6/8/2016

Microsoft Azure: Infrastructure as a

Service (IaaS)

Conditions and Terms of Use

Microsoft Confidential

Copyright and Trademarks

© 2013 Microsoft Corporation. All rights reserved.

http://www.microsoft.com/about/legal/permissions/

Module 7: Azure Backup

Azure Backup Introduction

Microsoft Confidential

1
 6/8/2016

Traditional Offsite Backup

• Time consuming
• Manual data movement
• Difficult to store, index, find recall physical tapes or media

Microsoft Confidential

Azure Backup
• Secure: Encryption is done at the source using customer’s encryption keys
• Reliable: 99.9% availability SLA, 3 copies of the data within the Azure datacenter, 3 more copies geo-
replicated to a second Azure datacenter
• Efficient: Only changed data is sent, bandwidth usage controlled with throttling
• Simple: User interface integrated with Windows Server Backup, System Center Data Protection Manager,
and Server Essentials Dashboard

Microsoft Confidential

Integration With Existing Backup Offerings

Your On-Premises Datacenter

Off-site backup of files, virtual machines and

databases from your on-premises datacenter to
Azure

Microsoft Confidential

2
 6/8/2016

How Azure Backup Works

1. Identify changed blocks

2. Encrypt 3. Encrypted data stored online

6. Recover data
5. Decrypt 4. Transmit selected encrypted data

Microsoft Confidential

Demo: Backup and Restore

Scenario

Backup of Azure VMs

• Application-consistent backup of virtual machines
o Backup with no impact to production workloads
o No shut down of VM required
o Application level consistency for Windows OSes
o File system level consistency for Linux OSes
• Fabric level backup
o Unlimited scalability, with no customer resources required for backup
o Agentless backup of multiple VMs at the same time
o Single, central management interface through the Azure portal
o Detailed Jobs view for tracking progress and success/failure
• Policy-driven backup and retention
o Configuration of scheduled backup
o On-demand backup
o Automatic management of recovery points within Azure Backup vault
o Retain backup data in Azure Backup vault even if the original VM is deleted

Microsoft Confidential

3
 6/8/2016

Azure VM Backup Design Principles

• Independent isolated backup copy – accidental destruction of original data
prevented
• Application-consistent backup
• Predictable IO and Backup time – optimized blob copy
• Efficient storage consumption – only changes backed up
• Zero infrastructure deployment and maintenance – no need to deploy
anything

Microsoft Confidential

Azure VM Backup Steps

• Discover - This step gets a list of all IaaS VMs in the same region that have
not already been protected.
• Register - This one-time step installs the backup extension into the selected
VMs in preparation for backup.
• Protect - This step involves setting the backup and retention policy for the
VM. As per the backup policy, the initial replication of the VM’s data will
automatically be done, and will be followed by incremental backup at the
predefined schedule

Microsoft Confidential

Backup File security

First level of Security
• You cannot decipher the data unless you have the key
• Without the passphrase, even the Azure team can’t access the data

Second level of Security

• All the machines are registered to backup vault using vault credentials
• Only the machines registered to same vault will be able to recover the data from the
backup vault
• Additionally, the Vault credential itself is secured by your need to have access to Azure
subscription (which is protected by Two Factor Authentication)
• You can use a single passphrase for all machines registered in the same vault

Microsoft Confidential

4
 6/8/2016

Module 7: Azure Backup

Server

Microsoft Confidential

Azure Backup vs. Azure Backup Server

Item Azure Backup Azure Backup Server

Files
Folders
Volumes
Azure VMs
SQL Server
Exchange
SharePoint Farm

Microsoft Confidential

Azure Backup Server

Protect Application Workloads
• Hyper-V VMs
• Microsoft SQL Server
• SharePoint Server
• Microsoft Exchange
• Windows clients

*Inherits functionality from DPM but does not provide tape

backup or integrate with System Center

Microsoft Confidential

5
 6/8/2016

Steps to Install Azure Backup Server

• Create a Backup Vault

• Download and Install the ‘For Application Workloads (Disk
to Disk to Cloud)’ on the designated Windows Server (on-
premises or Azure VM)
• Confirm network connectivity – connectivity to Azure is
required, even for on-premises backups
• Use PowerShell cmdlet Get-DPMCloudConnection to test
connectivity to Azure

Microsoft Confidential

Firewalls / Proxies that need to be open

Add the following domains to your firewall/proxy list of
approved domains:

1. www.msftncsi.com
2. *.Microsoft.com
3. *.WindowsAzure.com
4. *.microsoftonline.com
5. *.windows.net

Microsoft Confidential

What is Azure Site Recovery (ASR)?

• Azure Backup and ASR are part of Azure Recovery Services
• ASR is represented as a way to back up on-premises VMs into Azure storage
• ASR Scenarios
o On-premises Hyper-V to Azure protection with Hyper-V replication
o On-premises VMM site to on-premises VMM site protection with Hyper-V replication
o On-premises VMM site to on-premises VMM site protection with SAN replication
o On-premises VMM site to Azure protection
o On-premises VMWare site to on-premises VMWare site with InMage
• ASR requires the creation of a vault, similar to Azure Backup

Microsoft Confidential

6
 6/8/2016

Module 7: Automation

Automation Introduction

Microsoft Confidential

Automation Overview
• Automate time-consuming, error prone, operational tasks
• Increase reliability of your business processes
• Boost the efficiency of your platform
• Lower your operational costs
• Integrate with and extend existing systems
• Automation Learning Path https://azure.microsoft.com/en-us/documentation/learning-paths/automation/

Microsoft Confidential

Azure Automation Primary Features

Runbook Authoring in Azure: Highly Available Engine: Integration into other systems:
Create runbooks to automate all aspects of cloud Support requirements for scale and H/A. Import PS modules and create additional modules
operations, from deployment, monitoring, and Built on PowerShell Workflow. Isolation for runbook and runbooks for Azure services or to connect into
optimizations jobs 3rd party systems

Azure

Automation
Monitoring
Systems

Change
Control
Systems

Anything 
23
Microsoft Confidential

7
 6/8/2016

Pricing
• Current pricing posted here: http://azure.microsoft.com/en-us/pricing/details/automation/
• Process Automation
o Billed by the minute according to actual run time of your jobs
o Free tier gives you 500 minutes of job run time
o Basic tier costs $20 per 10,000 min. Job run time is unlimited
• Desired State Configuration (DSC)
o Free tier has 5 nodes
o Basic tier costs $6/node per month. Number of nodes is unlimited
• SLA 99.9% guaranteed that planned jobs start within 30 minutes

Microsoft Confidential 24

Automation Account
• The first thing you must create to use Azure
Automation
• Security and resource boundary for Azure
Automation
• Contains Runbooks
• Contains assets that support Runbook execution
• Ties infrastructure and assets needed to execute
Runbooks to an Azure region
• Specifies the Azure subscription to be billed for
Automation usage
• Limited to 25 accounts per subscription

Microsoft Confidential

Automation Runbooks
• Runbooks – central concept for Automation. They
contain a set of instructions in the form of
PowerShell Workflows to execute your
maintenance tasks
• Monitor Runbook execution status, history and
usage through the portal
• Author Runbooks through the portal or on your
laptop and import them
• Test Runbooks and publish them through the
portal
• Runbooks execute in jobs running in the Azure
Automation service

Microsoft Confidential

8
 6/8/2016

Automation Assets
• Certificates
• Credentials
• PowerShell modules
• Connections
• Schedules
• Variables

Microsoft Confidential

Demo: Tour of the Azure

Automation Portal

28

Running an Automation Runbook

Azure Portal Simplest interactive method for testing or single

execution
Windows PowerShell Using command line or within an automated
solution
Azure Automation API Most flexible/most complex ~ call API from any
custom code that can make HTTP requests. Can also
track job state
Webhooks Start runbook from a single HTTP request.
Authenticated with security token in URL. Cannot
track job state
Respond to Azure Alert Configure webhook for runbook and link to the
alert
Schedule Automatically start runbook on hourly, daily or
weekly schedule
From another runbook Use a runbook as an activity in another runbook
Microsoft Confidential

9
 6/8/2016

Automation Runbook Types

Type Description
Graphical Based on Windows PowerShell Workflow and created and
edited completely in the graphical editor in the Azure
portal (only) https://azure.microsoft.com/en-
us/documentation/articles/automation-graphical-
authoring-intro/
PowerShell Workflow Text runbook based on Windows PowerShell Workflow
https://azure.microsoft.com/en-
us/documentation/articles/automation-powershell-
workflow/
PowerShell • Text runbook based on Windows PowerShell script
• You directly edit the code of the runbook in the Azure
Portal or any offline text editor and then import the
runbook
• Can’t use parallel processing for multiple actions
• Can’t use checkpoints to resume runbooks that have
stopped

Microsoft Confidential

Runbook Lifecycle
1. An Actor starts a runbook
2. Azure Automation notes that the
runbook should be started
3. Cloud resources – Runbook acts on
local Azure resources or other
external resources reachable via the
network
4a. On-Premises – Hybrid runbook
group sends the runbook to an
on-premises machine to run
4b. Runbook acts on its local networked
resources
4c. Job results are returned from on-
premises

Microsoft Confidential

Webhooks
• Allows you to start a particular workbook in Azure Automation through a single HTTP request
• Allows externals services and code to be able to execute runbooks

Microsoft Confidential

10
 6/8/2016

Demo: Using a Webhook to

run an imported PowerShell
Workflow Runbook

Graphical Runbook Authoring

• Allows you to create runbooks
without the complexities of
Windows PowerShell Workflow
• Ability to add activities from a
library of cmdlets to the Azure
Portal canvas
• Graphical runbooks are
classified as Windows
PowerShell Workflows and
generate PowerShell code

Microsoft Confidential

Graphical Runbook Library

Selection Description
Cmdlets • Includes all PowerShell cmdlets that can be used in
your runbook
Runbooks • Runbooks in your automation account organized by
tag
• Added to your new runbook as a child runbook
Assets • Automation assets
Runbook • Junction – takes multiple inputs and waits until all
Control have completed before continuing
• Workflow Script – runs one or more lines of
PowerShell Workflow code

Microsoft Confidential

11
 6/8/2016

Demo: Graphical Runbook

Authoring

Automation Desired State Configuration (DSC)

• Consistently deploy, monitor and automatically update the desired state of IT resources
• Both Windows and Linux machines supported (currently only Classic VMs for Linux)
• Use for Cloud or on-premises machines (through Hybrid-Connection)
• Builds on top of PowerShell DSC
• Automation DSC includes:
o Author and manage PowerShell DSC configurations
o Import DSC Resources
o Generate DSC Node configurations (MOF documents)
• DSC items are placed on an Azure Automation DSC Pull server so that target nodes can pick
them up

Microsoft Confidential

Automation DSC Terms

• Configuration – introduced in PowerShell DSC, allows you to define via PowerShell syntax the
desired state of the environment
• Node configuration – produced when a DSC configuration is compiled depending on the node
block configuration (this is the MOF document)
• Node – any machine that has its configuration managed by DSC
• Resource – building blocks used to define a DSC configuration. Resources contain PowerShell
modules with pre-written code used to build your resources
• Compilation Job – an instance of compilation of a configuration to create a node configuration
o Similar to Azure Automation runbook jobs, but they do not perform any task, only create
configurations
o Automatically placed on Azure DSC pull server
o Overwrites previous versions of node configurations

Microsoft Confidential

12
 6/8/2016

Automation DSC Lifecycle

Microsoft Confidential

13