Azure Recovery Services in CSP: Backup

Great news! Starting this week, Azure Recovery Services (which include Azure Backup and Azure Site Recovery) are available for all CSP partners. It means that 2 very popular Azure services can be used by customers through the CSP model.

This is what CSP partners have been asking us for months. Azure Backup and Azure Site Recovery (ASR) are popular services even among cloud-agnostic customers. Before this week, configuration of Backup and ASR was available only through PowerShell and APIs, which made it hard for CSP partners to deploy and manage. Now this functionality is available through the Azure Portal. It means that CSP partners can easily provide backup and disaster recovery services to their customers in a managed way, or their Azure CSP tenants can use Azure Backup and ASR on their own, just by adding these services to their existing subscriptions.

This post covers Azure Backup in CSP. Azure Site Recovery is covered in the next post.

To add backup and disaster recovery services to an existing Azure CSP subscription, just add "Recovery Services" in "Data + Storage" menu of the Azure Marketplace.

I recommend creating the Recovery Services vault in a dedicated Resource Group with an assigned Tag, so that billing data for backup and ASR is separated from billing data for other Azure services (e.g. IaaS, DBs etc.).

You can configure Backup and Recovery services in the same menu called "Recovery Services vaults".

 Azure Backup

First of all, you need to understand the pricing model of Azure Backup. It is described here. You are charged for 2 things:

  1. Protected instances - you pay for every instance that you back up. It can be a VM, SQL database, Exchange database etc. If you back up an Exchange server and the VM that it runs on, you are charged for 2 instances. There are 3 price tiers for instances, depending on the data size per instance (less than 50Gb, 50-500Gb, more than 500Gb).
  2. Consumed storage for the backup vault. Block blob storage is used for that, and you can choose between Locally Redundant Storage (LRS) and Geo-Redundant Storage (GRS). Its pricing is available here.

By default, the Backup vault uses Geo-Redundant Storage. If you don't want to pay for extra redundancy, you can switch to Locally Redundant Storage, which is 2 times cheaper. I recommend switching at the very beginning, using the "Backup Configuration" menu in settings. Once you put any backup data in the Recovery Services vault, you won't be able to change this setting.
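The two recommendations above (a dedicated, tagged Resource Group and switching to LRS before any data is stored) can also be scripted. This is an added example, not part of the original post: it assumes the current Az PowerShell modules and an already signed-in session, and every name, the region and the tag are hypothetical placeholders.

```powershell
# Added example. Assumes the Az.Resources and Az.RecoveryServices modules
# and a session already signed in with Connect-AzAccount.
# All names, the region and the tag below are hypothetical placeholders.
$rgName    = 'rg-backup-example'
$vaultName = 'rsv-backup-example'
$location  = 'westeurope'
$tags      = @{ CostCenter = 'backup-asr' }

# Dedicated resource group that carries the billing tag.
if (-not (Get-AzResourceGroup -Name $rgName -ErrorAction SilentlyContinue)) {
    New-AzResourceGroup -Name $rgName -Location $location -Tag $tags | Out-Null
}

# Create the vault only if it does not exist yet, so the script can be re-run.
$vault = Get-AzRecoveryServicesVault -ResourceGroupName $rgName -Name $vaultName `
             -ErrorAction SilentlyContinue
if (-not $vault) {
    $vault = New-AzRecoveryServicesVault -ResourceGroupName $rgName `
                 -Name $vaultName -Location $location
}

# Switch from the GRS default to LRS now: the setting is locked once the
# vault holds any backup data.
$current = Get-AzRecoveryServicesBackupProperty -Vault $vault
if ($current.BackupStorageRedundancy -ne 'LocallyRedundant') {
    Set-AzRecoveryServicesBackupProperty -Vault $vault `
        -BackupStorageRedundancy LocallyRedundant
}

# Read the setting back to confirm what the vault will actually use.
(Get-AzRecoveryServicesBackupProperty -Vault $vault).BackupStorageRedundancy
```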

There are 3 scenarios available for Azure Backup:

  1. Azure Virtual Machine backup - back up Azure virtual machines
  2. File-Folder Backup - back up files on Windows clients and Windows Servers using a special Recovery Services agent
  3. System Center Data Protection Manager - connect a System Center Data Protection Manager server (located On-Premise or in the cloud) to Azure Backup to store DPM backup data in the Azure Backup vault.

 

Azure Virtual Machine backup

Azure Backup allows you to back up virtual machines that run in Azure with a simple two-step configuration:

  1. Create a backup policy or choose an existing one
  2. Select the virtual machines that you want to back up. You can choose among all VMs in the current subscription that you have access to.

After that you can see the current status of this backup and manage recovery jobs in "Backup Items" menu.

File-Folder Backup

This scenario allows you to back up files on remote Windows client VMs and Windows Servers. These computers can be located anywhere - On-Premise, in Azure, in a service provider environment etc. To configure this, you need to download the Recovery Services agent and install it on every computer where you want to back up files. You also need to download the Vault Credentials file by clicking the "Download" button; you'll need this file during the agent installation.

After the agent installation, open Azure Backup Client and schedule a new backup. You'll need to select the items to back up and configure a retention policy.

The agent encrypts the data using the encryption key that you specify during the configuration, so all the backups stored in Azure will be encrypted.

 

To recover the data, you need to launch Agent Backup Client on this computer or on another computer and choose "Recover data" option.

On the Azure Portal you can see how many recovery points are stored in the backup vault.

System Center Data Protection Manager

This scenario allows System Center Data Protection Manager to copy backups to Azure Backup vault. It can be used for:

  1. Long-term backup - e.g. store backups on local disk storage only for the last month, and copy backups to Azure Backup vault weekly and store them there for years
  2. Short-term backup - copy backups from local disks to Azure Backup vault daily. In either case, you need to store at least one backup on local disks before moving it to Azure Backup vault.

Azure Backup vault eliminates the need for tape storage for long-term backups, because it is usually much cheaper to back up to Azure than to buy an expensive tape storage system. Currently you can store backup data for the last 99 years. More than enough.

DPM 2012 R2 and later can back up files, SQL Server databases, Exchange databases, SharePoint farms, Windows Server system states and Hyper-V VMs. Details are available here.

This functionality can be used in 2 different ways:

  1. The service provider backs up data of all tenants (IaaS, hosted Exchange, Database-as-a-Service) to DPM. DPM copies the backups to the Azure Backup vault, provided via a common Azure CSP Subscription. Currently each DPM server can use only one Azure Backup vault, so it is impossible to use several different Azure subscriptions for different tenants' data on the same DPM server.
  2. The CSP Partner provides a managed backup service to its customer. The partner deploys a DPM server (or configures the existing one) in the on-premise customer environment and configures it to use the Azure Backup vault in a dedicated Azure CSP subscription.

First of all, you need to install the Azure Recovery Services agent on the DPM server. This is the same agent that is used for the File-Folder Backup scenario. Click the "Download" button and save the vault credentials file to a location that can be accessed by the DPM server.

After that, go to Management -> Online menu in DPM Administration console and click "Register" button.

Choose the file with vault credentials that you've got from Azure portal.

 

During the installation process, you'll be able to configure Internet connection throttling settings. You'll also need to specify a local staging folder, which is used for temporary data during recovery jobs from the Azure Backup vault.

 

Generate a passphrase that will be used for data encryption in the Azure Backup vault. Save this passphrase to a secure location; you'll need it to recover data from the Backup vault if the primary DPM server fails.

Good hint in the installer - don't forget to configure DPM database backup.

 

After that you'll need to create a Protection Group or add Online Protection option to the existing Protection Group.

The full copy of the data is transferred to the Azure Backup vault only once. After that only compressed incremental data is sent, which is much smaller in size. The Azure ImportExport service is not available via CSP right now.

You can see all connected DPM servers on the Azure CSP portal in the "Backup Management Servers" menu.

Update: Bonus scenario - Azure Backup Server

If a service provider wishes to offer its customer backup to Azure with the ability to back up VMs, SQL Server DBs and Exchange DBs, but the customer doesn't have licenses for System Center and doesn't want to spend much time on a full DPM server installation, then you can use Azure Backup Server instead.

Several months ago Microsoft released Azure Backup Server. This is a special version of Data Protection Manager 2012 R2, but with several differences:

  1. Simple and smooth installation (no need to install SQL Server manually)
  2. No System Center licenses required
  3. Azure subscription with Azure Backup services required (installation won't start without validated Vault credentials)
  4. No tape support
  5. No SCOM integration, so no central management and monitoring.

Download Azure Backup Server from here. I recommend using the latest version of the Microsoft Azure Recovery Services Agent. Download it from here. When I wrote this blogpost, the latest version available was 2.0.9032.0, while the Azure Backup Server distribution package included an older version (2.0.8720.0), which is not compatible with the new Azure Recovery Services vault. Just copy the fresh MARSAgentInstaller.exe to C:\Microsoft Azure Backup\MARSAgent before the Azure Backup Server installation.

Download your Recovery Vault Credentials:

Start the installer on the on-premise server or VM and proceed with the next steps as usual.

Launch Azure Backup Server management console. As you see, this is a usual DPM server, but no Tape Management is available:

Create a protection group as in usual DPM. As you see, Online Protection is available here, but not required.

In the next post I've provided information about the Azure Site Recovery (ASR) functionality that became available in Azure CSP. If you are interested - go here.

Comments

  • Anonymous
    April 11, 2016
    As I've already mentioned in my previous post, that Azure Backup and Azure Site Recovery functionality become available in Azure CSP. Previous post was related to Azure Backup, and today I'll talk about Azure Site Recovery. Azure Site Recovery
  • Anonymous
    April 15, 2016
    In my previous post I've mentioned, that currently there are significant feature differences between Microsoft Azure, purchased via traditional channels (Direct, Open, EA), and Azure CSP. In this post I'll continue my CSP story and describe Azure
  • Anonymous
    May 21, 2017
    Azure Backup vault holds the second copy of the data while the local storage holds the first (and mandatory) backup copy. My question is - Does Azure Backup Server also encrypt the first backup copy on local storage?
    • Anonymous
      May 24, 2017
      No, DPM and Azure Backup Server don't encrypt locally stored backups. To encrypt local storage, you can use storage-level encryption. For example, enable BitLocker on the volume, where DPM virtual disks are stored.