Credits: Special thanks to Kartik Pullabhota (Sr. PM for Automation, HANA and Database backup using Azure Backup) for SME input and Swathi Dhanwada (Customer Engineer, Tech community) for testing.
Prerequisites
If you don't already have an Azure subscription, create a free account before you begin.
Azure CLI:
- Launch Cloud Shell from the top navigation of the Azure portal.
- Select a subscription to create a storage account and Microsoft Azure Files share.
- Select Create storage.
- After creation, check that the environment drop-down on the left-hand side of the shell window says Bash.
Note: Support for Azure Blobs backup and restore via CLI is in preview and available as an extension in Az 2.15.0 version and later. The extension is automatically installed when you run the az dataprotection commands. Learn more about extensions.
Create resource group:
- To create a resource group from the Bash session within Cloud Shell, run the following:
RGNAME='your resource group name'
LOCATION='your location'
az group create --name $RGNAME --location $LOCATION
- To retrieve properties of the newly created resource group, run the following:
az group show --name $RGNAME
Create disk
- To create a new managed disk with the Cloud Shell, run the following:
DISKNAME='disk name'
az disk create --resource-group $RGNAME --name $DISKNAME --sku 'Standard_LRS' --size-gb 32
- To retrieve properties of the newly created disk, run the following:
az disk show --resource-group $RGNAME --name $DISKNAME
- To create and attach disks to a VM, see: Tutorial - Manage Azure disks with Azure PowerShell - Azure Virtual Machines | Microsoft Docs
Create backup vault
- Use the az dataprotection backup-vault create command to create a Backup vault. Learn more about creating a Backup vault.
az dataprotection backup-vault create -g <rgname> --vault-name <backup-vault-name> -l westus --type SystemAssigned --storage-settings datastore-type="VaultStore" type="LocallyRedundant"
Create backup policy
Create a protection policy to define when a backup job runs, and how long the recovery points are stored.
- Retrieve the policy template using the az dataprotection backup-policy get-default-policy-template command and store it in a file.
az dataprotection backup-policy get-default-policy-template --datasource-type AzureDisk > diskpolicy.json
- Open the JSON file that was created in the previous step, and edit the scheduled trigger and retention as required.
Note: Here, we are using the default policy settings.
- Create a new policy from the policy object using the az dataprotection backup-policy create command.
az dataprotection backup-policy create -g <rgname> --vault-name <backup-vault-name> -n <backup-policy-name> --policy diskpolicy.json
Grant required permissions to the Backup Vault
- You need to assign a few permissions via RBAC to the vault (represented by vault MSI) and the relevant disk and/or the disk RG. These can be performed via Azure portal or CLI. You need objectId of the Backup Vault to assign the required permissions.
az ad sp list --display-name <backup-vault-name> --query "[].objectId" -o json
- Assign the Disk Backup Reader role to Backup Vault’s managed identity on the Source disk that needs to be backed up.
az role assignment create --role "Disk Backup Reader" --assignee "<object-id of backup-vault identity>" --scope "/subscriptions/xxxxxxxx-xxxx-xxxx-xxxx/resourcegroups/<diskrg>/providers/Microsoft.Compute/disks/<disk-name>"
- Assign the Disk Snapshot Contributor role to the Backup Vault’s managed identity on the Resource group where backups are created.
az role assignment create --role "Disk Snapshot Contributor" --assignee "<object-id of backup-vault identity>" --scope "/subscriptions/xxxxxxxx-xxxx-xxxx-xxxx/resourcegroups/<diskrg>"
The steps to add permissions are detailed in points 1, 2, and 3 in Configure backup.
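The role assignments above take a raw --scope string, so a truncated or unfilled ID can give the vault identity a wider grant than this section intends. The following is an added example, not part of the original article: it classifies an ARM ID and accepts only the scopes used here. The function names, the sample subscription ID and the rule that nothing above resource-group scope is accepted are assumptions made for illustration.

```bash
# Added example. Sample IDs are constructed placeholders.
# Assumed policy: the vault identity never gets a role above resource-group scope.

is_guid() {  # true for 8-4-4-4-12 lowercase hex
  case $1 in *[!0-9a-f-]*) return 1 ;; esac
  case $1 in ????????-????-????-????-????????????) ;; *) return 1 ;; esac
  _hex=$(printf '%s' "$1" | tr -d '-')
  [ "${#_hex}" -eq 32 ]
}

# Prints disk | resource-group | subscription | invalid.
# "invalid" also covers well-formed IDs of resource types this procedure does not use.
scope_level() {
  _id=$(printf '%s' "$1" | tr '[:upper:]' '[:lower:]')   # ARM IDs are case-insensitive
  case $_id in /*) ;; *) echo invalid; return 0 ;; esac
  case $_id in *//*|*/) echo invalid; return 0 ;; esac   # empty path segment
  _ifs=$IFS; IFS=/; set -f
  set -- ${_id#/}                                        # split the ID into segments
  set +f; IFS=$_ifs
  if [ "$1" != subscriptions ] || ! is_guid "$2"; then echo invalid; return 0; fi
  case "$#:$3:$5/$6/$7" in
    2:*)                                                echo subscription ;;
    4:resourcegroups:*)                                 echo resource-group ;;
    8:resourcegroups:providers/microsoft.compute/disks) echo disk ;;
    *)                                                  echo invalid ;;
  esac
}

# usage: check_role_scope "<role>" "<scope>"; returns 0 only for the pairs this section uses
check_role_scope() {
  _level=$(scope_level "$2")
  case "$1:$_level" in
    "Disk Backup Reader:disk"|"Disk Backup Reader:resource-group") return 0 ;;
    "Disk Snapshot Contributor:resource-group")                    return 0 ;;
  esac
  echo "refusing '$1' at $_level scope: $2" >&2
  return 1
}

SUB=/subscriptions/00000000-0000-0000-0000-000000000000   # constructed placeholder
check_role_scope "Disk Backup Reader" \
  "$SUB/resourceGroups/diskrg/providers/Microsoft.Compute/disks/disk1" && echo "ok: reader on disk"
check_role_scope "Disk Snapshot Contributor" "$SUB" || echo "blocked: subscription-wide grant"
```

Run check_role_scope with the same role and scope you are about to pass to az role assignment create, and only proceed when it returns 0; an ID that still contains the xxxxxxxx placeholder is reported as invalid.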
Configure backup for Azure disk
- Fetch the ARM ID and the location of the disk to be protected.
DiskId="/subscriptions/xxxxxxxx-xxxx-xxxx-xxxx/resourcegroups/<diskrg>/providers/Microsoft.Compute/disks/<disk-name>"
- We recommend that you create a dedicated resource group as a snapshot datastore to be used by the Azure Backup service.
snapshotrg="/subscriptions/xxxxxxxx-xxxx-xxxx-xxxx/resourceGroups/snapshotrg"
- Use the az dataprotection backup-vault update command to enable system-assigned managed identity for the Recovery Services Vault, if not enabled.
az dataprotection backup-vault update -g testBkpVaultRG --vault-name <backup-vault-name> --type SystemAssigned
- First, prepare the relevant request by using the relevant vault, policy, disk, and snapshot resource group using the az dataprotection backup-instance initialize command. The initialize command will return a JSON file, and then you have to update the snapshot resource group value.
az dataprotection backup-instance initialize --datasource-type AzureDisk -l southeastasia --policy-id "/subscriptions/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx/resourceGroups/<backup-vault-rg>/providers/Microsoft.DataProtection/backupVaults/<backup-vault-name>/backupPolicies/mypolicy" --datasource-id "/subscriptions/xxxxxxxx-xxxx-xxxx-xxxx/resourcegroups/<disk-rg>/providers/Microsoft.Compute/disks/<disk-name>" > backup_instance.json
- Open the JSON file and edit the snapshot resource group ID in the resource_group_id under the data_store_parameters_list section.
- Use the edited JSON file to create a backup instance of the Azure Managed Disk.
az dataprotection backup-instance create -g <backup-vault-rg> --vault-name <backup-vault-name> --backup-instance backup_instance.json
Trigger an on-demand backup
You can trigger an on-demand backup if you don't want to wait for the schedule defined in the policy.
- As an initial step, list all backup instances within a vault using the az dataprotection backup-instance list command.
az dataprotection backup-instance list-from-resourcegraph --datasource-type AzureDisk --datasource-id "/subscriptions/xxxxxxxx-xxxx-xxxx-xxxx/resourcegroups/<disk-rg>/providers/Microsoft.Compute/disks/<disk-name>"
- Fetch the relevant instance name from previous command and verify it using the az dataprotection backup-instance show command.
az dataprotection backup-instance show --resource-group <rgname> --vault-name <backup-vault-name> --name <backup-instance-name obtained from previous step>
- Obtain rule name of the Azure retention rule from the backup policy that was created at the start of this article.
For the default policy, the rule name is “Default”
- Trigger on-demand backup using the following command.
az dataprotection backup-instance adhoc-backup --name <backup-instance-name obtained from previous step> --rule-name "Default" --resource-group <backup-vault-rg> --vault-name <backup-vault-name>
Restore Azure disk
- List all backup instances within a vault using the az dataprotection backup-instance list command.
az dataprotection backup-instance list-from-resourcegraph --datasource-type AzureDisk --datasource-id /subscriptions/xxxxxxxx-xxxx-xxxx-xxxx/resourcegroups/diskrg/providers/Microsoft.Compute/disks/CLITestDisk
- Fetch recovery point
az dataprotection recovery-point list --backup-instance-name <backup-instance-name obtained previously> --resource-group <backup-vault-rg> --vault-name <backup-vault-name>
- Prepare disk ID
targetDiskId="/subscriptions/xxxxxxxx-xxxx-xxxx-xxxx/resourceGroups/targetrg/providers/Microsoft.Compute/disks/CLITestDisk2"
- Prepare restore
az dataprotection backup-instance restore initialize-for-data-recovery --datasource-type AzureDisk --restore-location southeastasia --source-datastore OperationalStore --recovery-point-id /subscriptions/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx/resourceGroups/testBkpVaultRG/providers/Microsoft.DataProtection/backupVaults/<backup-vault-name>/backupInstances/clitest-clitest-xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx/recoveryPoints/5081ad8f1e6c4548ae89536d0d45c493 --target-resource-id /subscriptions/xxxxxxxx-xxxx-xxxx-xxxx/resourceGroups/targetrg/providers/Microsoft.Compute/disks/targetdiskname > restore.json
- Validate
az dataprotection backup-instance validate-for-restore --resource-group <backup-vault-rg> --vault-name <backup-vault-name> --backup-instance-name <backup-instance-name obtained previously> --restore-request-object restore.json
- Trigger restore
az dataprotection backup-instance restore trigger --resource-group <backup-vault-rg> --vault-name <backup-vault-name> --backup-instance-name <backup-instance-name obtained previously> --parameters restore.json
Track jobs
- Track all jobs using the az dataprotection job list command.
az dataprotection job list-from-resourcegraph --datasource-type AzureDisk --status Completed
Additional Resources:
- https://docs.microsoft.com/en-us/azure/backup/disk-backup-overview
- https://docs.microsoft.com/en-us/azure/backup/backup-managed-disks-cli
- https://docs.microsoft.com/en-us/azure/backup/restore-managed-disks-cli
- https://docs.microsoft.com/en-us/azure/backup/disk-backup-faq
- https://docs.microsoft.com/en-us/azure/backup/disk-backup-support-matrix