Task 01: Configure Azure Backup
DOCUMENT CATEGORY: Runbook
SCOPE: VM backup configuration with Azure Backup
PURPOSE: Deploy and configure Azure Backup for Azure Local VM protection
MASTER REFERENCE: Microsoft Learn - Back up Azure Local VMs with Azure Backup
DESIGN REFERENCE: Azure Backup Appliance LLD
Status: Active
Azure Backup provides enterprise backup capabilities for Azure Local VMs with both local disk retention for fast recovery and Azure integration for offsite protection. This step covers Azure Backup deployment, agent installation, and protection group configuration.
Prerequisites
| Requirement | Description | Validation |
|---|---|---|
| Backup server VM | Dedicated VM on cluster with sufficient storage | 80 TB recommended for 800 VMs |
| Azure Backup Software | Azure Backup V4 or later | Supports Azure Local 22H2+ |
| Recovery Services Vault | Azure vault for online protection | Created in Azure subscription |
| Network Connectivity | Azure Backup to Azure (443), Azure Backup to nodes (445, 135, dynamic RPC) | Firewall rules configured |
| Cluster Access | Domain account with local admin on all nodes | CredSSP or Kerberos delegation |
| Integration Components | Same version on guest VMs and hosts | Required for backup consistency |
Variables from variables.yml
| Variable | Config Path | Example |
|---|---|---|
| AZURE_RESOURCE_GROUP | azure.resource_group.name | rg-azurelocal-prod-eus2 |
| RECOVERY_VAULT_NAME | backup.recovery_vault_name | rsv-azl-dal-prod-01 |
| BACKUP_SERVER_NAME | backup.server_name | azl-dal-mabs-01 |
| CLUSTER_STORAGE_PATH | storage.cluster_storage_path | C:\ClusterStorage\Volume01 |
| MANAGEMENT_VIRTUAL_SWITCH | networking.management.virtual_switch | ConvergedSwitch(mgmt_compute) |
Architecture Overview
Azure Backup supports two backup approaches:
| Approach | Description | Use Case |
|---|---|---|
| Host-level backup | Agent on cluster nodes, backs up entire VMs at hypervisor level | Full VM recovery, OS-agnostic, no guest agent required |
| Guest-level backup | Agent inside each VM, application-aware backups | SQL, Exchange, SharePoint item-level recovery |
Use both approaches: Host-level for full VM recovery and guest-level for critical application workloads requiring item-level recovery.
For detailed hardware specifications, storage configuration, and appliance sizing, see the Azure Backup Appliance Low Level Design.
Key Storage Design: The BOSS card contains only OS (C:) and Azure Backup/SQL (E:) partitions. All staging (G:) and storage pool (S:) volumes must reside on RAID controller-attached drives.
Configuration Steps
Step 1.1: Deploy backup server VM
- Create a dedicated VM on the Azure Local cluster:
```powershell
# Create Azure Backup VM
$VMName = "{{BACKUP_SERVER_NAME}}"
$VMPath = "{{CLUSTER_STORAGE_PATH}}\VMs"
$SwitchName = "{{MANAGEMENT_VIRTUAL_SWITCH}}"
New-VM -Name $VMName `
    -MemoryStartupBytes 16GB `
    -Generation 2 `
    -Path $VMPath `
    -SwitchName $SwitchName
# Configure VM resources
Set-VMProcessor -VMName $VMName -Count 8
Set-VMMemory -VMName $VMName -DynamicMemoryEnabled $false
# Add storage for Azure Backup disk pool (minimum 1.5x protected data size)
$StorageDisk = New-VHD -Path "$VMPath\$VMName\Storage.vhdx" -SizeBytes 10TB -Dynamic
Add-VMHardDiskDrive -VMName $VMName -Path $StorageDisk.Path
```
- Install Windows Server 2022 on the VM
- Join to domain and configure static IP
- Format storage disk for Azure Backup disk pool
Step 1.2: Install Azure Backup
- Download Azure Backup V4 from Microsoft Evaluation Center
- Run the installer and select required components:
  - SQL Server (bundled or use existing)
  - Azure Backup Server
- Register with Recovery Services Vault, using one of the following options:

Azure Portal:
- Navigate to Recovery Services vault → Properties → Backup Credentials
- Click Download to get vault credentials file
- Copy to backup server
- During Azure Backup setup, specify the vault credentials file

Direct Script (On Node):
```bash
# Show the vault's managed identity
az backup vault identity show \
    --resource-group "{{AZURE_RESOURCE_GROUP}}" \
    --name "{{RECOVERY_VAULT_NAME}}"
# Download vault credentials (expires in 48 hours)
az backup vault credential download \
    --resource-group "{{AZURE_RESOURCE_GROUP}}" \
    --name "{{RECOVERY_VAULT_NAME}}" \
    --path "C:\Temp\VaultCredentials.VaultCredentials"
```

Standalone Script:
```powershell
# Connect to Azure
Connect-AzAccount
# Get Recovery Services vault
$vault = Get-AzRecoveryServicesVault `
    -ResourceGroupName "{{AZURE_RESOURCE_GROUP}}" `
    -Name "{{RECOVERY_VAULT_NAME}}"
# Generate vault credentials file
$credentialsPath = "C:\Temp"
Get-AzRecoveryServicesVaultSettingsFile `
    -Vault $vault `
    -Backup `
    -Path $credentialsPath
```
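The vault credentials file lets a server register against the vault until it expires, and `C:\Temp` is usually readable by more accounts than the operator. The following is an added example, not part of the original runbook: it restricts the file's ACL while it is on disk and removes it after registration. The function names are hypothetical, and it assumes the setup wizard runs as the same operator who runs this script.

```powershell
# Added example (not from the runbook). Function names are hypothetical;
# C:\Temp is the download path used in the steps above.

function Protect-VaultCredentialFile {
    param([Parameter(Mandatory)][string]$Path)

    $acl = Get-Acl -LiteralPath $Path
    # Stop inheriting permissions from C:\Temp and drop the inherited entries
    $acl.SetAccessRuleProtection($true, $false)
    # Remove any explicit entries that remain
    foreach ($ace in @($acl.Access)) { [void]$acl.RemoveAccessRule($ace) }

    # Grant access only to the current operator and to SYSTEM (S-1-5-18)
    $operator = [System.Security.Principal.WindowsIdentity]::GetCurrent().User
    $system   = [System.Security.Principal.SecurityIdentifier]::new('S-1-5-18')
    foreach ($sid in $operator, $system) {
        $rule = [System.Security.AccessControl.FileSystemAccessRule]::new(
            $sid, 'FullControl', 'Allow')
        $acl.AddAccessRule($rule)
    }
    Set-Acl -LiteralPath $Path -AclObject $acl
}

function Remove-VaultCredentialFile {
    param([Parameter(Mandatory)][string]$Path)

    $file = Get-Item -LiteralPath $Path
    # Age is measured from when the file landed on this server, so a copied
    # file may be older than reported; treat the value as a lower bound.
    $ageHours = ((Get-Date) - $file.CreationTime).TotalHours
    if ($ageHours -ge 48) {
        Write-Warning "Credentials file is at least $([int]$ageHours) h old and has expired."
    }
    Remove-Item -LiteralPath $Path -Force
}

# Pick the most recently downloaded credentials file
$credFile = Get-ChildItem -Path 'C:\Temp' -Filter '*.VaultCredentials' |
    Sort-Object LastWriteTime -Descending |
    Select-Object -First 1
if (-not $credFile) { throw 'No .VaultCredentials file found in C:\Temp' }

Protect-VaultCredentialFile -Path $credFile.FullName

# Run this only after the server has been registered with the vault:
# Remove-VaultCredentialFile -Path $credFile.FullName
```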
Step 1.3: Configure Azure Backup Storage Pool
- Open Azure Backup Administrator Console
- Navigate to Management → Disk Storage
- Click Add to add storage disks
- Select the storage disk attached to Azure Backup VM
- Configure storage allocation:
| Recommendation | Size Formula |
|---|---|
| Replica volume | Protected data size × 2 |
| Recovery point volume | Protected data size × retention days × daily change rate |
Step 1.4: Install Protection Agent on Cluster Nodes
If Azure Benefits is enabled with WDAC, temporarily switch to Audit mode before agent installation.
Choose one of the two installation methods.

Orchestrated Install (Push):
- In backup console, navigate to Management → Agents
- Click Install in the toolbar
- Select Install agents
- Enter cluster node names or browse Active Directory
- Provide credentials with local admin rights
- Complete installation wizard

Manual Install:

On each cluster node:
```powershell
# Confirm which node this session is running on
$env:COMPUTERNAME
# WDAC, if enforced, must already be in Audit mode (see the note above).
# Disable the firewall rule that blocks WMI queries (see Troubleshooting)
Disable-NetFirewallRule AzsHci-ImdsAttestation-Block-TCP-In
# Copy agent installer from backup server
$BackupServer = "{{BACKUP_SERVER_NAME}}"
Copy-Item "\\$BackupServer\C$\Program Files\Azure Backup\DPM\Agents\RA\*.exe" `
    -Destination "C:\Temp\"
# Install agent
Start-Process -FilePath "C:\Temp\DPMAgentInstaller.exe" `
    -ArgumentList "/q" `
    -Wait
# Configure agent to connect to Azure Backup
Set-Location "C:\Program Files\Microsoft Data Protection Manager\DPM\bin"
.\SetDpmServer.exe -dpmServerName $BackupServer
```

After installation on all nodes, attach agents in backup console:
- Navigate to Management → Agents
- Click Install → Attach agents
- Select installed agents and confirm
After agent installation, re-enable WDAC if it was disabled.
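A node left in WDAC Audit mode after the install window no longer blocks untrusted code, and the firewall rule change from the manual install is easy to lose track of. The following is an added example, not part of the original runbook: it reports both settings per node so the change can be confirmed or recorded. The node names are constructed placeholders, and it assumes WDAC was enforced on every node before the agent install.

```powershell
# Added example (not from the runbook): report each node's WDAC mode and the
# state of the firewall rule that the manual install step disables.
$Nodes    = @('node01', 'node02')   # constructed placeholder node names
$RuleName = 'AzsHci-ImdsAttestation-Block-TCP-In'

$report = Invoke-Command -ComputerName $Nodes -ArgumentList $RuleName -ScriptBlock {
    param($RuleName)

    # Win32_DeviceGuard reports code integrity policy enforcement:
    # 0 = off, 1 = audit, 2 = enforced
    $dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' `
        -ClassName Win32_DeviceGuard
    $wdacMode = switch ($dg.CodeIntegrityPolicyEnforcementStatus) {
        0       { 'Off' }
        1       { 'Audit' }
        2       { 'Enforced' }
        default { 'Unknown' }
    }

    $rule = Get-NetFirewallRule -Name $RuleName -ErrorAction SilentlyContinue

    [pscustomobject]@{
        Node         = $env:COMPUTERNAME
        WdacMode     = $wdacMode
        FirewallRule = if ($rule) { "Enabled=$($rule.Enabled)" } else { 'NotFound' }
    }
}

$report | Sort-Object Node | Format-Table Node, WdacMode, FirewallRule -AutoSize

# Assumption: every node was in Enforced mode before the install window
$notEnforced = $report | Where-Object { $_.WdacMode -ne 'Enforced' }
if ($notEnforced) {
    Write-Warning ('WDAC is not enforced on: ' + ($notEnforced.Node -join ', '))
}
```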
Step 1.5: Create Protection Group for VMs
- In backup console, select Protection → Create protection group
- Select protection type: Servers
- Select group members:
  - Highly Available VMs: Select from cluster for clustered VMs
  - Hyper-V (Unmanaged) VMs: Select from individual nodes
- Configure Data Protection Method:
  - Name: {{PROTECTION_GROUP_NAME}}
  - Enable: I want short-term protection using Disk
  - Enable: I want online protection (for Azure backup)
- Configure Short-Term Goals:
  - Retention range: {{BACKUP_RETENTION_DAYS}} days
  - Synchronization frequency: Every 15 minutes or before recovery point
- Configure Disk Allocation:
  - Review and accept default allocations
  - Enable Automatically grow the volumes if needed
- Configure Online Protection:
  - Select data for online protection
  - Configure online backup schedule (daily/weekly)
  - Set online retention policy (up to 99 years)
- Review and create protection group
Step 1.6: Configure Backup Schedules
Example protection schedule:
| Schedule Type | Frequency | Time | Retention |
|---|---|---|---|
| Express full backup | Daily | 9:00 PM | 14 days (disk) |
| Online backup | Daily | 11:00 PM | 30 days (Azure) |
| Weekly full | Sunday | 2:00 AM | 5 weeks (Azure) |
| Monthly | 1st Sunday | 2:00 AM | 12 months (Azure) |
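```powershell
# Example: Modify protection group schedule via PowerShell
$pg = Get-DPMProtectionGroup -DPMServerName "{{BACKUP_SERVER_NAME}}" |
    Where-Object { $_.FriendlyName -eq "{{PROTECTION_GROUP_NAME}}" }
# Work on a modifiable copy; nothing changes until it is committed
$mpg = Get-DPMModifiableProtectionGroup -ProtectionGroup $pg
# Get the short-term (disk) schedule
$sched = Get-DPMPolicySchedule -ProtectionGroup $mpg -ShortTerm
# Modify as needed (for example with -DaysOfWeek and -TimesOfDay)
Set-DPMPolicySchedule -ProtectionGroup $mpg -Schedule $sched
# Commit the change to the protection group
Set-DPMProtectionGroup -ProtectionGroup $mpg
```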
Validation
Verify Agent Status
```powershell
# On backup server - check agent status
Get-DPMProductionServer -DPMServerName "{{BACKUP_SERVER_NAME}}" |
    Select-Object Name, ServerProtectionState, AgentVersion
```
Expected output shows all cluster nodes with Valid protection state.
Run Test Backup
- In backup console, select a protected VM
- Right-click → Create recovery point
- Select Online protection to test Azure connectivity
- Monitor job in Monitoring → Jobs
Verify Azure Recovery Points
Azure Portal:
- Navigate to Recovery Services vault → Backup items
- Select Azure Backup Server
- Verify VMs appear with recent recovery points

Direct Script (On Node):
```bash
az backup item list \
    --resource-group "{{AZURE_RESOURCE_GROUP}}" \
    --vault-name "{{RECOVERY_VAULT_NAME}}" \
    --backup-management-type MAB \
    --output table
```
Validation Checklist
| Component | Verification | Expected Result |
|---|---|---|
| Azure Backup Service | Get-Service MSDPM | Running |
| Protection Agent | Agent status in console | Valid on all nodes |
| Protection Group | Group status | OK, no warnings |
| Disk Recovery Points | Latest recovery point | Within last 24 hours |
| Online Recovery Points | Azure portal check | Synced to Azure |
Recovery Procedures
Recover Entire VM (Host-Level)
- Navigate to Recovery → Select date with recovery point
- Expand server → Select VM
- Right-click → Recover
- Select recovery type:
- Recover to original instance: Replaces existing VM
- Recover as virtual machine to any host: New location
- Copy to a network folder: Export VHD files
Recover Files (Item-Level Recovery)
Item-level recovery requires Hyper-V role on backup server.
- Select VM recovery point
- Right-click → Recover
- Select Copy to a network folder
- Browse recovered VHD and extract files
Cross-Cluster Recovery
When restoring a VM to a different cluster:
- Recover VM to alternate location
- VM will be unmanaged (not Arc-connected)
- Re-register with Azure Arc:
```powershell
Register-AzStackHCI -SubscriptionId "{{AZURE_SUBSCRIPTION_ID}}" `
    -ResourceGroupName "{{AZURE_RESOURCE_GROUP}}" `
    -ArcServerResourceGroupName "{{ARC_RESOURCE_GROUP}}"
```
If restoring to the same cluster, Azure Arc connection is maintained automatically if within the 45-day reconnection window.
Troubleshooting
| Symptom | Likely Cause | Resolution |
|---|---|---|
| Agent installation fails | WDAC blocking | Switch to Audit mode, install, then re-enable |
| WMI query timeout | Firewall blocking | Disable AzsHci-ImdsAttestation-Block-TCP-In |
| Backup fails for HA VMs | Cluster not selected | Select VMs from cluster node, not individual hosts |
| Online backup slow | Bandwidth limited | Configure throttling in Azure Backup or schedule off-hours |
| Recovery point missing | Replica invalid | Run consistency check on protection group |
Capacity Planning
| Protected Data | Azure Backup Disk Storage | Azure Storage |
|---|---|---|
| 10 TB | 30 TB | Varies by retention |
| 50 TB | 150 TB | Varies by retention |
| 100 TB | 300 TB | Varies by retention |
Azure Backup storage = (Protected data × 2) + (Protected data × retention days × daily change rate)
Variables Reference
| Variable | Description | Example |
|---|---|---|
| {{BACKUP_SERVER_NAME}} | Backup server hostname | Azure Backup-dal-01 |
| {{PROTECTION_GROUP_NAME}} | Protection group name | AzureLocal-VMs-Prod |
| {{RECOVERY_VAULT_NAME}} | Recovery Services vault name | rsv-azl-dal-prod-01 |
| {{BACKUP_RETENTION_DAYS}} | Local disk retention days | 14 |
Next Steps
After configuring Azure Backup:
- Task 2: Configure Site Recovery (set up VM replication to Azure)
- Document protection group assignments
- Configure email notifications for backup failures
- Schedule regular restore tests