Commit 3f16303

Merge pull request #99829 from vrvkrajesh/master
Added Comments
2 parents ff52b3c + 0409856 commit 3f16303

5 files changed

+73
-30
lines changed

articles/backup/backup-azure-file-folder-backup-faq.md

Lines changed: 4 additions & 4 deletions
@@ -154,13 +154,13 @@ The Azure Backup agent requires a passphrase (that you provided during registrat
154154

155155
| Original Machine <br> *(source machine where backups were taken)* | Passphrase | Available Options |
156156
| --- | --- | --- |
157-
| Available |Lost |If your original machine (where backups were taken) is available and still registered with the same Recovery Services vault, then you will be able to regenerate the passphrase by following these <steps> |
157+
| Available |Lost |If your original machine (where backups were taken) is available and still registered with the same Recovery Services vault, then you will be able to regenerate the passphrase by following these [steps](https://docs.microsoft.com/azure/backup/backup-azure-manage-mars#re-generate-passphrase). |
158158
| Lost |Lost |Not possible to recover the data or data is not available |
159159

160160
Consider the following conditions:
161161
- If you uninstall & re-register the agent on the same original machine with
162-
- *Same passphrase*, then you will be able to restore your backed up data.<br>
163-
- *Different passphrase*, then you will not be able to restore your backed up data.
162+
- *Same passphrase*, then you will be able to restore your backed up data.<br>
163+
- *Different passphrase*, then you will not be able to restore your backed up data.
164164
- If you install the agent on a *different machine* with<br>
165165
- the same passphrase (used in the original machine), then you will be able to restore your backed up data.<br>
166166
- a different passphrase, you will not be able to restore your backed up data.<br>
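
Review bot: The link added at line 157 is an absolute docs.microsoft.com URL, while other links in the files touched by this commit are relative (for example `backup-azure-sql-database.md#set-vm-permissions`); a relative link to the same article would match that convention. The removed and added lines 162-163 read identically in this view, so that part of the change is whitespace only; confirm the two sub-bullets end up indented under line 161, and apply the same nesting to lines 165-166 under line 164.
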
@@ -172,7 +172,7 @@ If you have the same passphrase (that you provided during registration) of the o
172172

173173
| Original Machine | Passphrase | Available Options |
174174
| --- | --- | --- |
175-
| Lost |Available |You can install and register the MARS agent on another machine with the same passphrase that you provided during registration of the original machine. Choose **Recovery Option** > **Another location** to perform your restore. For more information, see
175+
| Lost |Available |You can install and register the MARS agent on another machine with the same passphrase that you provided during registration of the original machine. Choose **Recovery Option** > **Another location** to perform your restore. For more information, refer to this [article](https://docs.microsoft.com/azure/backup/backup-azure-restore-windows-server#use-instant-restore-to-restore-data-to-an-alternate-machine).
176176
| Lost |Lost |Not possible to recover the data or data is not available |
177177

178178
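
Review bot: The link text added at line 175 is just "article", which tells the reader nothing about the target when read out of context; name the destination instead, for example "restore data to an alternate machine". The row also still ends without a closing `|`, unlike the row at line 176, and the URL is absolute where a relative link would do.
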

articles/backup/backup-sql-server-azure-troubleshoot.md

Lines changed: 33 additions & 5 deletions
@@ -1,5 +1,5 @@
11
---
2-
title: Troubleshoot SQL Server database backup
2+
title: Troubleshoot SQL Server database backup
33
description: Troubleshooting information for backing up SQL Server databases running on Azure VMs with Azure Backup.
44
ms.topic: troubleshooting
55
ms.date: 06/18/2019
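
Review bot: `ms.date` at line 5 stays at 06/18/2019 although this commit adds two new sections to the article; bump it so the metadata reflects the change. The title line at line 2 reads the same before and after, so that edit is whitespace only and can be dropped from the diff if it was not intended.
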
@@ -15,6 +15,25 @@ For more information about the backup process and limitations, see [About SQL Se
1515

1616
To configure protection for a SQL Server database on a virtual machine, you must install the **AzureBackupWindowsWorkload** extension on that virtual machine. If you get the error **UserErrorSQLNoSysadminMembership**, it means your SQL Server instance doesn't have the required backup permissions. To fix this error, follow the steps in [Set VM permissions](backup-azure-sql-database.md#set-vm-permissions).
1717

18+
## Troubleshoot discover and configure issues
19+
After creating and configuring a Recovery Services vault, discovering databases and configuring backup is a two-step process.<br>
20+
21+
![sql](./media/backup-azure-sql-database/sql.png)
22+
23+
During the backup configuration, if the SQL VM and its instances are not visible in the **Discovery DBs in VMs** and **Configure Backup** (refer to above image) ensure that:
24+
25+
### Step 1: Discovery DBs in VMs
26+
27+
- If the VM is not listed in the discovered VM list and also not registered for SQL backup in another vault, then follow the [Discovery SQL Server backup](https://docs.microsoft.com/azure/backup/backup-sql-server-database-azure-vms#discover-sql-server-databases) steps.
28+
29+
### Step 2: Configure Backup
30+
31+
- If the vault in which the SQL VM is registered in the same vault used to protect the databases, then follow the [Configure Backup](https://docs.microsoft.com/azure/backup/backup-sql-server-database-azure-vms#configure-backup) steps.
32+
33+
If the SQL VM needs to be registered in the new vault, then it must be unregistered from the old vault. Unregistration of a SQL VM from the vault requires all the protected data sources to be stop protected and then you can delete the backed up data. Deleting backed up data is a destructive operation. After you have reviewed and taken all the precautions to unregister the SQL VM, then register this same VM with a new vault and retry the backup operation.
34+
35+
36+
1837
## Error messages
1938

2039
### Backup type unsupported
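
Review bot: The sentence at line 23 ends in "ensure that:" but is followed by two headings rather than a list of conditions, and the condition at line 31 does not parse ("If the vault in which the SQL VM is registered in the same vault used to protect the databases"); it presumably needs "is registered is the same vault". The label is written "Discovery DBs in VMs" at lines 23 and 25, so check it against the portal text. The image at line 21 has the alt text "sql", which should describe the screenshot, and the trailing `<br>` at line 19 and the three empty lines 34-36 can go. Line 33 sends the reader through stop protection and delete of backed up data; since it already calls that destructive, state plainly that existing recovery points are lost when moving the VM to a new vault.
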
@@ -120,18 +139,27 @@ Operation is blocked as you have reached the limit on number of operations permi
120139
|---|---|---|
121140
Operation is blocked as the vault has reached its maximum limit for such operations permitted in a span of 24 hours. | When you have reached the maximum permissible limit for an operation in a span of 24 hours, this error comes. This error usually comes when there are at-scale operations such as modify policy or auto-protection. Unlike in the case of CloudDosAbsoluteLimitReached, there is not much you can do to resolve this state, in fact, Azure Backup service will retry the operations internally for all the items in question.<br> For example: If you have a large number of datasources protected with a policy and you try to modify that policy, it will trigger configure protection jobs for each of the protected items and sometimes may hit the maximum limit permissible for such operations per day.| Azure Backup service will automatically retry this operation after 24 hours.
122141

142+
### UserErrorVMInternetConnectivityIssue
143+
144+
| Error message | Possible causes | Recommended action |
145+
|---|---|---|
146+
The VM is not able to contact Azure Backup service due to internet connectivity issues. | The VM needs outbound connectivity to Azure Backup Service, Azure Storage or Azure Active Directory services.| - If you use NSG to restrict connectivity, then you should use the AzureBackup service tag to allows outbound access to Azure Backup to Azure Backup Service, Azure Storage or Azure Active Directory services. Follow these [steps](https://aka.ms/nsgrulesforsqlbackup) to grant access.<br>- Ensure DNS is resolving Azure endpoints.<br>- Check if the VM is behind a load balancer blocking internet access. By assigning public IP to the VMs, discovery will work.<br>- Verify there is no firewall/antivirus/proxy that is blocking calls to the above three target services.
147+
148+
123149
## Re-registration failures
124150

125151
Check for one or more of the following symptoms before you trigger the re-register operation:
126152

127153
* All operations (such as backup, restore, and configure backup) are failing on the VM with one of the following error codes: **WorkloadExtensionNotReachable**, **UserErrorWorkloadExtensionNotInstalled**, **WorkloadExtensionNotPresent**, **WorkloadExtensionDidntDequeueMsg**.
128154
* The **Backup Status** area for the backup item is showing **Not reachable**. Rule out all the other causes that might result in the same status:
129155

130-
* Lack of permission to perform backup-related operations on the VM
131-
* Shutdown of the VM, so backups can’t take place
132-
* Network issues
156+
* Lack of permission to perform backup-related operations on the VM.
157+
* Shutdown of the VM, so backups can’t take place.
158+
* Network issues.
159+
160+
![re-registering VM](./media/backup-azure-sql-database/re-register-vm.png)
161+
133162

134-
!["Not reachable" status in re-registering a VM](./media/backup-azure-sql-database/re-register-vm.png)
135163

136164
* In the case of an Always On availability group, the backups started failing after you changed the backup preference or after a failover.
137165
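
Review bot: The first recommended action at line 146 says the AzureBackup service tag "allows outbound access to Azure Backup to Azure Backup Service, Azure Storage or Azure Active Directory services", which repeats a phrase and reads as if one tag covers all three services; the PowerShell steps added to backup-sql-server-database-azure-vms.md in this same commit create separate rules for the AzureBackup, Storage and AzureActiveDirectory tags, and this sentence should say the same. The same cell suggests assigning a public IP to the VMs so that discovery works; that gives a SQL Server VM an internet-facing address, which is more than the outbound connectivity named in the Possible causes column, so point to the NSG tag, Azure Firewall tag or proxy options instead. At line 160 the image alt text shrinks from "Not reachable" status in re-registering a VM to "re-registering VM"; keep the descriptive form.
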

articles/backup/backup-sql-server-database-azure-vms.md

Lines changed: 36 additions & 21 deletions
@@ -1,5 +1,5 @@
11
---
2-
title: Back up SQL Server databases in Azure VMs
2+
title: Back up SQL Server databases in Azure VMs
33
description: In this article, learn how to back up SQL Server databases on Azure virtual machines with Azure Backup.
44
ms.reviewer: vijayts
55
ms.topic: conceptual
@@ -37,32 +37,47 @@ For all operations, a SQL Server VM requires connectivity to Azure public IP add
3737

3838
Establish connectivity by using one of the following options:
3939

40-
* **Allow the Azure datacenter IP ranges**. This option allows [IP ranges](https://www.microsoft.com/download/details.aspx?id=41653) in the download. To access a network security group (NSG), use the Set-AzureNetworkSecurityRule cmdlet. If you're safe recipients list only region-specific IPs, you'll also need to update the safe recipients list the Azure Active Directory (Azure AD) service tag to enable authentication.
40+
#### Allow the Azure datacenter IP ranges
4141

42-
* **Allow access using NSG tags**. If you use NSG to restrict connectivity, then you should use AzureBackup service tag to allows outbound access to Azure Backup. In addition, you should also allow connectivity for authentication and data transfer by using [rules](https://docs.microsoft.com/azure/virtual-network/security-overview#service-tags) for Azure AD and Azure Storage. This can be done from portal or PowerShell.
42+
This option allows the [IP ranges](https://www.microsoft.com/download/details.aspx?id=41653) in the downloaded file. To access a network security group (NSG), use the Set-AzureNetworkSecurityRule cmdlet. If your safe recipients list only includes region-specific IPs, you'll also need to update the safe recipients list the Azure Active Directory (Azure AD) service tag to enable authentication.
4343

44-
To create a rule using the portal:
44+
#### Allow access using NSG tags
4545

46-
* In **All Services**, go to **Network security groups** and select the network security group.
47-
* Select **Outbound security rules** under **Settings**.
48-
* Select **Add**. Enter all the required details for creating a new rule as described in [security rule settings](https://docs.microsoft.com/azure/virtual-network/manage-network-security-group#security-rule-settings). Ensure the option **Destination** is set to **Service Tag** and **Destination service tag** is set to **AzureBackup**.
49-
* Click **Add**, to save the newly created outbound security rule.
46+
If you use NSG to restrict connectivity, then you should use AzureBackup service tag to allows outbound access to Azure Backup. In addition, you should also allow connectivity for authentication and data transfer by using [rules](https://docs.microsoft.com/azure/virtual-network/security-overview#service-tags) for Azure AD and Azure Storage. This can be done from the Azure portal or via PowerShell.
5047

51-
To create a rule using Powershell:
48+
To create a rule using the portal:
5249

53-
* Add Azure account credentials and update the national clouds<br/>
54-
``Add-AzureRmAccount``
55-
* Select the NSG subscription<br/>
56-
``Select-AzureRmSubscription "<Subscription Id>"``
57-
* Select the NSG<br/>
58-
```$nsg = Get-AzureRmNetworkSecurityGroup -Name "<NSG name>" -ResourceGroupName "<NSG resource group name>"```
59-
* Add allow outbound rule for Azure Backup service tag<br/>
60-
```Add-AzureRmNetworkSecurityRuleConfig -NetworkSecurityGroup $nsg -Name "AzureBackupAllowOutbound" -Access Allow -Protocol * -Direction Outbound -Priority <priority> -SourceAddressPrefix * -SourcePortRange * -DestinationAddressPrefix "AzureBackup" -DestinationPortRange 443 -Description "Allow outbound traffic to Azure Backup service"```
61-
* Save the NSG<br/>
62-
```Set-AzureRmNetworkSecurityGroup -NetworkSecurityGroup $nsg```
50+
1. In **All Services**, go to **Network security groups** and select the network security group.
51+
2. Select **Outbound security rules** under **Settings**.
52+
3. Select **Add**. Enter all the required details for creating a new rule as described in [security rule settings](https://docs.microsoft.com/azure/virtual-network/manage-network-security-group#security-rule-settings). Ensure the option **Destination** is set to **Service Tag** and **Destination service tag** is set to **AzureBackup**.
53+
4. Click **Add**, to save the newly created outbound security rule.
6354

64-
* **Allow access by using Azure Firewall tags**. If you're using Azure Firewall, create an application rule by using the AzureBackup [FQDN tag](https://docs.microsoft.com/azure/firewall/fqdn-tags). This allows outbound access to Azure Backup.
65-
* **Deploy an HTTP proxy server to route traffic**. When you back up a SQL Server database on an Azure VM, the backup extension on the VM uses the HTTPS APIs to send management commands to Azure Backup and data to Azure Storage. The backup extension also uses Azure AD for authentication. Route the backup extension traffic for these three services through the HTTP proxy. The extensions are the only component that's configured for access to the public internet.
55+
To create a rule using PowerShell:
56+
57+
1. Add Azure account credentials and update the national clouds<br/>
58+
`Add-AzureRmAccount`<br/>
59+
60+
2. Select the NSG subscription<br/>
61+
`Select-AzureRmSubscription "<Subscription Id>"`
62+
63+
3. Select the NSG<br/>
64+
`$nsg = Get-AzureRmNetworkSecurityGroup -Name "<NSG name>" -ResourceGroupName "<NSG resource group name>"`
65+
66+
4. Add allow outbound rule for Azure Backup service tag<br/>
67+
`Add-AzureRmNetworkSecurityRuleConfig -NetworkSecurityGroup $nsg -Name "AzureBackupAllowOutbound" -Access Allow -Protocol * -Direction Outbound -Priority <priority> -SourceAddressPrefix * -SourcePortRange * -DestinationAddressPrefix "AzureBackup" -DestinationPortRange 443 -Description "Allow outbound traffic to Azure Backup service"`
68+
69+
5. Add allow outbound rule for Storage service tag<br/>
70+
`Add-AzureRmNetworkSecurityRuleConfig -NetworkSecurityGroup $nsg -Name "StorageAllowOutbound" -Access Allow -Protocol * -Direction Outbound -Priority <priority> -SourceAddressPrefix * -SourcePortRange * -DestinationAddressPrefix "Storage" -DestinationPortRange 443 -Description "Allow outbound traffic to Azure Backup service"`
71+
72+
6. Add allow outbound rule for AzureActiveDirectory service tag<br/>
73+
`Add-AzureRmNetworkSecurityRuleConfig -NetworkSecurityGroup $nsg -Name "AzureActiveDirectoryAllowOutbound" -Access Allow -Protocol * -Direction Outbound -Priority <priority> -SourceAddressPrefix * -SourcePortRange * -DestinationAddressPrefix "AzureActiveDirectory" -DestinationPortRange 443 -Description "Allow outbound traffic to AzureActiveDirectory service"`
74+
75+
7. Save the NSG<br/>
76+
`Set-AzureRmNetworkSecurityGroup -NetworkSecurityGroup $nsg`
77+
78+
**Allow access by using Azure Firewall tags**. If you're using Azure Firewall, create an application rule by using the AzureBackup [FQDN tag](https://docs.microsoft.com/azure/firewall/fqdn-tags). This allows outbound access to Azure Backup.
79+
80+
**Deploy an HTTP proxy server to route traffic**. When you back up a SQL Server database on an Azure VM, the backup extension on the VM uses the HTTPS APIs to send management commands to Azure Backup and data to Azure Storage. The backup extension also uses Azure AD for authentication. Route the backup extension traffic for these three services through the HTTP proxy. The extensions are the only component that's configured for access to the public internet.
6681

6782
Connectivity options include the following advantages and disadvantages:
6883
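
Review bot: The Storage rule at line 70 carries the description "Allow outbound traffic to Azure Backup service", copied from line 67; it should name Azure Storage, because the description is what an operator reads when auditing the NSG. All three rules use the same `<priority>` placeholder, and NSG priorities must be unique within a direction, so say that each rule needs its own value. The rules pass `-Protocol *` with `-DestinationPortRange 443`; line 80 says the extension uses HTTPS, so `-Protocol Tcp` would be the tighter rule. Line 42 still does not parse ("update the safe recipients list the Azure Active Directory (Azure AD) service tag") and names `Set-AzureNetworkSecurityRule` while the steps below use the `AzureRm` cmdlets. The last two options at lines 78 and 80 remain bold paragraphs while the first two became `####` headings.
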
