added includes

Author: AbhishekMallick-MS

includes/blob-backup-configure-policy-cli.md

@@ -0,0 +1,26 @@
+---
+author: AbhishekMallick-MS
+ms.service: backup
+ms.topic: include
+ms.date: 05/30/2024
+ms.author: v-abhmallick
+---
+
+Once the vault and policy are created, there are two critical points that you need to consider to protect all the Azure Blobs within a storage account.
+
+- Key entities
+- Permissions
+
+### Key entities
+
+- **Storage account containing the blobs to be protected**: Fetch the Azure Resource Manager ID of the storage account that contains the blobs to be protected. This will serve as the identifier of the storage account. We'll use an example of a storage account named *CLITestSA*, under the resource group *blobrg*, in a different subscription present in the Southeast Asia region.
+
+    ```azurecli-interactive
+    "/subscriptions/xxxxxxxx-xxxx-xxxx-xxxx/resourcegroups/blobrg/providers/Microsoft.Storage/storageAccounts/CLITestSA"
+    ```
+
+- **Backup vault**: The Backup vault requires permissions on the storage account to enable backups on blobs present within the storage account. The system-assigned managed identity of the vault is used for assigning such permissions.
+
+### Assign permissions
+
+You need to assign a few permissions via Azure RBAC to the created vault (represented by vault MSI) and the relevant storage account. These can be performed via Portal or PowerShell. Learn more about all the [related permissions](/azure/backup/blob-backup-configure-manage#grant-permissions-to-the-backup-vault-on-storage-accounts).

includes/blob-backup-create-policy-cli.md

@@ -0,0 +1,101 @@
+---
+author: AbhishekMallick-MS
+ms.service: backup
+ms.topic: include
+ms.date: 05/30/2024
+ms.author: v-abhmallick
+---
+
+To create a backup policy for blob vaulted backup, run the following commands:
+
+1. To understand the inner components of a Backup policy for Azure Blobs backup, retrieve the policy template using the `az dataprotection backup-policy get-default-policy-template` command.
+
+    This command returns a default policy template for a given datasource type. Use this policy template to create a new policy.
+
+2. Once you have saved the policy JSON with  all the required values, proceed to create a new policy from the policy object using the `az dataprotection backup-policy create` command.
+
+   ```azurecli-interactive
+   Az dataprotection backup-policy create -g testBkpVaultRG –vault-name TestBkpVault -n BlobBackup-Policy –policy policy.json
+   ```
+
+   The following JSON is to configure a policy with *30 days retention* for *operational backup* and *30 days default retention* for *vaulted backup*. The vaulted backup is scheduled every day at *7:30 UTC*.
+
+    ```json
+    {
+      "datasourceTypes": [
+        "Microsoft.Storage/storageAccounts/blobServices"
+      ],
+      "name": "BlobPolicy1",
+      "objectType": "BackupPolicy",
+      "policyRules": [
+        {
+          "isDefault": true,
+          "lifecycles": [
+            {
+              "deleteAfter": {
+                "duration": "P30D",
+                "objectType": "AbsoluteDeleteOption"
+              },
+              "sourceDataStore": {
+                "dataStoreType": "OperationalStore",
+                "objectType": "DataStoreInfoBase"
+              },
+              "targetDataStoreCopySettings": []
+            }
+          ],
+          "name": "Default",
+          "objectType": "AzureRetentionRule"
+        },
+        {
+          "isDefault": true,
+          "lifecycles": [
+            {
+              "deleteAfter": {
+                "duration": "P30D",
+                "objectType": "AbsoluteDeleteOption"
+              },
+              "sourceDataStore": {
+                "dataStoreType": "VaultStore",
+                "objectType": "DataStoreInfoBase"
+              },
+              "targetDataStoreCopySettings": []
+            }
+          ],
+          "name": "Default",
+          "objectType": "AzureRetentionRule"
+        },
+        {
+          "backupParameters": {
+            "backupType": "Discrete",
+            "objectType": "AzureBackupParams"
+          },
+          "dataStore": {
+            "dataStoreType": "VaultStore",
+            "objectType": "DataStoreInfoBase"
+          },
+          "name": "BackupDaily",
+          "objectType": "AzureBackupRule",
+          "trigger": {
+            "objectType": "ScheduleBasedTriggerContext",
+            "schedule": {
+              "repeatingTimeIntervals": [
+                "R/2023-06-28T07:30:00+00:00/P1D"
+              ],
+              "timeZone": "UTC"
+            },
+            "taggingCriteria": [
+              {
+                "isDefault": true,
+                "tagInfo": {
+                  "id": "Default_",
+                  "tagName": "Default"
+                },
+                "taggingPriority": 93
+              }
+            ]
+          }
+        }
+      ]
+    }
+
+    ```

includes/blob-vaulted-backup-configure-policy-ps.md

@@ -0,0 +1,26 @@
+---
+author: AbhishekMallick-MS
+ms.service: backup
+ms.topic: include
+ms.date: 05/30/2024
+ms.author: v-abhmallick
+---
+
+Once the vault and policy are created, there are two critical points that you need to consider to protect all the Azure Blobs within a storage account.
+
+- Key entities
+- Permissions
+
+### Key entities
+
+- **Storage account containing the blobs to be protected**: Fetch the Azure Resource Manager ID of the storage account that contains the blobs to be protected. This will serve as the identifier of the storage account. We'll use an example of a storage account named *PSTestSA* under the resource group *blobrg* in a different subscription.
+
+    ```azurepowershell-interactive
+    $SAId = "/subscriptions/xxxxxxxx-xxxx-xxxx-xxxx/resourcegroups/blobrg/providers/Microsoft.Storage/storageAccounts/PSTestSA"
+    ```
+
+- **Backup vault**: The Backup vault requires permissions on the storage account to enable backups on blobs present within the storage account. The system-assigned managed identity of the vault is used for assigning such permissions.
+
+### Assign permissions
+
+You need to assign a few permissions via Azure RBAC to the created vault (represented by vault MSI) and the relevant storage account. These can be performed via Portal or PowerShell. Learn more about all the [related permissions](/azure/backup/blob-backup-configure-manage#grant-permissions-to-the-backup-vault-on-storage-accounts).

includes/blob-vaulted-backup-create-policy-ps.md

@@ -0,0 +1,50 @@
+---
+author: AbhishekMallick-MS
+ms.service: backup
+ms.topic: include
+ms.date: 05/30/2024
+ms.author: v-abhmallick
+---
+
+To create a backup policy for blob vaulted backup, run the following commands:
+
+1. To retrieve the policy template, use the [Get-AzDataProtectionPolicyTemplate](/powershell/module/az.dataprotection/get-azdataprotectionpolicytemplate) command. This command returns a default policy template for a given datasource type. Use this policy template to create a new policy.
+
+   ```azurepowershell
+   $defaultPol = Get-AzDataProtectionPolicyTemplate -DatasourceType AzureBlob`
+   ```
+
+2. To create a vaulted backup policy, define the schedule and retention for backups. The following commands create a backup policy with backup frequency every week on Friday and Tuesday at 10 AM and retention of three months.
+
+    ```azurepowershell-interactive
+    $schDates = @( 
+
+    ( 
+
+        (Get-Date -Year 2023 -Month 08 -Day 18 -Hour 10 -Minute 0 -Second 0) 
+
+    ), 
+
+    ( 
+
+        (Get-Date -Year 2023 -Month 08 -Day 22 -Hour 10 -Minute 0 -Second 0)  
+
+    )) 
+    
+
+    $trigger =  New-AzDataProtectionPolicyTriggerScheduleClientObject -ScheduleDays $schDates -IntervalType Weekly -IntervalCount 1 
+
+    Edit-AzDataProtectionPolicyTriggerClientObject -Schedule $trigger -Policy $defaultPol  
+
+
+    $lifeCycleVault = New-AzDataProtectionRetentionLifeCycleClientObject -SourceDataStore VaultStore -SourceRetentionDurationType Months -SourceRetentionDurationCount 3  
+
+    Edit-AzDataProtectionPolicyRetentionRuleClientObject -Policy $defaultPol -Name Default -LifeCycles $lifeCycleVault -IsDefault $true 
+
+    New-AzDataProtectionBackupPolicy -SubscriptionId "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx" -ResourceGroupName "resourceGroupName" -VaultName "vaultName" -Name "MyPolicy" -Policy $defaultPol 
+    ```
+
+
+ 
+
+ 

includes/blob-vaulted-backup-introduction.md

@@ -0,0 +1,17 @@
+---
+author: AbhishekMallick-MS
+ms.service: backup
+ms.topic: include
+ms.date: 05/30/2024
+ms.author: v-abhmallick
+---
+
+[Azure Backup](../articles/backup/backup-overview.md) now allows you to configure both [operational](../articles/backup/blob-backup-overview.md?tabs=operational-backup) and [vaulted](../articles/backup/blob-backup-overview.md?tabs=vaulted-backup) backups to protect block blobs in your storage accounts.
+
+Vaulted backup of blobs is a managed offsite backup solution that stores the backup data in a general v2 storage account, enabling you to protect your backup data against ransomware attacks or source data loss due to malicious or rogue admin. 
+
+With vaulted backup, you can:
+
+- Define the backup schedule to create recovery points and the retention settings that determine how long the backups will be retained in the vault.
+- Configure and manage the vaulted and operational backups using a single backup policy.
+- Copy and store the backup data in the Backup vault, thus providing an offsite copy of data that can be retained for a maximum of 10 years.

includes/blob-vaulted-backup-prepare-request-ps.md

@@ -0,0 +1,29 @@
+---
+author: AbhishekMallick-MS
+ms.service: backup
+ms.topic: include
+ms.date: 05/30/2024
+ms.author: v-abhmallick
+---
+
+Once all the relevant permissions are set, configure blob backup by running the following commands:
+
+1. Create a new backup configuration object to specify the set of containers you want to back up. To back up all containers, pass the `-IncludeAllContainer` parameter. To back up specific containers, pass the list of containers to the `-VaultedBackupContainer` parameter. 
+
+    ```azurepowershell-interactive
+    $backupConfig=New-AzDataProtectionBackupConfigurationClientObject -DatasourceType AzureBlob -IncludeAllContainer -StorageAccountResourceGroupName "StorageRG" -StorageAccountName "testpscmd"
+    ```
+
+2. Prepare the relevant request by using the relevant vault, policy, storage account, and the backup configuration object created in the above step using the [Initialize-AzDataProtectionBackupInstance](/powershell/module/az.dataprotection/initialize-azdataprotectionbackupinstance) command.  
+
+    ```azurepowershell-interactive
+    $instance=Initialize-AzDataProtectionBackupInstance -DatasourceType AzureBlob -DatasourceLocation $TestBkpVault.Location -PolicyId $blobBkpPol.Id -DatasourceId $SAId -BackupConfiguration $backupConfig
+    ```
+
+3. Submit the request to protect the blobs within the storage account using the [New-AzDataProtectionBackupInstance](/powershell/module/az.dataprotection/new-azdataprotectionbackupinstance) command.
+
+    ```azurepowershell-interactive
+    New-AzDataProtectionBackupInstance -ResourceGroupName "StorageRG" -VaultName $TestBkpVault.Name -BackupInstance $instance
+    ```
+
+ 

includes/blob-vaulted-backup-restore-ps.md

@@ -0,0 +1,44 @@
+---
+author: AbhishekMallick-MS
+ms.service: backup
+ms.topic: include
+ms.date: 05/30/2024
+ms.author: v-abhmallick
+---
+
+To  restore from vaulted blob backup, run the following commands:
+
+1. Fetch the backup instance for which you want to perform the restore.
+
+    ```azurepowershell-interactive
+    $instance = Get-AzDataProtectionBackupInstance -SubscriptionId "c3d3eb0c-9ba7-4d4c-828e-cb6874714034" -ResourceGroupName "StorageRG" -VaultName "contosobackupvault" -Name “abc”
+    ```
+
+2. Fetch the recovery point you want to use for restoring the data.
+
+    ```azurepowershell-interactive
+    $rp = Get-AzDataProtectionRecoveryPoint -SubscriptionId "c3d3eb0c-9ba7-4d4c-828e-cb6874714034" -ResourceGroupName "StorageRG" -VaultName "contosobackupvault" -BackupInstanceName $instance.Name
+    ```
+
+3. Use the [Initialize-AzDataProtectionRestoreRequest](/powershell/module/az.dataprotection/initialize-azdataprotectionrestorerequest) command to prepare the restore request with all the relevant details. The target resource ID is the ARM ID of the alternate storage account where the contents should be restored.
+
+    ```azurepowershell-interactive
+    $ResourceId="/subscriptions/xxxxxx /resourceGroups/StorageRG/providers/Microsoft.Storage/storageAccounts/xxxx "
+    $restorerequest =Initialize-AzDataProtectionRestoreRequest -DatasourceType AzureBlob -SourceDataStore VaultStore -RestoreType AlternateLocation -BackupInstance $instance -RecoveryPoint $rp[0].Name -TargetResourceId $ResourceId
+    ```
+
+4. To restore specific containers, pass the container list explicitly to the `-ContainersList` parameter and also pass the parameter -ItemLevelRecovery.
+
+    ```azurepowershell-interactive
+    $restorerequest = Initialize-AzDataProtectionRestoreRequest -DatasourceType AzureBlob -SourceDataStore VaultStore -RestoreType AlternateLocation -RecoveryPoint $rp[0].Name -TargetResourceId $ResourceId -ContainersList "test1" -RestoreLocation "eastus" -ItemLevelRecovery
+    ```
+
+5. Trigger the restore with the restore request prepared in the above steps.
+
+    ```azurepowershell-interactive
+    Start-AzDataProtectionBackupInstanceRestore -BackupInstanceName $instance.Name -ResourceGroupName "StorageRG" -VaultName $TestBkpVault.Name -Parameter $restorerequest
+    ```
+
+6. Restore specific blobs based on the prefix match in each container.
+
+Learn [how to restore specific blobs from vaulted backup](/powershell/module/az.dataprotection/start-azdataprotectionbackupinstancerestore?view=azps-11.6.0&preserve-view=true#example-10-trigger-vaulted-backup-conatiners-itemlevelrestore-with-prefixmatch-for-azureblob).

includes/blob-vaulted-backup-restore-restapi.md

@@ -0,0 +1,65 @@
+---
+author: AbhishekMallick-MS
+ms.service: backup
+ms.topic: include
+ms.date: 05/30/2024
+ms.author: v-abhmallick
+---
+
+### Fetch the relevant recovery point
+
+To list all the available recovery points for a backup instance, use the list recovery points API.
+
+```http
+GET https://management.azure.com/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.DataProtection/backupVaults/{vaultName}/backupInstances/{backupInstanceName}/recoveryPoints?api-version=2021-07-01
+```
+
+### Prepare the request body to perform restore from vaulted backup.
+
+Following is the request body to restore container bash 2 from a vaulted backup.
+
+```http
+{
+  "objectType": "AzureBackupRecoveryPointBasedRestoreRequest",
+  "sourceDataStoreType": "VaultStore",
+  "restoreTargetInfo": {
+    "objectType": "itemLevelRestoreTargetInfo",
+    "recoveryOption": "FailIfExists",
+    "dataSourceInfo": {
+      "objectType": "Datasource",
+      "resourceID": "/subscriptions/495944b2-66b7-4173-8824-77043bb269be/resourceGroups/Blob-Backup/providers/Microsoft.Storage/storageAccounts/azclitestrestore2",
+      "resourceName": "azclitestrestore2",
+      "resourceType": "Microsoft.Storage/storageAccounts",
+      "resourceLocation": "not specified",
+      "resourceUri": "/subscriptions/495944b2-66b7-4173-8824-77043bb269be/resourceGroups/Blob-Backup/providers/Microsoft.Storage/storageAccounts/azclitestrestore2",
+      "datasourceType": "Microsoft.Storage/storageAccounts/blobServices",
+      "resourceProperties": {}
+    },
+    "restoreCriteria": [
+      {
+        "objectType": "ItemPathBasedRestoreCriteria",
+        "itemPath": "bash2",
+        "isPathRelativeToBackupItem": true,
+        "subItemPathPrefix": null
+      }
+    ],
+    "restoreLocation": "eastus2euap"
+  },
+  "recoveryPointId": "33fdef0e0e2e4594b63092ae9a56f58d"
+}
+```
+
+If you want to restore blobs with specific prefixes, provide the list of prefixes as value for **subItemPathPrefix**. Here's an example to restore blobs starting with prefixes dd, ee, or ff in container2 of your backed-up storage account.
+
+```http
+   {
+        "is_path_relative_to_backup_item": true,
+        "item_path": "container2",
+        "object_type": "ItemPathBasedRestoreCriteria",
+        "sub_item_path_prefix": [
+          "dd",
+          "ee",
+          "ff"
+        ]
+      }
+```