Azure Stack Infrastructure Backup Configuration

Infrastructure Backup is something that I have set in the past and basically have forgotten about ever since the introduction of scheduled backups. From my experience the backup solution works and I really don’t spend much time on it outside of doing disaster recovery testing.

This can be done on an ASDK box once a month or so. This allows me to verify my infrastructure backups are actually working.

It wasn’t until update 1.19010.95 (1901) that I took notice of infrastructure backups again. I noticed that my Infrastructure Backup Health was in warning with a new alert shortly after the update was installed. In the 1901 update release notes, under Changes, was the following:

Infrastructure backup now requires a certificate with a public key only (.CER) for encryption of backup data. Symmetric encryption key support is deprecated starting in 1901. If infrastructure backup is configured before updating to 1901, the encryption keys will remain in place. You will have at least 2 more updates with backwards compatibility support to update backup settings. For more information, see Azure Stack infrastructure backup best practices.

At first I was a little worried that we needed to spend more money on yet another public certificate. After getting verification that it doesn’t need a public CA certificate but just a self-signed certificate, I was feeling better about the change.

The process itself was fairly easy. For new configurations you are required to use the certificate and cannot choose to use an encryption key. For those that have already been using the encryption key method, we have at least 2 more updates to change over before our infrastructure backups will not work.

Enable Backup For Azure Stack

There are a few ways I could go about configuring my infrastructure backup to use the certificate. I could use the portal or I can use PowerShell. For this blog I have chosen to use the portal, but I will show the PowerShell script that is available on the Microsoft Docs website as well.

PowerShell Method

The PowerShell method is pretty simple. For more detailed instructions visit the Microsoft Docs page Enable Backup for Azure Stack with PowerShell.

Below is the example PowerShell script that will enable and configure the Azure Stack infrastructure backup. The following variables will need to be changed before running the script:

  • $UserName
  • $Password
  • $Sharepath
  • $FrequencyInHours
  • $RetentionPeriodInDays
  • $encryptioncertpath

    # Example username:
    $username = "domain\backupadmin"

    # Example share path:
    $sharepath = "\\serverIP\AzSBackupStore\contoso.com\seattle"

    $password = Read-Host -Prompt ("Password for: " + $username) -AsSecureString

    # Path where the public key (.CER) is saved; the same file is passed to the backup configuration below.
    $encryptioncertpath = "c:\certs\AzSIBCCert.cer"

    # Create a self-signed certificate using New-SelfSignedCertificate, export the public key portion and save it locally.
    $cert = New-SelfSignedCertificate `
        -DnsName "www.contoso.com" `
        -CertStoreLocation "cert:\LocalMachine\My"

    New-Item -Path "C:\" -Name "Certs" -ItemType "Directory"

    # Make sure to also export the PFX format of the certificate with the public and private keys
    # (the private key is needed to decrypt the backups during recovery), and then delete the
    # certificate from the local certificate store of the machine where you created it.

    # Export the public key only (.CER) for the backup configuration.
    Export-Certificate `
        -Cert $cert `
        -FilePath $encryptioncertpath

    # Set the backup settings with the name, password, share, and CER certificate file.
    Set-AzsBackupConfiguration -BackupShare $sharepath -Username $username -Password $password -EncryptionCertPath $encryptioncertpath

Confirm the backup settings by running the following PowerShell command:

    Get-AzsBackupConfiguration | Select-Object -Property Path, UserName

Enable Azure Backup using Admin Portal

As mentioned before, shortly after my 1901 update completed I started seeing alerts that my Infrastructure Backup health was not Healthy.

Checking on the alerts I saw this new alert that my backup settings needed to be updated.

Clicking even further into the alert gave me some good information on what settings needed to be updated along with the link to the Microsoft Docs site.

So I am basically going to be following the Microsoft Docs Enable backup for Azure Stack from the administration portal. I want to call out a few things for those that may not be familiar with Azure Stack infrastructure backup. This doesn’t back up any of the tenant workloads such as IaaS or PaaS resources. So Virtual Machines, App Service, and various other Resource Providers will need to have another backup solution.

Create Certificate

The first thing I need to do is create a self-signed certificate that I will use for Infrastructure backup. I will use the example PowerShell script provided by Microsoft.

    $cert = New-SelfSignedCertificate `
        -DnsName "www.contoso.com" `
        -CertStoreLocation "cert:\LocalMachine\My"

    New-Item -Path "C:\" -Name "Certs" -ItemType "Directory"
    Export-Certificate `
        -Cert $cert `
        -FilePath c:\certs\AzSIBCCert.cer

After running the above PowerShell script I now have a newly created self-signed certificate I will be using for my infrastructure backup.
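The script above exports only the public key, while the comment in the earlier PowerShell script also calls for a PFX export and removal of the certificate from the local store. The following is an added example of that step, not part of the original post or the Microsoft script; the PFX path and variable names are assumptions, and it expects the .CER file created above.

```powershell
# Added example: back up the private key as a PFX, verify it, then remove it from the store.
# $cerPath matches the file exported above; $pfxPath is a hypothetical output location.
$cerPath = "C:\Certs\AzSIBCCert.cer"
$pfxPath = "C:\Certs\AzSIBCCert.pfx"

# Load the exported .CER and confirm it carries no private key before it is uploaded anywhere.
$cer = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList $cerPath
if ($cer.HasPrivateKey) {
    throw "$cerPath contains a private key; only a public-key .CER should be uploaded."
}

# Find the matching certificate, with its private key, in the local machine store.
$storeCert = Get-ChildItem -Path "Cert:\LocalMachine\My" |
    Where-Object { $_.Thumbprint -eq $cer.Thumbprint }
if (-not $storeCert -or -not $storeCert.HasPrivateKey) {
    throw "No certificate with a private key and thumbprint $($cer.Thumbprint) found in LocalMachine\My."
}

# Export public and private keys to a password-protected PFX.
$pfxPassword = Read-Host -Prompt "Password to protect the PFX" -AsSecureString
Export-PfxCertificate -Cert $storeCert -FilePath $pfxPath -Password $pfxPassword | Out-Null

# Re-open the PFX with the same password and compare thumbprints before deleting anything.
$pfx = Get-PfxData -FilePath $pfxPath -Password $pfxPassword
if ($pfx.EndEntityCertificates[0].Thumbprint -ne $cer.Thumbprint) {
    throw "PFX thumbprint does not match the .CER; leaving the store copy in place."
}

# Remove the certificate and its private key from this machine now that the PFX is verified.
# -DeleteKey is a dynamic parameter of the certificate provider.
Remove-Item -Path $storeCert.PSPath -DeleteKey

# Record what was exported and when the certificate expires.
"PFX: $pfxPath  Thumbprint: $($cer.Thumbprint)  Expires: $($cer.NotAfter)"
```

Move the PFX and its password to secured storage away from the backup share, since anyone holding both the backup files and the private key can decrypt the backups.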

Now that my certificate is created I can log on to my Administration console (Portal) and continue with the configuration of my infrastructure backup. Once in the Infrastructure backup blade click on the settings icon.

I had already configured my Infrastructure Backup in the past to use the encryption key. If this happened to be the first time I would have needed to fill in my backup storage location, username, and password.

Click the Use Certificate bullet and then browse to where the certificate is saved. A notification should pop up saying the certificate has been uploaded. Once the OK button has been clicked the process should take a few minutes.

A new notification should pop up confirming the successful configuration of the backup infrastructure.

Click back on settings to verify that the configurations have stayed and that everything is configured correctly.

From the dashboard I can now see that my infrastructure backup is healthy again and there are no more alerts.

Now that I have changed over to a certificate from an encryption key I will need to test a backup to verify everything is working. Outside of this everything is good to go now. It would also be a good idea to keep this certificate handy for disaster recovery testing on the ASDKs.

Final Thoughts

Overall this was a pretty simple task to complete since I already had my infrastructure backup configured. It took just a few minutes to create the certificate and change the configuration for my infrastructure backup.
