AKS, PGSQL and MYSQL Update

Author: rajats22

articles/backup/azure-kubernetes-service-backup-overview.md

@@ -438,6 +438,8 @@ You incur charges for:
 
 - **Snapshot fee**: Azure Backup for AKS protects a disk-based persistent volume by taking snapshots that are stored in the resource group in your Azure subscription. These snapshots incur snapshot storage charges. Because the snapshots aren't copied to the Backup vault, backup storage cost doesn't apply. For more information on the snapshot pricing, see [Managed Disk pricing](https://azure.microsoft.com/pricing/details/managed-disks/).
 
+- **Backup Storage fee**: Azure Backup for AKS also supports storing backups in Vault Tier. This can be achieved by defining retention rules for **vault-standard** in the backup policy, with one restore point per day elligible to be moved into the Vault. Restore points stored in the Vault Tier are charged a separate fees called Backup Storage fee as per the total data stored (in GBs) and redundancy type enable on the Backup Vault. 
+
 
 ## Next step
 

articles/backup/azure-kubernetes-service-backup-troubleshoot.md

@@ -343,6 +343,14 @@ These error codes can appear while you enable AKS backup to store backups in a v
 
 **Recommended action**: Use same cluster version for Target cluster as Source cluster or manually apply the CRs.
 
+### LinkedAuthorizationFailed
+
+**Error code**: LinkedAuthorizationFailed
+
+**Cause**: To perform a restore operation, user needs to have a **read** permission over the backed up AKS cluster. 
+
+**Recommended action**: Assign Reader role over the source AKS cluster and then proceed to perform the restore operation. 
+
 ## Next steps
 
 - [About Azure Kubernetes Service (AKS) backup](azure-kubernetes-service-backup-overview.md)

articles/backup/azure-kubernetes-service-cluster-backup-policy.md

@@ -0,0 +1,67 @@
+---
+title: Audit and Enforce Backup Operations for Azure Kubernetes Service clusters using Azure Policy 
+description: 'An article describing how to use Azure Policy to audit and enforce backup operations for all Azure Kubernetes Service clusters created in a given scope'
+ms.topic: how-to
+ms.date: 08/26/2024
+ms.service: azure-backup
+author: AbhishekMallick-MS
+ms.author: v-abhmallick
+---
+
+# Audit and Enforce Backup Operations for Azure Kubernetes Service clusters using Azure Policy 
+
+One of the key responsibilities of a Backup or Compliance Admin in an organization is to ensure that all business-critical machines are backed up with the appropriate retention.
+
+Today, Azure Backup provides various built-in policies (using [Azure Policy](../governance/policy/overview.md)) to help you automatically ensure that your Azure Kubernetes Service clusters are prepped for backup configuration. Depending on how your backup teams and resources are organized, you can use any one of the below policies:
+
+## Policy 1 - Azure Backup Extension should be installed in AKS clusters
+
+It is an [audit-only](../governance/policy/concepts/effects.md#audit) policy. This policy identifies which AKS clusters don't have backup extension installed but doesn't automatically install backup extension for these AKS clusters. It is useful when you're only looking to evaluate the overall preparedness of the AKS clusters for backup compliance but not looking to take action immediately.
+
+## Policy 2 - Azure Backup should be enabled for AKS clusters
+
+It is an [audit-only](../governance/policy/concepts/effects.md#audit) policy. This policy identifies which clusters don't have backup enabled but doesn't automatically configure backups for these clusters. It's useful when you're only looking to evaluate the overall compliance of the clusters but not looking to take action immediately.
+
+## Policy 3 - Install Azure Backup Extension in AKS clusters (Managed Cluster) with a given tag.
+
+A central backup team in an organization can use this policy to install backup extension to any AKS clusters in a region. You can choose to **include** clusters that contain a certain tag, in the scope of this policy.
+
+## Policy 4 - Install Azure Backup Extension in AKS clusters (Managed Cluster) without a given tag.
+
+A central backup team in an organization can use this policy to install backup extension to any AKS clusters in a region. You can choose to **exclude** clusters that contain a certain tag, from the scope of this policy.
+
+## Supported Scenarios
+
+* The built-in policy is currently supported only for Azure Kubernetes Service clusters. 
+
+* Users must take care to ensure that the necessary [prerequisites](azure-kubernetes-service-cluster-backup-concept.md#Backup Extension) are enabled before Policies 3 and 4 are assigned.
+
+* Policies 3 and 4 can be assigned to a single region and subscription at a time. 
+
+* For Policies 1, 2, 3 and 4, management group scope is currently unsupported.
+
+## Using the built-in policies
+
+The below steps describe the end-to-end process of assigning Policy 3: **Install Azure Backup Extension in AKS clusters (Managed Cluster) with a given tag**. Similar instructions apply for the other policies. Once assigned, any new AKS cluster created under this scope has backup extension installed automatically.
+
+1. Sign in to the Azure portal and navigate to the **Policy** Dashboard.
+2. Select **Definitions** in the left menu to get a list of all built-in policies across Azure Resources.
+3. Filter the list for **Category=Backup** and select the policy named *Install Azure Backup Extension in AKS clusters (Managed Cluster) with a given tag*.
+:::image type="content" source="./media/azure-kubernetes-service-cluster-backup-policy/policy-dashboard-inline.png" alt-text="Screenshot showing how to filter the list by category on Policy dashboard." lightbox="./media/backup-azure-auto-enable-backup/policy-dashboard-expanded.png":::
+4. Select the name of the policy. You're then redirected to the detailed definition for this policy.
+![Screenshot showing the Policy Definition pane.](./media/azure-kubernetes-service-cluster-backup-policy/policy-definition-blade.png)
+5. Select the **Assign** button at the top of the pane. This redirects you to the **Assign Policy** pane.
+6. Under **Basics**, select the three dots next to the **Scope** field. It opens up a right context pane where you can select the subscription for the policy to be applied on. You can also optionally select a resource group, so that the policy is applied only for AKS clusters in a particular resource group.
+![Screenshot showing the Policy Assignment Basics tab.](./media/azure-kubernetes-service-cluster-backup-policy/policy-assignment-basics.png)
+7. In the **Parameters** tab, choose a location from the drop-down, and select the storage account to which the backup extension installed in the AKS cluster in the scope must be associated. You can also choose to specify a tag name and an array of tag values. An AKS cluster that contains any of the specified values for the given tag are excluded from the scope of the policy assignment.
+![Screenshot showing the Policy Assignment Parameters pane.](./media/azure-kubernetes-service-cluster-backup-policy/policy-assignment-parameters.png)
+8. Ensure that **Effect** is set to deployIfNotExists.
+9. Navigate to **Review+create** and select **Create**.
+
+> [!NOTE]
+>
+> - Azure Policy can also be used on existing AKS clusters, using [remediation](../governance/policy/how-to/remediate-resources.md).
+
+## Next step
+
+[Learn more about Azure Policy](../governance/policy/overview.md)

articles/backup/azure-kubernetes-service-cluster-backup-support-matrix.md

@@ -33,6 +33,8 @@ You can use [Azure Backup](./backup-overview.md) to help protect Azure Kubernete
 
 - Before you install the backup extension in an AKS cluster, ensure that the CSI drivers and snapshot are enabled for your cluster. If they're disabled, [enable these settings](/azure/aks/csi-storage-drivers#enable-csi-storage-drivers-on-an-existing-cluster).
 
+- Provide a new and empty blob container as input while installing backup extension in an AKS cluster for the first time. Do not use same blob contianer for more than one AKS cluster. 
+
 - AKS backups don't support in-tree volumes. You can back up only CSI driver-based volumes. You can [migrate from tree volumes to CSI driver-based persistent volumes](/azure/aks/csi-migrate-in-tree-volumes).
 
 - Currently, an AKS backup supports only the backup of Azure disk-based persistent volumes (enabled by the CSI driver). The supported Azure Disk SKUs are Standard HDD, Standard SSD, and Premium SSD. The disks belonging to Premium SSD v2 and Ultra Disk SKU are not supported. Both static and dynamically provisioned volumes are supported. For backup of static disks, the persistent volumes specification should have the *storage class* defined in the **YAML** file, otherwise such persistent volumes will be skipped from the backup operation.
@@ -53,7 +55,7 @@ You can use [Azure Backup](./backup-overview.md) to help protect Azure Kubernete
 
 - The Backup vault and the AKS cluster should be in the same region and subscription.
 
-- Azure Backup for AKS provides both Operation Tier (Snapshot) and Vault Tier backup. Multiple backups per day can be stored in Operational Tier, with only one backup per day to be stored in the Vault.
+- Azure Backup for AKS provides both Operational Tier (Snapshot) and Vault Tier backup. Multiple backups per day can be stored in Operational Tier, with only one backup per day to be stored in the Vault as per the retention policy defined.
 
 - Currently, the modification of a backup policy and the modification of a snapshot resource group (assigned to a backup instance during configuration of the AKS cluster backup) aren't supported.
 
@@ -70,6 +72,7 @@ You can use [Azure Backup](./backup-overview.md) to help protect Azure Kubernete
   | Number of backup policies per Backup vault | 5,000 |
   | Number of backup instances per Backup vault | 5,000 |
   | Number of on-demand backups allowed in a day per backup instance | 10 |
+  | Number of namesapces per backup instance | 800 | 
   | Number of allowed restores per backup instance in a day | 10 |
 
 - Configuration of a storage account with private endpoint is supported.

articles/backup/backup-azure-database-postgresql-flex-overview.md

@@ -22,7 +22,7 @@ Azure Backup and Azure Database Services have come together to build an enterpri
 
 To perform the backup operation:
 
-1. Grant permissions to the backup vault MSI on the target ARM resource (PostgreSQL-Flexible server), establishing access and control. 
+1. Grant permissions to the backup vault MSI on the target ARM resource (PostgreSQL-Flexible server), establishing access, and control. 
 1. Configure backup policies, specify scheduling, retention, and other parameters. 
 
 Once the configuration is complete:
@@ -47,6 +47,14 @@ For successful backup operations, the vault MSI needs the following permissions:
     1. *PostgreSQL Flexible Server Long Term Retention Backup* role on the server.
     1. *Reader* role on the resource group of the server.
 
+## Understand pricing
+
+You incur charges for:
+
+- **Protected instance fee**: Azure Backup for PostgreSQL - Flexible servers charges a *protected instance fee* as per the size of the database. When you configure backup for a PostgreSQL Flexible server, a protected instance is created. Each instance is charged on the basis of its size (in GBs) on a per unit (250 GB) basis . 
+
+- **Backup Storage fee**: Azure Backup for PostgreSQL - Flexible servers store backups in Vault Tier. Restore points stored in the vault-standard tier are charged a separate fees called Backup Storage fee as per the total data stored (in GBs) and redundancy type enable on the Backup Vault. 
+
 ## Next steps
 
 [Azure Database for PostgreSQL -Flex backup (preview)](backup-azure-database-postgresql-flex.md).

articles/backup/backup-azure-database-postgresql-overview.md

@@ -10,6 +10,13 @@ ms.author: v-abhmallick
 
 # About Azure Database for PostgreSQL backup
 
+>[!Note]
+>Azure Database for PostgreSQL - Single Server is on the retirement path and is scheduled for retirement by March 28, 2025. 
+>
+>If you currently have an Azure Database for PostgreSQL - Single Server service hosting production servers, we're glad to inform you that you can migrate your Azure Database for PostgreSQL - Single Server to the Azure Database for PostgreSQL - Flexible Server. 
+>
+>Azure Database for PostgreSQL - Flexible Server is a fully managed production-ready> database service designed for more granular control and flexibility over database management functions and configuration settings with the enterprise grade [backup solution by Azure Backup](backup-azure-database-postgresql-flex-overview.md). For more information about Azure Database for PostgreSQL - Flexible Server, visit Azure Database for PostgreSQL - Flexible Server.
+
 Azure Backup and Azure Database Services have come together to build an enterprise-class backup solution for Azure Database for PostgreSQL servers that retains backups for up to 10 years. Besides long-term retention, the solution offers the following capabilities:
 
 - Customer controlled scheduled and on-demand backups at the individual database level.

articles/backup/backup-azure-mysql-flexible-server-about.md

@@ -48,6 +48,15 @@ The following table lists permissions that the vault MSI requires for successful
 | **Backup** | - MySQL Flexible Server Long-term Retention Backup Role <br><br> - Reader Role on the server's resource group. |
 | **Restore** | Storage Blob Data Contributor Role on the target storage account. |
 
+## Understand pricing
+
+You incur charges for:
+
+- **Protected instance fee**: Azure Backup for MySQL - Flexible servers charges a *protected instance fee* as per the size of the database. When you configure backup for a PostgreSQL Flexible server, a protected instance is created. Each instance is charged on the basis of its size (in GBs) on a per unit (250 GB) basis . 
+
+- **Backup Storage fee**: Azure Backup for MySQL - Flexible servers store backups in Vault Tier. Restore points stored in the vault-standard tier are charged a separate fees called Backup Storage fee as per the total data stored (in GBs) and redundancy type enable on the Backup Vault. 
+
+
 ## Next steps
 
 - [Support matrix for Azure Database for MySQL - Flexible Server retention for long term (preview)](backup-azure-mysql-flexible-server-support-matrix.md).

articles/backup/backup-managed-disks-policy.md

@@ -0,0 +1,65 @@
+---
+title: Audit and Enforce Backup for Managed Disks using Azure Policy 
+description: 'An article describing how to use Azure Policy to audit and enforce backup for all Disks created in a given scope'
+ms.topic: how-to
+ms.date: 08/26/2024
+ms.service: azure-backup
+author: AbhishekMallick-MS
+ms.author: v-abhmallick
+---
+
+# Audit and Enforce Backup for Managed Disks using Azure Policy 
+
+One of the key responsibilities of a Backup or Compliance Admin in an organization is to ensure that all business-critical machines are backed up with the appropriate retention.
+
+Today, Azure Backup provides various built-in policies (using [Azure Policy](../governance/policy/overview.md)) to help you automatically ensure that your Azure Managed Disks are configured for backup. Depending on how your backup teams and resources are organized, you can use any one of the below policies:
+
+## Policy 1 - Azure Backup should be enabled for Managed Disks
+
+It is an [audit-only](../governance/policy/concepts/effects.md#audit) policy. This policy identifies which disks don't have backup enabled but doesn't automatically configure backups for these disks. It is useful when you're only looking to evaluate the overall compliance of the disks but not looking to take action immediately.
+
+## Policy 2 - Configure backup for Azure Disks (Managed Disks) with a given tag to an existing backup vault in the same region
+
+A central backup team of an organization can use this policy to configure backup to an existing central Backup vault in the same subscription and location as the Managed Disks being governed. You can choose to **include** Disks that contain a certain tag, in the scope of this policy.
+
+## Policy 3 - Configure backup for Azure Disks (Managed Disks) without a given tag to an existing backup vault in the same region
+
+This policy works the same as Policy 2 above, with the only difference being that you can use this policy to **exclude** Disks that contain a certain tag, from the scope of this policy.
+
+## Supported Scenarios
+
+* The built-in policy is currently supported only for Azure Managed Disks. Users must take care to ensure that the Backup Vault and backup policy specified during assignment is a Disk backup policy. 
+
+* The Policies 2 and 3 can be assigned to a single location and subscription at a time. To enable backup for Disks across locations and subscriptions, multiple instances of the policy assignment need to be created, one for each combination of location and subscription.
+
+* For the Policies 1, 2 and 3, management group scope is currently unsupported.
+
+* For the  Policies 2 and 3, the specified vault and the disks configured for backup can be under different resource groups.
+
+
+## Using the built-in policies
+
+The below steps describe the end-to-end process of assigning Policy 2: **Configure backup on Managed Disks with a given tag to an existing backup vault in the same location to a given scope** . Similar instructions are applicable for the other policies. Once assigned, any new Managed Disk created in the scope is automatically configured for backup.
+
+1. Sign in to the Azure portal and navigate to the **Policy** Dashboard.
+2. Select **Definitions** in the left menu to get a list of all built-in policies across Azure Resources.
+3. Filter the list for **Category=Backup** and select the policy named *Configure backup on Managed Disks with a given tag to an existing backup vault in the same location to a given scope*.
+:::image type="content" source="./media/backup-managed-disks-policy/policy-dashboard-inline.png" alt-text="Screenshot showing how to filter the list by category on Policy dashboard." lightbox="./media/backup-azure-auto-enable-backup/policy-dashboard-expanded.png":::
+4. Select the name of the policy. You're then redirected to the detailed definition for this policy.
+![Screenshot showing the Policy Definition pane.](./media/backup-managed-disks-policy/policy-definition-blade.png)
+5. Select the **Assign** button at the top of the pane. This redirects you to the **Assign Policy** pane.
+6. Under **Basics**, select the three dots next to the **Scope** field. It opens up a right context pane where you can select the subscription for the policy to be applied on. You can also optionally select a resource group, so that the policy is applied only for Disks in a particular resource group.
+![Screenshot showing the Policy Assignment Basics tab.](./media/backup-managed-disks-policy/policy-assignment-basics.png)
+7. In the **Parameters** tab, choose a location from the drop-down, and select the vault, backup policy to which the Disks in the scope must be associated, and resource group where these disk snapshots are stored. You can also choose to specify a tag name and an array of tag values. A Disk that contains any of the specified values for the given tag is included in the scope of the policy assignment.
+![Screenshot showing the Policy Assignment Parameters pane.](./media/backup-managed-disks-policy/policy-assignment-parameters.png)
+8. Ensure that **Effect** is set to deployIfNotExists.
+9. Navigate to **Review+create** and select **Create**.
+
+> [!NOTE]
+>
+> - Azure Policy can also be used on existing Disks, using [remediation](../governance/policy/how-to/remediate-resources.md).
+> - It's recommended that this policy not be assigned to more than 200 Disks at a time. If the policy is assigned to more than 200 Disks, it can result in the backup being triggered a few hours later than that specified by the schedule.
+
+## Next step
+
+[Learn more about Azure Policy](../governance/policy/overview.md)