Hi guys! Today's post is the last one in the Azure Files series (you can find out more about the series here). I will show how to configure your environment so that it is backed up and protected against data hijacking attempts such as ransomware.
Okay, let’s go straight to the configuration steps.
Create a Recovery Services vault
Sign in to your subscription in the Azure portal, search for Backup center, and navigate to the Backup Center dashboard.
Select +Vault from the Overview tab, select Recovery Services vault, and click Continue.
The Recovery Services vault dialog box opens. Provide values for the Name, Subscription, Resource group, and Location. Then hit Review and create.
Name: Enter a friendly name to identify the vault. The name must be unique to the Azure subscription. Specify a name that has at least 2 but not more than 50 characters. The name must start with a letter and consist only of letters, numbers, and hyphens.
Subscription: Choose the subscription to use. If you’re a member of only one subscription, you’ll see that name. If you’re not sure which subscription to use, use the default (suggested) subscription. There are multiple choices only if your work or school account is associated with more than one Azure subscription.
Resource group: Use an existing resource group or create a new one. To see the list of available resource groups in your subscription, select Use existing, and then select a resource from the drop-down list. To create a new resource group, select Create new and enter the name. For more information about resource groups, see Azure Resource Manager overview.
Location: Select the geographic region for the vault. To create a vault to protect any data source, the vault must be in the same region as the data source.
It can take a while to create the Recovery Services vault. Monitor the status notifications in the Notifications area at the upper-right corner of the portal. After your vault is created, it’s visible in the list of Recovery Services vaults. If you don’t see your vault, select Refresh.
Configure backup from the Recovery Services vault
The following steps explain how you can configure backup for multiple file shares from the Recovery Services vault pane. In the Azure portal, open the Recovery Services vault you want to use for configuring backup for the file share.
Next, in the Recovery Services vault pane, select +Backup from the menu at the top.
In the Backup Goal pane, set Where is your workload running? to Azure by selecting the Azure option from the drop-down list.
In What do you want to back up?, select Azure File Share from the drop-down list.
Select Backup to register the Azure file share extension in the vault.
After you select Backup, the Backup pane opens. To select the storage account hosting the file share that you want to protect, select the Select link text below the Storage Account textbox.
The Select Storage Account pane opens on the right, listing a set of discovered supported storage accounts. They're either associated with this vault or present in the same region as the vault, but not yet associated with any Recovery Services vault. From the list of discovered storage accounts, select an account, and select OK.
The next step is to select the file shares you want to back up. Select the Add button in the FileShares to Backup section.
The Select File Shares context pane opens on the right. Azure searches the storage account for file shares that can be backed up. If you recently added your file shares and don't see them in the list, allow some time for the file shares to appear.
From the Select File Shares list, select one or more of the file shares you want to back up. Select OK.
To choose a backup policy for your file share, you have three options:
Choose the default policy.
This option allows you to enable daily backup that will be retained for 30 days. If you don’t have an existing backup policy in the vault, the backup pane opens with the default policy settings. If you want to choose the default settings, you can directly select Enable backup.
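The same vault creation and file share protection can be scripted with the Azure CLI. The script below is an added example, not part of the original post: it enforces the vault naming rule and the same-region requirement described above before calling `az`. It assumes a signed-in Azure CLI, a storage account in the same resource group as the vault, and a backup policy that already exists in the vault; every resource name passed to it is a placeholder.

```shell
#!/bin/sh
# Added example: CLI counterpart of the portal steps. Resource names are placeholders.

# Vault name rule from the post: 2-50 characters, starts with a letter,
# letters, numbers and hyphens only.
valid_vault_name() {
    name=$1
    [ "${#name}" -ge 2 ] && [ "${#name}" -le 50 ] || return 1
    case $name in
        [!A-Za-z]*)      return 1 ;;
        *[!A-Za-z0-9-]*) return 1 ;;
    esac
    return 0
}

# With DRY_RUN=1 the command is printed instead of executed.
run() {
    if [ "${DRY_RUN:-0}" = 1 ]; then echo "$*"; else "$@"; fi
}

# protect_share VAULT RESOURCE_GROUP LOCATION STORAGE_ACCOUNT SHARE POLICY
# Assumes the storage account is in RESOURCE_GROUP and POLICY already exists.
protect_share() {
    vault=$1 rg=$2 loc=$3 sa=$4 share=$5 policy=$6
    valid_vault_name "$vault" || { echo "invalid vault name: $vault" >&2; return 2; }
    if [ "${DRY_RUN:-0}" != 1 ]; then
        # The vault must be in the same region as the data source.
        sa_loc=$(az storage account show --name "$sa" --resource-group "$rg" \
                    --query location --output tsv) || return 3
        [ "$sa_loc" = "$loc" ] || {
            echo "vault region $loc differs from storage region $sa_loc" >&2
            return 3
        }
    fi
    run az backup vault create --name "$vault" --resource-group "$rg" \
        --location "$loc" || return 4
    run az backup protection enable-for-azurefileshare --vault-name "$vault" \
        --resource-group "$rg" --storage-account "$sa" \
        --azure-file-share "$share" --policy-name "$policy"
}
```

Set `DRY_RUN=1` and call `protect_share` with your six values to review the two `az` commands before running them for real.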
The update link opens the Security Settings pane, which provides a summary of the features and lets you enable them.
From the drop-down list Have you configured Azure AD Multi-Factor Authentication?, select a value to confirm if you’ve enabled Azure AD Multi-Factor Authentication. If it’s enabled, you’re asked to authenticate from another device (for example, a mobile phone) while signing in to the Azure portal.
When you perform critical operations in Backup, you have to enter a security PIN, available on the Azure portal. Enabling Azure AD Multi-Factor Authentication adds a layer of security. Only authorized users with valid Azure credentials, and authenticated from a second device, can access the Azure portal.
Checks have been added to make sure only valid users can perform various operations. These include adding an extra layer of authentication, and maintaining a minimum retention range for recovery purposes.
Authentication to perform critical operations
As part of adding an extra layer of authentication for critical operations, you’re prompted to enter a security PIN when you perform Stop Protection with Delete data and Change Passphrase operations.
That's all for now! I hope it was useful, guys. Until the next post, thank you!