Merge pull request #101907 from dcurwin/jan22-2020

PMEds28 · web-flow · commit 6ab340f2fcee · 2020-01-22T11:54:30.000Z
No outbound connectivity required
diff --git a/articles/backup/backup-azure-arm-vms-prepare.md b/articles/backup/backup-azure-arm-vms-prepare.md
@@ -30,7 +30,6 @@ In this article, you learn how to:
 In addition, there are a couple of things that you might need to do in some circumstances:
 
 * **Install the VM agent on the VM**: Azure Backup backs up Azure VMs by installing an extension to the Azure VM agent running on the machine. If your VM was created from an Azure marketplace image, the agent is installed and running. If you create a custom VM, or you migrate an on-premises machine, you might need to [install the agent manually](#install-the-vm-agent).
-* **Explicitly allow outbound access**: Generally, you don't need to explicitly allow outbound network access for an Azure VM in order for it to communicate with Azure Backup. However, some VMs might experience connection issues, showing the **ExtensionSnapshotFailedNoNetwork** error when attempting to connect. If this happens, you should [explicitly allow outbound access](#explicitly-allow-outbound-access), so the Azure Backup extension can communicate with Azure public IP addresses for backup traffic.
 
 ## Create a vault
 
@@ -39,7 +38,7 @@ In addition, there are a couple of things that you might need to do in some circ
 1. Sign in to the [Azure portal](https://portal.azure.com/).
 2. In search, type **Recovery Services**. Under **Services**, click **Recovery Services vaults**.
 
-     ![Search for Recovery Services vaults](./media/backup-azure-arm-vms-prepare/browse-to-rs-vaults-updated.png) <br/>
+     ![Search for Recovery Services vaults](./media/backup-azure-arm-vms-prepare/browse-to-rs-vaults-updated.png)
 
 3. In **Recovery Services vaults** menu, click **+Add**.
 
@@ -115,6 +114,7 @@ After enabling backup:
 * When backups run, note that:
   * A VM that's running have the greatest chance for capturing an application-consistent recovery point.
   * However, even if the VM is turned off it's backed up. Such a VM is known as an offline VM. In this case, the recovery point will be crash-consistent.
+* Explicit outbound connectivity is not required to allow backup of Azure VMs.
 
 ### Create a custom policy
 
@@ -171,7 +171,7 @@ Failed | Failed | Failed
 Now with this capability, for the same VM, two backups can run in parallel, but in either phase (snapshot, transfer data to vault) only one sub task can be running. So in scenarios were a backup job in progress resulted in the next day’s backup to fail will be avoided with this decoupling functionality. Subsequent day’s backups can have snapshot completed while **Transfer data to vault** skipped if an earlier day’s backup job is in progress state.
 The incremental recovery point created in the vault will capture all the churn from the last recovery point created in the vault. There is no cost impact on the user.
 
-## Optional steps (install agent/allow outbound)
+## Optional steps
 
 ### Install the VM agent
 
@@ -182,114 +182,6 @@ Azure Backup backs up Azure VMs by installing an extension to the Azure VM agent
 **Windows** | 1. [Download and install](https://go.microsoft.com/fwlink/?LinkID=394789&clcid=0x409) the agent MSI file.<br/><br/> 2. Install with admin permissions on the machine.<br/><br/> 3. Verify the installation. In *C:\WindowsAzure\Packages* on the VM, right-click **WaAppAgent.exe** > **Properties**. On the **Details** tab, **Product Version** should be 2.6.1198.718 or higher.<br/><br/> If you're updating the agent, make sure that no backup operations are running, and [reinstall the agent](https://go.microsoft.com/fwlink/?LinkID=394789&clcid=0x409).
 **Linux** | Install by using an RPM or a DEB package from your distribution's package repository. This is the preferred method for installing and upgrading the Azure Linux agent. All the [endorsed distribution providers](https://docs.microsoft.com/azure/virtual-machines/linux/endorsed-distros) integrate the Azure Linux agent package into their images and repositories. The agent is available on [GitHub](https://github.com/Azure/WALinuxAgent), but we don't recommend installing from there.<br/><br/> If you're updating the agent, make sure no backup operations are running, and update the binaries.
 
-### Explicitly allow outbound access
-
-The backup extension running on the VM needs outbound access to Azure public IP addresses.
-
-* Generally you don't need to explicitly allow outbound network access for an Azure VM in order for it to communicate with Azure Backup.
-* If you do run into difficulties with VMs connecting, or if you see the error **ExtensionSnapshotFailedNoNetwork** when attempting to connect, you should explicitly allow access so the backup extension can communicate to Azure public IP addresses for backup traffic. Access methods are summarized in the following table.
-
-**Option** | **Action** | **Details**
---- | --- | ---
-**Set up NSG rules** | Allow the [Azure datacenter IP ranges](https://www.microsoft.com/download/details.aspx?id=41653).<br/><br/> Instead of allowing and managing every address range, you can add a rule that allows access to the Azure Backup service using a [service tag](backup-azure-arm-vms-prepare.md#set-up-an-nsg-rule-to-allow-outbound-access-to-azure). | [Learn more](../virtual-network/security-overview.md#service-tags) about service tags.<br/><br/> Services tags simplify access management, and don't incur additional costs.
-**Deploy a proxy** | Deploy an HTTP proxy server for routing traffic. | Provides access to the whole of Azure, and not just storage.<br/><br/> Granular control over the storage URLs is allowed.<br/><br/> Single point of internet access for VMs.<br/><br/> Additional costs for proxy.
-**Set up Azure Firewall** | Allow traffic through the Azure Firewall on the VM, using an FQDN tag for the Azure Backup service | Simple to use if you have Azure Firewall set up in a VNet subnet.<br/><br/> You can't create your own FQDN tags, or modify FQDNs in a tag.<br/><br/> If your Azure VMs have managed disks, you might need to open an additional port (8443) on the firewalls.
-
-#### Establish network connectivity
-
-Establish connectivity with NSG, by proxy, or through the firewall
-
-##### Set up an NSG rule to allow outbound access to Azure
-
-If an NSG manages the VM access, allow outbound access for the backup storage to the required ranges and ports.
-
-1. In the VM properties > **Networking**, select **Add outbound port rule**.
-2. In **Add outbound security rule**, select **Advanced**.
-3. In **Source**, select **VirtualNetwork**.
-4. In **Source port ranges**, enter an asterisk (*) to allow outbound access from any port.
-5. In **Destination**, select **Service Tag**. From the list, select **Storage.region**. The region is where the vault, and the VMs that you want to back up, are located.
-6. In **Destination port ranges**, select the port.
-    * VM using unmanaged disks with unencrypted storage account: 80
-    * VM using unmanaged disks with encrypted storage account: 443 (default setting)
-    * VM using managed disks: 8443.
-7. In **Protocol**, select **TCP**.
-8. In **Priority**, specify a priority value less than any higher deny rules.
-
-   If you have a rule that denies access, the new allow rule must be higher. For example, if you have a **Deny_All** rule set at priority 1000, your new rule must be set to less than 1000.
-9. Provide a name and description for the rule, and select **OK**.
-
-You can apply the NSG rule to multiple VMs to allow outbound access. This video walks you through the process.
-
->[!VIDEO https://www.youtube.com/embed/1EjLQtbKm1M]
-
-##### Route backup traffic through a proxy
-
-You can route backup traffic through a proxy, and then give the proxy access to the required Azure ranges. Configure the proxy VM to allow the following:
-
-* The Azure VM should route all HTTP traffic bound for the public internet through the proxy.
-* The proxy should allow incoming traffic from VMs in the applicable virtual network.
-* The NSG **NSF-lockdown** needs a rule that allows outbound internet traffic from the proxy VM.
-
-###### Set up the proxy
-
-If you don't have a system account proxy, set one up as follows:
-
-1. Download [PsExec](https://technet.microsoft.com/sysinternals/bb897553).
-2. Run **PsExec.exe -i -s cmd.exe** to run the command prompt under a system account.
-3. Run the browser in system context. For example, use **%PROGRAMFILES%\Internet Explorer\iexplore.exe** for Internet Explorer.  
-4. Define the proxy settings.
-   * On Linux machines:
-     * Add this line to the **/etc/environment** file:
-       * **http_proxy=http:\//proxy IP address:proxy port**
-     * Add these lines to the **/etc/waagent.conf** file:
-         * **HttpProxy.Host=proxy IP address**
-         * **HttpProxy.Port=proxy port**
-   * On Windows machines, in the browser settings, specify that a proxy should be used. If you're currently using a proxy on a user account, you can use this script to apply the setting at the system account level.
-
-       ```powershell
-      $obj = Get-ItemProperty -Path Registry::"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections"
-      Set-ItemProperty -Path Registry::"HKEY_USERS\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections" -Name DefaultConnectionSettings -Value $obj.DefaultConnectionSettings
-      Set-ItemProperty -Path Registry::"HKEY_USERS\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections" -Name SavedLegacySettings -Value $obj.SavedLegacySettings
-      $obj = Get-ItemProperty -Path Registry::"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings"
-      Set-ItemProperty -Path Registry::"HKEY_USERS\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings" -Name ProxyEnable -Value $obj.ProxyEnable
-      Set-ItemProperty -Path Registry::"HKEY_USERS\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings" -Name Proxyserver -Value $obj.Proxyserver
-
-       ```
-
-###### Allow incoming connections on the proxy
-
-Allow incoming connections in the proxy settings.
-
-1. In Windows Firewall, open **Windows Firewall with Advanced Security**.
-2. Right-click **Inbound Rules** > **New Rule**.
-3. In **Rule Type**, select **Custom** > **Next**.
-4. In **Program**, select **All Programs** > **Next**.
-5. In **Protocols and Ports**:
-   * Set the type to **TCP**.
-   * Set **Local Ports** to **Specific Ports**.
-   * Set **Remote port** to **All Ports**.
-
-6. Finish the wizard and specify a name for the rule.
-
-###### Add an exception rule to the NSG for the proxy
-
-On the NSG **NSF-lockdown**, allow traffic from any port on 10.0.0.5 to any internet address on port 80 (HTTP) or 443 (HTTPS).
-
-The following PowerShell script provides an example for allowing traffic.
-Instead of allowing outbound to all public internet addresses, you can specify an IP address range (`-DestinationPortRange`), or use the storage.region service tag.
-
-```powershell
-Get-AzureNetworkSecurityGroup -Name "NSG-lockdown" |
-Set-AzureNetworkSecurityRule -Name "allow-proxy " -Action Allow -Protocol TCP -Type Outbound -Priority 200 -SourceAddressPrefix "10.0.0.5/32" -SourcePortRange "*" -DestinationAddressPrefix Internet -DestinationPortRange "80-443"
-```
-
-##### Allow firewall access with an FQDN tag
-
-You can set up Azure Firewall to allow outbound access for network traffic to Azure Backup.
-
-* [Learn about](https://docs.microsoft.com/azure/firewall/tutorial-firewall-deploy-portal) deploying Azure Firewall.
-* [Read about](https://docs.microsoft.com/azure/firewall/fqdn-tags) FQDN tags.
-
 >[!NOTE]
 > Azure Backup now supports selective disk backup and restore using the Azure Virtual Machine backup solution.
 >
diff --git a/articles/backup/backup-azure-troubleshoot-vm-backup-fails-snapshot-timeout.md b/articles/backup/backup-azure-troubleshoot-vm-backup-fails-snapshot-timeout.md
@@ -84,7 +84,6 @@ After you register and schedule a VM for the Azure Backup service, Backup initia
 
 **Cause 1: [The snapshot status can't be retrieved, or a snapshot can't be taken](#the-snapshot-status-cannot-be-retrieved-or-a-snapshot-cannot-be-taken)**  
 **Cause 2: [The backup extension fails to update or load](#the-backup-extension-fails-to-update-or-load)**  
-**Cause 3: [The VM doesn't have internet access](#the-vm-has-no-internet-access)**
 
 ## <a name="ExtensionOperationFailed-vmsnapshot-extension-operation-failed"></a>ExtensionOperationFailedForManagedDisks - VMSnapshot extension operation failed
 
@@ -108,7 +107,7 @@ After you register and schedule a VM for the Azure Backup service, Backup initia
 **Cause 3: [The snapshot status can't be retrieved, or a snapshot can't be taken](#the-snapshot-status-cannot-be-retrieved-or-a-snapshot-cannot-be-taken)**  
 **Cause 4: [The backup extension fails to update or load](#the-backup-extension-fails-to-update-or-load)**  
 **Cause 5: Backup service doesn't have permission to delete the old restore points because of a resource group lock** <br>
-**Cause 6: [The VM doesn't have internet access](#the-vm-has-no-internet-access)**
+
 
 ## UserErrorUnsupportedDiskSize - The configured disk size(s) is currently not supported by Azure Backup.
 
@@ -137,16 +136,6 @@ If the scheduled backup operation is taking longer, conflicting with the next ba
 
 ## Causes and solutions
 
-### <a name="the-vm-has-no-internet-access"></a>The VM doesn't have internet access
-
-Per the deployment requirement, the VM doesn't have internet access. Or, it might have restrictions that prevent access to the Azure infrastructure.
-
-To function correctly, the Backup extension requires connectivity to Azure public IP addresses. The extension sends commands to an Azure storage endpoint (HTTPs URL) to manage the snapshots of the VM. If the extension doesn't have access to the public internet, backup eventually fails.
-
-#### Solution
-
-To resolve the network issue, see [Establish network connectivity](backup-azure-arm-vms-prepare.md#establish-network-connectivity).
-
 ### <a name="the-agent-installed-in-the-vm-but-unresponsive-for-windows-vms"></a>The agent is installed in the VM, but it's unresponsive (for Windows VMs)
 
 #### Solution
diff --git a/articles/backup/backup-azure-vms-encryption.md b/articles/backup/backup-azure-vms-encryption.md
@@ -47,7 +47,6 @@ Before you start, do the following:
 In addition, there are a couple of things that you might need to do in some circumstances:
 
 - **Install the VM agent on the VM**: Azure Backup backs up Azure VMs by installing an extension to the Azure VM agent running on the machine. If your VM was created from an Azure marketplace image, the agent is installed and running. If you create a custom VM, or you migrate an on-premises machine, you might need to [install the agent manually](backup-azure-arm-vms-prepare.md#install-the-vm-agent).
-- **Explicitly allow outbound access**: Generally, you don't need to explicitly allow outbound network access for an Azure VM in order for it to communicate with Azure Backup. However, some VMs might experience connection issues, showing the **ExtensionSnapshotFailedNoNetwork** error when attempting to connect. If this happens, you should [explicitly allow outbound access](backup-azure-arm-vms-prepare.md#explicitly-allow-outbound-access), so the Azure Backup extension can communicate with Azure public IP addresses for backup traffic.
 
 ## Configure a backup policy
 
diff --git a/articles/backup/backup-azure-vms-troubleshoot.md b/articles/backup/backup-azure-vms-troubleshoot.md
@@ -258,7 +258,6 @@ Verify the VM Agent version on Windows VMs:
 
 VM backup relies on issuing snapshot commands to underlying storage. Not having access to storage or delays in a snapshot task run can cause the backup job to fail. The following conditions can cause snapshot task failure:
 
-* **Network access to Storage is blocked by using NSG**. Learn more on how to [establish network access](backup-azure-arm-vms-prepare.md#establish-network-connectivity) to Storage by using either allowed list of IPs or through a proxy server.
 * **VMs with SQL Server backup configured can cause snapshot task delay**. By default, VM backup creates a VSS full backup on Windows VMs. VMs that run SQL Server, with SQL Server backup configured, can experience snapshot delays. If snapshot delays cause backup failures, set following registry key:
 
    ```text
@@ -272,29 +271,9 @@ VM backup relies on issuing snapshot commands to underlying storage. Not having
 
 ## Networking
 
-Like all extensions, Backup extensions need access to the public internet to work. Not having access to the public internet can manifest itself in various ways:
+DHCP must be enabled inside the guest for IaaS VM backup to work. If you need a static private IP, configure it through the Azure portal or PowerShell. Make sure the DHCP option inside the VM is enabled.
+Get more information on how to set up a static IP through PowerShell:
 
-* Extension installation can fail.
-* Backup operations like disk snapshot can fail.
-* Displaying the status of the backup operation can fail.
+* [How to add a static internal IP to an existing VM](../virtual-network/virtual-networks-reserved-private-ip.md#how-to-add-a-static-internal-ip-to-an-existing-vm)
+* [Change the allocation method for a private IP address assigned to a network interface](../virtual-network/virtual-networks-static-private-ip-arm-ps.md#change-the-allocation-method-for-a-private-ip-address-assigned-to-a-network-interface)
 
-The need to resolve public internet addresses is discussed in [this Azure Support blog](https://blogs.msdn.com/b/mast/archive/2014/06/18/azure-vm-provisioning-stuck-on-quot-installing-extensions-on-virtual-machine-quot.aspx). Check the DNS configurations for the VNET and make sure the Azure URIs can be resolved.
-
-After name resolution is done correctly, access to the Azure IPs also needs to be provided. To unblock access to the Azure infrastructure, follow one of these steps:
-
-* Allow list of Azure datacenter IP ranges:
-   1. Get the list of [Azure datacenter IPs](https://www.microsoft.com/download/details.aspx?id=41653) to be in allow list.
-   1. Unblock the IPs by using the [New-NetRoute](https://docs.microsoft.com/powershell/module/nettcpip/new-netroute) cmdlet. Run this cmdlet within the Azure VM, in an elevated PowerShell window. Run as an Administrator.
-   1. Add rules to the NSG, if you have one in place, to allow access to the IPs.
-* Create a path for HTTP traffic to flow:
-   1. If you have some network restriction in place, deploy an HTTP proxy server to route the traffic. An example is a network security group. See the steps to deploy an HTTP proxy server in [Establish network connectivity](backup-azure-arm-vms-prepare.md#establish-network-connectivity).
-   1. Add rules to the NSG, if you have one in place, to allow access to the internet from the HTTP proxy.
-
-> [!NOTE]
-> DHCP must be enabled inside the guest for IaaS VM backup to work. If you need a static private IP, configure it through the Azure portal or PowerShell. Make sure the DHCP option inside the VM is enabled.
-> Get more information on how to set up a static IP through PowerShell:
->
-> * [How to add a static internal IP to an existing VM](../virtual-network/virtual-networks-reserved-private-ip.md#how-to-add-a-static-internal-ip-to-an-existing-vm)
-> * [Change the allocation method for a private IP address assigned to a network interface](../virtual-network/virtual-networks-static-private-ip-arm-ps.md#change-the-allocation-method-for-a-private-ip-address-assigned-to-a-network-interface)
->
->
diff --git a/includes/virtual-machines-common-backup-and-disaster-recovery-for-azure-iaas-disks.md b/includes/virtual-machines-common-backup-and-disaster-recovery-for-azure-iaas-disks.md
@@ -149,8 +149,6 @@ Use the following steps to enable backups of your VMs by using the [Azure portal
 
 1.	Make sure the Backup Agent is installed on the VM. If your VM is created by using an Azure gallery image, then the Backup Agent is already installed. Otherwise (that is, if you use a custom image), use the instructions to [install the VM agent on a virtual machine](../articles/backup/backup-azure-arm-vms-prepare.md#install-the-vm-agent).
 
-1.	Make sure that the VM allows network connectivity for the backup service to function. Follow the instructions for [network connectivity](../articles/backup/backup-azure-arm-vms-prepare.md#establish-network-connectivity).
-
 1.	After the previous steps are completed, the backup runs at regular intervals as specified in the backup policy. If necessary, you can trigger the first backup manually from the vault dashboard on the Azure portal.
 
 For automating Azure Backup by using scripts, refer to [PowerShell cmdlets for VM backup](../articles/backup/backup-azure-vms-automation.md).
