This article is a translation of https://qiita.com/aktsmm/items/e32f8615938e4ed19360
Hello, this is Yamapan, a novice architect.
I'm writing to let you know that I have tried the preview feature of Azure Backup.
I happened to have an open Azure advent calendar for 12/15 when I started writing, so I would like to set this up if I finish before the date changes.
→ I finished writing it and it's safe to say that this is the 15th day of the Microsoft Azure Tech Advent Calendar 2022.
Contents
What is Cross Subscription Restore?
Cross Subscription Restore is a new feature of Azure Backup that became available as a preview on November 22.
It is still in preview as of the time of writing.
- Above excerpt.
Azure Virtual Machine Cross Subscription Restore is a new feature that allows you to restore any subscription from a restore point created in Azure Backup, either by creating a new subscription or by restoring a disk. Azure Virtual Machine to any subscription through a new or disk restore from a restore point created in Azure Backup.
By default, Azure Backup restores to the same subscription where the restore point is available. This new feature gives you the flexibility to restore to any subscription under a tenant, as long as restore permissions are available. Cross Subscription Restore of managed Azure virtual machines can only be launched from the Vault, not from a snapshot. Cross Subscription Restore is also supported for restores using Managed System Identities (MSI). It is not supported for encrypted Azure virtual machines and trusted boot virtual machines.
Cross Subscription Restore is, as the name implies, a feature that allows Azure VMs to be restored across subscriptions.
A similarly named feature is Cross Region Restore.
CRR and CSR for short. It's a bit complicated.
Cross Region Restore can restore across regions, but only within the same subscription.
The Azure Backup support blog has an article on Cross Region Restore.
https://jpabrs-scem.github.io/blog/AzureVMBackup/CRR/
Prerequisites
The prerequisites for Cross Subscription Restore are summarized below.
- Subscriptions under the same tenant
- The executing user must have restore privileges
- Restore options are "Create New VM" or "Create Disk".
- Restore from the container layer
- Not available for ADE-encrypted or Trusted VMs
- Must be a backup of a VM with a Managed System Identifier (MSI)
- Must be a managed VM (not an unmanaged VM)
- Not a Cross Region Restore
Reference
Cross Subscription Restore (Preview) You can restore Azure Virtual Machines or disks from a restore point to any subscription (per Azure RBAC feature).
You can trigger a cross-subscription restore only for Managed Virtual Machines.
Cross-subscription restores are supported for restores using the Managed System Identifier (MSI).
Snapshot and secondary region restores are not supported.
Not supported for unmanaged VMs, encrypted Azure VMs, and trusted boot VMs.
Restore Options - Cross Subscription Restore (Preview)
https://learn.microsoft.com/ja-JP/azure/backup/backup-azure-arm-restore-vms#restore-options
It's limited to restoring from the container layer, which is the same requirement as Restore by Zone Specification (CZR).
This is because instant rear (restore from the snapshot tier) is preferred (not restore from the container tier) for recovery points whose recovery type includes the snapshot tier.
The snapshot tier data used by instant restore is not stored in backup-only storage (container tier), but is secretly stored in the snapshot area of the managed disk attached to the corresponding Azure VM in the Subscription. (It is not visible to the user).
This may have something to do with this.
The following screen shot recovery type must be "Snapshot".
Note that the container layer refers to Vault-Standard.
You can see that the conditions are quite similar to those for restoring by specifying a zone.
By the way, restoring by specifying a zone is called Cross Zone Restore (CZR).
In Azure Backup, there are CRR, CSR, and CZR.
Conditions for zone-specific restore (CZR)
- Source VM is fixed zone and not encrypted.
- The restore point exists only in the container tier (snapshots only, or snapshot and container tiers are not supported)
- Recovery option is either create new VM or restore disk (disk replace option replaces source data, so availability zone option is fixed)
- Container storage redundancy is ZRS (GRS is not allowed)
- or Cross Region Restore if container storage redundancy is RA-GRS (valid for region-to-region restores) and zones are supported in the paired regions.
The above can be found in the Docs below "In summary, availability zones are only visible when:" .
For some reason, the Cross Region Restore column is available when the redundancy of the Recovery Services container is RA-GRS, but not only in that case, but also when restoring using a Recovery Services container with ZRS redundancy. It is possible to restore by specifying a zone.
https://learn.microsoft.com/en-us/azure/backup/backup-azure-arm-restore-vms#restore-in-secondary-region
::::
Trusted VMs: VMs with Trusted boot enabled and only Gen2 VMs are supported.
Deploying VMs with Trusted boot enabled
https://learn.microsoft.com/en-us/azure/virtual-machines/trusted-launch-portal?tabs=portal%2Cportal2The default is Managed System Identifier (MSI).
The three complicated Azure Backup restore terms
Review the three complicated Azure Backup restore terms.
CZR : Cross Zone Restore
CRR : Cross Region Restore
CSR : Cross Subscription Restore
What we want to do
Restore Azure VM to a different Subscription.
Backed up environment
Subscription name : takXXXXXXX
Azure VM name : neko-vm
Region : Japan East
Environment you want to restore
Subscription name: tatXXXXXXX
Azure VM name: nekoneko-vm
I'll try it.
Make sure that the datastore is a standard container and that you can choose the subscription to restore to, and enter the various required fields to perform the operation. Super easy. I honestly thought it would require a bit more configuration.
Take a look at job.
You will see that there is a field named Target Subscription ID.
Cross Subscription Restore completed successfully.
Yay easy!!! 🦐.
You can see that the subscription is takXXXX for the original neko-vm and tatXXXX for the new nekoneko-vm.
Additional prerequisites
The following resources must be created in advance before restoring.
- Resource groups
- Virtual networks and subnets
- Storage accounts (staging locations)
Also, when doing a Cross Subscription Restore, you cannot choose the region of the VM to restore to, so you will need to create all but the resource group in the same region as the original Azure VM.
When doing a Cross Subscription Restore, you cannot choose the region of the VM to restore to.
The zone can be selected if the conditions are met, as described in detail below.
When performing a Cross Subscription Restore, the zone of the VM being restored to can be selected if the CZR conditions are met.
Can Cross Subscription Restore (CSR) be used together with CRR and CZR?
We have tried this one as well
CSR & CRR
As stated in the prerequisites here, CSR cannot be performed in the case of Cross Region Restore.
Specifically, the menu for subscriptions during restore did not appear.
CSR & CZR
This is possible.
CSR and CZR can be performed at the same time if the conditions for CSR and CZR are met.
Specifically, if the following conditions are met, it is possible to change and restore subscriptions and zones at the same time.
Conditions for performing CSR and CZR at the same time to change and restore subscriptions and zones at the same time
- Subscriptions under the same tenant
- The executing user must have restore privileges
- Restore options are "Create new VM" or "Create disk".
- Restore from the container layer
- Not available for ADE-encrypted or Trusted VMs
- Must be a backup of a VM with a Managed System Identifier (MSI)
- Must be a managed VM (not an unmanaged VM)
- Not a Cross Region Restore
- Recovery Services container redundancy must be ZRS.