Taking backup of encrypted Azure VMs with ADE (Azure Disk Encryption) using Azure Backup in OMS

We see customers migrating or deploying workloads on Azure encrypting their virtual machines using ADE (Azure Disk Encryption) and looking for a backup solution that protects those encrypted VMs in a simple and cost-effective manner. We have also heard, loud and clear, that Azure Backup (ABU) is the solution customers prefer for backing up encrypted VMs in their Azure deployments. In this blog post, we show you how to use the latest Azure Recovery Services Backup PowerShell cmdlets to back up your ADE (Azure Disk Encryption) encrypted VMs on Azure.

In short, here is the list of high-level steps covered in the blog post:

  1. Prepare your Azure AD application’s client ID & client Secret
  2. Prepare Azure Key Vault account & set policies for Azure AD application to store & manage encryption keys & secrets
  3. Enable Disk Encryption on Azure VM using AAD application & Key Vault
  4. Prepare Azure Recovery Services Vault settings and perform backup of encrypted VM
  5. Trigger initial backup of encrypted VM
  6. Restore encrypted VM into a storage account for recovering VM

Prerequisites:

To get you started, here are the steps you need to prepare before proceeding further:

1. Azure subscription: A valid Azure subscription is needed to use Azure services.

2. Azure PowerShell: Please use the latest Azure PowerShell version 1.6.0 or later

3. Azure Key Vault: Please refer to the Azure Key Vault – Step by Step blog post for more details on how to setup a Key Vault in Azure. Please create and use a Key Vault that is in the same region as the VM to be encrypted. For Azure Backup you need to use the key encryption key feature which you can create in the Key Vault by following instructions on this page. This key will be used as the key encryption key to wrap the encryption secrets.

4. Azure Active Directory Client ID and Secret: In order to write encryption secrets to a specified Key Vault, Azure Disk Encryption needs the Client ID and the Client Secret of the Azure Active Directory application that has permissions to write secrets to the specified Key Vault. Please refer to the Azure Key Vault – Step by Step blog post for more detail on how to get the Azure Active Directory Client ID and Client Secret using the Azure portal.

5. IaaS V2 VM in Azure: Azure Disk Encryption works only on IaaS V2 VMs (virtual machines created using the Azure Resource Management Model) in Azure. Please refer to Different ways to create a Windows virtual machine with Resource Manager for information on how to create IaaS V2 virtual machines in Azure.

6. Azure Recovery Services Vault: Please refer to the First look: Protect Azure VMs with a recovery services vault document “Step 1” for more details on how to create an Azure Recovery Services Vault.

Note:
The key encryption key (KEK) must have been created in the same key vault where the disk encryption secrets are placed. Please refer to the article Getting Started with Azure Key Vault to learn how to create keys in Key Vault.

 

########################################################################################################
# Section1:  Log-in to Azure and select appropriate subscription.
########################################################################################################

Login-AzureRmAccount -ErrorAction "Stop" 1> $null;

Get-AzureRmSubscription -SubscriptionName '<your-subscription-name>' | Select-AzureRmSubscription

 

########################################################################################################
# Section2:  Define the variables used in the rest of the script (resource group, AAD app, Key Vault, VM and Recovery Services vault).
########################################################################################################

$rgName = 'MySecureRg';

$aadAppName = '<your-aad-app-name>';

$aadClientSecret = '<your-aad-client-secret>';

$keyVaultName = 'MySecureVault';

$keyEncryptionKeyName = 'MyKeyEncryptionKey';

$backupVMName = 'ExtraSecureVM';

$recoveryServicesVaultName = '<your-recovery-services-vault-name>';

# Well-known application ID of the Azure Backup (Backup Management Service) service principal
$recoveryServicesAADServicePrincipalName = '262044b1-e2ce-469f-a196-69ab7ada62d3';

 

########################################################################################################
# Section3:  Create your Azure AD application & Key Vault for using in ADE & ABU
########################################################################################################

#  Create a new AD application if not created before

$identifierUri = [string]::Format("http://localhost:8080/{0}", [Guid]::NewGuid().ToString("N"));
$defaultHomePage = 'http://contoso.com';
$now = [System.DateTime]::Now;
$oneYearFromNow = $now.AddYears(1);
$aadClientSecret = [Guid]::NewGuid();
$ADApp = New-AzureRmADApplication -DisplayName $aadAppName -HomePage $defaultHomePage -IdentifierUris $identifierUri -StartDate $now -EndDate $oneYearFromNow -Password $aadClientSecret;
$servicePrincipal = New-AzureRmADServicePrincipal -ApplicationId $ADApp.ApplicationId;

 

# Get Resource Group object to create Key Vault in the same region as the VM

$resGroup = Get-AzureRmResourceGroup -Name $rgName
$location = $resGroup.Location

 

# Create a new Key Vault if it doesn't exist yet

$keyVault = New-AzureRmKeyVault -VaultName $keyVaultName -ResourceGroupName $rgName -Sku Standard -Location $location;

# Add a new Key to Key Vault for using in Disk Encryption for VMs

$key = Add-AzureKeyVaultKey -VaultName $keyVaultName -Name $keyEncryptionKeyName -Destination 'Software'

 

########################################################################################################
# Section4:  Get your Azure AD application’s client ID
########################################################################################################

$aadAppSvcPrincipals = (Get-AzureRmADServicePrincipal -SearchString $aadAppName);
$aadClientID = $aadAppSvcPrincipals[0].ApplicationId;

 

########################################################################################################
# Section5:  Get Azure Key Vault account & set policies for Azure AD application to store & manage encryption keys & secrets
########################################################################################################

# Get the Key Vault URI, Resource ID and Key Encryption Key URL, which are needed for encrypting the Azure VM:

$keyVault = Get-AzureRmKeyVault -VaultName $keyVaultName -ResourceGroupName $rgName;

$diskEncryptionKeyVaultUrl = $keyVault.VaultUri;

$keyVaultResourceId = $keyVault.ResourceId;

$keyEncryptionKeyUrl = (Get-AzureKeyVaultKey -VaultName $keyVaultName -Name $keyEncryptionKeyName).Key.kid;

 

# Specify full privileges to the key vault for the AAD application

Set-AzureRmKeyVaultAccessPolicy -VaultName $keyVaultName -ServicePrincipalName $aadClientID -PermissionsToKeys all -PermissionsToSecrets all;

 

# Enable disk encryption policy in key vault for using ADE

Set-AzureRmKeyVaultAccessPolicy -VaultName $keyVaultName -EnabledForDiskEncryption;

 

# Grant the Azure Backup service access to keys and secrets in the key vault for VM backup. Note that the service principal name set here is the one unique to the Azure Backup service

Set-AzureRmKeyVaultAccessPolicy -VaultName $keyVaultName -ResourceGroupName $rgName -PermissionsToKeys backup,get,list -PermissionsToSecrets get,list -ServicePrincipalName $recoveryServicesAADServicePrincipalName

 

########################################################################################################
# Section6:  Enable Disk Encryption on Azure VM using AAD application & Key Vault
########################################################################################################

# Use the VM disk encryption extension to enable encryption (BitLocker for Windows, dm-crypt for Linux)

Set-AzureRmVMDiskEncryptionExtension -ResourceGroupName $rgName -VMName $backupVMName -AadClientID $aadClientID -AadClientSecret $aadClientSecret -DiskEncryptionKeyVaultUrl $diskEncryptionKeyVaultUrl -DiskEncryptionKeyVaultId $keyVaultResourceId -KeyEncryptionKeyUrl $keyEncryptionKeyUrl -KeyEncryptionKeyVaultId $keyVaultResourceId;
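Before moving on to backup, it is worth verifying that the preceding sections actually left the vault and the VM in the state Azure Backup expects. The following readiness check is an added example, not part of the original post: it confirms the vault is enabled for disk encryption, that the Backup Management Service principal holds the backup/get/list key and get/list secret permissions, that the OS volume reports as encrypted, and that the KEK lives in the same vault as the disk encryption secret (the rule from the Note above). The function name Test-EncryptedVMBackupReadiness is my own; it assumes the Section 2 variables are already set.

```powershell
# Added readiness check (not from the original post). Assumes the Section 2 variables
# ($rgName, $keyVaultName, $backupVMName, $recoveryServicesAADServicePrincipalName) are set.
function Test-EncryptedVMBackupReadiness {
    param(
        [Parameter(Mandatory)][string]$ResourceGroupName,
        [Parameter(Mandatory)][string]$VaultName,
        [Parameter(Mandatory)][string]$VMName,
        [Parameter(Mandatory)][string]$BackupServicePrincipalAppId
    )
    $problems = @()
    # 1. The vault must allow the disk encryption extension to write secrets (Section 5).
    $vault = Get-AzureRmKeyVault -VaultName $VaultName -ResourceGroupName $ResourceGroupName
    if (-not $vault.EnabledForDiskEncryption) {
        $problems += "Key Vault '$VaultName' is not enabled for disk encryption."
    }

    # 2. Azure Backup needs backup/get/list on keys and get/list on secrets. Access policies
    #    are keyed by object ID, so resolve the well-known Backup application ID first.
    $backupSp = Get-AzureRmADServicePrincipal -ServicePrincipalName $BackupServicePrincipalAppId
    $policy = $vault.AccessPolicies | Where-Object { $_.ObjectId -eq $backupSp.Id }
    if (-not $policy) {
        $problems += "No Key Vault access policy exists for the Azure Backup service principal."
    } else {
        $missingKeys = @('backup', 'get', 'list') |
            Where-Object { $policy.PermissionsToKeys -notcontains $_ -and $policy.PermissionsToKeys -notcontains 'all' }
        $missingSecrets = @('get', 'list') |
            Where-Object { $policy.PermissionsToSecrets -notcontains $_ -and $policy.PermissionsToSecrets -notcontains 'all' }
        if ($missingKeys) { $problems += "Backup principal lacks key permissions: $($missingKeys -join ', ')" }
        if ($missingSecrets) { $problems += "Backup principal lacks secret permissions: $($missingSecrets -join ', ')" }
    }

    # 3. The OS volume must actually be encrypted, and (see the Note above) the KEK must sit in
    #    the same vault as the disk encryption secret.
    $status = Get-AzureRmVMDiskEncryptionStatus -ResourceGroupName $ResourceGroupName -VMName $VMName
    if ($status.OsVolumeEncrypted -ne 'Encrypted') {
        $problems += "OS volume of '$VMName' reports encryption status '$($status.OsVolumeEncrypted)'."
    }
    $settings = $status.OsVolumeEncryptionSettings
    if ($settings -and $settings.KeyEncryptionKey -and
        $settings.KeyEncryptionKey.SourceVault.Id -ne $settings.DiskEncryptionKey.SourceVault.Id) {
        $problems += "KEK is not in the same vault as the disk encryption secret."
    }
    $problems | ForEach-Object { Write-Warning $_ }
    return ($problems.Count -eq 0)
}

Test-EncryptedVMBackupReadiness -ResourceGroupName $rgName -VaultName $keyVaultName `
    -VMName $backupVMName -BackupServicePrincipalAppId $recoveryServicesAADServicePrincipalName
```

The function returns $true only when every check passes, so it can gate the Section 7 cmdlets in an automated deployment.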

########################################################################################################
# Section7:   Trigger Initial Backup of encrypted VM
########################################################################################################

# Set Azure Recovery Services Vault context for backup operations

$recoveryServicesVault = Get-AzureRmRecoveryServicesVault -ResourceGroupName $rgName -Name $recoveryServicesVaultName

Set-AzureRmRecoveryServicesVaultContext -Vault $recoveryServicesVault

# Get protection policy to be used for enabling encrypted VM backup. Here the default protection policy is used which you can replace with your custom created one.

$backupPolicy = Get-AzureRmRecoveryServicesBackupProtectionPolicy DefaultPolicy

# Enable encrypted VM backup using the selected protection policy

Enable-AzureRmRecoveryServicesBackupProtection -Policy $backupPolicy -Name $backupVMName -ResourceGroupName $rgName

########################################################################################################
# Section8:  Trigger initial backup on demand to create initial copy of VM
########################################################################################################

# Trigger Initial Backup of VM

$backupContainer = Get-AzureRmRecoveryServicesBackupContainer -ContainerType AzureVM -Name $backupVMName

$backupItem = Get-AzureRmRecoveryServicesBackupItem -Container $backupContainer -WorkloadType AzureVM -Name $backupVMName

$backupItem | Backup-AzureRmRecoveryServicesBackupItem

 

########################################################################################################
# Section9:   Restore encrypted VM from a specific recovery point object to a storage account for new VM creation
########################################################################################################

# Get Recovery Points of encrypted VM backup

$recoveryKeyFileLocation = '<path-to-key-file-location>'

# List the recovery points of the backup item and fetch the most recent one by its ID; for an encrypted VM
# this also downloads the key file (encryption keys and secrets) needed to recreate the VM later.
$recoveryPoints = Get-AzureRmRecoveryServicesBackupRecoveryPoint -Item $backupItem
$recoveryPoint = Get-AzureRmRecoveryServicesBackupRecoveryPoint -RecoveryPointId $recoveryPoints[0].RecoveryPointId -Item $backupItem -KeyFileDownloadLocation $recoveryKeyFileLocation

# Restore encrypted VM to a storage account for creating new VM

$recoveryStorageAccount = '<your-recovery-storage-account>'

$recoveryResourceGroup = '<your-resource-group-for-recovery>'

Restore-AzureRmRecoveryServicesBackupItem -RecoveryPoint $recoveryPoint -StorageAccountName $recoveryStorageAccount -StorageAccountResourceGroupName $recoveryResourceGroup

 

Summary:

Now that you have protected your encrypted VM using Azure Backup and recovered it to a storage account, you can create a new VM from the recovered disks by following the steps under the section "Create a VM from restored disks" in the Azure Backup documentation.

References:

Getting Started with Azure Key Vault

Azure Disk Encryption for Windows and Linux IaaS VMs

Deploy and manage backups for Resource Manager-deployed VMs using PowerShell