Hi All,
This is a slightly different blog than the others in the series, but I think it is one that can help you a lot in getting the most out of the combination of Azure Backup, Tags and Azure Policy.
In this blog I will walk you through how to automate backup with Azure and what limitations you have to keep in mind.
First we are going to create a Recovery Services Vault (RSV); this will enable us to create backup schedules and add backup infrastructure.
Microsoft documentation can be found here: Overview of Recovery Services vaults - Azure Backup | Microsoft Docs
Although this is our vault for all backups, there are limitations:
* Every subscription needs its own vault (you can't back up from another subscription)
* You can't back up across regions, so the VM and the RSV need to be in the same region
Once the RSV is created we can open it to create our backup schedules. Let's say we need 1 for Non Production servers and 1 for Production servers.
Microsoft is nice enough to provide us with some default policies we can use, but as we want some specifics, let's create a new one.
In the creation screen of the backup policy we can select standard vs enhanced backup, provide the name and the schedule we want for our servers.
After doing the same for the Production schedule with more retention points, let's see if they show up in the overview.
Now we need something to identify the servers, so we can determine which backup policy will get applied later on.
This is where tags come into play: we will tag the VMs with Backup:Prod or Backup:NonProd.
Of course you can use your own naming in the tags if you wish.
Also see the Microsoft documentation: Tag resources, resource groups, and subscriptions for logical organization - Azure Resource Manager | Microsoft Docs
Now that we have both components in place, let's create an Azure Policy so our VMs get added to the RSV backup policy.
Here we have to select "Configure backup on virtual machines with a given tag to an existing RSV".
As we cannot use the RSV across subscriptions, this policy has to be assigned at the subscription level.
Unfortunately, scoping to management groups won't work for this policy type.
In the next screen, Parameters, there are some things we have to select. First, uncheck "Only show parameters that need input", as this is not correct and we need to put in more information.
Then we can select the Location, the Tag Name as a normal text field, and the text value in array format.
The next step is the selection of the vault and the backup policy we have created in the RSV.
Now we want the policy to take effect not only on newly deployed VMs but also on VMs that are already running; therefore we need to check the box to create a remediation task.
Now the policy is created. I have done the same steps, but then for the Prod policy.
Policies can take up to 30 minutes to take effect. Also, don't add more than 200 servers at the same time to your RSV, as it can delay the first backup run.
So let's take a look after some coffee to see if our servers are added to the backup policy based on their tags!
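The limits mentioned above (vault and VM in the same subscription and region, selection by tag, no more than 200 servers at the same time) can be checked against an inventory before the policy is assigned. This is an added example, not part of the original post or of Microsoft's tooling: the VM and Assignment classes, the plan function and all sample names are hypothetical, and it makes no Azure calls.

```python
from dataclasses import dataclass, field

MAX_BATCH = 200  # the post's advice: no more than 200 servers at the same time
@dataclass
class VM:
    name: str
    subscription: str
    region: str
    tags: dict = field(default_factory=dict)

@dataclass
class Assignment:  # hypothetical model of one policy assignment
    subscription: str   # the policy is assigned per subscription
    vault_region: str   # VM and RSV must be in the same region
    tag_name: str
    tag_values: list    # the value parameter is entered as an array
    backup_policy: str

def plan(vms, assignments):
    """Return (enrolled, skipped, warnings). Tags are compared exactly (a simplification)."""
    enrolled = {a.backup_policy: [] for a in assignments}
    skipped = {}
    for vm in vms:
        tagged = [a for a in assignments if vm.tags.get(a.tag_name) in a.tag_values]
        usable = [a for a in tagged if a.subscription == vm.subscription]
        local = [a for a in usable if a.vault_region == vm.region]
        if local:
            enrolled[local[0].backup_policy].append(vm.name)
        elif usable:
            skipped[vm.name] = "vault is in another region"
        elif tagged:
            skipped[vm.name] = "vault is in another subscription"
        else:
            skipped[vm.name] = "no matching backup tag"
    warnings = [f"{policy}: {len(names)} VMs added at once, first backup may be delayed"
                for policy, names in enrolled.items() if len(names) > MAX_BATCH]
    return enrolled, skipped, warnings
# Constructed sample data: every name, subscription and region below is made up.
ASSIGNMENTS = [
    Assignment("sub-a", "westeurope", "Backup", ["Prod"], "Prod-Policy"),
    Assignment("sub-a", "westeurope", "Backup", ["NonProd"], "NonProd-Policy"),
]
VMS = [
    VM("vm-app01", "sub-a", "westeurope", {"Backup": "Prod"}),
    VM("vm-test01", "sub-a", "westeurope", {"Backup": "NonProd"}),
    VM("vm-dr01", "sub-a", "northeurope", {"Backup": "Prod"}),
    VM("vm-other01", "sub-b", "westeurope", {"Backup": "Prod"}),
    VM("vm-untagged", "sub-a", "westeurope"),
]
```

Calling plan(VMS, ASSIGNMENTS) lists which VMs each backup policy would pick up and why the rest would be left without backup.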
Additional tips:
When you deploy a VM, you can add the tags during the deployment so it gets added directly to the correct backup schedule.
Also you can use Azure Policy to deploy tags on your resources.
This way you don't have to worry about servers not being backed up within Azure.
Use Backup Center for an overview of your backup compliance, jobs and vaults; especially when you work in bigger environments this really helps.