
Enable Backups for Azure Virtual Machines

Trend Cloud One™ – Conformity is a continuous assurance tool that provides peace of mind for your cloud infrastructure, delivering over 1000 automated best practice checks.

Risk Level: High (act today)
Rule ID: VirtualMachines-013

Ensure that Azure Backup service is enabled and configured to create server backups for your Microsoft Azure virtual machines (VMs), in order to follow data security best practices and compliance requirements. Azure Backup service is a cost-effective, one-click backup solution that simplifies virtual machine data recovery in your Azure cloud account.

This rule resolution is part of the Conformity Security & Compliance tool for Azure.

Security

To protect your Azure virtual machines (VMs) against accidental deletion and/or corruption, Cloud Conformity strongly recommends that you enable and configure VM backups. Once Azure Backup service is configured, your virtual machines are backed up according to a precise schedule defined within the appropriate backup policy, then recovery points are created from those backups and stored in the Azure Recovery Services vaults.


Audit

To determine if your Microsoft Azure VMs are configured for backup, perform the following actions:

Using Azure Console

01 Sign in to Azure Management Console.

02 Navigate to All resources blade at https://portal.azure.com/#blade/HubsExtension/BrowseAll to access all your Microsoft Azure resources.

03 Choose the Azure subscription that you want to access from the Subscription filter box.

04 From the Type filter box, select Virtual machine to list only the Azure virtual machines available in the selected subscription.

05 Click on the name of the virtual machine (VM) that you want to examine.

06 On the navigation panel, under Operations, select Backup to access the Azure Backup service configuration settings available for the selected virtual machine. If the Azure Backup service is not configured, the Enable Backup button is displayed instead; in that case the selected Microsoft Azure virtual machine (VM) is not protected by server backups.

07 Repeat steps no. 5 and 6 for each Azure virtual machine deployed in the selected subscription.

08 Repeat steps no. 3 – 7 for each subscription created in your Microsoft Azure cloud account.

Using Azure CLI

01 Run vm list command (Windows/macOS/Linux) using custom query filters to list the name and the associated resource group of each virtual machine (VM) provisioned in the current Azure subscription:

az vm list \
  --output table \
  --query '[*].{"VirtualMachines":name, "ResourceGroups":resourceGroup, "Location":location}'

02 The command output should return the requested virtual machine (VM) identifiers:

VirtualMachines     ResourceGroups                  Location
-----------------   ------------------------------  ----------------
cc-production-vm    cloud-shell-storage-westeurope  westeurope
cc-warehouse-vm     cloud-shell-storage-westeurope  westeurope
cc-project5-vm      cloud-shell-storage-westeurope  westeurope

03 Run backup vault list command (Windows/macOS/Linux) using custom query filters to list the name of each Azure Recovery Service vault available within the current subscription. A Recovery Service vault is a storage entity in Azure cloud that holds backup data for various resources such as virtual machines and SQL databases:

az backup vault list \
  --resource-group cloud-shell-storage-westeurope \
  --output table \
  --query '[*].{"Vault":name, "Location":location}'

04 The command output should return the requested vault name(s):

Vault                 Location
-------------------   ----------------
cc-vm-backup-vault    westeurope

05 Run backup item list command (Windows/macOS/Linux) using the name of the Azure Recovery Service vault that you want to examine as the identifier parameter and custom query filters to list the names of the virtual machines backed up within the selected Azure Recovery Service vault. Repeat this step for all Recovery Service vaults available in the current subscription:

az backup item list \
  --resource-group cloud-shell-storage-westeurope \
  --vault-name cc-vm-backup-vault \
  --output table \
  --query '[*].properties.{"BackedUpVirtualMachines":friendlyName}'

06 The command output should return a table with the names of the virtual machines (VMs) that use the Azure Backup service, available in the current subscription:

BackedUpVirtualMachines
-----------------------
cc-warehouse-vm
cc-project5-vm

Compare the virtual machine names returned by the backup item list command (step no. 6) with those returned by the vm list command (step no. 2). Any virtual machine that appears in the step no. 2 list but not in the step no. 6 list is not backed up using Azure Backup service.

07 Repeat steps no. 1 – 6 for each subscription available in your Microsoft Azure cloud account.

Remediation / Resolution

To enable backups for your Microsoft Azure virtual machines (VMs), perform the following actions:

Using Azure Console

01 Sign in to Azure Management Console.

02 Navigate to All resources blade at https://portal.azure.com/#blade/HubsExtension/BrowseAll to access all your Microsoft Azure resources.

03 Choose the Azure subscription that you want to access from the Subscription filter box.

04 From the Type filter box, select Virtual machine to list only the Azure virtual machines available in the selected subscription.

05 Click on the name of the virtual machine (VM) that you want to reconfigure.

06 On the navigation panel, under Operations, select Backup to access the Azure Backup service configuration for the selected virtual machine.

07 On the Backup page, perform the following:

  1. From the Recovery Service vault choose whether to create a new vault or select an existing one. An Azure Recovery Service vault is a storage entity that holds the virtual machine backups.
  2. From Choose backup policy dropdown list select an existing backup policy or click Create (or edit) a new policy to create/edit a new backup policy. A backup policy specifies frequency and time at which specified resources will be backed up and how long the backup copies are retained.
  3. Once the backup policy is properly configured, click Enable Backup to enable server backups for the selected Microsoft Azure virtual machine. You can now start a backup job by using Backup now button or wait for the selected policy to run the job at the scheduled time. The first backup job creates a full recovery point. Each backup job after the initial server backup creates incremental recovery points.

08 Repeat steps no. 5 – 7 to enable server backups for other Azure virtual machines available in the selected subscription.

09 Repeat steps no. 4 – 8 for each subscription created in your Microsoft Azure cloud account.

Using Azure CLI

01 Run backup vault create command (Windows/macOS/Linux) to create a new Azure Recovery Service vault that will hold all the server backups created for the specified Azure virtual machine (VM):

az backup vault create \
  --resource-group cloud-shell-storage-westeurope \
  --name cc-new-backup-vault \
  --location westeurope

02 The command output should return the configuration metadata for the new vault:

{
  "eTag": null,
  "id": "/subscriptions/abcdabcd-1234-abcd-1234-abcdabcdabcd/resourceGroups/cloud-shell-storage-westeurope/providers/Microsoft.RecoveryServices/vaults/cc-new-backup-vault",
  "location": "westeurope",
  "name": "cc-new-backup-vault",
  "properties": {
    "provisioningState": "Succeeded",
    "upgradeDetails": null
  },
  "resourceGroup": "cloud-shell-storage-westeurope",
  "sku": {
    "name": "Standard"
  },
  "tags": null,
  "type": "Microsoft.RecoveryServices/vaults"
}

03 Run backup protection enable-for-vm command (Windows/macOS/Linux) to enable server backups for the selected Microsoft Azure virtual machine. Use the default backup policy provided by Azure Backup service or run az backup policy set command (Windows/macOS/Linux) to update the default policy if you need to change the backup schedule/frequency and/or the retention period configured. The default backup protection policy (i.e. "DefaultPolicy") runs a backup job each day and retains recovery points for 30 days:

az backup protection enable-for-vm \
  --resource-group cloud-shell-storage-westeurope \
  --vm cc-production-vm \
  --vault-name cc-new-backup-vault \
  --policy-name DefaultPolicy

04 The command output should return the backup protection enable-for-vm command request metadata:

{
  "eTag": null,
  "id": "/subscriptions/abcdabcd-1234-abcd-1234-abcdabcdabcd/resourcegroups/cc-vm-resource-group/providers/microsoft.recoveryservices/vaults/cc-new-backup-vault/backupJobs/abcdabcd-1234-abcd-1234-abcdabcdabcd",
  "location": null,
  "name": "abcdabcd-1234-abcd-1234-abcdabcdabcd",
  "properties": {
    "actionsInfo": null,
    "activityId": "abcdabcd-1234-abcd-1234-abcdabcdabcd",
    "backupManagementType": "AzureIaasVM",
    "containerName": ";iaasvmcontainerv2;cc-vm-resource-group;cc-production-vm",
    "duration": "0:00:30.975155",
    "endTime": "2019-10-29T12:15:00.240606+00:00",
    "entityFriendlyName": "cc-production-vm",
    "errorDetails": null,
    "extendedInfo": {
      "dynamicErrorMessage": null,
      "estimatedRemainingDuration": null,
      "internalPropertyBag": null,
      "progressPercentage": null,
      "propertyBag": {
        "Policy Name": "DefaultPolicy",
        "VM Name": "cc-production-vm"
      },
      "tasksList": []
    },
    "jobType": "AzureIaaSVMJob",
    "operation": "ConfigureBackup",
    "startTime": "2019-10-29T12:15:00.265451+00:00",
    "status": "Completed",
    "virtualMachineVersion": "Compute"
  },
  "resourceGroup": "cloud-shell-storage-westeurope",
  "tags": null,
  "type": "Microsoft.RecoveryServices/vaults/backupJobs"
}

05 Repeat steps no. 1 – 4 to enable server backups for other Azure virtual machines provisioned in the current subscription.

06 Repeat steps no. 1 – 5 for each subscription available within your Microsoft Azure cloud account.
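The Audit CLI procedure (steps 01 to 07 above) and this Remediation CLI procedure, combined into one script that walks every subscription, reports the VMs with no Azure Backup item and, when asked to, enables protection for them with DefaultPolicy. This is an added example, not code from the Conformity page or from Microsoft. It assumes a signed-in Azure CLI, names the vault it creates "<resource-group>-backup-vault" (a convention chosen here, not on the page), passes the VM to enable-for-vm by resource ID so the lookup is unambiguous, and adds the --backup-management-type AzureIaasVM filter (not on the page) so that only VM items are compared. The name comparison itself is a pure shell function and runs without Azure.

```shell
#!/bin/sh
# Added example, not part of the Conformity page or the Azure CLI: walks every
# subscription, reports VMs with no Azure Backup item (the Audit steps) and,
# when invoked with "fix", enables protection for them (the Remediation steps).
# Assumptions: a signed-in Azure CLI; one vault per resource group named
# "<resource-group>-backup-vault" (naming convention chosen here); VMs are
# handed to enable-for-vm by resource ID so the lookup is unambiguous.
set -eu

# unprotected_vms ALL PROTECTED
# Both arguments are newline-separated VM name lists. Prints every name in ALL
# that does not appear, as a whole line, in PROTECTED (Audit step 06). Exact
# matching (-x) keeps "cc-vm" from being masked by "cc-vm-2".
unprotected_vms() {
  all=$1
  protected=$2
  printf '%s\n' "$all" | while IFS= read -r vm; do
    [ -n "$vm" ] || continue
    if ! printf '%s\n' "$protected" | grep -qxF -e "$vm"; then
      printf '%s\n' "$vm"
    fi
  done
}

# protected_vms_in_subscription
# Prints the friendlyName of every IaaS VM backup item across all Recovery
# Services vaults in the current subscription (Audit steps 03 and 05). The
# --backup-management-type filter is not on the page; it drops SQL and file
# share items whose friendly names are not VM names.
protected_vms_in_subscription() {
  az backup vault list --query '[].[name,resourceGroup]' --output tsv |
  while read -r vault rg; do
    az backup item list --resource-group "$rg" --vault-name "$vault" \
      --backup-management-type AzureIaasVM \
      --query '[].properties.friendlyName' --output tsv
  done
}

# enable_backup VAULT_RG VAULT VM_ID
# Remediation step 03 with the built-in DefaultPolicy (daily backup, 30-day
# retention per the page). The ConfigureBackup job status in the response (the
# "status" field of the page's sample output) decides success.
enable_backup() {
  vault_rg=$1
  vault=$2
  vm_id=$3
  status=$(az backup protection enable-for-vm \
    --resource-group "$vault_rg" --vault-name "$vault" --vm "$vm_id" \
    --policy-name DefaultPolicy --query properties.status --output tsv)
  if [ "$status" != "Completed" ]; then
    echo "ConfigureBackup for $vm_id ended with status '$status'" >&2
    return 1
  fi
}

# audit_and_fix MODE   (MODE is "audit" or "fix")
audit_and_fix() {
  mode=$1
  az account list --query '[].id' --output tsv | while read -r sub; do
    az account set --subscription "$sub"
    all=$(az vm list --query '[].name' --output tsv)
    protected=$(protected_vms_in_subscription)
    unprotected_vms "$all" "$protected" | while read -r vm; do
      echo "subscription $sub: VM '$vm' is not protected by Azure Backup"
      [ "$mode" = fix ] || continue
      az vm list --query "[?name=='$vm'].[resourceGroup,id,location]" --output tsv |
      while read -r rg vm_id location; do
        vault="$rg-backup-vault"   # assumed naming convention, see header
        # Remediation step 01; the vault has to live in the VM's own region.
        az backup vault create --resource-group "$rg" --name "$vault" \
          --location "$location" --output none
        enable_backup "$rg" "$vault" "$vm_id"
      done
    done
  done
}

case "${1:-}" in
  audit|fix) audit_and_fix "$1" ;;
  *) echo "usage: $0 audit|fix" >&2 ;;
esac
```

Run it as "sh vm-backup-audit.sh audit" to only report, or "sh vm-backup-audit.sh fix" to also enable protection. Like the page's procedure, it matches VMs by name, so a VM name that is reused in two resource groups of the same subscription makes the comparison ambiguous; in that situation compare resource IDs instead.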

Publication date Jun 24, 2020