Azure VM Backup Architecture
Let’s look at the Azure VM backup architecture.
Diagram: Azure VM backup architecture and the process of creating a backup, as described below.
Microsoft has an extension inside every Azure VM.
When you configure Backup, the extension communicates with the Azure Backup service and associates itself with a policy.
It identifies itself to the Azure Backup service as a VM and indicates that the service should back it up accordingly.
When it’s time for a backup per the backup policy, Microsoft sends a command to the Azure Backup extension, and Azure Backup then orchestrates a VSS snapshot.
Once the snapshot is available, it is stored in your local VM storage as an instant recovery snapshot, which you can recover from quickly because it is already in your VM storage.
In the background, the snapshot is compared to the snapshot of the previous recovery point, and only the incremental blocks are moved over HTTPS into the Recovery Services vault.
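A small model of the incremental step described above, added here as an illustration and not Microsoft's or the author's code. It assumes fixed-size blocks compared by SHA-256 digest (the page does not say how Azure Backup compares snapshots); `incremental`, `restore` and the sample disks are constructed for this example.

```python
import hashlib

BLOCK_SIZE = 4  # assumption: tiny blocks so the constructed disks stay readable

# Constructed sample disks: three successive snapshots of one VM disk.
SNAP_1 = b"BOOTDATALOGSTEMP"      # first backup, copied in full
SNAP_2 = b"BOOTDATALOG2TEMP"      # one block modified
SNAP_3 = b"BOOTDATALOG2TEMPMORE"  # one block appended


def split_blocks(disk: bytes) -> list[bytes]:
    """Cut a disk image into fixed-size blocks (the last one may be short)."""
    return [disk[i:i + BLOCK_SIZE] for i in range(0, len(disk), BLOCK_SIZE)]


def incremental(previous: bytes, current: bytes) -> dict:
    """Compare two snapshots and keep only the blocks that must be transferred."""
    old = [hashlib.sha256(b).digest() for b in split_blocks(previous)]
    changed = {
        i: blk for i, blk in enumerate(split_blocks(current))
        if i >= len(old) or hashlib.sha256(blk).digest() != old[i]
    }
    return {"length": len(current), "blocks": changed}


def restore(base: bytes, chain: list[dict]) -> bytes:
    """Rebuild the latest recovery point from the full copy plus each increment."""
    disk = base
    for inc in chain:
        n_blocks = -(-inc["length"] // BLOCK_SIZE)  # ceiling division
        blocks = (split_blocks(disk) + [b""] * n_blocks)[:n_blocks]
        for i, blk in inc["blocks"].items():
            blocks[i] = blk  # overwrite or append the transferred block
        disk = b"".join(blocks)[:inc["length"]]  # handles a disk that shrank
    return disk


if __name__ == "__main__":
    chain = [incremental(SNAP_1, SNAP_2), incremental(SNAP_2, SNAP_3)]
    for inc in chain:
        sent = sum(len(b) for b in inc["blocks"].values())
        print(f"blocks {sorted(inc['blocks'])} changed: {sent} of {inc['length']} bytes sent")
    print("restore ok:", restore(SNAP_1, chain) == SNAP_3)
```

Each recovery point after the first depends on the full copy and every increment before it, so a restore is only as good as the whole chain held in the vault.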
The Recovery Services vault has server-side encryption (SSE) enabled, so the backup is encrypted at rest, and the HTTPS transfer protects it while in transit.
When you secure your data with Azure Disk Encryption, you are given keys, a key encryption key (KEK) and a BitLocker encryption key (BEK), which are stored in an Azure key vault and are also backed up by Azure Backup.
This is important because when you recover, you don’t have to worry about which keys you had when the backup was taken: the keys are restored for you to apply to the recovered data.