2. Backup and Recovery
1. BR-1: Ensure regular automated backups
Features: Azure Backup
Most deployments use a pooled host pool, so the session hosts hold no user data and do not need to be backed up: the user profiles live in FSLogix profile containers on an Azure Files share in a storage account. Backup and Recovery therefore has to be configured for the Azure file share.
1. Major Considerations:
1. The Recovery Services vault and the storage account that holds the file share must be in the same region; keep the host pool session hosts in that region as well.
2. If you want a private endpoint for Azure Backup, create it while the Recovery Services vault is still empty. A private endpoint cannot be added to a vault that already has protected items or registered containers.
3. Unlike private endpoints for AVD and storage accounts, a vault private endpoint cannot be given static IP addresses.
4. If the person creating the private endpoint owns the Recovery Services vault, the endpoint is approved automatically; otherwise the vault owner has to approve the connection before it can be used.
5. Once Immutable vault is enabled, retention can be increased but never decreased: a policy can go from 2 days to 3 days, but not from 2 days to 1 day.

2. Best Practices:
1. Enable Immutable vault for Azure Backup. Immutable vault is a vault-level setting that blocks any operation which would delete recovery points or shorten their retention before they expire. It protects backups from accidental deletion and from a ransomware operator who has gained access to the vault and wants to destroy the backups before encrypting production data. Enable it in the Unlocked state first; locking it makes the setting irreversible and the vault cannot be deleted until every recovery point has expired, so lock only after the policies have been tested.
2. For the Redundancy option, select Geo-redundant if the customer has a disaster recovery requirement: GRS replicates the backup data to the paired region, and Cross Region Restore requires it. Decide this before protecting anything, because the redundancy setting cannot be changed once the vault contains backup items. If the backup data is less critical and cost matters more, Zone-redundant or Locally-redundant storage is acceptable.
3. For Encryption type, Microsoft-managed keys are suitable for most customers and carry minimal management overhead; Microsoft rotates them in line with compliance requirements. Choose customer-managed keys only where the customer needs control of the key for compliance reasons, set them before protecting the first item, and be aware that the customer is then responsible for rotation and for keeping the key available: if the key is lost or revoked, every backup encrypted with it is unreadable.
4. Create a dedicated subnet for the private endpoints. A vault private endpoint consumes 10 private IP addresses, and the number may grow over time, so size the subnet with headroom.
5. Enable the lock on the storage account. The Azure Files backup solution keeps its snapshots in the same storage account as the backed-up share, so deleting the storage account deletes every recovery point with it. To guard against accidental deletion, Azure Backup places a Delete lock (named AzureBackupProtectionLock) on the storage account.
6. Hourly backups suit critical or frequently changing data; daily backups are usually enough for less critical data. Each recovery point is a share snapshot and an Azure file share can hold at most 200 snapshots, so keep the schedule frequency and the retention period within that budget.
3. Create Recovery Services Vault:
The Recovery Services vault is an interface in the Azure Portal that helps you manage backup-related activities.
1. In the global search bar, type Recovery Services Vault and select it from the results. Then click +Create.
2. Under the Basics tab, select the appropriate Subscription and Resource group.
3. Give a meaningful name to the vault.
4. Select the region.
5. Click Next-Redundancy
Note: Cross-Subscription Restore in Azure Backup is a feature that allows you to restore backup data to a different Azure subscription from the one where the backup was originally taken.
6. For Backup Storage Redundancy select Geo-redundant
7. For Cross Region Restore select Enable.
8. Click Next-Encryption.
9. Keep the default as is. Click Next-Vault properties
10. Check the box for Enable immutability.
11. Click Next-Networking.
12. For Connectivity method select Deny public access and allow private access.
13. Click +Add
14. Select the appropriate Subscription, Resource Group, Location and Name.
15. Target sub resource is selected automatically.
16. Under the Networking tab, select the Vnet and Subnet created for Private Endpoint.
17. Scroll down.
18. Select Yes to Integrate with Private DNS Zone.
19. Click OK.
20. Click Next-Tags.
21. Give the tags as required.
22. Click Review +Create.
23. Click Create.
24. Deployment is complete.
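The same vault, with the settings chosen in the steps above (geo-redundant storage, Cross Region Restore, Immutable vault in the Unlocked state, public access denied and a private endpoint in a dedicated subnet), can be created with the Azure CLI. The script below is an added example written for this page, not code from the original runbook or from Microsoft; the resource group, vault, network and DNS zone names are placeholders, and the backup private DNS zone name must be adjusted to the geo code of your region. Set AZ=echo to print the commands instead of running them.

```shell
#!/usr/bin/env bash
# Added example: create a hardened Recovery Services vault for Azure Files
# backup with the Azure CLI. Names below are placeholders (assumption).
set -eu

AZ=${AZ:-az}                 # AZ=echo prints the commands instead of calling Azure
RG=${RG:-rg-avd-prod}
LOCATION=${LOCATION:-eastus}
VAULT=${VAULT:-rsv-avd-prod}
VNET=${VNET:-vnet-avd-prod}
PE_SUBNET=${PE_SUBNET:-snet-privateendpoints}   # dedicated subnet: a vault PE uses 10+ IPs
# The backup zone embeds the region's geo code (eus for East US); change it for
# your region (assumption). Blob and queue zones are also needed for vault traffic.
BACKUP_DNS_ZONE=${BACKUP_DNS_ZONE:-privatelink.eus.backup.windowsazure.com}

create_vault() {
  # Redundancy, CRR and immutability are chosen before any item is protected:
  # redundancy cannot be changed once backups exist, and CRR needs GRS.
  # Immutability starts Unlocked; lock it only after the policies are tested.
  "$AZ" backup vault create \
    --resource-group "$RG" --name "$VAULT" --location "$LOCATION" \
    --immutability-state Unlocked \
    --public-network-access Disable
  "$AZ" backup vault backup-properties set \
    --resource-group "$RG" --name "$VAULT" \
    --backup-storage-redundancy GeoRedundant \
    --cross-region-restore-flag true
}

create_private_endpoint() {
  # Must run while the vault is still empty; AzureBackup is the vault's
  # private-link sub-resource ("Target sub resource" in the portal).
  vault_id=$("$AZ" backup vault show --resource-group "$RG" --name "$VAULT" \
    --query id -o tsv)
  "$AZ" network private-endpoint create \
    --resource-group "$RG" --name "pe-$VAULT" --location "$LOCATION" \
    --vnet-name "$VNET" --subnet "$PE_SUBNET" \
    --private-connection-resource-id "$vault_id" \
    --group-id AzureBackup \
    --connection-name "pe-$VAULT-conn"
}

link_private_dns() {
  # Equivalent of the portal's "Integrate with Private DNS Zone" choice.
  "$AZ" network private-dns zone create \
    --resource-group "$RG" --name "$BACKUP_DNS_ZONE"
  "$AZ" network private-dns link vnet create \
    --resource-group "$RG" --zone-name "$BACKUP_DNS_ZONE" \
    --name "link-$VNET" --virtual-network "$VNET" --registration-enabled false
  "$AZ" network private-endpoint dns-zone-group create \
    --resource-group "$RG" --endpoint-name "pe-$VAULT" --name default \
    --private-dns-zone "$BACKUP_DNS_ZONE" --zone-name backup
}

# Run end to end only when explicitly asked: ./create-vault.sh --apply
if [ "${1:-}" = "--apply" ]; then
  create_vault
  create_private_endpoint
  link_private_dns
fi
```

Running it without --apply only defines the functions, so the file can be sourced and the steps run one at a time; the order matters, because the private endpoint has to exist before the first file share is protected.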
4. Configure the Backup for Azure File Share:
1. Go to the Recovery Services vault that was created. Click on + Backup.
2. Select Azure File Share for the question: What do you want to backup?
3. Click Backup.
4. For Storage Account click Select.
5. Select the required storage account.
6. Check the box-Enable lock on the storage account.
7. Click OK.
8. Under FileShares to Backup click on Add.
9. Select the file share that you have created.
10. Click Edit this policy.
11. Give a meaningful policy name.
12. Select Snapshot for Backup tier.
13. Select the backup schedule and the number of retention days based on the customer's requirements.
14. Click OK.
15. Click Enable Backup.
16. The deployment is complete.
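The policy, the protection of the file share and the storage account lock from the procedure above, together with the schedule and retention budget from the Best Practices list, scripted with the Azure CLI. This is an added example written for this page, not the runbook's own code: the storage account, share and policy names are placeholders, the policy JSON follows the shape that "az backup policy show" returns for an Azure Files policy (dump an existing policy and adjust if your CLI version differs), and the snapshot budget is a worst-case count that treats every daily, weekly, monthly and yearly retention slot as a separate snapshot.

```shell
#!/usr/bin/env bash
# Added example: define a daily policy for an FSLogix profile share, enable
# protection and pin a delete lock on the storage account. Names are
# placeholders (assumption).
set -eu

AZ=${AZ:-az}                 # AZ=echo prints the commands instead of calling Azure
RG=${RG:-rg-avd-prod}
VAULT=${VAULT:-rsv-avd-prod}
STORAGE=${STORAGE:-stavdprofiles}
SHARE=${SHARE:-fslogix-profiles}
POLICY=${POLICY:-pol-fslogix-daily}
SNAPSHOT_LIMIT=200           # Azure Files allows at most 200 snapshots per share

# Worst-case snapshot count for a schedule: runs per day * daily retention days,
# plus the weekly, monthly and yearly retention slots.
snapshot_budget() {
  echo $(( $1 * $2 + $3 + $4 + $5 ))
}

# Succeeds only if the schedule fits under the per-share snapshot limit.
check_snapshot_budget() {
  total=$(snapshot_budget "$@")
  [ "$total" -le "$SNAPSHOT_LIMIT" ]
}

# Daily snapshot at 02:00 UTC, kept for $1 days.
policy_json() {
  cat <<EOF
{
  "properties": {
    "backupManagementType": "AzureStorage",
    "workLoadType": "AzureFileShare",
    "timeZone": "UTC",
    "schedulePolicy": {
      "schedulePolicyType": "SimpleSchedulePolicy",
      "scheduleRunFrequency": "Daily",
      "scheduleRunTimes": ["2024-01-01T02:00:00Z"]
    },
    "retentionPolicy": {
      "retentionPolicyType": "LongTermRetentionPolicy",
      "dailySchedule": {
        "retentionTimes": ["2024-01-01T02:00:00Z"],
        "retentionDuration": {"count": $1, "durationType": "Days"}
      }
    }
  }
}
EOF
}

configure_backup() {
  retention_days=${1:-30}
  check_snapshot_budget 1 "$retention_days" 0 0 0 || {
    echo "retention of $retention_days daily snapshots exceeds the $SNAPSHOT_LIMIT snapshot limit" >&2
    return 1
  }
  "$AZ" backup policy create \
    --resource-group "$RG" --vault-name "$VAULT" --name "$POLICY" \
    --backup-management-type AzureStorage --workload-type AzureFileShare \
    --policy "$(policy_json "$retention_days")"
  "$AZ" backup protection enable-for-azurefileshare \
    --resource-group "$RG" --vault-name "$VAULT" \
    --storage-account "$STORAGE" --azure-file-share "$SHARE" \
    --policy-name "$POLICY"
  # Snapshots live in the same storage account as the share, so a CanNotDelete
  # lock keeps an accidental account deletion from taking every recovery point
  # with it. The portal's checkbox creates a lock with this same name.
  "$AZ" lock create --name AzureBackupProtectionLock \
    --resource-group "$RG" --lock-type CanNotDelete \
    --resource "$STORAGE" --resource-type Microsoft.Storage/storageAccounts
}

# ./configure-backup.sh --apply 30
if [ "${1:-}" = "--apply" ]; then
  configure_backup "${2:-30}"
fi
```

The budget check is what stops an hourly policy from silently failing later: three runs a day retained for 60 days plus four weekly, twelve monthly and five yearly slots already comes to 201 snapshots, over the limit, even though each number on its own looks modest.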
5. Run an on-demand backup job to test the backup:
1. Go to the Recovery Services vault. Under Protected Items, click Backup Items.
2. Click on Azure Storage (Azure File)
3. Click on View Details.
4. Click Backup now.
5. Select the Retain Backup Till date, which sets how long the on-demand snapshot is kept, based on the customer's requirement. Click OK.
6. The backup job is triggered.
7. You can see the snapshot with the date and time in the Recovery Points.
6. Restore Scenarios:
Scenario: When a user signs in to AVD, FSLogix attaches the VHD file that stores their profile to the session host. If that entire VHD file, and with it all of the user's files and folders, is deleted for any reason, it has to be restored from backup.
For example, the user Duser1 had a folder in his profile that is now gone because the whole VHD file was removed, and he wants it restored.
Solution:
1. Go to the Recovery Services vault. Under Protected Items, click Backup Items.
2. Click on Azure Storage (Azure File).
3. Click on View Details.
4. Click on File Recovery.
5. Make sure Duser1 is signed out first: FSLogix keeps the profile VHD open for the whole session, and a restore over an open file can fail. Then click Select, pick the most recent snapshot and click OK, or pick the snapshot from the date on which the user says the files were deleted.
6. In the Restore Destination, select Original Location.
7. In Case of Conflicts, select Overwrite Existing.
8. Click on Add File
9. Check the Box next to the directory of Duser1. Click on Select.
10. Click on Restore.
11. Once the restore succeeds, ask Duser1 to sign in again. FSLogix attaches the restored VHD and he sees all the files and folders that were lost.
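The on-demand backup from section 5 and the directory restore from section 6, scripted with the Azure CLI. This is an added example written for this page, not code from the runbook; the resource names are placeholders, the backup container's friendly name for an Azure Files item is assumed to be the storage account name, and the profile directory name is passed in because FSLogix names it <SID>_<username> by default (Duser1 alone only if FlipFlopProfileDirectoryName or a custom pattern is in use). Set AZ=echo to print the commands instead of running them.

```shell
#!/usr/bin/env bash
# Added example: trigger an on-demand snapshot, pick the newest recovery point
# and restore one user's FSLogix profile directory in place. Names are
# placeholders (assumption).
set -eu

AZ=${AZ:-az}                 # AZ=echo prints the commands instead of calling Azure
RG=${RG:-rg-avd-prod}
VAULT=${VAULT:-rsv-avd-prod}
STORAGE=${STORAGE:-stavdprofiles}   # also the backup container's friendly name
SHARE=${SHARE:-fslogix-profiles}

# On-demand snapshot. $1 is the portal's "Retain Backup Till" date, dd-mm-yyyy UTC.
backup_now() {
  "$AZ" backup protection backup-now \
    --resource-group "$RG" --vault-name "$VAULT" \
    --container-name "$STORAGE" --item-name "$SHARE" \
    --backup-management-type AzureStorage --workload-type AzureFileShare \
    --retain-until "$1"
}

# Name of the newest recovery point (the snapshot timestamp in the portal list).
# Assumes each recovery point carries properties.recoveryPointTime.
latest_recovery_point() {
  "$AZ" backup recoverypoint list \
    --resource-group "$RG" --vault-name "$VAULT" \
    --container-name "$STORAGE" --item-name "$SHARE" \
    --backup-management-type AzureStorage --workload-type AzureFileShare \
    --query "max_by(@, &properties.recoveryPointTime).name" -o tsv
}

# Restore one profile directory ($2) from recovery point $1 to the original
# location, overwriting what is there. The user must be signed out first:
# FSLogix holds the profile VHD open for the whole session.
restore_user_profile() {
  "$AZ" backup restore restore-azurefiles \
    --resource-group "$RG" --vault-name "$VAULT" \
    --container-name "$STORAGE" --item-name "$SHARE" \
    --rp-name "$1" \
    --restore-mode OriginalLocation --resolve-conflict Overwrite \
    --source-file-type Directory --source-file-path "$2"
}

# Block until a backup or restore job finishes, so the next step sees its result.
wait_for_job() {
  "$AZ" backup job wait --resource-group "$RG" --vault-name "$VAULT" --name "$1"
}

# ./restore-profile.sh --apply 31-12-2025 S-1-5-21-1234567890-1234567890-1234567890-1106_Duser1
if [ "${1:-}" = "--apply" ]; then
  job=$(backup_now "${2:?retain-until date, dd-mm-yyyy UTC}" --query name -o tsv)
  wait_for_job "$job"
  rp=$(latest_recovery_point)
  job=$(restore_user_profile "$rp" "${3:?profile directory name}" --query name -o tsv)
  wait_for_job "$job"
fi
```

Restoring only the user's directory rather than the whole share keeps every other profile untouched, which matters on a busy pooled host pool where other users are still signed in and their VHDs are open.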