Back up an encrypted Azure virtual machine with PowerShell

03/05/2019


This script creates a Recovery Services vault with geo-redundant storage (GRS) for an encrypted Azure virtual machine. The default protection policy is applied to the vault. The policy generates a daily backup for the virtual machine, and retains each backup for 30 days. The script also triggers the initial recovery point for the virtual machine and retains that recovery point for 365 days.

This sample requires Azure PowerShell Az 1.0 or later. Run Get-Module -ListAvailable Az to see which versions are installed. If you need to install, see Install Azure PowerShell module.

Run Connect-AzAccount to sign in to Azure.

If you don't have an Azure subscription, create a free account before you begin.

Sample script

Note: This article has been updated to use the new Azure PowerShell Az module. You can still use the AzureRM module, which will continue to receive bug fixes until at least December 2020. To learn more about the new Az module and AzureRM compatibility, see Introducing the new Azure PowerShell Az module. For Az module installation instructions, see Install Azure PowerShell.

# Edit these global variables with your unique Recovery Services Vault name, resource group name and location
$rsVaultName = "myRsVault"
$rgName = "myResourceGroup"
$location = "East US"

# Register the Recovery Services provider and create a resource group
Register-AzResourceProvider -ProviderNamespace "Microsoft.RecoveryServices"
New-AzResourceGroup -Location $location -Name $rgName

# Create a Recovery Services Vault and set its storage redundancy type
New-AzRecoveryServicesVault `
    -Name $rsVaultName `
    -ResourceGroupName $rgName `
    -Location $location
$vault1 = Get-AzRecoveryServicesVault -Name $rsVaultName
Set-AzRecoveryServicesBackupProperty `
    -Vault $vault1 `
    -BackupStorageRedundancy GeoRedundant

# Set Recovery Services Vault context and create protection policy
Get-AzRecoveryServicesVault -Name $rsVaultName | Set-AzRecoveryServicesVaultContext
$schPol = Get-AzRecoveryServicesBackupSchedulePolicyObject -WorkloadType "AzureVM"
$retPol = Get-AzRecoveryServicesBackupRetentionPolicyObject -WorkloadType "AzureVM"
New-AzRecoveryServicesBackupProtectionPolicy `
    -Name "NewPolicy" `
    -WorkloadType "AzureVM" `
    -RetentionPolicy $retPol `
    -SchedulePolicy $schPol

# Provide permissions to Azure Backup to access key vault and enable backup on the VM
# (the service principal name below is the Azure Backup service's application ID)
Set-AzKeyVaultAccessPolicy `
    -VaultName "KeyVaultName" `
    -ResourceGroupName "KeyVault-RGName" `
    -PermissionsToKeys backup,get,list `
    -PermissionsToSecrets backup,get,list `
    -ServicePrincipalName 262044b1-e2ce-469f-a196-69ab7ada62d3
$pol = Get-AzRecoveryServicesBackupProtectionPolicy -Name "NewPolicy"
Enable-AzRecoveryServicesBackupProtection `
    -Policy $pol `
    -Name "myVM" `
    -ResourceGroupName "VM-RGName"

# Modify protection policy
$retPol = Get-AzRecoveryServicesBackupRetentionPolicyObject -WorkloadType "AzureVM"
$retPol.DailySchedule.DurationCountInDays = 365
$pol = Get-AzRecoveryServicesBackupProtectionPolicy -Name "NewPolicy"
Set-AzRecoveryServicesBackupProtectionPolicy `
    -Policy $pol `
    -RetentionPolicy $retPol

# Trigger a backup and monitor backup job
$namedContainer = Get-AzRecoveryServicesBackupContainer `
    -ContainerType "AzureVM" `
    -Status "Registered" `
    -FriendlyName "myVM"
$item = Get-AzRecoveryServicesBackupItem -Container $namedContainer -WorkloadType "AzureVM"
$job = Backup-AzRecoveryServicesBackupItem -Item $item
$joblist = Get-AzRecoveryServicesBackupJob -Status "InProgress"
Wait-AzRecoveryServicesBackupJob `
    -Job $joblist[0] `
    -Timeout 43200

Clean up deployment

Run the following command to remove the resource group, VM, and all related resources.

Remove-AzResourceGroup -Name myResourceGroup

Script explanation

This script uses the following commands to create the deployment. Each item in the table links to command-specific documentation.

| Command | Notes |
| --- | --- |
| New-AzResourceGroup | Creates a resource group in which all resources are stored. |
| New-AzRecoveryServicesVault | Creates a Recovery Services vault to store backups. |
| Set-AzRecoveryServicesBackupProperty | Sets backup storage properties on Recovery Services vault. |
| New-AzRecoveryServicesBackupProtectionPolicy | Creates protection policy using schedule policy and retention policy in Recovery Services vault. |
| Set-AzKeyVaultAccessPolicy | Sets permissions on the Key Vault to grant the service principal access to encryption keys. |
| Enable-AzRecoveryServicesBackupProtection | Enables backup for an item with a specified Backup protection policy. |
| Set-AzRecoveryServicesBackupProtectionPolicy | Modifies an existing Backup protection policy. |
| Backup-AzRecoveryServicesBackupItem | Starts a backup for a protected Azure Backup item that isn't tied to the backup schedule. |
| Wait-AzRecoveryServicesBackupJob | Waits for an Azure Backup job to finish. |
| Remove-AzResourceGroup | Removes a resource group and all resources contained within. |
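The Key Vault grant is the step that most often blocks backup of an encrypted VM and the one most likely to end up over-permissioned. The following is an added example, not part of the original sample script: `Test-BackupKeyVaultAccess` is a hypothetical helper that compares an access policy entry against the `backup,get,list` set the script grants, and the sample policy and object ID are constructed placeholders.

```powershell
# Added example, not part of the original sample script.
# Application ID of the Azure Backup service, as used in the sample script.
$backupAppId = '262044b1-e2ce-469f-a196-69ab7ada62d3'

function Test-BackupKeyVaultAccess {
    # Hypothetical helper: reports, per permission scope, which required
    # permissions are missing and which granted ones exceed the required set.
    param(
        [Parameter(Mandatory)] [AllowEmptyCollection()] [object[]] $AccessPolicies,
        [Parameter(Mandatory)] [string] $ObjectId,
        [string[]] $Required = @('backup', 'get', 'list')
    )
    # Access policy entries are keyed by the principal's object ID.
    $entry = $AccessPolicies |
        Where-Object { $_.ObjectId -eq $ObjectId } |
        Select-Object -First 1

    foreach ($scope in 'PermissionsToKeys', 'PermissionsToSecrets') {
        # Empty when the principal has no entry or no permissions in this scope.
        $granted = @(if ($entry) { $entry.$scope | Where-Object { $_ } })
        [pscustomobject]@{
            Scope   = $scope
            Missing = @($Required | Where-Object { $_ -notin $granted })
            Extra   = @($granted  | Where-Object { $_ -notin $Required })
        }
    }
}

# Constructed sample shaped like the AccessPolicies property of Get-AzKeyVault output:
# keys are granted correctly, secrets lack 'backup' and carry an unneeded 'delete'.
$sampleObjectId = '00000000-0000-0000-0000-000000000001'   # placeholder object ID
$samplePolicies = @(
    [pscustomobject]@{
        ObjectId             = $sampleObjectId
        PermissionsToKeys    = 'backup', 'get', 'list'
        PermissionsToSecrets = 'get', 'list', 'delete'
    }
)
Test-BackupKeyVaultAccess -AccessPolicies $samplePolicies -ObjectId $sampleObjectId |
    Format-Table -AutoSize

# Against a live vault (vault name is the placeholder from the sample script):
# $sp = Get-AzADServicePrincipal -ApplicationId $backupAppId
# $kv = Get-AzKeyVault -VaultName "KeyVaultName"
# Test-BackupKeyVaultAccess -AccessPolicies $kv.AccessPolicies -ObjectId $sp.Id
```

Run the check before Enable-AzRecoveryServicesBackupProtection: a non-empty Missing column means the grant is incomplete, and a non-empty Extra column means the service principal holds more than the script intends.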

Next steps

For more information on the Azure PowerShell module, see Azure PowerShell documentation.