Search <book_title>...

NetBackup™ Snapshot Manager for Cloud Install and Upgrade Guide

Last Published: 2024-03-27

Product(s): NetBackup & Alta Data Protection (10.4)

Microsoft Azure plug-in configuration notes

The Microsoft Azure plug-in lets you create, delete, and restore snapshots at the virtual machine level and the managed disk level.

Support for Azure Disk Encryption (ADE) enabled VM

NetBackup provides support for Azure disk encrypted VM's. ADE enabled VM will show Azure Disk Encryption flag as True in asset details in Web UI. Following are the supported scenarios:

Rollback Restore
Snapshot and Restore from snapshot of VMs only
If Azure disk encryption extension is present at the time of snapshot then only extension will be present after VM is restored from snapshot.
Supported operating systems:
For Linux VM: Supported VMs and operating systems
For Windows: Supported VMs and operating systems

Support for private disk access in NetBackup Snapshot Manager

NetBackup Snapshot Manager provides support for disks having private disk access using disk access object. Consider the following points while protecting the private disk access:

To support backup from snapshot, the Azure managed disks of the VM must have public or private disk access enabled.
- Azure propagates the same setting to the VM restore point created during the snapshot operation.
- The snapshot contents are then read securely using a SAS URI for the disk snapshots of the VM restore point.
- If private disk access has been setup with a disk access object and associated private endpoint, then due to the restriction from Azure which allows maximum of 5 exports of disk/snapshot per disk access object, ensure that not more than 2 disks would share the same disk access object. Else backup from snapshot would fail with the following error:
```
DiskAccessObjectHasTooManyActiveSASes)Too many simultaneous imports or exports using disk access object. The current cap is 5. Revoke some active access tokens before creating more access requests 
```
This feature allows user to snapshot and restore disks having private disk access enabled. The restored disk will also have the same disk access object associated.
User would be able to snapshot, backup and restore VM's having private disk access. The restored VM will also have disks having private disk enabled with same disk access object.
If VMs having private disk access are restored through snapshot or backup copy, then ensure that the count of the disks per disk access object would increase and might not adhere to the prerequisite of 5 disks per disk access object. User must take appropriate actions to protect the restored VM.
For cross subscription restore from backup copy or if disk access object is deleted which was present in original VM, then disks of the restored VM would have disabled public and private access.
If NetBackup Snapshot Manager is in one subscription and VM's to be protected are in different subscription, then appropriate private endpoint created within Snapshot Manager subscription must be associated with disk access objects.

Support for application consistency using Azure recovery points

By default, the create snapshot operation in Snapshot Manager would create recovery points instead of snapshots. To use Azure recovery points for the snapshots to be application consistent, refer to the following table to connect and configure the VM's in Azure cloud:

For Windows	For Linux
No need to connect and configure the VM's	For Linux: By default the snapshots would be filesystem consistent in Azure. For Oracle on Linux: The VM must be in a connected state `Or` Pre-scipts or post-scripts for application consistency must be configured for the Linux VM as mentioned in the Application-consistent backup of Azure Linux VMs documentation.

Note:

While creating and restoring snapshots, restore points would be created instead of snapshots being created in Azure.

Create snapshot

In Snapshot Manager a Restore Point Collection is created with a VM restore point when the first snapshot is taken for a VM.
Each VM restore point contains the disk restore points of all disks whose snapshots have been taken in the VM snapshot operation.
Each subsequent snapshot taken on the VM is saved in Azure under the same Restore Point Collection that was created when the first snapshot was taken.
The subsequent restore points are incremental backups.

Restore snapshot

Snapshots would be restored from snapshots in Azure, for snapshots taken in versions prior to Snapshot Manager version 10.2.
Snapshots would be restored from Restore Points, for snapshots taken in Snapshot Manager version 10.2.

Note the following:

Locate the restore point:
Obtain the Snapshot ID in the job details of the created snapshot in NetBackup as follows:
```
Snapshot ID: azure-snapvmrp-<subscription name>+<RG name>+<restore point collection name>+<restore point>
```
The restore point can be found in Azure portal by navigating to Subscription -> Resource Group (RG) -> Restore Point Collection (RPC) -> Restore Point.
Locate the logs:
- Snapshot Manager: /cloudpoint/flexsnap.log
- Host VM:
  - Linux: /var/log/azure/Microsoft.Azure.RecoveryServices.VMSnapshotLinux/extension.log
  - Windows: C:\WindowsAzure\Logs\Plugins\Microsoft.Azure.RecoveryServices.VMSnapshot\<version>

Prerequisites

Before you configure the Azure plug-in, complete the following preparatory steps:

(Applicable only if user proceeds with application service principal route) Use the Microsoft Azure Portal to create an Azure Active Directory (AAD) application for the Azure plug-in.
Assign the required permissions to a role to access resources.
For more information on Azure plug-in permissions required by NetBackup Snapshot Manager, See Configuring permissions on Microsoft Azure.
In Azure you can assign permissions to the resources by one of the following methods:
- Service principal: This permission can be assigned to user, group or an application.
- Managed identity: Managed identities provide an automatically managed identity in Azure Active Directory for applications to use when connecting to resources that support Azure Active Directory (Azure AD) authentication. There are two types of managed identities:
  - System-assigned
  - User-assigned

For more details, follow the steps mentioned in the Azure documentation.

Table: Microsoft Azure plug-in configuration parameters

NetBackup Snapshot Manager configuration parameter	Microsoft equivalent term and description
Credential type: Application service principal Note: Assign a role to the application service principal.
Tenant ID	The ID of the Azure AD directory in which you created the application.
Client ID	The application ID.
Secret key	The secret key of the application.
Credential type: System managed identity Note: Assign a role to the system managed identity.
Enable system managed identity on NetBackup Snapshot Manager host in Azure.
Credential type: User managed identity Note: Assign a role to the user managed identity.
Client ID	The Client ID of the user managed identity connected to the NetBackup Snapshot Manager host.
Following parameters are applicable for all the above credential type's
Regions	One or more regions in which to discover cloud assets. Note: If you configure a government cloud, select US Gov Arizona, US Gov Texas US, or Gov Virginia.
Resource Group prefix	The prefix used to store the snapshots created for the assets in a different resource group other than the one in which the assets exist. For example, if an asset exists in NetBackup Snapshot Manager and prefix for resource group is snap, then snapshots of assets in NetBackup Snapshot Manager resource group would be stored in snapNetBackup Snapshot Manager resource group.
Protect assets even if prefixed Resource Groups are not found	On selecting this check box, NetBackup Snapshot Manager would not fail the snapshot operation if resource group does not exists. It tries to store the snapshot in the original resource group. Note: The prefixed resource group region must be same as the original resource group region.

Configuring multiple accounts or subscriptions or projects

If you are creating multiple configurations for the same plug-in, ensure that they manage assets from different Subscriptions. Two or more plug-in configurations should not manage the same set of cloud assets simultaneously.
When multiple accounts are all managed with a single NetBackup Snapshot Manager server, the number of assets being managed by a single NetBackup Snapshot Manager instance might get too large. Hence it would be better to segregate the assets across multiple NetBackup Snapshot Manager servers for better load balancing.
To achieve application consistent snapshots, we would require agent/agentless network connections between the remote VM instance and NetBackup Snapshot Manager server. This would require setting up cross account/subscription/project networking.

Azure plug-in considerations and limitations

Consider the following before you configure the Azure plug-in:

The current release of the plug-in does not support snapshots of blobs.
NetBackup Snapshot Manager currently only supports creating and restoring snapshots of Azure-managed disks and the virtual machines that are backed up by managed disks.
If you are creating multiple configurations for the same plug-in, ensure that they manage assets from different Tenant IDs. Two or more plug-in configurations should not manage the same set of cloud assets simultaneously.
When you create snapshots, the Azure plug-in creates an Azure-specific lock object on each of the snapshots. The snapshots are locked to prevent unintended deletion either from the Azure console or from an Azure CLI or API call. The lock object has the same name as that of the snapshot. The lock object also includes a field named "notes" that contains the ID of the corresponding VM or asset that the snapshot belongs to.
Ensure that the notes field in the snapshot lock objects is not modified or deleted. Doing so will disassociate the snapshot from its corresponding original asset.
The Azure plug-in uses the ID from the notes fields of the lock objects to associate the snapshots with the instances whose source disks are either replaced or deleted, for example, as part of the 'Original location' restore operation.
Azure plug-in supports the following GovCloud (US) regions:
- US Gov Arizona
- US Gov Texas
- US Gov Virginia
- US Gov Iowa
- US DoD Central
- US DoD East
Azure plug-in supports the following India regions:
- Jio India West
- Jio India Central

NetBackup Snapshot Manager Azure plug-in does not support the following Azure regions:

Location	Region
US	US DoD Central US DoD East US Sec West
China NetBackup Snapshot Manager does not support any regions in China.	China East China East 2 China North China North 2
Germany	Germany Central (Sovereign) Germany Northeast (Sovereign)

Location

Region

US DoD Central
US DoD East
US Sec West

China

NetBackup Snapshot Manager does not support any regions in China.

China East
China East 2
China North
China North 2

Germany

Germany Central (Sovereign)
Germany Northeast (Sovereign)

NetBackup Snapshot Manager also supports Microsoft Azure generation 2 type of virtual machines.
NetBackup Snapshot Manager does not support application consistent snapshots and granular file restores for Windows systems with virtual disks or storage spaces that are created from a storage pool. If a Microsoft SQL server snapshot job uses disks from a storage pool, the job fails with an error. But if a snapshot job for virtual machine which is in a connected state is triggered, the job might be successful. In this case, the file system quiescing and indexing is skipped. The restore job for such an individual disk to original location also fails. In this condition, the host might move to an unrecoverable state and requires a manual recovery.
Snapshot Manager does not support Managed Identity database authentication for Azure database for MariaDB server.
Consider the following points for snapshots of Azure Disk Encryption (ADE) enabled VM:
- User would be able to only subscribe to snapshots that are capable of being assigned to protection plan.
- If Azure Disk Encryption (ADE) is enabled after assignment of protection plans, then the protection plan would be active. If Azure Disk Encryption is enabled during snapshot, backup and indexing would be fail with an error (9997).
- If Azure Disk Encryption (ADE) enabled VM is part of intelligent group, backup and indexing from snapshot would be fail with an error (9997) .
- File from single file restore enabled VM's can be restored to Azure Disk Encryption (ADE) enabled VM.
- Proper access to key vault must be assigned to other resource group if user is trying to restore VM to another resource group.
- Snapshot and restore for application is not supported for Azure Disk Encryption (ADE) enabled VM