{"id":120,"date":"2023-04-20T18:53:41","date_gmt":"2023-04-21T02:53:41","guid":{"rendered":"https:\/\/www.dumpsterfirecomputing.com\/?p=120"},"modified":"2023-04-20T18:53:42","modified_gmt":"2023-04-21T02:53:42","slug":"automagical-backups-with-azure-policy","status":"publish","type":"post","link":"https:\/\/www.dumpsterfirecomputing.com\/?p=120","title":{"rendered":"Automagical Backups with Azure Policy"},"content":{"rendered":"\n

This is a bit of a hasty post. Been a shortened week for me, and I’m heading out of town tomorrow for my brother’s wedding. But in conversation late today, a question was raised: “Can you add VMs to a Recovery Service Vault’s backup policy dynamically using Azure Policy and a naming pattern?”<\/p>\n\n\n\n

The answer? Sure!<\/p>\n\n\n\n

Let’s set the stage. I have the following Recovery Services Vault, with all the default backup policies:<\/p>\n\n\n\n

\"\"<\/figure>\n\n\n\n

I also have the following 3 VM’s:<\/p>\n\n\n\n

\"\"<\/figure>\n\n\n\n

The goal is to build an Azure Policy such that all the servers that start with AZM**** are automatically backed up to the RSV-MANAGEMENT vault using the built-in policy (ignoring that third AZS*** server). It must remediate existing servers and <\/em>capture newly built machines and add them to the vault as well.<\/p>\n\n\n\n

To start, we need to locate an Azure Policy that we can use as a template for tinkering. From the list of built-in Azure Policies, I filtered by the word ‘backup’ and got quite a list.<\/p>\n\n\n\n

\"\"<\/figure>\n\n\n\n

Don’t ask me why, but I used the marked policy above as my base. It will work just fine, but the first one in the list is a simpler, cleaner policy. Again, both of these will work (and I’m too lazy to tear it all down and rebuild it at this point).<\/p>\n\n\n\n

Start by duplicating the definition – never edit a built-in policy definition (I’m not that <\/em>lazy). In the definition for the newly copied policy, we simply want to add a filter which will include servers that match a pattern.<\/p>\n\n\n\n

Since coding Azure Policy isn’t something I do on a regular basis, I needed to ask Bing how to format it properly. I stumbled on the official Microsoft documentation for the policy Definition structure<\/a>, and that led me to the following two blocks:<\/p>\n\n\n\n

\"\"<\/figure>\n\n\n\n

I need a way to match the pattern AZM***, and I don’t know exactly how long the server name will be (could be AZMFOO01, could be AZMFOOBAR01), so using like<\/code> with the wildcard *<\/code> seems to be the way to go.<\/p>\n\n\n\n

\"\"<\/figure>\n\n\n\n

This one was simple – I can just use the name<\/code> properly of the resource. So now I can put the condition and field together to come up with my pattern:<\/p>\n\n\n\n

\"\"<\/figure>\n\n\n\n

In my policy definition, notice that I added it as the first check, above the built-in condition that it must be a virtual machine. For me, this is just easier to read – you do what works best for you.<\/p>\n\n\n\n

Once the definition is created, now it needs to be assigned. I assigned my policy to the subscription (to capture any VMs built anywhere in the sub that matches the name pattern), and I also allowed the creation of a managed identity for remediation. This created a system assigned MI and apply the appropriate permissions at the desired scope so that the policy can be enforced:<\/p>\n\n\n\n

\"\"<\/figure>\n\n\n\n

The parameters for this particular policy assignment want location<\/code> and backup policy<\/code> :<\/p>\n\n\n\n

\"\"<\/figure>\n\n\n\n

This says that it will check for VM’s in West US 2<\/code> only, and the properties of the Backup Policy<\/code> show the built-in EnhancedPolicy<\/code> in the vault I chose:<\/p>\n\n\n\n

\"\"<\/figure>\n\n\n\n

With the assignment complete, I let it run a remediation task for existing VM’s that match the pattern.<\/p>\n\n\n\n

\"\"<\/figure>\n\n\n\n

In this case it found the two existing VMs that were there, and it successfully added them both to the Recovery Vault.<\/p>\n\n\n\n

The last test was to build a brand new machine, named AZMFOO03<\/code> and see if the policy automatically added it to the vault.<\/p>\n\n\n\n

\"\"<\/figure>\n\n\n\n

Click-Ops’d my way to getting a third VM built, waited about 10 minutes or so after the VM was built, and I now have all three of these VM’s in the Recovery Services Vault:<\/p>\n\n\n\n

\"\"<\/figure>\n\n\n\n

Pretty slick, and pretty easy. The hardest part, really, is just deciding which of the pattern statements to use. If your environment has a server naming convention that segregates servers by [insert method], then this could be a way of segregating the backup vaults as well. And by incorporating Azure Policy with a Managed Identity, we’ve now achieved an automated way of ensuring all current and future servers deployed get backed up properly.<\/p>\n","protected":false},"excerpt":{"rendered":"

This is a bit of a hasty post. Been a shortened week for me, and I’m heading out of town tomorrow for my brother’s wedding. But in conversation late today, […]<\/p>\n","protected":false},"author":2,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[4,30,29],"tags":[10,32,31],"class_list":["post-120","post","type-post","status-publish","format-standard","hentry","category-azure","category-backup","category-policy","tag-azure","tag-backup","tag-policy"],"_links":{"self":[{"href":"https:\/\/www.dumpsterfirecomputing.com\/index.php?rest_route=\/wp\/v2\/posts\/120","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.dumpsterfirecomputing.com\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.dumpsterfirecomputing.com\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.dumpsterfirecomputing.com\/index.php?rest_route=\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/www.dumpsterfirecomputing.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=120"}],"version-history":[{"count":3,"href":"https:\/\/www.dumpsterfirecomputing.com\/index.php?rest_route=\/wp\/v2\/posts\/120\/revisions"}],"predecessor-version":[{"id":135,"href":"https:\/\/www.dumpsterfirecomputing.com\/index.php?rest_route=\/wp\/v2\/posts\/120\/revisions\/135"}],"wp:attachment":[{"href":"https:\/\/www.dumpsterfirecomputing.com\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=120"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.dumpsterfirecomputing.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=120"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.dumpsterfirecomputing.com\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=120"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}