Veritas NetBackup™ for Microsoft Azure Stack Administrator's Guide

Last Published:
Product(s): NetBackup & Alta Data Protection (9.0.0.1, 9.0)
  1. Introduction
    1.  
      Protecting Microsoft Azure Stack VMs using NetBackup
    2.  
      Backing up Microsoft Azure Stack VMs
    3.  
      Restoring Microsoft Azure Stack VMs
    4.  
      Managed disk VM
    5.  
      NetBackup for Microsoft Azure Stack terminologies
  2. Pre-requisites for configuring the Microsoft Azure Stack plug-in for NetBackup
    1.  
      Operating system and platform compatibility
    2.  
      License for Microsoft Azure Stack plug-in for NetBackup
    3.  
      Settings for Backup host in IPV6 setup
    4.  
      Time Sync with Azure Stack
    5.  
      About deployment of NetBackup to protect Microsoft Azure Stack
  3. Configuring NetBackup and Microsoft Azure Stack
    1.  
      Overview of configuring NetBackup and Microsoft Azure Stack
    2. Managing backup hosts
      1.  
        Whitelisting a backup host on NetBackup master server
    3.  
      Adding a Microsoft Azure Stack custom role to provide access permissions to NetBackup administrator
    4. Configuring the Microsoft Azure plug-in using the azurestack.conf configuration file
      1.  
        Whitelisting the configuration file path on NetBackup master server
    5. Creating a file that contains Microsoft Azure Stack credentials
      1.  
        Configuring proxy settings for communication with Microsoft Azure Stack AAD authentication
    6.  
      Adding Microsoft Azure Stack credentials in NetBackup
    7.  
      Creating a BigData policy for Microsoft Azure Stack using the NetBackup Policies utility
    8.  
      Stale Snapshot cleanup
  4. Performing backups and restores of Microsoft Azure Stack
    1.  
      About backing up Microsoft Azure virtual machines
    2.  
      About restoring Microsoft Azure Stack virtual machines
    3. About the restore scenarios for Microsoft Azure Stack VMs from the BAR interface
      1.  
        Considerations for Microsoft Azure Stack VM restore and recovery
    4.  
      Using the BAR interface to restore an Microsoft Azure Stack VM at the same location
    5.  
      Using the bprestore command to restore Microsoft Azure Stack VM at the same location
    6.  
      Using the BAR interface to restore an Microsoft Azure Stack VM to different location
    7. Using the BAR interface to restore an Microsoft Azure Stack VM with modified metadata at a different location
      1.  
        Conversion of Unmanaged disk VM to Managed disk VM
      2.  
        Conversion of Unmanaged disk VM backed up using old plugin to Managed disk VM
    8.  
      Using the bprestore command to restore Microsoft Azure VM with modified metadata to an alternate location
    9.  
      Using the bprestore command to restore Microsoft Azure Stack VM with modified metadata to an alternate region
  5. Troubleshooting
    1.  
      About NetBackup for Microsoft Azure debug logging
    2.  
      Known limitations for Microsoft Azure protection using NetBackup
    3.  
      Backup fails with error 6662
    4.  
      Backup fails with error 6661
    5.  
      Backup fails with error 6646
    6.  
      Backup fails with error 6629
    7.  
      Backup fails with error 6626
    8.  
      Backup fails with error 6630
    9.  
      Restore fails with error 2850
    10.  
      Backup fails with error 1
    11.  
      Adding Azure Stack credentials to NetBackup fails with error 9101
    12.  
      Adding Azure Stack credentials to NetBackup fails with error 7610

Adding a Microsoft Azure Stack custom role to provide access permissions to NetBackup administrator

NetBackup requires access to Azure Stack subscriptions to protect them. You must create a custom user in Active Directory for NetBackup and grant the user the role to access the subscriptions. You can either give a co-owner role to the user or you can create a custom role with permissions that are required for backup and recovery. An Azure Stack administrator as a subscription owner can create the custom role for a subscription.

The minimum permissions that NetBackup requires are as follows:

  • Microsoft.Compute/virtualMachines/*

  • Microsoft.Network/networkInterfaces/*

  • Microsoft.Network/networkSecurityGroups/join/action

  • Microsoft.Network/networkSecurityGroups/read

  • Microsoft.Network/publicIPAddresses/join/action

  • Microsoft.Network/publicIPAddresses/read

  • Microsoft.Network/publicIPAddresses/write

  • Microsoft.Network/virtualNetworks/read

  • Microsoft.Network/virtualNetworks/subnets/read

  • Microsoft.Network/virtualNetworks/subnets/join/action

  • Microsoft.Resources/subscriptions/resourceGroups/read

  • Microsoft.Storage/storageAccounts/read

  • Microsoft.Storage/storageAccounts/listKeys/action

To create a custom role, complete the following steps:

  1. For Active Directory Federation Services (ADFS)

    Create a user or service principal named nbu_azst in the Active Directory from the Active Directory Users and Computers dialog box from Microsoft Management Console.

    For Microsoft Azure Active Directory (Azure AD)

    Create the service principal from the Microsoft Azure Active Directory Users dialog box.

    Complete the following steps on a Windows computer that has PowerShell for Azure Stack.

    For more information, refer to https://docs.microsoft.com/en-us/azure/azure-stack/azure-stack-powershell-install.

  2. Create a new text file rbac_NBU_role.json and add the following script in the file:
    {
"Name": "NBU BnR Role",
"IsCustom": true,
"Description": "Let's you perform backup and recovery of VMs",
"Actions": [
"Microsoft.Compute/virtualMachines/*",
"Microsoft.Compute/Disks/read",
"Microsoft.Compute/Disks/write",
"Microsoft.Compute/Disks/beginGetAccess/action",
"Microsoft.Compute/Disks/endGetAccess/action",
"Microsoft.Compute/Snapshots/*",
"Microsoft.Network/networkInterfaces/*",
"Microsoft.Network/networkSecurityGroups/join/action",
"Microsoft.Network/networkSecurityGroups/read",
"Microsoft.Network/publicIPAddresses/join/action",
"Microsoft.Network/publicIPAddresses/read",
"Microsoft.Network/publicIPAddresses/write",
"Microsoft.Network/virtualNetworks/read",
"Microsoft.Network/virtualNetworks/subnets/read",
"Microsoft.Network/virtualNetworks/subnets/join/action",
"Microsoft.Resources/subscriptions/resourceGroups/read",
"Microsoft.Resources/Resources/read",
"Microsoft.Storage/storageAccounts/read",
"Microsoft.Storage/storageAccounts/listKeys/action"
],
"NotActions": [],
"AssignableScopes": [
"/subscriptions/subscription_ID_1",
"/subscriptions/subscription_ID_2"
.
.
.
]
}

    Note:

    Ensure that you add the required subscriptions under the AssignableScopes field so that the custom role is created with those subscriptions.

    For example, in the file snippet, replace subscription_ID_1 and subscription_ID_2 with actual subscription IDs that you have.

  3. Run the following commands:

    • Add-AzureRMEnvironment -Name AzureStackAdmin -ArmEndpoint "ArmEndpointValue"

      For example, Add-AzureRMEnvironment -Name AzureStackAdmin -ArmEndpoint "https://management.local.azurestack.external"

    • Add-AzureRmAccount -EnvironmentName "AzureStackAdmin"

    • New-AzureRmRoleDefinition -InputFile "<directory_path>\rbac_NBU_role.json"

    You can use the following ARM endpoints:

    • provider subscription

    • tenant subscription

  4. Open the Microsoft Azure Stack console and complete the following steps:

    1. Click Menu and open the subscriptions that you want to protect with NetBackup. Click Access Control (IAM) > Roles to view the newly created role.

    2. From Subscriptions > Access Control (IAM), click Add. In the Select Name field add nbu_azst user (ADFS) or the display name of the service principal (AAD), in the Type field select User, and in the Role field select the newly added role.

  5. Add the nbu_azst user or service principal to the tpconfig command to take backups.

More Information

Adding Microsoft Azure Stack credentials in NetBackup