MicrosoftDocs
diff --git a/‎articles/backup/backup-sql-server-azure-troubleshoot.md
Lines changed: 13 additions & 11 deletions b/‎articles/backup/backup-sql-server-azure-troubleshoot.md
Lines changed: 13 additions & 11 deletions
diff --git a/‎articles/backup/backup-sql-server-database-azure-vms.md
Lines changed: 28 additions & 23 deletions b/‎articles/backup/backup-sql-server-database-azure-vms.md
Lines changed: 28 additions & 23 deletions
diff --git a/‎articles/backup/media/backup-azure-sql-database/re-register-vm.png
-54.9 KB b/‎articles/backup/media/backup-azure-sql-database/re-register-vm.png
-54.9 KB
diff --git a/‎articles/backup/media/backup-azure-sql-database/sql.png
-7.85 KB b/‎articles/backup/media/backup-azure-sql-database/sql.png
-7.85 KB
@@ -15,20 +15,20 @@ For more information about the backup process and limitations, see [About SQL Se
 
 To configure protection for a SQL Server database on a virtual machine, you must install the **AzureBackupWindowsWorkload** extension on that virtual machine. If you get the error **UserErrorSQLNoSysadminMembership**, it means your SQL Server instance doesn't have the required backup permissions. To fix this error, follow the steps in [Set VM permissions](backup-azure-sql-database.md#set-vm-permissions).
 
-## Troubleshooting Discover and Configure issues
+## Troubleshoot discover and configure issues
 After creating and configuring a Recovery Services vault, discovering databases and configuring backup is a two-step process.<br>
 
 ![sql](./media/backup-azure-sql-database/sql.png)
 
 During the backup configuration, if the SQL VM and its instances are not visible in the **Discovery DBs in VMs** and **Configure Backup** (refer to above image) ensure that:
 
-**Step 1: Discovery DBs in VMs**
-<br>
-- If the VM is not listed in the discovered VM list and also not registered for SQL backup in another vault, then follow the [Discovery SQL Server backup](https://docs.microsoft.com/azure/backup/backup-sql-server-database-azure-vms#discover-sql-server-databases) steps.<br>
+### Step 1: Discovery DBs in VMs
 
-**Step 2: Configure Backup**
-<br>
-- If the vault in which the SQL VM is registered in the same vault used to protect the databases, then follow the [Configure Backup](https://docs.microsoft.com/azure/backup/backup-sql-server-database-azure-vms#configure-backup) steps.<br>
+- If the VM is not listed in the discovered VM list and also not registered for SQL backup in another vault, then follow the [Discovery SQL Server backup](https://docs.microsoft.com/azure/backup/backup-sql-server-database-azure-vms#discover-sql-server-databases) steps.
+
+### Step 2: Configure Backup
+
+- If the vault in which the SQL VM is registered in the same vault used to protect the databases, then follow the [Configure Backup](https://docs.microsoft.com/azure/backup/backup-sql-server-database-azure-vms#configure-backup) steps.
 
 If the SQL VM needs to be registered in the new vault, then it must be unregistered from the old vault.  Unregistration of a SQL VM from the vault requires all the protected data sources to be stop protected and then you can delete the backed up data. Deleting backed up data is a destructive operation.  After you have reviewed and taken all the precautions to unregister the SQL VM, then register this same VM with a new vault and retry the backup operation.
 
@@ -153,11 +153,13 @@ Check for one or more of the following symptoms before you trigger the re-regist
 * All operations (such as backup, restore, and configure backup) are failing on the VM with one of the following error codes: **WorkloadExtensionNotReachable**, **UserErrorWorkloadExtensionNotInstalled**, **WorkloadExtensionNotPresent**, **WorkloadExtensionDidntDequeueMsg**.
 * The **Backup Status** area for the backup item is showing **Not reachable**. Rule out all the other causes that might result in the same status:
 
-  * Lack of permission to perform backup-related operations on the VM.<br>
-  * Shutdown of the VM, so backups can’t take place.<br>
-  * Network issues.<br><br>  
+  * Lack of permission to perform backup-related operations on the VM.
+  * Shutdown of the VM, so backups can’t take place.
+  * Network issues.
+
+   !["Not reachable" status in re-registering a VM](./media/backup-azure-sql-database/re-register-vm.png/)
+
 
-!["Not reachable" status in re-registering a VM](./media/backup-azure-sql-database/re-register-vm.png)
 
 * In the case of an Always On availability group, the backups started failing after you changed the backup preference or after a failover.
 
 
@@ -37,42 +37,47 @@ For all operations, a SQL Server VM requires connectivity to Azure public IP add
 
 Establish connectivity by using one of the following options:
 
-#### **Allow the Azure datacenter IP ranges**.
+#### Allow the Azure datacenter IP ranges
+
 This option allows the [IP ranges](https://www.microsoft.com/download/details.aspx?id=41653) in the downloaded file. To access a network security group (NSG), use the Set-AzureNetworkSecurityRule cmdlet. If your safe recipients list only includes region-specific IPs, you'll also need to update the safe recipients list the Azure Active Directory (Azure AD) service tag to enable authentication.
 
-#### **Allow access using NSG tags**.
+#### Allow access using NSG tags
+
 If you use NSG to restrict connectivity, then you should use AzureBackup service tag to allows outbound access to Azure Backup. In addition, you should also allow connectivity for authentication and data transfer by using [rules](https://docs.microsoft.com/azure/virtual-network/security-overview#service-tags)  for Azure AD and Azure Storage. This can be done from the Azure portal or via PowerShell.
 
 To create a rule using the portal:
 
-  * In **All Services**, go to **Network security groups** and select the network security group.
-  * Select **Outbound security rules** under **Settings**.
-  * Select **Add**. Enter all the required details for creating a new rule as described in [security rule settings](https://docs.microsoft.com/azure/virtual-network/manage-network-security-group#security-rule-settings). Ensure the option  **Destination** is set to **Service Tag** and **Destination service tag** is set to **AzureBackup**.
-  * Click **Add**, to save the newly created outbound security rule.
+  1. In **All Services**, go to **Network security groups** and select the network security group.
+  2. Select **Outbound security rules** under **Settings**.
+  3. Select **Add**. Enter all the required details for creating a new rule as described in [security rule settings](https://docs.microsoft.com/azure/virtual-network/manage-network-security-group#security-rule-settings). Ensure the option  **Destination** is set to **Service Tag** and **Destination service tag** is set to **AzureBackup**.
+  4. Click **Add**, to save the newly created outbound security rule.
+
+To create a rule using PowerShell:
+
+ 1. Add Azure account credentials and update the national clouds<br/>
+      `Add-AzureRmAccount`<br/>
+
+ 2. Select the NSG subscription<br/>
+      `Select-AzureRmSubscription "<Subscription Id>"`
 
-To create a rule using Powershell:<br>
-  -  Add Azure account credentials and update the national clouds<br/>
-      ``Add-AzureRmAccount``<br/>
-  - Select the NSG subscription<br/>
-      ```Select-AzureRmSubscription "<Subscription Id>"```
+ 3. Select the NSG<br/>
+    `$nsg = Get-AzureRmNetworkSecurityGroup -Name "<NSG name>" -ResourceGroupName "<NSG resource group name>"`
 
-  - Select the NSG<br/>
-    ```$nsg = Get-AzureRmNetworkSecurityGroup -Name "<NSG name>" -ResourceGroupName "<NSG resource group name>"```
+ 4. Add allow outbound rule for Azure Backup service tag<br/>
+    `Add-AzureRmNetworkSecurityRuleConfig -NetworkSecurityGroup $nsg -Name "AzureBackupAllowOutbound" -Access Allow -Protocol * -Direction Outbound -Priority <priority> -SourceAddressPrefix * -SourcePortRange * -DestinationAddressPrefix "AzureBackup" -DestinationPortRange 443 -Description "Allow outbound traffic to Azure Backup service"`
 
-  -   Add allow outbound rule for Azure Backup service tag<br/>
-    ```Add-AzureRmNetworkSecurityRuleConfig -NetworkSecurityGroup $nsg -Name "AzureBackupAllowOutbound" -Access Allow -Protocol * -Direction Outbound -Priority <priority> -SourceAddressPrefix * -SourcePortRange * -DestinationAddressPrefix "AzureBackup" -DestinationPortRange 443 -Description "Allow outbound traffic to Azure Backup service"```
+ 5. Add allow outbound rule for Storage service tag<br/>
+    `Add-AzureRmNetworkSecurityRuleConfig -NetworkSecurityGroup $nsg -Name "StorageAllowOutbound" -Access Allow -Protocol * -Direction Outbound -Priority <priority> -SourceAddressPrefix * -SourcePortRange * -DestinationAddressPrefix "Storage" -DestinationPortRange 443 -Description "Allow outbound traffic to Azure Backup service"`
 
-  -   Add allow outbound rule for Storage service tag<br/>
-    ```Add-AzureRmNetworkSecurityRuleConfig -NetworkSecurityGroup $nsg -Name "StorageAllowOutbound" -Access Allow -Protocol * -Direction Outbound -Priority <priority> -SourceAddressPrefix * -SourcePortRange * -DestinationAddressPrefix "Storage" -DestinationPortRange 443 -Description "Allow outbound traffic to Azure Backup service"```
+ 6. Add allow outbound rule for AzureActiveDirectory service tag<br/>
+    `Add-AzureRmNetworkSecurityRuleConfig -NetworkSecurityGroup $nsg -Name "AzureActiveDirectoryAllowOutbound" -Access Allow -Protocol * -Direction Outbound -Priority <priority> -SourceAddressPrefix * -SourcePortRange * -DestinationAddressPrefix "AzureActiveDirectory" -DestinationPortRange 443 -Description "Allow outbound traffic to AzureActiveDirectory service"`
 
-  -   Add allow outbound rule for AzureActiveDirectory service tag<br/>
-    ```Add-AzureRmNetworkSecurityRuleConfig -NetworkSecurityGroup $nsg -Name "AzureActiveDirectoryAllowOutbound" -Access Allow -Protocol * -Direction Outbound -Priority <priority> -SourceAddressPrefix * -SourcePortRange * -DestinationAddressPrefix "AzureActiveDirectory" -DestinationPortRange 443 -Description "Allow outbound traffic to AzureActiveDirectory service"```
+ 7. Save the NSG<br/>
+    `Set-AzureRmNetworkSecurityGroup -NetworkSecurityGroup $nsg`
 
-  -	 Save the NSG<br/>
-    ```Set-AzureRmNetworkSecurityGroup -NetworkSecurityGroup $nsg```
+**Allow access by using Azure Firewall tags**. If you're using Azure Firewall, create an application rule by using the AzureBackup [FQDN tag](https://docs.microsoft.com/azure/firewall/fqdn-tags). This allows outbound access to Azure Backup.
 
-* **Allow access by using Azure Firewall tags**. If you're using Azure Firewall, create an application rule by using the AzureBackup [FQDN tag](https://docs.microsoft.com/azure/firewall/fqdn-tags). This allows outbound access to Azure Backup.
-* **Deploy an HTTP proxy server to route traffic**. When you back up a SQL Server database on an Azure VM, the backup extension on the VM uses the HTTPS APIs to send management commands to Azure Backup and data to Azure Storage. The backup extension also uses Azure AD for authentication. Route the backup extension traffic for these three services through the HTTP proxy. The extensions are the only component that's configured for access to the public internet.
+**Deploy an HTTP proxy server to route traffic**. When you back up a SQL Server database on an Azure VM, the backup extension on the VM uses the HTTPS APIs to send management commands to Azure Backup and data to Azure Storage. The backup extension also uses Azure AD for authentication. Route the backup extension traffic for these three services through the HTTP proxy. The extensions are the only component that's configured for access to the public internet.
 
 Connectivity options include the following advantages and disadvantages: