vault. You can also use Azure PowerShell to configure and initiate backup
operations. After you schedule a backup, you also have the option to run an on-demand backup.

Note: If the computer that you want to protect contains a large amount of data and you
have limited bandwidth in your internet connection to Azure, consider using the Azure
Import/Export service to perform the initial backup. In this approach, you copy the data to back
up locally to a physical disk, encrypt it, and then ship the disk to the Azure datacenter where the
vault is located. Azure then restores the content directly to the vault, which allows you to perform
an incremental rather than full backup following the registration.

Additional Reading: For more information, refer to: “Back up a Windows Server or client to
Azure using the Resource Manager deployment model” at: http://aka.ms/Aabdfe

VM-level backup by using the Azure Backup VM extension


If the systems that you want to protect are
running the Windows or Linux operating systems
on Azure VMs, you can perform a VM-level
backup. This process uses the Azure VMSnapshot
(on Windows) or Azure VMSnapshotLinux (on
Linux) extension. A VM-level backup offers
application consistency for Windows virtual
machines. It also offers a higher limit for the
number of protected systems per vault, which is
200 Azure VMs instead of 50 protected systems
with the Recovery Services Agent. On the other
hand, the backup frequency in this case is limited
to once per day.

You should also keep in mind that the restore process available from the Azure portal creates a new
virtual machine. As a result, an Azure VM–level backup does not facilitate restoring individual files or
folders. In addition, the restore does not include such VM-level settings as network configuration, which
means that you must recreate them after the restore. However, you can overcome these shortcomings by
using Azure PowerShell to perform a restore. This allows you, for example, to restore individual disks. You
should use scripting when recovering Azure VMs that host Active Directory domain controllers or that
have complicated network configuration, including such characteristics as load balancing, multiple
reserved IP addresses, or multiple network adapters.
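The scripted disk restore mentioned above could look like the following. This is an added example, not part of the original course material; it assumes the current Az PowerShell module, a VM with managed disks, and hypothetical resource names throughout.

```powershell
# Added example. All resource names below are hypothetical placeholders.
$rgName    = 'rg-backup-demo'
$vaultName = 'rsv-demo'
$vmName    = 'vm-app-01'
$stagingSa = 'stbackupstaging01'   # storage account used as the restore staging location
$restoreRg = 'rg-restore-demo'     # resource group that receives the restored disk

$vault = Get-AzRecoveryServicesVault -ResourceGroupName $rgName -Name $vaultName

# Locate the protected VM inside the vault.
$container = Get-AzRecoveryServicesBackupContainer -ContainerType AzureVM `
    -FriendlyName $vmName -VaultId $vault.ID
$item = Get-AzRecoveryServicesBackupItem -Container $container `
    -WorkloadType AzureVM -VaultId $vault.ID

# Pick the newest recovery point from the last seven days; stop if there is none.
$end    = (Get-Date).ToUniversalTime()
$points = Get-AzRecoveryServicesBackupRecoveryPoint -Item $item `
    -StartDate $end.AddDays(-7) -EndDate $end -VaultId $vault.ID
if (-not $points) { throw "No recovery point for $vmName in the last 7 days." }
$latest = $points | Sort-Object RecoveryPointTime -Descending | Select-Object -First 1

# Restore only the OS disk. No VM is created, so the network configuration
# (load balancer, reserved IPs, extra NICs) is rebuilt by your own script
# when you attach the restored disk to a new or existing VM.
$job = Restore-AzRecoveryServicesBackupItem -RecoveryPoint $latest `
    -StorageAccountName $stagingSa -StorageAccountResourceGroupName $rgName `
    -TargetResourceGroupName $restoreRg -RestoreOnlyOSDisk -VaultId $vault.ID

# Block until the restore job finishes, then report its outcome.
$job = Wait-AzRecoveryServicesBackupJob -Job $job -Timeout 43200 -VaultId $vault.ID
$job | Select-Object Operation, Status, StartTime, EndTime
```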

Setting up an Azure IaaS VM-level backup by using the Azure portal involves the following steps:

1. If you do not already have an available Recovery Services vault, create a new one. Note that the vault
must reside in the same Azure region as the Azure IaaS virtual machines.

2. Specify the vault’s storage replication type.

3. Specify Backup goal settings, including the:

o Location of the workload: Azure


o Workload type: Virtual machine

4. Choose the backup policy. The policy determines backup frequency and retention range. The default,
predefined policy triggers the backup daily at 6:30 PM and has the 30-day retention period. You can
create a custom policy to modify these values, by scheduling backup to take place on specific days
and setting the retention period on a daily, weekly, monthly, and yearly basis.
5. Specify the virtual machines to back up. The Azure portal will automatically detect the Azure VMs
which satisfy Azure VM–level backup requirements. When you click Items to backup on the Getting
started with backup blade, the Azure portal will display these virtual machines on the Select virtual
machines blade. This will automatically deploy the Azure VM backup extension to the virtual
machines that you select and register them with the vault.

6. At this point, you can identify the Azure VMs that are backed up to the vault by viewing the content
of the Backup Items blade.
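The same portal procedure can be scripted. The following is an added example, not part of the original course material; it assumes the current Az PowerShell module and uses hypothetical resource and policy names.

```powershell
# Added example. All resource and policy names below are hypothetical placeholders.
$rgName    = 'rg-backup-demo'
$vmName    = 'vm-app-01'
$vaultName = 'rsv-demo'

$vm = Get-AzVM -ResourceGroupName $rgName -Name $vmName

# Step 1: create the vault in the same region as the VM it will protect.
$vault = New-AzRecoveryServicesVault -Name $vaultName `
    -ResourceGroupName $rgName -Location $vm.Location

# Step 2: choose the replication type now; it cannot be changed after the
# first system is registered with the vault.
Set-AzRecoveryServicesBackupProperty -Vault $vault -BackupStorageRedundancy GeoRedundant

# Step 4: build a custom policy from the default schedule and retention objects.
# VM-level backup runs at most once per day, so only the start time is changed.
$schedule  = Get-AzRecoveryServicesBackupSchedulePolicyObject  -WorkloadType AzureVM
$retention = Get-AzRecoveryServicesBackupRetentionPolicyObject -WorkloadType AzureVM
$runTime   = (Get-Date -Date '2024-01-01 02:00:00Z').ToUniversalTime()
$schedule.ScheduleRunTimes[0] = $runTime
$retention.DailySchedule.DurationCountInDays = 14

$policy = New-AzRecoveryServicesBackupProtectionPolicy -Name 'Daily0200-14d' `
    -WorkloadType AzureVM -SchedulePolicy $schedule -RetentionPolicy $retention `
    -VaultId $vault.ID

# Step 5: enabling protection deploys the backup extension to the VM and
# registers the VM with the vault.
Enable-AzRecoveryServicesBackupProtection -Policy $policy -Name $vmName `
    -ResourceGroupName $rgName -VaultId $vault.ID

# Step 6: list the backup item to confirm that the VM is now protected.
$container = Get-AzRecoveryServicesBackupContainer -ContainerType AzureVM `
    -FriendlyName $vmName -VaultId $vault.ID
Get-AzRecoveryServicesBackupItem -Container $container -WorkloadType AzureVM `
    -VaultId $vault.ID
```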

Integrating Azure Backup with Data Protection Manager and Microsoft Azure Backup Server

If your environment contains a large number of
systems that require protection, you might want
to consider implementing Microsoft Azure Backup
Server. Alternatively, if you have an existing
implementation of DPM, you will likely benefit
from integrating it with Azure Backup by installing
the Recovery Services Agent on the DPM server.

These two methods generally yield equivalent
results. Microsoft Azure Backup Server provides
the same set of features as DPM, except support
for tape backups and integration with other
System Center products. Azure Backup Server also
offers the same management interface as DPM. Effectively, by implementing Microsoft Azure Backup
Server, you gain enterprise-grade protection without requiring System Center licenses.

With both of these products, you can provide recovery for Linux and Windows operating systems that run
on-premises or in Azure, as long as an Azure Backup Server or DPM server resides in the same location.
DPM and Azure Backup Server support consistent application backups of the most common Windows
server workloads, including SQL Server, Office SharePoint Server, and Microsoft Exchange Server. They
also deliver superior efficiency and disk space savings because of built-in deduplication capabilities.
It is important to remember that unlike the other Recovery Services Agent–based methods, neither DPM
nor Azure Backup Server can back up data directly to an Azure Recovery Services vault. Instead, they
operate as disk-to-disk-to-cloud solutions, using their local disks as the immediate backup target, and
afterward, copying data to Azure from the newly created backup.

To integrate System Center DPM with Azure Backup by using the Azure portal, you must perform the
following steps:

1. If you do not already have an available Recovery Services vault, create a new one.

Note: You can use the same vault for protecting Azure VMs with the Azure Backup VM
extension and systems that run the Recovery Services Agent, including System Center DPM.

2. Specify the vault’s storage replication type.

3. Specify Backup goal settings, including the:


o Location of the workload: On-premises

o Workload type: any combination of Hyper-V Virtual Machines, VMware Virtual Machines,
Microsoft SQL Server, Microsoft SharePoint, Microsoft Exchange, System State, or Bare
Metal Recovery

4. On the Prepare infrastructure blade of the Azure Recovery Services vault, select the Already using
System Center Data Protection Manager or any other System Center product check box.
5. Download the vault credentials from the Prepare infrastructure blade. The Recovery Services Agent
uses vault credentials to register with the vault during the installation process.
6. Download and install the Recovery Services Agent from the Prepare infrastructure blade. Start by
clicking the Download link. Once the download completes, run the installation and register the local
computer running System Center Data Protection Manager with the vault. As part of the registration,
designate a passphrase for encrypting backups.

7. From the Protection workspace of the DPM Administrator Console, create a new protection group
or modify an existing one. Within the protection group settings, enable the Online Protection
option.

Note: You must enable short-term protection by using local disks. While you cannot use
tapes for this purpose, you can additionally enable long-term protection to tape. As part of the
protection group configuration, specify an online backup schedule, online protection data, online
retention policy, and initial online backup methodology. Similar to the Azure Backup consoles,
you can choose between performing initial backup over the internet and using the Azure
Import/Export service to copy it offline.

Deploying Microsoft Azure Backup Server by using the Azure portal requires that you perform the
following steps:

1. If you do not already have an existing, available Recovery Services vault, create a new one.

Note: You can use the same vault for protecting Azure VMs with the Azure Backup VM
extension and systems that run the Recovery Services Agent, including System Center DPM.

2. Specify the vault’s storage replication type.

3. Specify Backup goal settings, including the:


o Location of the workload: On-premises

o Workload type: any combination of Hyper-V Virtual Machines, VMware Virtual Machines,
Microsoft SQL Server, Microsoft SharePoint, Microsoft Exchange, System State, or Bare
Metal Recovery

4. On the Prepare infrastructure blade of the Azure Recovery Services vault, make sure that the
Already using System Center Data Protection Manager or any other System Center product
check box is cleared.

5. Use the Download link on the Prepare infrastructure blade to download the Microsoft Azure
Backup Server installation media, which are over 3 GB in size.

6. Download the vault credentials from the Prepare infrastructure blade. The Microsoft Azure Backup
Server setup uses vault credentials to register with the vault during the installation process.

7. Once the download of the Microsoft Azure Backup Server installation media completes, extract the
download package content by running MicrosoftAzureBackupInstaller.exe, and then start the
setup process.

Note: Azure Backup Server requires a local instance of SQL Server. You have the option of
using the SQL Server installation media in the package or deploying an instance prior to running
the setup.

8. When prompted, provide the path to the vault credentials that you downloaded earlier. When
registering the Microsoft Azure Backup Server with the vault, you must provide a passphrase for
encrypting backups.

9. Because Microsoft Azure Backup Server has the same administrative interface as the System Center
DPM, after the setup completes, the remaining configuration is the same as described above for
System Center DPM, with the exception of tape backup–related settings.

Demonstration: Implementing Azure IaaS virtual machine backups


In this demonstration, you will see how to implement Azure IaaS virtual machine backups:
• Create a Recovery Services vault.

• Create a custom backup policy.

• Register an Azure VM in the Azure Recovery Services vault.



Check Your Knowledge


Question

You need to perform an application-level backup and restore of an Azure VM running Windows.
What solution can you use?

Select the correct answer.

Install the Recovery Services Agent on the virtual machine.

Install the Recovery Services Agent on a Microsoft System Center 2016 Data Protection Manager
(Data Protection Manager) server. Install the DPM agent on the Azure VM.

Install Azure Backup Server. Install the DPM agent on the Azure VM.

Install the Azure VMSnapshot extension on the Azure VM.

Use the built-in Windows Backup feature.
